LAF (Download mode) What is it, and how can we root with it?


Tilde88

Senior Member
Nov 5, 2008
2,418
1,613
Hey, I'm a bit late to the research party but I'm willing to help as well; I have the h918 with arb1 as well. I'll do anything that I can to help, and I can send you all the info from my SVC menu and whatnot. I'm new to the world of programming and advanced Android tinkering, as well as some more hardcore PC tinkering, but I can do anything you can walk me through!
Just let me know if I can help! Also thank you for all your work man, it's incredible what you all do here and I hope to soon be able to do these kinds of things as well!

EDIT::: BTW I got $25 on a donation for the time and effort w/e you decide to throw up that link or what have you : D

@runningnak3d already confirmed that he has this done. Once he gets his phone fixed up, he will test to reduce the likelihood of bricks, and release for us :). Just keep that F5 button handy lol
 

runningnak3d

Recognized Developer
Nov 10, 2010
2,649
7,227
Largo
I will know tomorrow if LG is going to honor my warranty, and it looks like they will. Yep, that will make the fourth brick that will have been repaired in my quest to truly understand LG security (well, this last one was just flat out not paying attention -- 100% flake out because I was so stoked). As soon as LG emails me a date, I will post it....

I have a lot of code to clean up, but more importantly I need to test it again, but then it will be ready for use.

Whatever you do, don't take any updates. As of v10r the exploit is still possible, but as I stated in another thread, the exploit has already been removed from the lafd that the V30 uses, and I am sure that the next major update for our phones will include that update.

-- Brian
 

Zacharee1

Recognized Developer / Retired Forum Moderator
I will know tomorrow if LG is going to honor my warranty, and it looks like they will. Yep, that will make the fourth brick that will have been repaired in my quest to truly understand LG security (well, this last one was just flat out not paying attention -- 100% flake out because I was so stoked). As soon as LG emails me a date, I will post it....

I have a lot of code to clean up, but more importantly I need to test it again, but then it will be ready for use.

Whatever you do, don't take any updates. As of v10r the exploit is still possible, but as I stated in another thread, the exploit has already been removed from the lafd that the V30 uses, and I am sure that the next major update for our phones will include that update.

-- Brian
If there is a next major update for the V20, that is.
 

Tilde88

Senior Member
Nov 5, 2008
2,418
1,613
I will know tomorrow if LG is going to honor my warranty, and it looks like they will. Yep, that will make the fourth brick that will have been repaired in my quest to truly understand LG security (well, this last one was just flat out not paying attention -- 100% flake out because I was so stoked). As soon as LG emails me a date, I will post it....

I have a lot of code to clean up, but more importantly I need to test it again, but then it will be ready for use.

Whatever you do, don't take any updates. As of v10r the exploit is still possible, but as I stated in another thread, the exploit has already been removed from the lafd that the V30 uses, and I am sure that the next major update for our phones will include that update.

-- Brian
LG wouldn't flash my 9008 because they found water damage... even though I never got the phone anywhere near water...
When I received it, I opened it, and sure enough you could see a small drop of water on the board. I asked them to flash it anyway, that I'd sign a waiver confirming that I knew this wasn't a 100% fix, but they refused. And yes, the phone worked perfectly prior to the brick. It was just an aesthetic issue that showed water was on the board.

I'm definitely never buying anything LG ever again, even though they have the best screens (for TVs) at the moment. The fact that they wouldn't flash my perfectly good phone, and leave me out to dry, short $1000.... (phone was 4 days over the TMobile warranty). I ended up fixing it as you know with a new board but they should have flashed it.

That, and their kernel sources are so friggin ugly. Things indented improperly, or missing indent altogether. There are even some parts of the kernel source that you can tell they selected a whole section, and dragged it with the mouse, to screw up the ordering.
Then they go and start locking things down for their devices (aside from the TMobile lockdowns). I can get wanting to keep devices from being botched by end-users, but you can't just lock people out... So if I buy an HP, I can't choose to format it and run Linux? Or maybe a better scenario... I bought this new Windows PC. And it can never have administrative rights... That's absurd. LG Mobile can drop dead for all I care. Any flagship manufacturers that do this as well. Samsung, whomever....

After the V20, never again will I buy anything LG.
 

storm68

Senior Member
Sep 8, 2010
1,881
551
Orlando
LG wouldn't flash my 9008 because they found water damage... even though I never got the phone anywhere near water...
When I received it, I opened it, and sure enough you could see a small drop of water on the board. I asked them to flash it anyway, that I'd sign a waiver confirming that I knew this wasn't a 100% fix, but they refused. And yes, the phone worked perfectly prior to the brick. It was just an aesthetic issue that showed water was on the board.

I'm definitely never buying anything LG ever again, even though they have the best screens (for TVs) at the moment. The fact that they wouldn't flash my perfectly good phone, and leave me out to dry, short $1000.... (phone was 4 days over the TMobile warranty). I ended up fixing it as you know with a new board but they should have flashed it.

That, and their kernel sources are so friggin ugly. Things indented improperly, or missing indent altogether. There are even some parts of the kernel source that you can tell they selected a whole section, and dragged it with the mouse, to screw up the ordering.
Then they go and start locking things down for their devices (aside from the TMobile lockdowns). I can get wanting to keep devices from being botched by end-users, but you can't just lock people out... So if I buy an HP, I can't choose to format it and run Linux? Or maybe a better scenario... I bought this new Windows PC. And it can never have administrative rights... That's absurd. LG Mobile can drop dead for all I care. Any flagship manufacturers that do this as well. Samsung, whomever....

After the V20, never again will I buy anything LG.


+1

I'm on TMobile on the jump program and as soon as the S9 comes out I'm jumping ship. That's if I can root it. Having flash withdrawals sucks big time! :silly:
 

runningnak3d

Recognized Developer
Nov 10, 2010
2,649
7,227
Largo
Little off-topic, but @storm68 you might want to check the status of the S8 and S8+. As far as I know, they only have system root, and no recovery, and the only reason they have that is because someone got an engineering boot which had dm-verity disabled. It is still signed, so you don't need an unlocked bootloader.

I can't say this enough. I know it is a lot easier for some people to buy phones from the carrier so you don't have to shell out 700, 800 or God forbid $1000.00 on a phone, but things are only going to get worse as far as locking phones down. I don't have my demo unit yet, and when I get it, I will post the ACTUAL details, but it is my guess that when the SD845 is released, the only thing (as an "end user") you will see is what we know as boot, system, userdata, cache and MAYBE modem. The entire TZ will be on the CPU and encrypted. The only avenue for attack will be if you have physical access to the chip (look up the work that is being done to hack the Nintendo Switch). I am not saying that it can't be cracked, but the best that an ordinary person will be able to hope for is an engineering boot leak like the S8 and S8+ -- be that LG, Samsung, HTC, Motorola, or any other OEM that wants to completely lock their phone down.

Even OnePlus will probably have problems giving people access even though they will WANT to. It is the design and security implementation of Qualcomm.

It is my hope the Exynos or Mediatek up their game as far as performance goes -- but at the end of the day, I will take a slower phone that I can root over "fast as crap" that I have zero control over.

-- Brian
 

storm68

Senior Member
Sep 8, 2010
1,881
551
Orlando
Oh I see. I didn't know that about the S8. I've been on their forums but only at a quick glance. Didn't realize there was no TWRP. If and when you get this going on root for 10r, then I would have to seriously say I'll stick with the V20 with no update, of course. Especially since it's a pull-out battery and also the sense that I can put in a micro SD card for high storage volume. The camera is really nice on this phone and still keeps up with the latest. So yes, your advice will be taken in regards to your info. Thanks :good:
 

BROKEN1981

Senior Member
Dec 27, 2013
2,105
1,016
ASUS ROG Phone 3
Google Pixel 6 Pro
I have mixed feelings right now. I love the quad DAC so I would always want an LG. I had root on the v20, but figured I did not care about it till I could not have it.

Right now, if I had root I wouldn't know what to do with it.

If I could theme my nav buttons, then I would love that.

Running a custom ROM such as LOS just seems foolish. Lose the quad DAC and second screen. The selling point of this phone is the second screen and Quad DAC. V4A kills audio quality. Also stock ROM is fast and fluid.

Sent from my LG V20 using XDA Labs
 

popwar

Senior Member
Mar 1, 2013
140
33
Spartanburg
I have mixed feelings right now. I love the quad DAC so I would always want an LG. I had root on the v20, but figured I did not care about it till I could not have it.

Right now, if I had root I wouldn't know what to do with it.

If I could theme my nav buttons, then I would love that.

Running a custom ROM such as LOS just seems foolish. Lose the quad DAC and second screen. The selling point of this phone is the second screen and Quad DAC. V4A kills audio quality. Also stock ROM is fast and fluid.
V4a kills audio quality? It was amazing paired with dac on the v10. Just have to find the right settings.
 

jimenezboy

Senior Member
Jan 2, 2010
88
33
Kapkatet
I have mixed feelings right now. I love the quad DAC so I would always want an LG. I had root on the v20, but figured I did not care about it till I could not have it.

Right now, if I had root I wouldn't know what to do with it.

If I could theme my nav buttons, then I would love that.

Running a custom ROM such as LOS just seems foolish. Lose the quad DAC and second screen. The selling point of this phone is the second screen and Quad DAC. V4A kills audio quality. Also stock ROM is fast and fluid.

Sent from my LG V20 using XDA Labs

V4A is a really nice mod once you find the correct settings for it.
 

BROKEN1981

Senior Member
Dec 27, 2013
2,105
1,016
ASUS ROG Phone 3
Google Pixel 6 Pro

Masterfireheart

New member
Jan 25, 2018
2
5
V4A does not work with the quad DAC. It down samples.

Sent from my LG V20 using XDA Labs

V4A isn't what downsamples, Android does. And downsampling (to 48 kHz of all things) is actually beneficial to reducing post-Nyquist aliasing and by extension any harmonic distortion as a result of the streaming.

The actual dynamic EQs and filters it does offer DO work wonders on improving sound quality though (it has nothing to do with hardware); it's all a matter of you tweaking the settings to find what's right for your setup.

Also hi everyone! Decided to finally make an account after lurking this thread for a few months (I went by paulbeenis on the IRC channel if anyone remembers). Excited to see all the progress being done for the V20 and I hope I can help in any way (though my expertise is in audio, not kernel exploits lol)
 

Top Liked Posts

  • 64
    EDIT: 2018-08-14

    Wow -- re-reading this, whoa, what a bunch of assumptions / misinformation.

    Note to self, update this post with the ACTUAL findings, and the ACTUAL way that the *current* (as of Nougat and Oreo) works. Also, add in the way that Google is going to F**K us all in the A** by adding AVB to the boot, and recovery, (and then LG can very easily add it to laf) in 9.0 (Pie). Pie in the face. A**holes.


    LAF Is the LG Advanced Flash. When you hold vol up and insert your USB cable to get into download mode, aboot loads a partition called LAF.

    It is just a boot image, but instead of the ramdisk (initrd) doing things like mounting system, so Android boots, it loads download mode.

    As part of my research on the Boot Chain of Trust (BCT), it occurred to me that if you have an unlocked boot loader, you can flash whatever you want to the recovery partition. The only LG V20s that have unlockable boot loaders WITHOUT using the engineering aboot are the US996 (unlock.bin from LG), and the H918 (fastboot oem unlock). This wouldn't really be needed by the US996 since it has all fastboot commands available, the H918 however, does not.

    In the thread about rooting the H918, I came up with the idea of patching LG UP to ignore ARB (Anti-RollBack). When a phone has an unlocked boot loader, aboot (applications boot) doesn't do RSA verification on the boot image. In addition, the boot image doesn't talk to the QFPROM to increment ARB. Heck, the boot image doesn't even have the code needed to write to QFPROM (ARB qfuse). So, the only thing stopping us from flashing an older kernel and system image is that LG UP checks the KDZ to see what ARB version it is at, and it checks QFPROM to see what ARB version the phone is at. If the KDZ is less -- it fails.

    So, that is one way. Patch LG UP to ignore ARB, and then flash boot and system from an older KDZ. Unfortunately, my reverse engineering skills aren't great. On the other hand, my ability to read packet dumps and figure out protocols is much better (worked on -- and still work on World of Warcraft emulation). So I got to thinking, LG UP talks to LAF, so time to load up some wireshark, and start sniffing the USB bus to figure out what exactly is being said.

    After working on this for a couple of days, I thought that there HAS to be someone else out there that thought of this same thing. Turns out I was correct: link.

    As you can see it is a little old, but it put me much farther ahead than I would have been. I think the project was dropped, because as stated above, you need an unlocked boot loader -- and I think T-Mobile is the only one that still does.

    BUT we have an engineering aboot. So, this tool is of use to ALL V20s, since we can just push the engineering aboot, and twrp just like back when dirtycow worked.

    Finally to the point of this post. I would like some help updating the protocol. It appears that dmesg works no matter what:


    Code:
    <snip>
     pseudo_chg_ui[0]
    <3>[ 3132.160144 / 01-01 01:06:45.539][1] LGE charging scenario : state 0 -> 0(0-0), temp=31, volt=3804, BTM=0, charger=1, cur_set=0/0, chg_cur = -232
    <6>[ 3132.160154 / 01-01 01:06:45.539][1] [LGE-CC] lge_monitor_batt_temp_work : otp_ibat_current=0
    <6>[ 3132.160177 / 01-01 01:06:45.539][1] [LGE-CC] lge_monitor_batt_temp_work : Reported Capacity : 17 / voltage : 3804
    <6>[ 3133.448127 / 01-01 01:06:46.819][3] FG: update_sram_data: soc:[17], soc_raw[1863], voltage:[3804909], ocv:[3749062], current:[-232542], batt_temp:[310], charge_raw [374287 / 3167000]
    <12>[ 3136.173937 / 01-01 01:06:49.549][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004 
    <12>[ 3136.174137 / 01-01 01:06:49.549][3] [LAF] read property item = ATT
    <12>[ 3136.289486 / 01-01 01:06:49.659][2] [LAF] execvp failed. error = 2
    <6>[ 3136.560128 / 01-01 01:06:49.939][3] pet_watchdog [enable : 1, jiffies : 4295250952, delay_time : 1000]
    <6>[ 3137.006156 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] USB_PRESENT[1], PARALLEL_STATUS[2], USB_TYPE[SDP]
    <6>[ 3137.006165 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] TOTAL_IUSB[500], PMI_IUSB[1700], SMB_IUSB[0]
    <6>[ 3137.006172 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] TOTAL_IBAT[3100/3100(vote)], PMI_IBAT[3000], SMB_IBAT[1000]
    <6>[ 3137.006179 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] CABLE_ID [OPEN], CABLE_INFO[SDP], USBIN_VOL[4973]
    <6>[ 3137.006185 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] BATT_SOC[17], BATT_VOL[3804], BATT_TEMP[310], BATT_CUR[-232542]
    <6>[ 3137.006193 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] CHG_EN[Enable], CHG_STATE[CHARGING/500MA/CC], SAFTY_STATE[Set/Not yet]
    <6>[ 3137.006199 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] XO_tHERM[36], PA_THERM[33], BOARD_THERM[32] VTS[333]
    <6>[ 3142.000053 / 01-01 01:06:55.379][2] [bm] monitoring
    <12>[ 3142.384450 / 01-01 01:06:55.759][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004 
    <12>[ 3142.384664 / 01-01 01:06:55.759][3] [LAF] read property item = ATT
    <12>[ 3142.498642 / 01-01 01:06:55.869][3] [LAF] dmesg!!


    Enough to let me know that at the very least, the protocol version has changed.

    So, once the missing pieces are back in place, we will be able to once again root any model, on any security patch.

    Why can't they plug this hole? They could actually. They could force all phones to require OTA updates -- no more download mode. Until they do, they can change the protocol all they want, but as long as LG UP can talk to the phone, then it can be figured out once again. As for the engineering aboot. That can of worms can't be closed -- they have no way of updating the RSA key in the CPU. Well they could have, if they didn't decide to go the full on / locked down / method. There are slots for 4 keys in QFPROM, but they made the mistake of locking the CPU so that no new keys can be written. The advantage to them was that people like myself can't write my own key. The disadvantage is that if something like the eng aboot leaks, they can't do a thing about it.

    So -- WHO'S WITH ME?!? :)

    -- Brian
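    As an added illustration (not code from Brian's post or from the lglaf project): a small Python parser for the kernel log format shown in the dmesg capture above. It picks out the [LAF] lines, extracts the received and device protocol versions from the "protocol version mismatch" message, and names the errno behind "execvp failed". The sample lines are copied from the capture above; the line layout regex is my own reading of those lines, and the version numbers are kept as strings because the post does not say which radix lafd prints them in.

```python
import errno
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout of one line in the capture: <prio>[ uptime / MM-DD HH:MM:SS.mmm][cpu] message
# (assumed from the lines in the post; the leading-space "pseudo_chg_ui[0]" fragment does not fit it)
LINE_RE = re.compile(
    r"^<(?P<prio>\d+)>\[\s*(?P<uptime>\d+\.\d+) / "
    r"(?P<wall>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\]\[(?P<cpu>\d+)\] (?P<msg>.*)$"
)
MISMATCH_RE = re.compile(r"\[LAF\] protocol version mismatch\. rcv = (?P<rcv>\d+), dev = (?P<dev>\d+)")
EXECVP_RE = re.compile(r"\[LAF\] execvp failed\. error = (?P<err>\d+)")

# Constructed sample: a subset of the dmesg lines quoted in the post (one non-LAF line and one
# malformed fragment included on purpose so the parser has to skip them).
SAMPLE_DMESG = """\
 pseudo_chg_ui[0]
<3>[ 3132.160144 / 01-01 01:06:45.539][1] LGE charging scenario : state 0 -> 0(0-0), temp=31, volt=3804, BTM=0, charger=1, cur_set=0/0, chg_cur = -232
<12>[ 3136.173937 / 01-01 01:06:49.549][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004 
<12>[ 3136.174137 / 01-01 01:06:49.549][3] [LAF] read property item = ATT
<12>[ 3136.289486 / 01-01 01:06:49.659][2] [LAF] execvp failed. error = 2
<12>[ 3142.384450 / 01-01 01:06:55.759][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004 
<12>[ 3142.498642 / 01-01 01:06:55.869][3] [LAF] dmesg!!
"""


@dataclass
class LogLine:
    prio: int
    uptime: float
    wall: str
    cpu: int
    msg: str


def parse_line(raw: str) -> Optional[LogLine]:
    """Parse one kernel log line; return None for lines that do not follow the layout."""
    m = LINE_RE.match(raw.strip())
    if m is None:
        return None
    return LogLine(int(m["prio"]), float(m["uptime"]), m["wall"], int(m["cpu"]), m["msg"].rstrip())


def laf_events(lines: List[str]) -> List[Dict]:
    """Keep only [LAF] messages and classify the two the post calls out."""
    events: List[Dict] = []
    for raw in lines:
        ll = parse_line(raw)
        if ll is None or not ll.msg.startswith("[LAF]"):
            continue
        m = MISMATCH_RE.search(ll.msg)
        if m:
            # rcv is what the host (LG UP / the old tool) sent, dev is what lafd expects
            events.append({"kind": "protocol_mismatch", "uptime": ll.uptime, "rcv": m["rcv"], "dev": m["dev"]})
            continue
        m = EXECVP_RE.search(ll.msg)
        if m:
            code = int(m["err"])
            # errno 2 is ENOENT: the requested program was not found on the lafd whitelist / filesystem
            events.append({"kind": "execvp_failed", "uptime": ll.uptime, "errno": code,
                           "errno_name": errno.errorcode.get(code, "UNKNOWN")})
            continue
        events.append({"kind": "laf_message", "uptime": ll.uptime, "msg": ll.msg})
    return events


def summarize(events: List[Dict]) -> Dict[str, int]:
    """Count events by kind, e.g. how many times the host/device protocol versions disagreed."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in laf_events(SAMPLE_DMESG.splitlines()):
        print(e)
    print(summarize(laf_events(SAMPLE_DMESG.splitlines())))
```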
    50
    You guys aren't going to believe this shiz. I just flashed TWRP onto my H918 by total accident.

    I was trying to solve the MISC WRTE / COPY (copy2 flashing), and I needed a test file descriptor. I knew that indirect flashing -- RSVD IDDD opens /data/idt.cfg for writing. I wanted ANYTHING except my onboard storage so I didn't brick my phone. When I went to make sure that idt.cfg was in write mode, I MEANT to type lsof (list open files), but what I typed was ls-f, and I got file not found. Then I typed dmesg to try and find out what just happened, and I didn't get anything. So then I typed ls-f again, and this time I got dmesg not found.

    So I figured I would try passing some things as the payload: RSVD IDDD /system/bin/sh
    ls-f did nothing. So I thought it was running a shell and exiting. Nope.

    Finally figured out that what it was looking for was an update file. So.... RSVD IDDD /storage/external_SD/SoftwareUpdate/update.zip

    and....

    Code:
    [LAF] Start flashing HW user partition 0
    [LAF] success to close handle to flash driver
    
    [LAF] flashing done.

    Turns out that download mode doesn't verify the integrity of update.zip when it is called via indirect flashing. As in it doesn't check to see that it was signed with the keys that are usually in /res :)

    Root is for real coming soon...

    Oh, the best part, this is available in ALL current versions of lafd on any and every LG model.

    Any LG model that can unlock their bootloader, or has an engineering aboot (G6 and down) or an engineering abl (V30 and up)

    -- Brian
    31
    So in today's news we have -- laf root shell for almost all V20s:

    First normal laf
    Code:
    ./lglaf.py 
    LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
    Type a shell command to execute or "exit" to leave.
    # whoami
    Hello, I am LAF. Nice to meet you.# 
    #

    As I stated before, normal laf has a very limited list of commands that execvp will allow. If you try and run a command that isn't on that whitelist, you get: "Hello, I am LAF. Nice to meet you."

    Now let's replace that laf:
    Code:
    ./partitions.py --restore patched-laf.img laf
     [ 100 % ] 2018-06-20 13:50:27,343 partitions: INFO: Done after writing 50331648 bytes from patched-laf.img

    Now notice, this is using --restore which is the normal KDZ flashing method. The SIGN payload gets sent, and then WRTE opcodes are used. This isn't using MISC WRTE / COPY, so ANY laf version can flash it onto any device.
    Once sent the hash is compared, and if it matches, it flushes the buffer to NAND.

    So what do we get now:
    Code:
    ./lglaf.py 
    LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
    Type a shell command to execute or "exit" to leave.
    # whoami
    root
    # uptime
     18:09:19 up 0 min,  0 users,  load average: 2.11, 0.50, 0.17

    So now we just slap TWRP and a few other files onto an SD card, and use dd to flash it onto recovery, and unlock the bootloader.

    Now, why is this important? Well right now it isn't. Even with this breakthrough the LS997 still can't be rooted on ARB 1 since there are no ARB 1 aboot images that can be unlocked (it is pulled from the stock LS997 aboot), and the engineering aboot is also ARB 0.

    However, if Oreo comes out and they increment ARB, and Oreo won't boot on older firmware, anyone without an H918 will have to choose between Nougat and root, or Oreo and no root. We need a third option ... and this is it :)

    I am posting this because there is nothing Qualcomm, LG or anyone else can do about it since it uses standard KDZ flashing (well -- I guess they could remove download mode completely -- but they won't) They can modify the protocol, but I will just reverse engineer the modifications. It is a cat and mouse game that they will always lose.
    I will be pushing the code and the image to my repo. Again, it really doesn't do anyone any good right now -- but it will be out there.

    What I am NOT releasing is the part that will have LG scratching their heads. How did I get a modified image to flash AND pass the hash check? If I can modify an image, why not just modify TWRP and flash that directly?

    Those questions will never be answered publicly.

    -- Brian
    30
    I am going to go through this with a fine tooth comb before I risk my device, but after decompiling it, and giving it a quick cursory glance, it doesn't look like ANY calls are made to the fusing functions on init.

    If anyone was curious (I was) as to whether you could use a firehose to just write anything you wanted -- nope. It checks the signature of the image being written, and if it doesn't pass -- no flash. Well, again, our engineering aboot is signed, or our phone wouldn't boot :)


    So it looks like the full root procedure will be:

    * Have a FULLY charged phone
    * Dump TZ (just to make sure that you have a copy on hand) - tool will be provided
    * Wipe TZ to get into EDL mode (yes - this is the scary 9008 - doesn't look like the phone even powers on mode) - tool will be provided
    * Use QFIL to flash TZ that you dumped, and engineering ABOOT
    * You will now have full fastboot so you can fastboot flash recovery twrp.img :)
    * Profit!

    This will work on any model V20 except the H918. You guys can thank T-Mobile for deciding to use their own cert.
    I will try to contact the person that provided me this firehose and see if they are willing to provide one for the H918.

    Lastly, I will be testing this later tonight once I chew through this decompiled code a bit more...

    -- Brian
    30
    So, I know I haven't posted much the past couple of weeks -- had a family emergency and I just went off the grid. Things are starting to kind of get back to normal, so I will be back around more.

    While I was away, I dropped my phone and got a crack in the screen, so I picked up another H918 off of eBay (freaking $120 mint condition with shipping -- that is insane).

    Anyway, it came with 10r which of course doesn't have the COPY opcode, so I needed to do some flashing to root it. I flashed 10p, but before I rooted it, I wanted to run some tests.

    It turns out I was WRONG about a major assumption (all laf is created equally across models -- as in H910 10p laf is the same as H918 10p laf).

    I am sticking by my "I am not releasing anything else until we get freaking Oreo", but I wanted to at least say this was a MAJOR breakthrough.

    Right now, with the exception of the LS997, all V20s can be rooted. I would really like to give the LS997 guys some help -- but I do not want to delay Oreo any more.

    With that said, this is REALLY cool, and I really want to post all the details about it -- going to have to cut off the beer so that I don't. :)

    Suffice it to say, LG are idiots. I am sure Samsung is too, but I have no desire to have a Samsung phone. As a matter of fact, I will be keeping a V20 until SOMEONE releases a flagship phone with:

    * removable battery
    * SD card
    * Headphone jack
    * IR blaster

    In other words, take a V20, drop in an SD845 with 8gigs RAM, and upgrade the camera (and the upgraded camera is optional).

    -- Brian