Related
http://forum.xda-developers.com/general/rooting-roms/cnc-bootloader-bootloader-access-phone-t3169432
Could something like this help with the unlocking of our bootloader? Or am I not getting how it works altogether?
Well, if you are brave enough to test it...
It states "unless you softbrick there is no bl mode", which assumes you have a bl mode if you softbrick it. If that's true, it's cool and unlock via fastboot might work. If it's not true, you've just softbricked your phone without any way to recover.
Someone brave with an equipment protection plan may want to back up his phone and try the method, and if it softbricks, just file a claim with Asurion and wait 3 days for a replacement, living without a phone.
Another problem is that the thread in the link mentions the cnc-bootloader without an actual link to it or any other way to download it; otherwise maybe I'd try it.
There was a user in the root development thread who backed up/deleted laf.img in order to boot to fastboot, which worked, but I think it didn't respond to any commands. I bricked my first G4 trying the same, but I didn't enter the right command and deleted aboot by accident, oops.
Found that post:
http://forum.xda-developers.com/showthread.php?p=62085237
Just wanted to share what seemed like a possibility of helping with the current bootloader status...
As much as I'd love to try, I have no idea how to, but I would gladly work with someone that could go with me step by step...
If **** hits the fan, warranty should cover the damage and I could roll back to my trusty G2 till I get the phone back.
Alright, let me preface this with a few things... I am FAR from new to Android, rooting, Linux, exploits, or almost anything embedded (UART, JTAG, SPI, I2C, etc.). I am by no means a guru though...
I am attempting to root this device; it is an unlocked LG G4, US Cellular branded, MM 6.0 lgus991 22a rollback 2, and I am so far at a total impasse... I'll explain my situation.
No fastboot.
Bootloader is locked, and I cannot unlock it. If I try to check "Enable oem unlock", it unchecks itself, and reading through dmesg, it references a file with two errors: one for lack of permissions, and another for no such file (same filename though; likely trying to create the file, being denied, then trying to edit a non-existent file). I forget the exact file name, but I have it saved somewhere (persis1234 or something like that; I just don't remember the exact path. I can post it later if it makes a difference).
I have had minor success with the dirtycow exploit, but mostly just replacing files and not getting anywhere, or the phone quickly reboots if I replace certain system files (ifconfig, toybox, toolbox, etc.). When it works, it says I have root, but it is VERY limited due to SELinux and the context. I am also unable to get a root shell open.
SELinux is protected and I haven't been able to find a way to make it permissive as of yet. Past attempts at editing the recovery or init have resulted in "secure boot error 1003"; the phone reboots, and it is then still stock...
If I grenade this thing, I will only slightly give a f**k. I am not above pulling this thing apart and trying to JTAG my way in if I need to, as it is not my only device. That seems to me to be the only way at the moment, aside from finding another kernel exploit like dirtycow or rowhammer... Unless someone else has another idea, but for now I am going to pursue the JTAG route.
Would something that I already own, like a Bus Pirate, RPi, or Arduino Mega, be enough, or would I need something like a Bus Blaster? I just don't want to spend more than I need to. I'd rather spend the money on a new phone than on something like a Medusa Pro.
Any help is appreciated
Why not flash a TOT and then proceed with the unlock through the LG unlock tool? Maybe it fixes the fastboot issue.
aanarchyy said:
Alright, let me preface this with a few things... I am FAR from new to Android, rooting, Linux, exploits, or almost anything embedded (UART, JTAG, SPI, I2C, etc.). I am by no means a guru though...
I am attempting to root this device; it is an unlocked LG G4, US Cellular branded, MM 6.0 lgus991 22a rollback 2, and I am so far at a total impasse... I'll explain my situation.
No fastboot.
Bootloader is locked, and I cannot unlock it. If I try to check "Enable oem unlock", it unchecks itself, and reading through dmesg, it references a file with two errors: one for lack of permissions, and another for no such file (same filename though; likely trying to create the file, being denied, then trying to edit a non-existent file). I forget the exact file name, but I have it saved somewhere (persis1234 or something like that; I just don't remember the exact path. I can post it later if it makes a difference).
I have had minor success with the dirtycow exploit, but mostly just replacing files and not getting anywhere, or the phone quickly reboots if I replace certain system files (ifconfig, toybox, toolbox, etc.). When it works, it says I have root, but it is VERY limited due to SELinux and the context. I am also unable to get a root shell open.
SELinux is protected and I haven't been able to find a way to make it permissive as of yet. Past attempts at editing the recovery or init have resulted in "secure boot error 1003"; the phone reboots, and it is then still stock...
If I grenade this thing, I will only slightly give a f**k. I am not above pulling this thing apart and trying to JTAG my way in if I need to, as it is not my only device. That seems to me to be the only way at the moment, aside from finding another kernel exploit like dirtycow or rowhammer... Unless someone else has another idea, but for now I am going to pursue the JTAG route.
Would something that I already own, like a Bus Pirate, RPi, or Arduino Mega, be enough, or would I need something like a Bus Blaster? I just don't want to spend more than I need to. I'd rather spend the money on a new phone than on something like a Medusa Pro.
Any help is appreciated
I am new to LG devices, so perhaps this is a bit different (I've had mostly Samsung or HTC). But from what I can find, that won't help unless it's pre-rooted or my bootloader is unlocked. And I am unable to find a pre-rooted TOT. Unless I am just completely missing something here...
I am not trying to go to stock; the device is already stock and functions mostly all right (aside from the inability to add a Verizon APN, so I'm stuck with 3G). But I am also attempting to have a bit of a failsafe if I wantonly flash something I shouldn't have, and still have a recovery option. Which is why I brought up the JTAG option, as I'm sure I would use it on more than just this device.
Not sure why you are attempting to reinvent the wheel with a device that has been out for 2 years....
LG devices are very different from Samsung and HTC. You should read up on the LGUP tool to flash .kdz and .tot files to put the device as close to stock as possible before any further attempts.
Could also look at entering hidden menu options via the dialer in order to select/modify apn settings.
TWRPinFish can be found here in the development section. Will likely be your only option if you cannot fully unlock the bootloader.
Since the T-Mo and AT&T/international versions allowed bootloader unlock, other variants didn't see as much support. It was easy for us... Sorry to say (for you).
Wish ya the best of luck though
Just a quick remark: could JTAG be used in such a way as to make the bootloader think it is something else, and maybe trick it into doing something?
ElfinJNoty said:
Not sure why you are attempting to reinvent the wheel with a device that has been out for 2 years....
LG devices are very different from Samsung and HTC. You should read up on the LGUP tool to flash .kdz and .tot files to put the device as close to stock as possible before any further attempts.
Could also look at entering hidden menu options via the dialer in order to select/modify apn settings.
TWRPinFish can be found here in the development section. Will likely be your only option if you cannot fully unlock the bootloader.
Since the T-Mo and AT&T/international versions allowed bootloader unlock, other variants didn't see as much support. It was easy for us... Sorry to say (for you).
Wish ya the best of luck though
I don't really see this as reinventing the wheel, as right now there is no root for this device; I am looking for a way to do it though. Which is why I was asking about JTAG/eMMC programming as a viable option to do this; especially if I have a few borked flash attempts, it would be a nice fail-safe.
Most dialer codes do not work, and the few that do pop up a menu saying "This program does not work on your phone"; even though I can see some info behind the toast, I cannot scroll, and as soon as I click OK, it closes.
TWRPinFish is a no-go; you need to be rooted and able to disable SELinux, neither of which I can do.
The name of the file that stores the "oem unlock" seems to be /dev/block/platform/soc.0/f9824900.sdhci/by-name/persis1234
Would someone that is able to oem unlock be able to tell me what the contents of that file are?
aanarchyy said:
The name of the file that stores the "oem unlock" seems to be /dev/block/platform/soc.0/f9824900.sdhci/by-name/persis1234
Would someone that is able to oem unlock be able to tell me what the contents of that file are?
I own a T-Mobile h811
Running ResurrectionRemix Nougat
.../persis1234 not present
I have an LG H812 and I have the same as the previous post: the directory is there, but no persis1234 file. The directory you are indicating contains a list of the partitions that are present on the phone's internal memory.
Hello!
I just picked up a SM-G975U to play with.
Before you get your hopes up, root and BL unlock are NOT POSSIBLE on USA variants at this time!
I created this discussion so those willing and able can brainstorm with me with hopes of achieving root or unlock.
Now, I wouldn't be creating this thread if I didn't think it was possible, or without some form of teasers.
Don't ask me how, but flashing combo is possible. I cannot and will not share the method/files, as they are not mine to share.
I noticed on combo this time around that if you toggle OEM unlock, there is a tag that says "OEM Unlocked" when you enter download mode. When you long-press vol up, it also takes you to the unlock screen. After pressing vol up to accept, it reboots and wipes data.
I am not sure of the steps after this, but so far I haven't been successful in flashing modified firmware. It is possible this is just visual, but I feel this is closer than any past device I've owned. Anyone with know-how on where the flash lock bit is stored would be of great help.
I should be able to flash some partitions after modifying them, such as vbmeta or dtbo, etc., to hopefully unlock the BL, if I only knew what to modify.
This is not a how-to or dev thread, so don't expect me to share any files. It is merely to discuss how the BL is unlocked on SD S10 devices, to hopefully lead to an unlock down the road.
To my understanding, toggling the OEM unlock sets a bit that tells the system that OEM unlocking is allowed, as well as disabling security such as FRP. This persists across reboots, firmware flashes, etc.
After that, in DL mode there is a tag that also says the device is OEM unlocked. At this point you need to actually hold vol up to actually OEM unlock the device.
After this I am unclear. We should be able to flash custom firmware, at which point the verified boot state will be orange and the flash lock bit is 0. In my case, the verified state is still green and flash lock is still 1, and flashes fail unless officially signed.
I know the dtbo is related to verity and vbmeta to verified boot. Vaultkeeper to RLC. Then you have metadata, a few "keys"-related partitions, etc.
What is everyones take on this? Any ideas/suggestions are greatly appreciated in advance!
some screens
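The post above describes the state it is stuck in as "verified state is still green and flash lock is still 1" with the OEM unlock toggle set. Android exposes exactly those values as system properties, so a quick way to record the device's state before and after each attempt is to pull them with `getprop` and summarise them. The script below is an added example and is not code from the thread or from Samsung. The property names (ro.boot.verifiedbootstate, ro.boot.flash.locked, ro.oem_unlock_supported, sys.oem_unlock_allowed) are the standard Android ones; whether a given OEM build populates all of them is an assumption. The two getprop dumps are constructed by hand so the script runs offline; only live_props() touches a real device.

```python
"""Summarise bootloader-lock and verified-boot state from `getprop` output.

Added example, not code from the thread.  Property names are standard Android;
the sample dumps are constructed.
"""
import re
import subprocess
from typing import Dict, Optional

# One line of `getprop` output looks like:  [ro.boot.flash.locked]: [1]
_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn raw `getprop` output into a {name: value} dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def boot_state(props: Dict[str, str]) -> Dict[str, object]:
    """Derive a verdict from the lock-related properties.

    ro.boot.verifiedbootstate: green = locked, OEM-signed image; yellow =
    locked, user-trusted key; orange = unlocked; red = verification failed.
    ro.boot.flash.locked: 1 = bootloader rejects unsigned images, 0 = unlocked.
    sys.oem_unlock_allowed: 1 = the "OEM unlocking" toggle is set, which only
    permits an unlock; it does not perform one.
    """
    vb = props.get("ro.boot.verifiedbootstate", "unknown")
    flash_locked = props.get("ro.boot.flash.locked", "unknown")
    toggle_supported = props.get("ro.oem_unlock_supported") == "1"
    toggle_set = props.get("sys.oem_unlock_allowed") == "1"

    if flash_locked == "0" and vb == "orange":
        verdict = "unlocked"
    elif flash_locked == "1" and vb in ("green", "yellow"):
        verdict = "locked, unlock permitted but not performed" if toggle_set else "locked"
    else:
        verdict = "inconsistent: check the raw properties"

    return {
        "verifiedbootstate": vb,
        "flash_locked": flash_locked,
        "oem_unlock_supported": toggle_supported,
        "oem_unlock_allowed": toggle_set,
        "verdict": verdict,
    }


def live_props(serial: Optional[str] = None) -> Dict[str, str]:
    """Pull the properties from an attached device over adb (needs a real device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_getprop(out)


# Constructed sample: the situation in the post (green, flash lock 1,
# toggle set, flashes still rejected).
SAMPLE_TOGGLED_STILL_LOCKED = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [1]
[ro.build.version.release]: [9]
"""

# Constructed sample: what a completed unlock is expected to report.
SAMPLE_UNLOCKED = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [1]
"""

if __name__ == "__main__":
    for name, text in (("toggled", SAMPLE_TOGGLED_STILL_LOCKED), ("unlocked", SAMPLE_UNLOCKED)):
        print(name, boot_state(parse_getprop(text)))
```

Run it against a device with `boot_state(live_props())` and keep the dict from each attempt; a change in `flash_locked` or `verifiedbootstate` between two runs is the signal that a flash actually altered the lock state rather than just the download-mode banner.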
Welcome aboard! Appreciate all your work from the Note9! Kudos
Hey OP, I know you from somewhere.... Epic Touch 4G forums?? I can't remember what device you had, but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we have SD, which is different, but maybe a shot?
krazy_smokezalot said:
Hey OP, I know you from somewhere.... Epic Touch 4G forums?? I can't remember what device you had, but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we have SD, which is different, but maybe a shot?
Haha, I did own an Epic 4G Touch back in the day... was more lurking way back then, but who knows lol.
For an update, no luck yet lol. Been messing with combo on G975U, but no easy way in yet. I have managed to change some stuff on efs and other partitions.
The binary checks Sammy implemented starting in the S9 devices suck.
I am still looking though.
I now have uid 1000 access. With how SELinux contexts and ownership are in Pie, though, I can only access stuff that is mounted rw and system user/group, which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.
Dev block wise, I can access the persistent and steady partitions; other than that, I can write to the ones that are already mounted.
uid 1000 is a step in the right direction though... beats shell uid 2000.
Not to mention the method for uid 1000 should be there on any Sammy device with combo firmware lol.
Hi, is there anything I can do to help at all? Because if so, I am willing. I have found some stuff online as well; I posted it in a different post but can share it here if you are interested.
I am definitely interested in learning more and being a part of this convo, fellas! I have been in the Bus for at least 8 years now and want to learn the next step, which is how to navigate around the S10/S10+ security features. Anyone mind showing me a few ropes, please?
elliwigy said:
Not to mention the method for uid 1000 should be there on any Sammy device with combo firmware lol.
This is similar to the techniques used to write IMEI on CPID phones. Can you share the scripts you use for temp root?
Chibisuke1219 said:
Hi, is there anything I can do to help at all? Because if so, I am willing. I have found some stuff online as well; I posted it in a different post but can share it here if you are interested.
Any good reads are welcome!
Vell123 said:
This is similar to the techniques used to write IMEI on CPID phones. Can you share the scripts you use for temp root?
There are no scripts lol. I can't share the method or files to get to combo.
An update, however: I noticed with system privs you can access the efs folder.
I found a way to pass kernel cmdline to the bootloader to set ro props.
I am still messing with it and need an RMA, as I messed up my efs and can't get cell service now lol.
Will S10+ Snapdragon get root/Magisk anytime soon?
Sent from my MI 8 using Tapatalk
Vuska said:
Will S10+ Snapdragon get root/Magisk anytime soon?
Who knows lol. Similar to N9, it seems like I'm the only one working on it lol.
Currently stuck in a boot loop, as I found an exploit for kernel cmdline injection and set ro.secure=0, which it didn't like. I didn't read the info Sammy posted on new security on the S10 lineup around additional security around RKP and Knox Verified Boot. It is not the same as, say, Pixel devices, as they added onto it.
I was told in the other thread that what I had found was more than likely BS, but if you still want the link I can give it. Also, I am still willing to use my phone as some help if you need it.
Edit: switching phones, sorry guys, but keep working hard. I will keep looking for new S10+ finds even though I won't have it, and I'll keep you updated with whatever I find.
Try and flash G97500. I know on older devices it would boot if you used FlashFire; not sure if you can dd it or not. Odin probably won't like it, but worth a try: just make a system tar and flash it, but you would also need that combo firmware.
I'm rockin' the s10+ (am g975u)....
I want root!
I will make pwnage!
Stay tuned!
Ph3n0x said:
Try and flash G97500. I know on older devices it would boot if you used FlashFire; not sure if you can dd it or not. Odin probably won't like it, but worth a try: just make a system tar and flash it, but you would also need that combo firmware.
Won't work... secure check fail, since it's signed with different keys.
elliwigy said:
I now have uid 1000 access. With how SELinux contexts and ownership are in Pie, though, I can only access stuff that is mounted rw and system user/group, which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.
Dev block wise, I can access the persistent and steady partitions; other than that, I can write to the ones that are already mounted.
uid 1000 is a step in the right direction though... beats shell uid 2000.
Since you have UID 1000 access, wouldn't you be able to dump the partitions off the phone?
If so, why not dump each of the writable partitions and then compare checksums/bits before and after doing the unlock?
I have the g975u and am willing to help however
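The suggestion above, dumping each readable partition before and after the unlock step and comparing them, is the cheapest way to locate a lock flag without knowing the layout in advance. A plain checksum only says that something changed; what you actually want is the offset and the bytes. The script below is an added example, not code from the thread. It assumes the dumps were taken with something like `dd if=/dev/block/by-name/persistent of=/sdcard/persistent.before` on a device where the partition is readable (the post says persistent and steady are, with uid 1000); the two byte strings in the script are constructed by hand, with a single flag byte flipped at an arbitrary offset, so it runs offline.

```python
"""Report exactly which byte ranges differ between two dumps of one partition.

Added example, not code from the thread.  The sample dumps are constructed;
the real offset and encoding of any lock flag are not known here.
"""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_ranges(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) byte ranges where the two dumps differ.

    Consecutive differing bytes are merged into one range; a length mismatch
    is reported as a final range covering the extra tail.
    """
    common = min(len(before), len(after))
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(common):
        if before[i] != after[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(before) != len(after):
        ranges.append((common, max(len(before), len(after))))
    return ranges


def describe_changes(before: bytes, after: bytes, context: int = 4) -> List[str]:
    """One human-readable line per changed range, with a few bytes of context."""
    if sha256_hex(before) == sha256_hex(after):
        return ["identical (sha256 %s)" % sha256_hex(before)]
    lines = []
    for start, end in changed_ranges(before, after):
        lo, hi = max(0, start - context), end + context
        lines.append(
            "0x%08x..0x%08x (%d byte(s)): before=%s after=%s"
            % (start, end, end - start, before[lo:hi].hex(), after[lo:hi].hex())
        )
    return lines


def compare_files(before_path: str, after_path: str) -> List[str]:
    """Same comparison for two dump files pulled off the device."""
    with open(before_path, "rb") as f:
        before = f.read()
    with open(after_path, "rb") as g:
        after = g.read()
    return describe_changes(before, after)


# Constructed sample: a 4 KiB all-zero partition in which one byte flips from
# 0x00 to 0x01 at offset 0x1ff, standing in for an unknown lock flag.
FLAG_OFFSET = 0x1FF
SAMPLE_BEFORE = bytes(4096)
_after = bytearray(SAMPLE_BEFORE)
_after[FLAG_OFFSET] = 0x01
SAMPLE_AFTER = bytes(_after)

if __name__ == "__main__":
    for line in describe_changes(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(line)
```

Pull the dumps with `adb pull` and call `compare_files("persistent.before", "persistent.after")` for each partition; a partition that reports "identical" across the toggle and the vol-up unlock screen can be ruled out, and a partition that shows a one- or few-byte change at a fixed offset is the candidate to look at closely. Compare dumps from the same firmware build only, since an update can rewrite unrelated bytes and drown out the flag.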
Hello guys!
After much research on the internet about unbricking the Moto Z2 Force, after many forums, tutorials, tools, blankflash, etc., I've come to the conclusion: I've not found anyone who has managed to recover a Moto Z2 Force from a hard brick with a locked bootloader.
Many are hopeful that it is possible to do so, but I believe it is no more than a fairy tale.
If you succeeded, please help others to get it too.
andrecesarvieira said:
Hello guys!
After much research on the internet about unbricking the Moto Z2 Force, after many forums, tutorials, tools, blankflash, etc., I've come to the conclusion: I've not found anyone who has managed to recover a Moto Z2 Force from a hard brick with a locked bootloader.
Many are hopeful that it is possible to do so, but I believe it is no more than a fairy tale.
If you succeeded, please help others to get it too.
My second Z2 kept bricking and locking itself. My only saving grace was that I was able to unlock it, since I still had the unlock code, and since it wouldn't boot, it would accept the unlock code. It is a slot A/B issue where your phone never took an OTA (I flashed all to Oreo and tried flashing DU and AOSP before taking an OTA to open slot B). This caused the phone to lock itself and go a little nuts. But it was unlocked, then locked due to slot issues, so it shouldn't count. Maybe my story is a fairy tale... No... I remember spending the hour trying to figure out why this thing wouldn't install an AOSP ROM but my other would just fine, then facepalming when I figured out I just needed to take an OTA.
This person had a locked bootloader, and we were able to sort through it and get it back to good. Maybe yours is a little worse off, idk, but the gist should be the same. I'm not sure what you've tried, whether you can load an OS, etc. Here is a link to the thread where we finally got it sorted; it's a little hit and miss, but maybe it'll get you going in the right direction.
https://forum.xda-developers.com/z2-force/help/help-help-help-deep-cable-flash-cable-t3925742
41rw4lk said:
This person had a locked bootloader, and we were able to sort through it and get it back to good. Maybe yours is a little worse off, idk, but the gist should be the same. I'm not sure what you've tried, whether you can load an OS, etc. Here is a link to the thread where we finally got it sorted; it's a little hit and miss, but maybe it'll get you going in the right direction.
https://forum.xda-developers.com/z2-force/help/help-help-help-deep-cable-flash-cable-t3925742
Alas this person had a different problem from me. It sounds like they had something of a pseudo-lock that just needed a nudge to get the kernel to recognize the OEM unlock had been authorized.
The above thread may prove useful to people who have had issues with locked bootloader but who have access to the system.
I do not have access to the system. The fastboot oem blankflash command is "restricted" for me. Yet it still classifies both slots as bootable; it just refuses to boot them, which is not enough to trigger any emergency download, apparently. It seems this person never succeeded in doing that, because they found an easier way.
I'm really trying to figure out if buying a cable would be worth it, but I have doubts. I was able to access my USB hub and manually short the pin, using a voltmeter and some wire to find which traces were connected, exactly mimicking the action of most "deep flash" cables.
No dice.
That, and I read that the MSM8998 doesn't use the same programmer as other Qualcomm Androids, possibly an older one, and I haven't found any reference to which one. I think blankflash should be possible on these phones, but triggering EDL seems impossible from my position, since I have no adb but I do have a basically useless bootloader, which aggressively overrides EDL. :angel:
Basically, the way I see this, my bootloader thinks it's serving a purpose: fending off modified system files, which I unwittingly made its only function when I locked it. It is forbidden from handing over the power of my Z Force to a patched OS. Since the bootloader exists and is technically able to boot, it's just not allowed; EDL will never be activated, because it utterly defeats Android security. EDL is the backdoor that opens when everything else is completely gone or unintelligible. Is that accurate? :cyclops:
I am beginning to accept that my phone was not meant to be rooted, really, in the sense that, yes, it's Linux and you can, but it's basically been booby-trapped by Lenovo, and if you fall for the logic I did at first and try relocking it at the first sign of strange behavior, you have to buy a new phone. Exactly what they want.
OK, so I just got out of prison and used to have a rooted phone; actually, I've rooted all my phones. I can't find a single walkthrough for this phone; matter of fact, I can't find anything on it. I want to root it because I want to get rid of ads, get a custom recovery, and possibly a ROM that's more customizable. It's through Straight Talk. Can anyone help me, please? Once again, it's an SM-S260DL.
Just bumping this to see if there's any response. I also have an SM-S260DL, and it's locked up tight. The "OEM unlock" option is hidden in settings, and I've tried tricks posted online to reveal it, but they don't work. I also went to an authorized Samsung service, and they couldn't do anything. They are bound by a Samsung agreement that they can't flash any FW on a device except for the original stock FW (to repair only), and there is only one file officially available for the SM-S260DL, which is the same FW it has, which is Tracfone branded (which is probably the reason it's so inaccessible).
I have network unlocked it using Samkey, and have access to freeze system apps and write secure settings using adb and the Island/AppOps/SetEdit apps, but would really like to be able to unlock the BL. I know it's made unlockable by Samsung, but how can I get to it?
Any way to use activity manager or other adb commands to toggle the switch through a terminal, or...?
Thanks
Hello,
I'm looking for stock firmware for this device. I'm having difficulties flashing the firmware I have found for it. I need the BIT 5 version to flash in Odin.
Thanks.
Sounds as if all our S260DLs need the same bit, as I've also been searching for it. It is listed as downloadable with the Z3x box server, as a torrent file, so I don't know if there is an actual file attached to it. I have been able to get a couple of torrents to work, but not this one. I have Chimera, and it has 0 files for this model.
Interestingly enough, when looking into this device, I found a post that shows an image of the S260DL, and on the screen the firmware installed is J260Axxxxx.
If I remember correctly, it was a leak before the official release/announcement for the device.
I'm thinking it'll be accessible soon, or I'll end up getting the Z3x box soon anyway. I'll update here if found, etc.
Bootloader's locked tight; no root for this device unless an exploit is found.
Can easily be network unlocked for use on other carriers though.
Please help with this phone.
OuijaElite said:
Sounds as if all our S260DLs need the same bit, as I've also been searching for it. It is listed as downloadable with the Z3x box server, as a torrent file, so I don't know if there is an actual file attached to it. I have been able to get a couple of torrents to work, but not this one. I have Chimera, and it has 0 files for this model.
Interestingly enough, when looking into this device, I found a post that shows an image of the S260DL, and on the screen the firmware installed is J260Axxxxx.
If I remember correctly, it was a leak before the official release/announcement for the device.
I'm thinking it'll be accessible soon, or I'll end up getting the Z3x box soon anyway. I'll update here if found, etc.
Dude, what happened? Did you manage to move forward with the device?