• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Root Don't know if this matters, but... (Regarding Morningcall)

I copied the wallpaper file in /sbin and opened it in a hex editor, and looked for anything referring to morningcall and sure enough, in offset 0002C660 to 0002C790 it says:

Code:
-d.-ap. nonsecure image./system/bin/morningcall.rb. 
Morningcall is empty.png.errorlogo.
Morningcall is empty.. 
Cannot read morningcall.
Cannot read morningcall.. 
Morningcall cannot be verified. 
Morningcall cannot be verified..
-crypto.-------------------------------------------------------------------------------. 
CRYPTO LIBRARY TEST UNSUCESSFUL

So, I pulled up /system/bin/morningcall and it was just a bunch of random nonsense. So, I was thinking, if we could just read what is in the morningcall file, we may gain some weapons in the arsenal against the bootloader?

Also, in the wallpaper file, there is this:

.-framework. Welcome Security Framework!! . 01. Error Dispaly Test . 02. Application Certificate Test . 03. Crypto Library Test . 04. TrustZone QFPROM Test . 05. TrustZone SFS Test . 06. TrustZone H/W Crypto Engine Test . exit -To exit this test application.Please enter Test number? .%s.exit.Security Framework Bye Bye!!.1.Please input mode? [png or text]: .Please input data? : .Error Display Test Successful. Success !!! Error Display Test .2. Application certificate verification unsucessful . Application certificate verification successful .3.Please Crypto Method (ex: MD5, SHA1, SHA2, ENC(AES), DEC(AES)) : .Please input file? : .Please enter out file name? : . Crypto Library Test Unsuccessful . Crypto Library Test Successful.4.Please Select? [read or write] : . TrustZone QFPROM Test Unsuccessful. TrustZone QFPROM Test Successful.5.Please enter make directory name? [no or make directory name] : .Please enter make file name? [no or make file name] : .Please enter data? : .Please enter test delete file option? [yes or no] : . TrustZone SFS Test Unsuccessful. TrustZone SFS Test Successful.6.. hash .. encrypt .. decrypt .. prng .. exit -To exit this test .Please enter Test name? .TrustZone H/W Crypto Engine Test Bye Bye!!. TrustZone H/W Crypto Engine Test Unsuccessful. TrustZone H/W Crypto Engine Test Successful.No such test command available!.WRITE.write.Please Write QFPROM Address [HEX] : 0x.Please enter Write value LSB ? [HEX] : 0x.Please enter Write value MSB ? [HEX] : 0x./sys/devices/platform/lge-msm8960-qfprom/addr.wt. Cannot open QFPROM address Driver ./sys/devices/platform/lge-msm8960-qfprom/lsb. Cannot open QFPROM lsb Driver./sys/devices/platform/lge-msm8960-qfprom/msb. Cannot open QFPROM msb Driver ./sys/devices/platform/lge-msm8960-qfprom/enable. Cannot open QFPROM read Driver ./sys/devices/platform/lge-msm8960-qfprom/write. Cannot open QFPROM enable Driver . Cannot open QFPROM address Driver./sys/devices/platform/lge-msm8960-qfprom/read. Cannot open QFPROM lsb Driver .%x. Write QFPROM Address : 0x%X .. Write QFPROM Value [LSB] [MSB] : 0x%X 0x%X..READ.read.Please Read QFPROM Address [HEX] : 0x. Read QFPROM Address : 0x%X .. Read QFPROM Value [LSB] [MSB] : 0x%X 0x%X.. Security_interface_tool_crypto_library_test is NULL.. Cannot open Image . Cannot read Image .MD5.md5.SHA1.sha1.SHA2.sha2.DEC.dec.ENC.enc. No such method is available! . Security_interface_command = %d ..w+b. Cannot open Output Image . Cannot write Output Image .[WALLPAPER] : Application certification is NULL..[WALLPAPER] : Cannot read Application certificate ..". Module : %s ..[WALLPAPER] : Length of application string is at Max..[WALLPAPER] : Number of applications in the list has reached Max..%s%s.[WALLPAPER] : Cannot open %s ..[WALLPAPER] : Verify Check Module : %s size : %d..[WALLPAPER] : Cannot read %s file ..[WALLPAPER] : Hash calculate unsuccessful %s file ..[WALLPAPER] : Verify check module hash : 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X.[WALLPAPER] : Application hash verification unsucessful! ..[WALLPAPER] : Application authentication unsuccessful! ../proc/cmdline.[WALLPAPER] : Cmdline: %s.Cmdline: %s ..[WALLPAPER] : Cann't open cmdline..Cann't open cmdline. .lge.signed_image=false.[WALLPAPER] : lge.signed_image=false.lge.signed_image=false .lge.signed_image.false.lge.signed_image=true.[WALLPAPER] : lge.signed_image=true.true.lge.signed_image=true .[WALLPAPER] : lge.signed_image unknown.------------------------------------------.

There are several references to a "Cypto Library". Maybe if we find it, it will help us somehow?

I don't know. I'm just a noob, and I maybe throwing darts out into the darkness, but I think if we find these things, we may find other things that may help out efforts in unlocking the bootloader :D If you wanna check out the full wallpaper file, then check out this pastebin HERE.
 
Worth mentioning.

While the phone is plugged in via usb to pc and then boot into cwm. Pc will ask you to install drivers for lgf160L.

That is the LTE2. We are using its cwm.


I think we all need to take a crack at this. Its not too hard, just download a hex editor, copy and paste stuff from /sbin, /system/bin, and other places them open it up in the hex editor, read it, and post your findings here.

If a brave soul is willing, we can try to look at wallpaper files from other LG phones. We need to really get our hands dirty... WHO IS WITH ME?! ;)
 
  • Like
Reactions: Scorpion7867
Upvote 0
The fact that the pc prompts for drivers while the phone has not fully booted. Is worth looking into..

I believe this similir to what adam discovered with the note 2.

He.discovered that the kernel was loaded while the phone is charging. Thru this he found an exploit.
I believe that to be the case with our phone, too. I've observed my phone charging several times. It seems to start booting, then goes into a charge mode as opposed to booting into the GUI; seems the kernel would be loaded in this state.

I haven't done any tests or logging to confirm this though.
 
Upvote 0
I believe that to be the case with our phone, too. I've observed my phone charging several times. It seems to start booting, then goes into a charge mode as opposed to booting into the GUI; seems the kernel would be loaded in this state.

I haven't done any tests or logging to confirm this though.

What if we build a kernel from source that wouldn't have the wallpaper file. No wallpaper = no morningcall? No morningcall = able to pass the bootloader??????
 
Upvote 0
What if we build a kernel from source that wouldn't have the wallpaper file. No wallpaper = no morningcall? No morningcall = able to pass the bootloader??????
I think we need to confirm that plugging the phone in to charge while it is cold-off activates the kernel. Once we know that, we should have someone with a Morningcall error plug their phone in to see how far the phone is actually booting.

If the kernel does load for charge mode, and if a phone stuck with a Morningcall boots up enough to charge without the error, there may be something there, I think. It seems that would indicate that the kernel loaded without security.
 
Upvote 0
I think we need to confirm that plugging the phone in to charge while it is cold-off activates the kernel. Once we know that, we should have someone with a Morningcall error plug their phone in to see how far the phone is actually booting.

If the kernel does load for charge mode, and if a phone stuck with a Morningcall boots up enough to charge without the error, there may be something there, I think. It seems that would indicate that the kernel loaded without security.

How can we confirm the kernel is being activated ?iv accidentally put my phone in morning call mode by deleting the wrong apps I'm down to test just need some direction
 
Upvote 0
How can we confirm the kernel is being activated ?iv accidentally put my phone in morning call mode by deleting the wrong apps I'm down to test just need some direction

I don't know. I'm a nerd, not a dev. :)

Trying to learn, though. This gets me blood pumping.

We need a way to see behind the splash screen, or some way to log the system console as it starts/boots.
 
Upvote 0
I think we need to confirm that plugging the phone in to charge while it is cold-off activates the kernel. Once we know that, we should have someone with a Morningcall error plug their phone in to see how far the phone is actually booting.

If the kernel does load for charge mode, and if a phone stuck with a Morningcall boots up enough to charge without the error, there may be something there, I think. It seems that would indicate that the kernel loaded without security.

Because the kernel IS the security... Or at least one of the main ones...
 
Upvote 0
Because the kernel IS the security... Or at least one of the main ones...

For sure, I thought about that as I was posting. BUT, when charging, it may be in a mode where the initial security is satisfied, and perhaps we can find a way to pass code to the kernel to make it do something it shouldn't... :thinking:



edit: on a side note, do we have anyone that can pull the bootloaders from the device and reverse-engineer them, so to speak? Perhaps then, we can build a ground-up bootloader without security altogether?

Compaq did it in the 80's, we can do it too. :D
 
Upvote 0

BEST TECH IN 2023

We've been tracking upcoming products and ranking the best tech since 2007. Thanks for trusting our opinion: we get rewarded through affiliate links that earn us a commission and we invite you to learn more about us.

Smartphones