
Question...

Discussion in 'Android Devices' started by zeest, Jul 1, 2013.

  1. zeest

    zeest Android Enthusiast
    Thread Starter

    Just a thought... What would happen if I were to boot my phone, use adb to completely nuke the filesystem except for the kernel, bootloader, and boot (this should be enough to have at least basics working, right?), then replace it with the filesystem from another phone that is unlocked? Is this possible? If so, when I have some money, I might buy a used motion and give it a shot...
     



  2. omgbossis21

    omgbossis21 Android Enthusiast

    Not gonna happen lol. Phone still locked that way anyway. I have an idea though, I'll PM you.
     
  3. zeest

    zeest Android Enthusiast
    Thread Starter

    Yes, the phone would still be locked, but we could then modify our bootloader to be unlocked, without the Secure Bootloader checks getting in our way.
     
  4. omgbossis21

    omgbossis21 Android Enthusiast

    No, because you're basically saying replace the operating system, just like a ROM.
     
  5. zeest

    zeest Android Enthusiast
    Thread Starter

    No, replace the bootchain. SBL1-3, maybe TZ (if it is bootchain/loader-specific), then the bootloader once we know this works. In theory, I believe this should work, but it is extremely risky. It was done for the LG Spectrum (http://androidforums.com/spectrum-a...oot-cwm-lg-spectrum-4g-ics-linux-install.html). One mistake, one thing goes wrong, or one thing just doesn't match up and, to the best of my knowledge, there is no recovering unless you happen to have a jtag. Even then, it's questionable. Does anyone happen to have a diagram for a jtag that works with our phone and that is fairly cheap to make (~$10)? Also, pm'ed you back.
     
  6. omgbossis21

    omgbossis21 Android Enthusiast

    A device with an unlocked bootloader whose aboot, tz, rpm and sbl partitions reside in the same block (perhaps the G, I know many blocks are the same) and I think it's more than worth a shot. However our emode prolly resides in rpm block?
     
  7. me_tuyuu

    me_tuyuu Lurker

    I am new to this forum and don't know how to post my questions.
    Can you help me out?
    I have some problems...
    My Galaxy Samsung back camera and flash light don't work...
    Android version 4.1.9 Jelly
     
  8. zeest

    zeest Android Enthusiast
    Thread Starter

    I'll ask the people in the Optimus G IRC about their block locations. If one of the guys from the team that created freegee is there, I'll talk to them; they seem to know what they are doing, much more than I do.

    @me_tuyuu
    I sent you a message.




    EDIT:
    Thank you google!
    http://pastebin.com/v5cHuWM9
    http://androidforums.com/5240284-post437.html

    Looks good to me :D

    EDIT2:
    http://pastebin.com/7QJ706KA
    Sizes are the same too :D

    Now to get the partitions, then that will be the hard part.
     
  9. zeest

    zeest Android Enthusiast
    Thread Starter

    well...
    Anyone here have a jtag diagram? I know someone had a jtag, just can't remember who...
     
  10. JJ_Azevedo

    JJ_Azevedo Android Enthusiast

    Partition: MODEM at 0x000000800000
    Partition: SBL1 at 0x000004800000
    Partition: SBL2 at 0x000004880000
    Partition: SBL3 at 0x000004900000
    Partition: ABOOT at 0x000004A00000
    Partition: RPM at 0x000004A80000
    Partition: TZ at 0x000006000000
    Partition: PAD at 0x000006080000
    Partition: MODEMST1 at 0x000006080400
    Partition: MODEMST2 at 0x000006380400
    Partition: SNS at 0x000006800000
    Partition: MISC at 0x000007000000
    Partition: SYSTEM at 0x000008000000
    Partition: USERDATA at 0x000048000000
    Partition: PERSIST at 0x0001B3C00000
    Partition: CACHE at 0x0001B4400000
    Partition: TOMBSTONES at 0x0001C5000000
    Partition: RECOVERY at 0x0001C9800000
    Partition: FSG at 0x0001CA400000
    Partition: SSD at 0x0001CA700000
    Partition: DRM at 0x0001CA800000
    Partition: FOTA at 0x0001CB000000
    Partition: MPT at 0x0001CD000000
    Partition: TZBAK at 0x0001CF000000
    Partition: RPMBAK at 0x0001CF080000
    Partition: ENCRYPT at 0x0001CF100000
    Partition: RESERVED at 0x0001CF800000
    Partition: GROW at 0x0001D0800000

    by kanishk619

    Is this what you're looking for?
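As an added example (not from the thread or any of its posters), the following Python script turns a dump like the one above into per-partition sizes and compares the bootchain partitions between two layouts. The first layout is the LG Motion 4G list posted above; the second is a constructed variant with one shifted offset, used only to show how a size mismatch is reported before anything is written to flash. The regex, the `BOOTCHAIN` tuple and all function names are this example's own.

```python
"""Derive partition sizes from a flat list of start offsets and compare the
bootchain partitions of two layouts.  Added example, not from the thread.
Sizes are computed as the distance to the next start offset, so where a
layout leaves unallocated gaps the figure is an upper bound, not the exact
partition length."""
import re
from typing import Dict, List, Optional, Tuple

# Matches lines of the form "Partition: NAME at 0xOFFSET" as posted above.
LINE_RE = re.compile(r"Partition:\s+(\w+)\s+at\s+0x([0-9A-Fa-f]+)")

# LG Motion 4G layout as posted in the thread (by kanishk619).
MOTION_LAYOUT = """\
Partition: MODEM at 0x000000800000
Partition: SBL1 at 0x000004800000
Partition: SBL2 at 0x000004880000
Partition: SBL3 at 0x000004900000
Partition: ABOOT at 0x000004A00000
Partition: RPM at 0x000004A80000
Partition: TZ at 0x000006000000
Partition: PAD at 0x000006080000
Partition: MODEMST1 at 0x000006080400
Partition: MODEMST2 at 0x000006380400
Partition: SNS at 0x000006800000
Partition: MISC at 0x000007000000
Partition: SYSTEM at 0x000008000000
Partition: USERDATA at 0x000048000000
Partition: PERSIST at 0x0001B3C00000
Partition: CACHE at 0x0001B4400000
Partition: TOMBSTONES at 0x0001C5000000
Partition: RECOVERY at 0x0001C9800000
Partition: FSG at 0x0001CA400000
Partition: SSD at 0x0001CA700000
Partition: DRM at 0x0001CA800000
Partition: FOTA at 0x0001CB000000
Partition: MPT at 0x0001CD000000
Partition: TZBAK at 0x0001CF000000
Partition: RPMBAK at 0x0001CF080000
Partition: ENCRYPT at 0x0001CF100000
Partition: RESERVED at 0x0001CF800000
Partition: GROW at 0x0001D0800000
"""

# Constructed second layout (not a real device): identical except that SBL2
# starts 0x40000 later, which makes SBL1 larger and SBL2 smaller.
OTHER_LAYOUT = MOTION_LAYOUT.replace(
    "SBL2 at 0x000004880000", "SBL2 at 0x0000048C0000"
)

# Partitions the thread proposes to transplant; a size mismatch in any of
# these is the first thing to check.
BOOTCHAIN = ("SBL1", "SBL2", "SBL3", "ABOOT", "RPM", "TZ")


def parse_layout(text: str) -> List[Tuple[str, int]]:
    """Return (name, start_offset) pairs in the order they appear."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            parts.append((m.group(1), int(m.group(2), 16)))
    return parts


def partition_sizes(parts: List[Tuple[str, int]]) -> Dict[str, Optional[int]]:
    """Size of each partition = next start offset - own start offset.
    The last entry has no successor, so its size is reported as None."""
    ordered = sorted(parts, key=lambda p: p[1])
    sizes: Dict[str, Optional[int]] = {}
    for (name, start), (_, nxt) in zip(ordered, ordered[1:]):
        if nxt <= start:
            raise ValueError(f"duplicate start offset at {name}: 0x{start:X}")
        sizes[name] = nxt - start
    sizes[ordered[-1][0]] = None
    return sizes


def compare_bootchain(a: str, b: str, names=BOOTCHAIN) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """List (name, size_in_a, size_in_b) for bootchain partitions whose sizes
    differ, or that are missing from one layout.  Empty list means match."""
    sa = partition_sizes(parse_layout(a))
    sb = partition_sizes(parse_layout(b))
    return [(n, sa.get(n), sb.get(n)) for n in names if sa.get(n) != sb.get(n)]


if __name__ == "__main__":
    for name, size in partition_sizes(parse_layout(MOTION_LAYOUT)).items():
        print(f"{name:<11} {'?' if size is None else f'0x{size:X}':>12}")
    print("bootchain mismatches vs constructed layout:",
          compare_bootchain(MOTION_LAYOUT, OTHER_LAYOUT))
```

Run stand-alone it prints every Motion partition with its derived size (SBL1, SBL2, ABOOT and TZ each come out at 0x80000, SYSTEM at 0x40000000) and then reports SBL1 and SBL2 as the two bootchain partitions whose sizes differ in the constructed layout. Note that TZ and TZBAK are both 0x80000 while RPM (0x1580000) is far larger than RPMBAK (0x80000), which is the "upper bound" caveat from the docstring showing up: the space between RPM and TZ is not necessarily all RPM.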
     
  11. zeest

    zeest Android Enthusiast
    Thread Starter

    No, I need a jtag diagram so I can replace stuff without fear of bricking. Although you did help me by telling me the name of the person with the jtag, thanks lol.
     
  12. JJ_Azevedo

    JJ_Azevedo Android Enthusiast

    welcome lol
     
  13. omgbossis21

    omgbossis21 Android Enthusiast

    It was kanishk who made the JTAG work, supposedly, though he refused to share the pinout, but with the right msm8960 guide you may have the pinouts.
     
  14. AquerMang

    AquerMang Well-Known Member

    Just so you know, I've already bricked my Spirit trying this. And good luck with jtag. I know it's disabled in the bootloader on the Spirit.

    QHSUSB recovery will also not work until we have a copy of the HEX and MBN files for our phone(s) signed by LG.
     
  15. zeest

    zeest Android Enthusiast
    Thread Starter

    Maybe he refuses to share the pinout because he (dramatic pause) works for LG! He is undercover, watching our progress and reporting it to LG... lol, jk (hopefully)
     
  16. omgbossis21

    omgbossis21 Android Enthusiast

    If the phone is disassembled it should be easy to identify with the released msm8960 files. They show the pinout I believe.
     
  17. AquerMang

    AquerMang Well-Known Member

    Pinout's not gonna matter because jtag should be disabled on the SoC as dictated by the qfuse.
     
  18. zeest

    zeest Android Enthusiast
    Thread Starter

    The phone does not need to be disassembled to get to the jtag pins. Take your battery out, pull up the sticker with your phone info, and they are right there. Of course, AquerMang could always be right.

    @AquerMang Do you know which qfuse disables JTAG? If so, I can check if it is blown.
     
  19. AquerMang

    AquerMang Well-Known Member

    Qfuses are apparently read-only in usermode with this kernel/bootchain (haven't diagnosed the cause as kernel or APP/SBL yet), so this doesn't matter. It's QFPROM_DEBUG_ENABLE and it is definitely blown (at least on the Spirit, I don't own a Motion).
     
  20. zeest

    zeest Android Enthusiast
    Thread Starter

    Do you know the physical hex location?
     
  21. zeest

    zeest Android Enthusiast
    Thread Starter

    LG Motion QFUSES

    Fuse Name                   Physical Location  Blown?
    QFPROM_HW_KEY_STATUS        0x702050           Yes
    QFPROM_SECURE_BOOT_ENABLE   0x700310           Yes
    QFPROM_OEM_CONFIG           0x700230           Yes
    QFPROM_DEBUG_ENABLE         0x700220           Yes
    QFPROM_SECONDARY_HW_KEY     0x7002A0           Yes
    QFPROM_READ_PERMISSION      0x7000A8           Yes
    QFPROM_WRITE_PERMISSION     0x7000B0           Yes
    QFPROM_OVERRIDE_REG         0x7060C0           Yes
    QFPROM_CHECK_HW_KEY         0x123456           Yes
    SEC_HW_KEY_BLOWN            0x00000001         Yes
    PRIM_HW_KEY_BLOWN           0x00000002         Yes
    HW_KEYS_BLOCKED             0x00000004         Yes

    QFUSE names and locations obtained from https://android.googlesource.com/ke...f6e/arch/arm/mach-msm/lge/lge_qfprom_access.c
    QFUSE blown status obtained from LG Motion 4G through wallpaper binary.


    Either LG is fuse-blow happy or the locations are wrong.

    EDIT: Sorry about everything being angled, it's the way the forum handles alignment tags *sigh*
     
  22. AquerMang

    AquerMang Well-Known Member

    No, those are supposed to be blown in a production device. That's disabling JTAG and locking everything down via Secure Boot 3.0.

    CHECK_HW_KEY and everything below it is unused (hence the garbage addresses).
     
  23. zeest

    zeest Android Enthusiast
    Thread Starter

    Does QFPROM_OEM_CONFIG have anything to do with "fastboot oem unlock"?
     
  24. AquerMang

    AquerMang Well-Known Member

    A.) it's oem-unlock
    B.) not from anything I can see in the bootloader.

    I am only just learning ARM assembly (come from an x86/game-hacking background) so I could be wrong, but I don't see the QFPROM_OEM_CONFIG address reference anywhere in the fastboot portion of the bootloader. Just in the Secure Boot 3.0 verification codepath.
     
  25. zeest

    zeest Android Enthusiast
    Thread Starter

    What section of the assembly code for the aboot is for fastboot? I have seen commands referenced, but I believe I have just found the reference strings.
     

LG Motion 4G Forum

The LG Motion 4G release date was August 2012. Features and Specs include a 3.5" inch screen, 5MP camera, 1GB RAM, Snapdragon S4 Plus processor, and 1700mAh battery.
