
MISCWRTE AND IOCT AND COPY, my research needs completing #48

Open

xnoxcdm opened this issue Mar 18, 2018 · 25 comments

Comments

xnoxcdm commented Mar 18, 2018

Hi, I am new, but I sniffed LG LS775 7.0 signed firmware and it uses MISCWRTE instead of the WRTE command, because when you send a WRTE command it fails. Can anyone explain?

xnoxcdm changed the title from "MISCWTRE AND IOCT AND COPY)" to "MISCWTRE AND IOCT AND COPY my researtch need complate" Mar 18, 2018
@runningnak3d

@xnoxcdm This is awesome. What tool did you flash with that gave you this sniff?

@runningnak3d

Can you post the full packet capture?

xnoxcdm (Author) commented Mar 18, 2018

I will post the capture, but first let me explain.

On new device firmware, when you want to write data, you have to use:

1. MISCWRTE
2. IOCT
3. COPY
4. IOCT again

@runningnak3d

IOCT enables and disables write protection. I need to see the full packet dump, but it is my guess that the arguments are enable/disable and the partition number. So 61 disables write protection, and 12 is the partition number. But this is a guess. I really need to see the full capture. Also what program did you use to flash and obtain this sniff?

xnoxcdm (Author) commented Mar 20, 2018

If you find something, post the result.

runningnak3d commented Mar 20, 2018

@xnoxcdm What program did you use to flash with? Nevermind, figured it out from the sniff.

I do need to know what partition you were flashing though.

xnoxcdm (Author) commented Mar 21, 2018

Need help, please.

@runningnak3d

Because of endianness, that is 0x4FE00 which in decimal is 327168 -- does that number match up with anything you were flashing? From my tests, that argument doesn't seem to come into play, but I am testing on an LG V20 which has UFS storage and not eMMC storage.

If you can give me more information on the partition being flashed, and your partition layout (run partition.py --list) then I might be able to help you.

-- Brian

xnoxcdm (Author) commented Mar 26, 2018

Found it and succeeded.
00 04 fe 00 is specific to the LS777.
I tried the LS993 and it gave a different value, but I came back and tried the LS777 again and it gives 0004fe00.

Now I can successfully write the carrier and modem partitions.

I made it in Delphi source.

I will post a photo of the success.

gjdunga commented Mar 26, 2018 via email

@runningnak3d

@xnoxcdm Do you plan on releasing your findings?

-- Brian

@runningnak3d

So, here are most of the unknowns:

MISC WRTE,misc_offset,size // misc_offset specifies the offset within the misc partition that you want to start writing. You can verify that by dumping misc after a write, or just use:
MISC READ,misc_offset,size

COPY fd_num,src_offset,size,dst_offset // src_offset being a 512 byte block for eMMC or 4096 byte block for UFS

That leaves IOCT -- and this seems to be where the magic happens.

IOCT fd_num,unk // Need to figure out what the unk is. I believe it is what enables a block device for copying, and then actually forces the copy. But I have nothing to back this up, and the value from the original sniff that was posted does not work on UFS devices.

-- Brian

shinobisoft commented Mar 31, 2018

@xnoxcdm As I have a ls777 I'd definitely like to know what you've figured out too. Post your Delphi code. Someone, myself included, can port it to Python and/or Java.

runningnak3d commented Apr 5, 2018

@shinobisoft writing solved. Please see: https://github.com/steadfasterX/lglaf

He needs to merge the PR, but you can clone the repo and merge it manually.

PLEASE read the instructions. Not all phones have misc in the same location, and for now it is hardcoded. I included instructions on how to get the values for misc_offset and chunksize.

EDIT: you do need to have an unlocked bootloader, or you will bootloop if you modify recovery or boot.

-- Brian

Mr-nerd commented Apr 15, 2018

@runningnak3d can you repost the sniff again, because it's gone?

@runningnak3d

@Mr-nerd It has personal info and I don't feel like scrubbing it, but here is what you need to know:

On Nougat versions of lafd, LG now enforces KDZ v3 only. That means no more TOT flashing, or flashing KDZ v1 or v2 since they lack the SIGN payload.

Starting with v3 KDZs, LG pregenerates AND signs with an RSA cert a payload that is sent with the SIGN opcode. You can't modify it since it is signed, and lafd will not flash using the WRTE opcode (it returns fsync fail) if the SIGN payload has not been sent.

So, we need to abuse the crap out of MISC WRTE. MISC WRTE was intended to make changes to the misc partition. Mainly to remove the string that causes the phone to boot to recovery when an OTA has been taken. Luckily, it doesn't have any hash checks.

So, we can write to misc, but what good does that do? Well, IF you have a version of lafd that still has the COPY opcode, then we can copy from misc to the final destination partition.

So, you get the location and size of misc, and break what you are flashing up into chunks that don't exceed miscs size.

After the first chunk is written to misc, you copy it over to the final partition, then write the next chunk and copy it over, wash, rinse, repeat...

The arguments for MISC WRTE, COPY, and IOCT are as follows:

MISC WRTE,offset,size // offset is in blocks. For eMMC it is 512, for UFS 4096. size is in bytes
COPY fd_num,src_offset,size,dst_offset // src and dst offset are in blocks, size is in bytes
IOCT fd_num,command // param is an encoded ioctl command. The only currently known command is 0x1261 to toggle write protection.

Notice that MISC WRTE doesn't have an fd_num. lafd knows where misc is located, so no OPEN is needed, and so no fd_num. If your misc partition was 8192 bytes, and what you wanted to flash was 32768 bytes, and you misc partition was located at LBA 10000, and the partition you were flashing was at LBA 20000, this is what it would look like:

OPEN
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,20000
IOCT fd_num,0x1261
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,28192
IOCT fd_num,0x1261
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,36384
IOCT fd_num,0x1261
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,44576
IOCT fd_num,0x1261
CLSE fd_num

Hopefully that gives you what you want if you want to write your own implementation.

-- Brian

Mr-nerd commented Apr 16, 2018

@runningnak3d

Thanks man, I just need to know what these refer to:

fd

LBA

,0,

runningnak3d commented Apr 16, 2018

fd_num is file descriptor. When you OPEN a block device, lafd gives you the file descriptor that is now associated with that device. By default, when you issue an OPEN, the block device is opened in read only mode -- that is why you need to issue the IOCT.

LBA is Logical Block Address. In this case, it is the start or end of a partition. If you issue a ./partitions.py --list you get the start and end LBAs for each partition.

The 0 in the MISC WRTE means start at offset zero which is the very beginning of the misc partition. Since it is so small, we want to use all of it, or writing with this method would be very slow.

Lastly, because your misc partition will be overwritten, you need to back it up first, and restore it afterwards.

Also, because there is no hash checking done with MISC WRTE, you must do it yourself. If you are writing to a critical partition, and you have a write failure -- you have just bricked your device.

So, you need to write to the *bak partitions first. For example laf and lafbak, aboot and abootbak, recovery, and recoverybak. You write to the bak partition, then dump it. Hash check what was written to what you were writing. If it matches, THEN issue the COPY from the bak partition to the main. So, from recoverybak to recovery.

I am currently adding all of this to my repo, and I will do a pull request here with all the updates. Not to mention the fact that @tuxuser will lol at my horrid Python -- but hey, it gets the job done.

And it does get the job done. If you have a hash failure, then only thing that is "ruined" is your backup partition because the COPY doesn't happen until the hash matches.

-- Brian
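The two comments above describe a procedure (stage each chunk in misc with MISC WRTE, lift write protection with IOCT, COPY it to the destination LBA, re-arm protection; and, because MISC WRTE does no hash check, write to the *bak partition first, dump it, compare hashes, then COPY bak to main). The following is an added example, not code from this thread or from the lglaf project: it runs the whole sequence against a constructed in-memory block image so the command order and offset arithmetic can be checked offline. FakeLafDevice, its fault_lba knob, the partition layout in demo() and the 512-byte eMMC block size are all assumptions made for the example; in particular, advancing the destination LBA by bytes-written // BLOCK is my reading of "offsets are in blocks" and must be checked against partitions.py --list and a dump of the destination before trusting it on real hardware.

```python
"""Added example (not lglaf code): simulate the MISC WRTE -> IOCT -> COPY -> IOCT
chunked write path from the thread, plus the bak-partition hash check.
The device is a constructed in-memory block image; command strings use the
thread's syntax so the emitted sequence can be compared with the comment."""
import hashlib

BLOCK = 512                 # eMMC block size; the thread says UFS uses 4096
IOCT_WP_TOGGLE = 0x1261     # write-protect toggle command quoted in the thread


class FakeLafDevice:
    """Constructed stand-in for lafd: OPEN yields a read-only fd, IOCT toggles
    it, MISC WRTE needs no fd and does no hash check, COPY moves bytes between
    block addresses. fault_lba (assumed, demo only) makes one COPY corrupt a
    byte so the verification step has a write failure to catch."""

    def __init__(self, image_blocks, misc_lba, misc_bytes, fault_lba=None):
        self.image = bytearray(image_blocks * BLOCK)
        self.misc_lba, self.misc_bytes = misc_lba, misc_bytes
        self.fault_lba = fault_lba
        self.fds = {}      # fd -> write enabled?
        self.log = []      # commands issued, in the thread's syntax

    def open(self):
        fd = 3 + len(self.fds)
        self.fds[fd] = False            # read-only until IOCT, as the thread says
        self.log.append("OPEN")
        return fd

    def ioct(self, fd, cmd):
        if cmd != IOCT_WP_TOGGLE:
            raise ValueError("unknown IOCT command 0x%x" % cmd)
        self.fds[fd] = not self.fds[fd]
        self.log.append("IOCT %d,0x%x" % (fd, cmd))

    def misc_wrte(self, offset_blocks, data):
        if offset_blocks * BLOCK + len(data) > self.misc_bytes:
            raise ValueError("write exceeds misc partition")
        start = (self.misc_lba + offset_blocks) * BLOCK
        self.image[start:start + len(data)] = data
        self.log.append("MISC WRTE,%d,%d" % (offset_blocks, len(data)))

    def copy(self, fd, src_lba, size, dst_lba):
        if not self.fds.get(fd):
            raise PermissionError("fd %d is read-only; IOCT first" % fd)
        src, dst = src_lba * BLOCK, dst_lba * BLOCK
        self.image[dst:dst + size] = self.image[src:src + size]
        self.log.append("COPY %d,%d,%d,%d" % (fd, src_lba, size, dst_lba))
        if self.fault_lba is not None and dst_lba <= self.fault_lba < dst_lba + -(-size // BLOCK):
            self.image[self.fault_lba * BLOCK] ^= 0xFF   # simulated write failure
            self.fault_lba = None

    def read(self, lba, size):
        return bytes(self.image[lba * BLOCK:lba * BLOCK + size])

    def close(self, fd):
        del self.fds[fd]
        self.log.append("CLSE %d" % fd)


def flash_via_misc(dev, payload, dst_lba):
    """Stage payload through misc in misc-sized chunks. The destination LBA
    advances by bytes_written // BLOCK: an assumption about lafd's COPY
    arithmetic, to be checked against a dump on real hardware."""
    chunk = dev.misc_bytes - dev.misc_bytes % BLOCK         # block-aligned chunk size
    misc_backup = dev.read(dev.misc_lba, dev.misc_bytes)     # misc gets clobbered: save it
    fd = dev.open()
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        dev.misc_wrte(0, piece)
        dev.ioct(fd, IOCT_WP_TOGGLE)                         # lift write protection
        dev.copy(fd, dev.misc_lba, len(piece), dst_lba + off // BLOCK)
        dev.ioct(fd, IOCT_WP_TOGGLE)                         # re-arm it
    dev.close(fd)
    dev.misc_wrte(0, misc_backup)                            # restore misc afterwards


def flash_verified(dev, payload, bak_lba, main_lba):
    """Write to the *bak partition, dump it, compare SHA-256 with the source,
    and only then COPY bak -> main. Returns False (main untouched) on mismatch."""
    flash_via_misc(dev, payload, bak_lba)
    dumped = dev.read(bak_lba, len(payload))
    if hashlib.sha256(dumped).digest() != hashlib.sha256(payload).digest():
        return False
    fd = dev.open()
    dev.ioct(fd, IOCT_WP_TOGGLE)
    dev.copy(fd, bak_lba, len(payload), main_lba)
    dev.ioct(fd, IOCT_WP_TOGGLE)
    dev.close(fd)
    return True


def demo(fault_lba=None):
    """Constructed layout: misc 8192 bytes at LBA 10, recoverybak at LBA 40,
    recovery at LBA 110, 20000-byte payload so the last chunk is partial."""
    dev = FakeLafDevice(image_blocks=200, misc_lba=10, misc_bytes=8192, fault_lba=fault_lba)
    dev.image[10 * BLOCK:10 * BLOCK + 8192] = b"\xaa" * 8192   # pre-existing misc content
    payload = bytes((i * 7) & 0xFF for i in range(20000))       # constructed image data
    ok = flash_verified(dev, payload, bak_lba=40, main_lba=110)
    return dev, payload, ok


if __name__ == "__main__":
    dev, payload, ok = demo()
    print("verified:", ok, "main matches:", dev.read(110, len(payload)) == payload)
    print("\n".join(dev.log))
```

Running demo() prints the same OPEN / MISC WRTE / IOCT / COPY / IOCT ... CLSE ladder as the comment, then the misc restore and the bak-to-main COPY; demo(fault_lba=60) corrupts one block during the second chunk's COPY, the hash check fails, and the main partition is left untouched, which is the property the backup-first ordering is meant to guarantee.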

Mr-nerd commented Apr 17, 2018

@runningnak3d all that is great, but there are still three missing pieces.

One: how can I get the fd number? If I type !OPEN and then lsof, it returns nothing. How can I know it, and is it the same for all blocks?

Two: if I want to flash aboot, for example, and I have the aboot in the lglaf folder, how is it going to transfer the aboot from the computer to the misc partition in order to copy it to my final destination?

And last, what did you mean by dividing into chunks? Did you mean to repeat the process until I am done, or an actual division?

Can you clear that up for me?

@runningnak3d

You can't use lglaf.py for writing files -- that isn't what it was designed for. That is just the communication interface / library that partitions.py uses. See the code here: https://github.com/steadfasterX/lglaf

He has merged it. That code will work on any eMMC device, but you must change the misc_start and chunksize values since they are hard coded for an LG G4.

Mr-nerd commented Apr 17, 2018

Can we chat personally on WhatsApp?

I'd appreciate it, man 😘 @runningnak3d

@runningnak3d

I only do IRC. If you want to join #lglaf on irc.freenode.net I will be happy to talk to you.

-- Brian

@P3nguin-M

I cannot READ/WRTE from the MISC partition using these commands. Please help!
Model: LG G Vista (D631)

python3 lglaf.py --debug --rawshell -cr -c 'MISC READ'
LGLAF.py: DEBUG: product id in CR list: >G4<
LGLAF.py: DEBUG: Device is: 633a, G4. Enabling Challenge/Response!
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Using Protocol version: 0x1000003
LGLAF.py: DEBUG: CR detection: 1
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Challenge: b'23d73d4e'
LGLAF.py: DEBUG: Response: b'64f2f050aa2ca0c5437c527e811f908c'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''

@roadkill52

Has anyone got the bootloader unlocked on the LS775? I have one that can, because it uses ZV3, which has bootloader mode enabled. It's not mine, it's my wife's; mine is the same phone but on ZV4, which has the bootloader disabled. I want root, but my PC is down and I'm still very much a novice at all this. Any help would be appreciated, thanks.
