Lenovo P2 - FM Radio Tuner - Lenovo P2 Guides, News, & Discussion

Hello all,
I'm an oldie and I like my old-school FM radio tuner. So I was happy to see the spec-lists for the P2 showing an FM tuner. Unfortunately, the phone itself doesn't appear to have an FM Tuner app included.
Am I missing it somewhere or is there a recommended replacement app out there that will do the job?
Grazer

Wrong forum
Sorry - I have posted this in the wrong place!

I confirm, it is included and it works great!

grazer10 said:
Hello all,
I'm an oldie and I like my old-school FM radio tuner. So I was happy to see the spec-lists for the P2 showing an FM tuner. Unfortunately, the phone itself doesn't appear to have an FM Tuner app included.
Am I missing it somewhere or is there a recommended replacement app out there that will do the job?
Grazer
There is an FM radio tuner app; I can listen to FM in it, and also record.
Look for an app with RADIO.
Hope you found FM Radio already, or else ask any young kids to find it for you. It only works if you plug in your earphones :highfive:

BTW. Radio only works in mono, even if reception is very good.

FM operation error
And now it no longer works for LOS16 after the app has been upgraded - I just get "FM operation failed" when it starts and when I try anything at all, including switching FM on and off, as it suggests.
As a temporary workaround, does anybody know where-how I can find and install the old radio app, which worked fine?
(I noticed it removed my shortcut on the last upgrade, so presume it is a different app.)

Just tried the new FM radio app in Lineage after the recent update and it's working.
Maybe try clearing the app data.

I'm also facing the same issue on latest build 26062019.
After a reboot it works. After turning off the FM radio, I am not able to turn it on again and it keeps showing the error. Attached

99% broken
philje123 said:
Just tried the new FM radio app in Lineage after the recent update and it's working.
Maybe try clearing the app data.
Thank you, I tried, but it had no effect. I see the same as the last poster - it works a short time after rebooting and then cannot be switched on until the next reboot.
How would I register a bug? Not an essential app for most, but then it is 99% non-functional for the unlucky ones, so I guess a medium-level issue.
---------- Post added at 08:45 PM ---------- Previous post was at 08:17 PM ----------
nsandersen said:
Thank you, I tried, but it had no effect. I see the same as the last poster - it works a short time after rebooting and then cannot be switched on until the next reboot.
How would I register a bug? Not an essential app for most, but then it is 99% non-functional for the unlucky ones, so I guess a medium-level issue.
2019-06-30 20:42:21.575 1463-1535/? I/ActivityManager: Displayed com.caf.fmradio/.FMRadio: +9s922ms
2019-06-30 20:42:27.522 543-683/? W/SurfaceFlinger: Attempting to set client state on removed layer: com.caf.fmradio/com.caf.fmradio.FMRadio#1
2019-06-30 20:42:27.522 543-683/? W/SurfaceFlinger: Attempting to destroy on removed layer: com.caf.fmradio/com.caf.fmradio.FMRadio#1
2019-06-30 20:42:29.533 11181-11181/? D/FMService: onDataActivity - 0
2019-06-30 20:42:29.537 11181-11181/? D/FMService: onDataActivity - 4
2019-06-30 20:42:33.288 11181-11181/? E/FMRadio: FmReceiver constructor
2019-06-30 20:42:33.288 11181-11181/? D/FMService: fmOn: RadioBand :4
2019-06-30 20:42:33.288 11181-11181/? D/FMService: fmOn: Emphasis :1
2019-06-30 20:42:33.288 11181-11181/? D/FMService: fmOn: ChSpacing :1
2019-06-30 20:42:33.288 11181-11181/? D/FMService: fmOn: RdsStd :1
2019-06-30 20:42:33.288 11181-11181/? D/FMService: fmOn: LowerLimit :87500
2019-06-30 20:42:33.288 11181-11181/? D/FMService: fmOn: UpperLimit :108000
2019-06-30 20:42:33.288 11181-11181/? D/android_hardware_fm: VIDIOC_QUERYCAP returns :0: version: 201356
2019-06-30 20:42:33.288 11181-11181/? D/android_hardware_fm: Driver Version(Same as ChipId): 3128c
2019-06-30 20:42:33.290 11181-11181/? D/android_hardware_fm: BT soc is
2019-06-30 20:42:33.493 11181-11181/? E/android_hardware_fm: init_success:1 after 0.000000 seconds
2019-06-30 20:42:33.494 11181-11181/? D/FmTransceiver: Opened 51
2019-06-30 20:42:33.494 11181-11181/? D/FmTransceiver: No existing file to do spur configuration
2019-06-30 20:42:33.494 11181-11181/? D/FmTransceiver: turning on 1
2019-06-30 20:42:33.494 11181-11181/? E/android_hardware_fm: id(8000004) value: 1
2019-06-30 20:42:33.494 11181-11181/? D/android_hardware_fm: BT soc is
2019-06-30 20:42:37.994 11181-11181/? E/android_hardware_fm: android_hardware_fm: set control failed, id: 134217732
2019-06-30 20:42:37.994 11181-11181/? D/FmRxControls: setControlNative faile134217732
2019-06-30 20:42:37.994 11181-11181/? D/FmTransceiver: turning on failed
2019-06-30 20:42:37.994 11181-11181/? D/android_hardware_fm: BT soc is
2019-06-30 20:42:37.995 11181-11181/? E/FMRadio: enable: Error while turning FM On
2019-06-30 20:42:37.995 11181-11181/? E/FMRadio: enable: CURRENT-STATE : FMRxStarting ---> NEW-STATE : FMOff
2019-06-30 20:42:37.995 11181-11181/? D/FMService: Analog Path is not supported
2019-06-30 20:42:37.995 11181-11181/? D/FMService: mReceiver.enable done, Status :false
2019-06-30 20:42:37.996 11181-11181/? D/FMService: in stop
2019-06-30 20:42:38.001 11181-11181/? E/FMRadio: mService.fmOn failed
2019-06-30 20:42:38.032 543-683/? D/SurfaceFlinger: duplicate layer name: changing com.caf.fmradio/com.caf.fmradio.FMRadio to com.caf.fmradio/com.caf.fmradio.FMRadio#1
2019-06-30 20:42:42.665 11181-11181/? D/FMService: onDataActivity - 4
2019-06-30 20:42:42.672 11181-11181/? D/FMService: onDataActivity - 0
2019-06-30 20:42:43.672 11181-11181/? D/FMService: onDataActivity - 3
2019-06-30 20:42:44.679 11181-11181/? D/FMService: onDataActivity - 0

Related

Unlock your Samsung i5500 (Where is my /efs?) [UPDATE]

ALL PHONES HAVE BEEN BRICKED USING THE DD METHOD, SOME WITH STL5 METHOD, NONE WITH BML5 METHOD
EDIT 22 apr 2013: use stock ROM, Helroz made this on the appstore. If you have newer Galaxy try this from Doky
EDIT 7 nov 2011: BML5 method guide: http://forum.xda-developers.com/showthread.php?t=1335548
EDIT 10 oct 2011: Relock experience?: http://forum.xda-developers.com/showpost.php?p=18294355&postcount=421
EDIT 31 aug 2011: Now Supersafe (BML5) method: http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334
EDIT 18 march 2011: Unsafe (STL5) method: http://forum.xda-developers.com/showpost.php?p=12099386&postcount=6
!!! THIS IS STILL EXPERIMENTAL !!! (OLD STUFF, please disregard)
Before you do anything read the whole thread. It is still unclear why some phones were bricked
----------------------------------------------------------------------------
Hi, Can anyone help me with this question? I have never had the original SIM card in it. Does that help?
Finally I have the I5500XWJJ6 ROM installed, rooted the phone and used "adb shell su" to get into the shell. Now I cannot find the /efs file system. Why not?
I am looking for the nv_data.bin
Did something change with the newer firmwares?
Read somewhere that it is /dev/bml11
I copied it with dd if=/dev/bml11 of=/sdcard/bml11.img Then it only shows SER in the editor.
With getprop I get the following (some numbers are deleted for privacy). What can be set with setprop?
Code:
# getprop
getprop
[ro.secure]: [1]
[ro.allow.mock.location]: [0]
[ro.debuggable]: [0]
[persist.service.adb.enable]: [1]
[ro.factorytest]: [0]
[ro.serialno]: []
[ro.bootmode]: [unknown]
[ro.baseband]: [unknown]
[ro.carrier]: [unknown]
[ro.bootloader]: [unknown]
[ro.hardware]: [GT-I5500]
[ro.revision]: [0]
[ro.emmc]: [0]
[wifi.interface]: [wlan0]
[ro.build.id]: [ERE27]
[ro.build.display.id]: [ERE27]
[ro.build.version.incremental]: [XWJJ6]
[ro.build.version.sdk]: [7]
[ro.build.version.codename]: [REL]
[ro.build.version.release]: [2.1-update1]
[ro.build.date]: [Thu Oct 21 18:41:03 KST 2010]
[ro.build.date.utc]: [1287654063]
[ro.build.type]: [user]
[ro.build.user]: [root]
[ro.build.host]: [SE-S611]
[ro.build.tags]: [test-keys]
[ro.product.model]: [GT-I5500]
[ro.product.brand]: [Samsung]
[ro.product.name]: [GT-I5500]
[ro.product.device]: [GT-I5500]
[ro.product.board]: [GT-I5500]
[ro.product.cpu.abi]: [armeabi]
[ro.product.manufacturer]: [Samsung]
[ro.product.locale.language]: [en]
[ro.product.locale.region]: [GB]
[ro.wifi.channels]: []
[ro.board.platform]: [msm7k]
[ro.build.PDA]: [I5500XWJJ6]
[ro.build.hidden_ver]: [I5500XWJJ6]
[ro.build.changelist]: [650697]
[ro.build.product]: [GT-I5500]
[ro.build.description]: [GT-I5500-user 2.1-update1 ERE27 XWJJ6 release-keys]
[ro.build.fingerprint]: [Samsung/GT-I5500/GT-I5500/GT-I5500:2.1-update1/ERE27/XWJJ6:user/release-keys]
[rild.libpath]: [/system/lib/libsec-ril.so]
[rild.libargs]: [-d /dev/smd0]
[persist.rild.nitz_plmn]: []
[persist.rild.nitz_long_ons_0]: []
[persist.rild.nitz_long_ons_1]: []
[persist.rild.nitz_long_ons_2]: []
[persist.rild.nitz_long_ons_3]: []
[persist.rild.nitz_short_ons_0]: []
[persist.rild.nitz_short_ons_1]: []
[persist.rild.nitz_short_ons_2]: []
[persist.rild.nitz_short_ons_3]: []
[DEVICE_PROVISIONED]: [1]
[debug.sf.hw]: [0]
[ro.sf.lcd_density]: [120]
[dalvik.vm.heapsize]: [24m]
[ro.url.legal]: [http://www.google.com/intl/%s/mobile/android/basic/phone-legal.html]
[ro.url.legal.android_privacy]: [http://www.google.com/intl/%s/mobile/android/basic/privacy.html]
[ro.com.google.locationfeatures]: [1]
[ro.setupwizard.mode]: [DISABLED]
[ro.com.google.gmsversion]: [2.1_r10]
[ro.config.alarm_alert]: [Alarm_Classic.ogg]
[ro.opengles.version]: [131072]
[net.bt.name]: [Android]
[net.change]: [net.dnschange]
[ro.config.sync]: [yes]
[dalvik.vm.stack-trace-file]: [/data/anr/traces.txt]
[ro.com.google.clientidbase]: [android-samsung]
[ro.com.google.clientidbase.yt]: [android-samsung]
[ro.com.google.clientidbase.am]: [android-samsung]
[ro.com.google.clientidbase.vs]: [android-samsung]
[ro.com.google.clientidbase.gmm]: [android-samsung]
[ro.csc.homescreen.defaultscreen]: [0]
[ro.csc.homescreen.screencount]: [7]
[ro.config.notification_sound]: [OnTheHunt.ogg]
[ro.config.ringtone]: [Club_Cubano.ogg]
[persist.sys.country]: [NL]
[persist.sys.localevar]: []
[persist.sys.timezone]: [Europe/Amsterdam]
[persist.sys.language]: [nl]
[audioflinger.bootsnd]: [0]
[ro.FOREGROUND_APP_ADJ]: [0]
[ro.VISIBLE_APP_ADJ]: [1]
[ro.SECONDARY_SERVER_ADJ]: [2]
[ro.BACKUP_APP_ADJ]: [2]
[ro.HOME_APP_ADJ]: [4]
[ro.HIDDEN_APP_MIN_ADJ]: [7]
[ro.CONTENT_PROVIDER_ADJ]: [14]
[ro.EMPTY_APP_ADJ]: [15]
[ro.FOREGROUND_APP_MEM]: [1536]
[ro.VISIBLE_APP_MEM]: [2048]
[ro.SECONDARY_SERVER_MEM]: [4096]
[ro.BACKUP_APP_MEM]: [4096]
[ro.HOME_APP_MEM]: [4096]
[ro.HIDDEN_APP_MEM]: [5120]
[ro.CONTENT_PROVIDER_MEM]: [6144]
[ro.EMPTY_APP_MEM]: [8960]
[net.tcp.buffersize.default]: [4096,87380,110208,4096,16384,110208]
[net.tcp.buffersize.wifi]: [4095,87380,110208,4096,16384,110208]
[net.tcp.buffersize.umts]: [4094,87380,110208,4096,16384,110208]
[net.tcp.buffersize.edge]: [4093,26280,35040,4096,16384,35040]
[net.tcp.buffersize.gprs]: [4092,8760,11680,4096,8760,11680]
[init.svc.playlogo]: [stopped]
[init.svc.servicemanager]: [running]
[init.svc.vold]: [running]
[init.svc.debuggerd]: [running]
[init.svc.ril-daemon]: [running]
[init.svc.DR-daemon]: [running]
[init.svc.mobex-daemon]: [running]
[init.svc.cnd]: [restarting]
[init.svc.zygote]: [running]
[init.svc.media]: [running]
[init.svc.dbus]: [running]
[init.svc.wlan_tool]: [stopped]
[init.svc.installd]: [running]
[init.svc.keystore]: [running]
[init.svc.memsicd]: [stopped]
[init.svc.adbd]: [running]
[wlan.driver.status]: [ok]
[ril.dataoff_nwk_op]: [false]
[ro.csc.country_code]: [Russia]
[ro.csc.sales_code]: [SER]
[ril.ICC_TYPE]: [2]
[ril.rildReset]: [1]
[debug.sf.nobootanimation]: [0]
[EXTERNAL_STORAGE_STATE]: [mounted]
[init.svc.bootanim]: [stopped]
[ril.lac]: [0066]
[ril.cid]: [02bd45d9]
[hw.keyboards.65537.devname]: [europa_keypad0]
[hw.keyboards.0.devname]: [europa_headset]
[sys.settings_secure_version]: [10]
[init.svc.wpa_supplicant]: [running]
[sys.settings_system_version]: [41]
[dev.bootcomplete]: [1]
[dhcp.wlan0.result]: [ok]
[init.svc.dhcpcd]: [running]
[dhcp.wlan0.pid]: [18943]
[ro.runtime.started]: [1288831305799]
[dhcp.wlan0.reason]: [BOUND]
[gsm.version.ril-impl]: [Samsung RIL(IPC) v2.0]
[dhcp.wlan0.dns1]: [192.168.1.254]
[dhcp.wlan0.dns2]: []
[gsm.sim.operator.numeric]: []
[gsm.sim.operator.alpha]: []
[gsm.sim.operator.iso-country]: []
[gsm.eons.name]: []
[dhcp.wlan0.dns3]: []
[dhcp.wlan0.dns4]: []
[gsm.sim.state]: [SIM_SERVICE_PROVIDER_LOCKED]
[gsm.current.phone-type]: [1]
[dhcp.wlan0.ipaddress]: [192.168.1.94]
[dhcp.wlan0.gateway]: [192.168.1.254]
[dhcp.wlan0.mask]: [255.255.255.0]
[dhcp.wlan0.leasetime]: [86400]
[dhcp.wlan0.server]: [192.168.1.254]
[net.dns1]: [192.168.1.254]
[net.dnschange]: [39]
[ril.prl_num]: [0]
[ril.sw_ver]: [I5500XWJG3]
[ril.hw_ver]: [MP 0.700]
[ril.rfcal_date]: [2010.09.18]
[ril.product_code]: [GT-I5500YKAVDP]
[ril.model_id]: []
[ril.bt_macaddr]: [101DC0D3380F]
[ril.wifi_macaddr]: [10:1D:C0:D3:38:10]
[ril.IMEI]: [.........263228]
[gsm.wifiConnected.active]: [true]
[dev.bootdone]: [1]
[init.svc.qcom-post-boot]: [stopped]
[gsm.version.baseband]: [I5500XWJG3]
[gsm.STK_SETUP_MENU]: [Fun & info]
[gsm.STK_USER_SESSION]: [0]
[ril.ecclist]: [112,911,112,911]
[gsm.network.type]: [UMTS]
[gsm.operator.alpha]: []
[gsm.operator.numeric]: [20404]
[gsm.operator.iso-country]: [nl]
[gsm.operator.isroaming]: [false]
[ril.rildSerial]: [..........g4kzu1ox]
[gsm.sim.state]: [SIM_SERVICE_PROVIDER_LOCKED] is what I don't want to see
Mount table:
Code:
# mount
mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
/dev/stl14 /cache rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/stl13 /data rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/stl12 /system rfs ro,vfat,log_off,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0602,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
Already looked in /init.rc for some efs reference but not found.
Should I look into the ril app for some references to efs?
Cheers
EDIT1: Already got more http://forum.samdroid.net/f28/complete-imei-restore-how-1817/#post28598
I do have a character device (terminal?) /dev/ttyEFS0
Can one do anything with that?
With the adb logcat -b radio I got the log file for the ril/radio.
My attention was drawn to /system/etc/spn-conf.xml and after googling I found this file:
Code:
<?xml version="1.0" encoding="utf-8"?>
<spnOverrides>
<!-- @Author: HTC Shawn Ku @Date: 2010/02/23
This is a list for operator specific SPNs.
We will use below SPN for instead if numeric is matched.
Format is listed as below:
<spnOverrides
numeric="MCC+MNC"
spn="SPN Name"/>
-->
<spnOverride numeric="44020" spn="SoftBank"/>
</spnOverrides>
For my own sim that would be t-mobile NL: 20416 T-Mobile
Does that mean that I can override my locked provider?
I will try.
An interesting piece from the log radio file (also attached)
Code:
D/RILJ ( 1325): < iccIO: 0x90 0x0 0000000a2fe2040000ffff01020002
D/RILJ ( 1325): [0008]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/RILJ ( 1325): [0013]> iccIO: SIM_IO 0xb0 0x2fe2 path: 3F00,0,0,10
I/RILJ ( 1325): num:1 lock_type:3 lock_key:1 num_of_retry:3
D/RILJ ( 1325): [0009]< LOCK_INFO [email protected]
I/RILJ ( 1325): num:1 lock_type:9 lock_key:3 num_of_retry:3
D/RILJ ( 1325): [0010]< LOCK_INFO [email protected]
D/RILJ ( 1325): [0011]< GET_SIM_STATUS [email protected]
I/GSM ( 1325): PIN1 Status PINSTATE_ENABLED_NOT_VERIFIEDPIN2 Status PINSTATE_UNKNOWN
I/GSM ( 1325): Neither PIN2 nor PUK2 is blocked.
E/GSM ( 1325): updateStateProperty() : PIN_REQUIRED
D/RILJ ( 1325): [0014]> iccIO: SIM_IO 0xc0 0x6fb7 path: 3F007F105F3A,0,0,15
D/GSM ( 1325): [IccCard] Notify SIM pin or puk locked.
D/GSM ( 1325): [IccCard] Broadcasting intent ACTION_SIM_STATE_CHANGED LOCKED reason PIN
D/RILJ ( 1325): [0012]< QUERY_FACILITY_LOCK {1}
D/RILJ ( 1325): < iccIO: 0x90 0x0 981302360010773977ff
D/RILJ ( 1325): [0013]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/RILJ ( 1325): < iccIO: 0x90 0x0 0000005a6fb7040000ffff01020112
D/RILJ ( 1325): [0014]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/GSM ( 1325): [IccCard] Query facility lock : true
D/RILJ ( 1325): [0015]> iccIO: SIM_IO 0xb2 0x6fb7 path: 3F007F105F3A,1,4,18
D/GSM ( 1325): iccid: 893120630001779377
D/GSM ( 1325): checkSimChanged enter
I/GSM ( 1325): old iccid is 893120630001779377 current is 893120630001779377
D/RILJ ( 1325): < iccIO: 0x90 0x0 ffffffffffffffffffffffffffffffffffff
D/RILJ ( 1325): [0015]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/RILJ ( 1325): [0016]> iccIO: SIM_IO 0xb2 0x6fb7 path: 3F007F105F3A,2,4,18
D/RILJ ( 1325): < iccIO: 0x90 0x0 ffffffffffffffffffffffffffffffffffff
D/RILJ ( 1325): [0016]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/RILJ ( 1325): [0017]> iccIO: SIM_IO 0xb2 0x6fb7 path: 3F007F105F3A,3,4,18
D/RILJ ( 1325): < iccIO: 0x90 0x0 ffffffffffffffffffffffffffffffffffff
D/RILJ ( 1325): [0017]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/RILJ ( 1325): [0018]> iccIO: SIM_IO 0xb2 0x6fb7 path: 3F007F105F3A,4,4,18
D/RILJ ( 1325): < iccIO: 0x90 0x0 ffffffffffffffffffffffffffffffffffff
D/RILJ ( 1325): [0018]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/RILJ ( 1325): [0019]> iccIO: SIM_IO 0xb2 0x6fb7 path: 3F007F105F3A,5,4,18
D/RILJ ( 1325): < iccIO: 0x90 0x0 ffffffffffffffffffffffffffffffffffff
D/RILJ ( 1325): [0019]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
Does anyone know what "iccid: 893120630001779377" is? I tried it as an unlock code, but to no avail.
Unlock codes are always 8 numbers.
From the COM8 (in my system) I get the following info.
Code:
ATI
Manufacturer: SAMSUNG ELECTRONICS CORPORATION
Model: GT-I5500
Revision: I5500XWJG3
IMEI: 359763034......
+GCAP: +CGSM,+DS,+ES
Cheers
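Added example, not part of the original posts: the `iccid` value in the radio log above is the SIM card's serial number, which the RIL reads from the card file 0x2fe2 (EF_ICCID) as nibble-swapped BCD. The sketch below pairs each SIM_IO request with its response, decodes that value, and masks it before a log is shared; the log lines are copied from the post, and all function names are hypothetical.

```python
import re

EF_ICCID = 0x2FE2    # elementary file that holds the card serial number (ICCID)
READ_BINARY = 0xB0   # SIM_IO command code for READ BINARY

# Sample input: lines copied from the radio log quoted in the post above.
SAMPLE_LOG = """\
D/RILJ ( 1325): [0013]> iccIO: SIM_IO 0xb0 0x2fe2 path: 3F00,0,0,10
D/RILJ ( 1325): < iccIO: 0x90 0x0 981302360010773977ff
D/RILJ ( 1325): [0013]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
D/GSM ( 1325): iccid: 893120630001779377
D/RILJ ( 1325): [0015]> iccIO: SIM_IO 0xb2 0x6fb7 path: 3F007F105F3A,1,4,18
D/RILJ ( 1325): < iccIO: 0x90 0x0 ffffffffffffffffffffffffffffffffffff
D/RILJ ( 1325): [0015]< SIM_IO IccIoResponse sw1:0x90 sw2:0x0
"""

REQ = re.compile(r"\[(\d{4})\]> iccIO: SIM_IO (0x[0-9a-f]+) (0x[0-9a-f]+) path:")
PAYLOAD = re.compile(r"< iccIO: 0x[0-9a-f]+ 0x[0-9a-f]+ ([0-9a-f]+)\s*$")
RESP = re.compile(r"\[(\d{4})\]< SIM_IO IccIoResponse")


def decode_swapped_bcd(hex_payload):
    """Decode nibble-swapped BCD; a 0xF nibble is filler and ends the number."""
    hex_payload = hex_payload.lower()
    digits = []
    for i in range(0, len(hex_payload) - 1, 2):
        # Within each byte the low nibble carries the earlier digit.
        for nibble in (hex_payload[i + 1], hex_payload[i]):
            if nibble == "f":
                return "".join(digits)
            if not nibble.isdigit():
                raise ValueError("not BCD: %r" % hex_payload)
            digits.append(nibble)
    return "".join(digits)


def pair_sim_io(log):
    """Return (serial, command, file_id, payload_hex) for each answered request.

    In this log format the payload line comes first and the line that follows
    it carries the serial number of the request it answers.
    """
    requests, pending, pairs = {}, None, []
    for line in log.splitlines():
        m = REQ.search(line)
        if m:
            requests[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = PAYLOAD.search(line)
        if m:
            pending = m.group(1)
            continue
        m = RESP.search(line)
        if m and pending is not None:
            cmd, file_id = requests.get(m.group(1), (None, None))
            pairs.append((m.group(1), cmd, file_id, pending))
            pending = None
    return pairs


def find_iccid(log):
    """Decode the ICCID from the READ BINARY response for EF_ICCID, if present."""
    for _serial, cmd, file_id, payload in pair_sim_io(log):
        if cmd == READ_BINARY and file_id == EF_ICCID:
            return decode_swapped_bcd(payload)
    return None


def redact_iccid(log):
    """Mask the ICCID in both its raw and decoded form before sharing a log."""
    redacted = log
    for _serial, cmd, file_id, payload in pair_sim_io(log):
        if cmd == READ_BINARY and file_id == EF_ICCID:
            decoded = decode_swapped_bcd(payload)
            redacted = redacted.replace(payload, "<EF_ICCID redacted>")
            if decoded:  # never call replace() with an empty needle
                redacted = redacted.replace(decoded, "<ICCID redacted>")
    return redacted


if __name__ == "__main__":
    print("ICCID read from the card:", find_iccid(SAMPLE_LOG))
    print(redact_iccid(SAMPLE_LOG))
```

The decoded value matches the `iccid:` line that the GSM layer logs, which is why it identifies the card rather than acting as a code for the phone.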
Okay. It is quiet here, but let's continue. Now I found the service menu of the phone.
*#*#197328640#*#* (works on more phones?)
MAIN MENU
[1] DEBUG SCREEN
[2] VERSION INFORMATION
[3] UMTS RF NV
[4] GSM RF NV
[5] AUDIO
[6] COMMON
[7] QXDM LOGGING
When entering into COMMON sub menu I have
[1] FTM
[2] DEBUG INFO
[3] RF SCANNING
[4] DIAG CONFIG
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
NV in the menus stands for Non Volatile RAM, I suppose.
Menu controls can be clicked, or use the menu button for BACK.
To be continued...
Some codes for typing in from the firmware:
Code:
#*2886#
*#*#28346#*#*
*#0*# lcd test
*#0002*28346#
*#0002*28347#
*#0011#
*#0228#
*#0283#
*#0289#
*#03# NAND Flash unique number (80590001238648)
*#0368# FM Radio test
*#0588# Proximity test
*#0589#
*#0599#
*#06#
*#0673# MelodyTest
*#07# Test History
*#0782# PDA RTC Get
*#0842# Vibration Test
*#1*#
*#1111#
*#1234# Version
*#1472365# Gps2 setup
*#147852#
*#1478963# Test app settings
*#1575# Gps setup
*#197328640# Main Menu Service Mode
*#2222#
*#2263#
*#22736224# Acc calibration
*#232331# BT Test
*#232332# BT On
*#232337# BT Mac
*#232338# WLAN Mac
*#232339# WLAN Engineering mode Tx Rx Status
*#2424#
*#2454# Ram dump mode (ARM9) take battery out
*#2580# Integrity control
*#2663# Touch screen version
*#2664# Little paint program
*#272*
*#273283*255*3282*# Data create, fill up sms phonebook callog etc
*#273283*255*663282*# Data create, fill user/systemspace image mp3 video voice memo
*#2767*2878# servicemode nothin?
*#3214789# GcfMode settings
*#32489# Ciphering control
*#3264# Ram version
*#3282*727336*# overview data usage
*#34971539#
*#367#
*#3695147#
*#369852#
*#4238378# GCF settings
*#42663# Brightness setting
*#44336# Internal version build time changelist
*#46744674#
*#4736767*738# Acc sensor min/max
*#4986*2650468# Version
*#526# WLAN test
*#528# WLAN tes
*#6854123#
*#6984125*#
*#7263867*6633# RAM Dump mode Enable/disable
*#7284# DIAG config serial/usb
*#7298#
*#7412365#
*#742690#
*#745# Sec Ril Dump !!! log and mms settings
*#746# Debug Dump
*#7465625#
*#7594# Enable Shutdown on End call Long press
*#7780# Restore default data
*#80# Factory Test
*#865625#
*#872564# USB (DM) Logging En/Disable CP AP CP+AP
*#9090# DIAG config serial/usb
*#9900# SysDump RIL Ramdump mode Off
*2767*3855# factory reset !!!
*2767*4387264636# Sellout SMS PCode Mode:Test
*2767*738767633#
*2767*73876766#
*2767*7387677763#
*2767*7387678378#
*7465625*27*#
*7465625*638*#
*7465625*77*#
*7465625*782*#
#7465625*27*#
#7465625*638*#
#7465625*77*#
#7465625*782*#
tweakradje said:
Hi, Can anyone help me with this question? I have never had the original SIM card in it. Does that help?
Finally I have the I5500XWJJ6 ROM installed, rooted the phone and used "adb shell su" to get into the shell. Now I cannot find the /efs file system. Why not?
I am looking for the nv_data.bin
Did something change with the newer firmwares?
Read somewhere that it is /dev/bml11
I copied it with dd if=/dev/bml11 of=/sdcard/bml11.img Then it only shows SER in the editor.
With getprop I get the following (some numbers are deleted for privacy). What can be set with setprop?
[gsm.sim.state]: [SIM_SERVICE_PROVIDER_LOCKED] is what I don't want to see
Did you try the setprop on the gsm.sim.state by setting it to null/empty?
SP unlock your i5500 (probably more)
EDIT: Phones have been bricked with this stl5 method. Do use the supersafe bml5 method.
http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334
Since I can't give up on this one I dug a little further into my i5500 memory.
Guess what? I f.ckin did it. Big hurrah. I'm good, I know. Thank you!
Code:
- root your phone
- adb shell
- su
- cd /
- mount -o remount,rw -t rootfs rootfs / (or do it before adb with root explorer)
- mkdir /efs
- mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
- cat /efs/mits/perso.txt
- umount /efs
- reboot
EDIT: stl5 is es-tee-el-five (like STL5)
EDIT: /efs on the Galaxy the /etc/fstab says: mount rfs /dev/block/stl5 /efs nosuid nodev check=no
You will see some numbers: In my case 20404 for Vodafone NL.
Then you will see your SP unlock code followed by some 000000000 codes and another
code. Write the first one (and second just in case) down.
Shut down the phone and put in a "locked" SIM. Start your phone, input the PIN, and when asked for an unlock code give it the first code. Your phone is now unlocked.
Cheers
EDIT:
Rooting: http://blog.23corner.com/2010/08/30/universal-androot-1-6-2-beta-5/
Rooting newer roms: http://forum.xda-developers.com/showthread.php?t=803682. Need reboot after.
Adb and USB drivers: see attachment
EDIT: possible fix for bad imei after doing above procedure:
http://forum.xda-developers.com/showpost.php?p=15408191&postcount=4
EDIT: nice tutorial for my method - http://forum.xda-developers.com/showthread.php?p=16597429
tweakradje said:
Since I can't give up on this one I dug a little further into my i5500 memory.
Guess what? I f.ckin did it. Big hurrah. I'm good, I know. Thank you!
- adb shell
- su
- mount root rw (did it with root explorer)
- mkdir /efs
- mount -t vfat /dev/block/stl5 /efs
- cat /efs/mits/perso.txt
You will see some numbers: In my case 20404 for Vodafone NL.
Then you will see your SP unlock code followed by some 000000000 codes and another
code. Write the first one (and second just in case) down.
Shut down the phone and put in a "locked" SIM. Start your phone, input the PIN, and when asked for an unlock code give it the first code. Your phone is now unlocked.
Cheers
Mine is a bunch of 01234567s
using dd command on stl5 is bricking the phone: UNSAFE METHOD
Ok. For good comparison I attached both perso.txt: before and after unlock.
Perhaps that helps. My network was locked to 20404 and the unlock code is 61493638
and there is another code in the file: 92427358 but I don't know what that one does.
Perhaps it is better practice to follow this road for getting the codes:
- adb shell
- su
- dd if=/dev/block/stl5 of=/sdcard/stl5.rfs bs=4096
Then use winimage or similar to examine /sdcard/stl5.rfs as FAT16 image file.
Cheers
- mount root rw (did it with root explorer)
Cannot get past this step. It only gives me cmd line help. Please describe in more detail how you did it. Thanks!
Root explorer is a program I installed. It has a "Mount R/W" button for the root.
But you can also use a complete other folder that is already mounted rw.
Type command mount in adb shell. Think /data is rw mounted.
So create /data/efs folder and mount -t vfat /dev/block/stl5 /data/efs
Cheers
For my problem this cmd worked:
mount -o remount,rw /data /system
Let's see if it really works for me 2.
After doing all the steps, my phone cannot turn on Phone, Wifi, cannot do any kind of format, install a new firmware (does not go to step 2 - pass the CS, even if odin reports it Passed). Half bricked it!
WARNING
Strange and sounds dangerous. Better not mount /dev/block/stl5 then and
use dd if=/dev/block/stl5 of=/sdcard/stl5.rfs and use windows program winimage (or similar)
to get the info from mits/perso.txt
But did you unlock?
Cheers
I already did that. No effect, because my WIFI, data, network connections and all audio (don't know about music) do not respond in any way, so, now, my great phone is at Vodafone Romania for repairs. Hope they did not notice any meddling with the firmware and re-flash it to its original state. It didn't matter if I inserted another network SIM or the one registered.
Thanks for this useful info, tweakradje.
Albeit I had run into the same problem as kill3r000, I managed to restore my phone back on track by simply running dd if=/sdcard/stl5.rfs of=/dev/block/stl5.
It ain't relevant at all, but when I retrieved the stl5.rfs from the phone I just did it from a root terminal on the phone, not via adb.
Anyways, thanks again for helping me unlock my phone.
kill3r000, if the Vodafone people ask you for money, don't give it to them and take your phone back, because I also got mine from Voda and it pulled the same trick on me.
How come i didn't think of backtracking that command? ( I suppose i was too tired of trying endless methods.
Block240 - Multumesc mult de tot pentru sprijin. Asa am sa fac. Mai tii minte cam cat ti-au cerut? Niste maralni.
Pe mine m-au sunat de la Regenersis ca il mai tin pentru mai multe teste amanuntite Pe bune... Va hotarati cat sa taxeze (nici nu se mai pune problema; deja au hotarat: IESIT DIN GARANTIE scrie pe saracutul meu)!
tweakradje said:
SAFE METHOD
Ok. For good comparison I attached both perso.txt: before and after unlock.
Perhaps that helps. My network was locked to 20404 and the unlock code is 61493638
and there is another code in the file: 92427358 but I don't know what that one does.
Perhaps it is better practise to follow this road for getting the codes:
- adb shell
- su
- dd if=/dev/block/stl5 of=/sdcard/stl5.rfs
Then use winimage or similar to examine /sdcard/stl5.rfs as FAT16 image file.
Cheers
Worked like a charm!
Thank you very much for this. Finally, 2.2.
Thanks for the feedback.
Hi ... Block, can you make a little tutorial for Romania Vodafone users ... step by step, or can you contact me by PM and tell me the exact steps
Thank you,
It's better, IF he or anyone else wants to do that, to post it in the topic so others can see it. When I have it back from service (if they want money for repairs) I'll try again, and then I will ask somebody here for a little tutorial so that all this does not happen again.
(Many) thanks in advance!
kill3r000 said:
How come I didn't think of backtracking that command? (I suppose I was too tired of trying endless methods.)
Block240 - Thank you very much for the support. That's what I'll do. Do you remember roughly how much they asked you for? A bunch of louts.
They called me from Regenersis to say they are keeping it longer for more detailed tests. Seriously... They are deciding how much to charge (there's no question about it any more; they have already decided: OUT OF WARRANTY is written on my poor little phone)!
I didn't get to the point of sending the phone in under warranty. I spent a night flashing different ROMs to it and wiping its efs until I remembered, thankfully, that I had stl5.rfs both on the computer and on /sdcard. Being a user who is fairly used to Unix systems, I realised that a dd saves everything bit for bit. Now if I also knew why these glitches show up when the efs is read, I'd be a happy man.
Nonetheless, there's nothing special regarding VF Ro users or any other network carriers. I just followed these steps:
Code:
su
dd if=/dev/block/stl5 of=/sdcard/stl5.rfs
Copied the stl5.rfs on my computer, opened it up with WinImage (obviously, any other application that can read FAT images would work just as good) and went to /mits/perso.txt.
It's full of gibberish, but do keep in mind that the 8-digit number is the unlock code. Note it down on a paper or something, power down the phone, get its sim out, power it on (don't insert any other sim). Mine went to ARM11 recovery mode (shows the samsung logo and says that on the top left). Should it do that, just throw the battery out and back in, then power it up again. The phone will boot up normally and now run
Code:
su
dd if=/sdcard/stl5.rfs of=/dev/block/stl5
wait for it to end, power down the phone, insert a sim that would send the phone in its network locked mode, and use that 8-digit number. That's all about it, you now have an unlocked gt-i5500.
Thank you again, tweakradje.
(buy him a beer)

Android Clients checkin?

Code:
-----------------------------------------------LOGCAT-----------------------------------------------
D/ConnectivityService( 334): handleInetConditionHoldEnd: net=1, condition=100, published condition=0
I/CheckinTask( 642): Checkin success: https://android.clients.google.com/checkin (1 requests sent)
D/CAT ( 526): CatService: SIM ready. Reporting STK service running now...
D/MccTable( 526): updateMccMncConfiguration: mcc=505, mnc=2
D/MccTable( 526): locale set to en_au
D/MccTable( 526): WIFI_COUNTRY_CODE set to au
I/WifiService( 334): WifiService trying to set country code to au with persist set to true
I/ActivityManager( 334): Config changed: {1.15 505mcc2mnc en_AU sw320dp w320dp h455dp nrml port finger -keyb/v/h -nav/h s.5 themeResource=null}
D/SystemClock( 526): Setting time of day to sec=1358505394
D/AlarmManagerService( 334): Kernel timezone updated to -660 minutes west of GMT
V/AlarmClock( 724): AlarmInitReceiver finished
I/CheckinService( 642): Preparing to send checkin request
I/EventLogService( 642): Accumulating logs since 1358505385569
I/CheckinTask( 642): Sending checkin request (2128 bytes)
I/CheckinTask( 642): Checkin success: https://android.clients.google.com/checkin (1 requests sent)
W/ThrottleService( 334): unable to find stats for iface rmnet0
On boot, this happens. And it just hangs here. No bootloop, no crashing, just waiting for something I don't understand.
Cm10 Beta 2, Linux 3.0.16
Nothing interesting in dmesg.
EDIT: re-flashed rom and fixed, but still, I'd like to know what happened.
What's wrong? Logcat states no error or warning
Can't get your point!
Sent from my HTC Explorer A310e using xda premium
DanceOff said:
What's wrong? Logcat states no error or warning
Can't get your point!
Sent from my HTC Explorer A310e using xda premium
It starts some process during boottime, and just waits for it, and never actually boots, because it is waiting for a response. No errors reported anywhere.
gnustomp said:
It starts some process during boottime, and just waits for it, and never actually boots, because it is waiting for a response. No errors reported anywhere.
You mean there is no loop but still phone doesn't boot !
Now I get you
What rom/mod are you flashing ?
Sent from my HTC Explorer using xda premium

LAF (Download mode) What is it, and how can we root with it?

EDIT: 2018-08-14
Wow -- re-reading this, whoa, what a bunch of assumptions / misinformation.
Note to self, update this post with the ACTUAL findings, and the ACTUAL way that the *current* (as of Nougat and Oreo) works. Also, add in the way that Google is going to F**K us all in the A** by adding AVB to the boot, and recovery, (and then LG can very easily add it to laf) in 9.0 (Pie). Pie in the face. A**holes.
LAF Is the LG Advanced Flash. When you hold vol up and insert your USB cable to get into download mode, aboot loads a partition called LAF.
It is just a boot image, but instead of the ramdisk (initrd) doing things like mounting system, so Android boots, it loads download mode.
As part of my research on the Boot Chain of Trust (BCT), it occurred to me that if you have an unlocked boot loader, you can flash whatever you want to the recovery partition. The only LG V20s that have unlockable boot loaders WITHOUT using the engineering aboot are the US996 (unlock.bin from LG), and the H918 (fastboot oem unlock). This wouldn't really be needed by the US996 since it has all fastboot commands available, the H918 however, does not.
In the thread about rooting the H918, I came up with the idea of patching LG UP to ignore ARB (Anti-RollBack). When a phone has an unlocked boot loader, aboot (applications boot) doesn't do RSA verification on the boot image. In addition, the boot image doesn't talk to the QFPROM to increment ARB. Heck, the boot image doesn't even have the code needed to write to QFPROM (ARB qfuse). So, the only thing stopping us from flashing an older kernel and system image is that LG UP checks the KDZ to see what ARB version it is at, and it checks QFPROM to see what ARB version the phone is at. If the KDZ is less -- it fails.
So, that is one way. Patch LG UP to ignore ARB, and then flash boot and system from an older KDZ. Unfortunately, my reverse engineering skills aren't great. On the other hand, my ability to read packet dumps and figure out protocols is much better (worked on -- and still work on World of Warcraft emulation). So I got to thinking, LG UP talks to LAF, so time to load up some wireshark, and start sniffing the USB bus to figure out what exactly is being said.
After working on this for a couple of days, I thought that there HAS to be someone else out there that thought of this same thing. Turns out I was correct: link.
As you can see it is a little old, but it put me much farther ahead than I would have been. I think the project was dropped, because as stated above, you need an unlocked boot loader -- and I think T-Mobile is the only one that still does.
BUT we have an engineering aboot. So, this tool is of use to ALL V20s, since we can just push the engineering aboot, and twrp just like back when dirtycow worked.
Finally to the point of this post. I would like some help updating the protocol. It appears that dmesg works no matter what:
Code:
<snip>
pseudo_chg_ui[0]
<3>[ 3132.160144 / 01-01 01:06:45.539][1] LGE charging scenario : state 0 -> 0(0-0), temp=31, volt=3804, BTM=0, charger=1, cur_set=0/0, chg_cur = -232
<6>[ 3132.160154 / 01-01 01:06:45.539][1] [LGE-CC] lge_monitor_batt_temp_work : otp_ibat_current=0
<6>[ 3132.160177 / 01-01 01:06:45.539][1] [LGE-CC] lge_monitor_batt_temp_work : Reported Capacity : 17 / voltage : 3804
<6>[ 3133.448127 / 01-01 01:06:46.819][3] FG: update_sram_data: soc:[17], soc_raw[1863], voltage:[3804909], ocv:[3749062], current:[-232542], batt_temp:[310], charge_raw [374287 / 3167000]
<12>[ 3136.173937 / 01-01 01:06:49.549][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004
<12>[ 3136.174137 / 01-01 01:06:49.549][3] [LAF] read property item = ATT
<12>[ 3136.289486 / 01-01 01:06:49.659][2] [LAF] execvp failed. error = 2
<6>[ 3136.560128 / 01-01 01:06:49.939][3] pet_watchdog [enable : 1, jiffies : 4295250952, delay_time : 1000]
<6>[ 3137.006156 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] USB_PRESENT[1], PARALLEL_STATUS[2], USB_TYPE[SDP]
<6>[ 3137.006165 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] TOTAL_IUSB[500], PMI_IUSB[1700], SMB_IUSB[0]
<6>[ 3137.006172 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] TOTAL_IBAT[3100/3100(vote)], PMI_IBAT[3000], SMB_IBAT[1000]
<6>[ 3137.006179 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] CABLE_ID [OPEN], CABLE_INFO[SDP], USBIN_VOL[4973]
<6>[ 3137.006185 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] BATT_SOC[17], BATT_VOL[3804], BATT_TEMP[310], BATT_CUR[-232542]
<6>[ 3137.006193 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] CHG_EN[Enable], CHG_STATE[CHARGING/500MA/CC], SAFTY_STATE[Set/Not yet]
<6>[ 3137.006199 / 01-01 01:06:50.379][2] SMBCHG: lgcc_charger_reginfo: [STATUS] XO_tHERM[36], PA_THERM[33], BOARD_THERM[32] VTS[333]
<6>[ 3142.000053 / 01-01 01:06:55.379][2] [bm] monitoring
<12>[ 3142.384450 / 01-01 01:06:55.759][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004
<12>[ 3142.384664 / 01-01 01:06:55.759][3] [LAF] read property item = ATT
<12>[ 3142.498642 / 01-01 01:06:55.869][3] [LAF] dmesg!!
Enough to let me know that at the very least, the protocol version has changed.
So, once the missing pieces are back in place, we will be able to once again root any model, on any security patch.
Why can't they plug this hole? They could actually. They could force all phones to require OTA updates -- no more download mode. Until they do, they can change the protocol all they want, but as long as LG UP can talk to the phone, then it can be figured out once again. As for the engineering aboot. That can of worms can't be closed -- they have no way of updating the RSA key in the CPU. Well they could have, if they didn't decide to go the full on / locked down / method. There are slots for 4 keys in QFPROM, but they made the mistake of locking the CPU so that no new keys can be written. The advantage to them was that people like myself can't write my own key. The disadvantage is that if something like the eng aboot leaks, they can't do a thing about it.
So -- WHO'S WITH ME?!?
-- Brian
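An added example, not part of the original post or of any LG tool: a small Python parser for the LG-format dmesg lines quoted above that keeps only the [LAF] messages, extracts the two version numbers from each mismatch report, and groups the messages that follow each report. The sample lines are copied from the post's log; the function names, and the reading of each mismatch line as the start of one host request, are assumptions made for this illustration.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Lines copied from the dmesg excerpt in the post above.
SAMPLE_DMESG = """\
<6>[ 3132.160177 / 01-01 01:06:45.539][1] [LGE-CC] lge_monitor_batt_temp_work : Reported Capacity : 17 / voltage : 3804
<12>[ 3136.173937 / 01-01 01:06:49.549][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004
<12>[ 3136.174137 / 01-01 01:06:49.549][3] [LAF] read property item = ATT
<12>[ 3136.289486 / 01-01 01:06:49.659][2] [LAF] execvp failed. error = 2
<6>[ 3136.560128 / 01-01 01:06:49.939][3] pet_watchdog [enable : 1, jiffies : 4295250952, delay_time : 1000]
<12>[ 3142.384450 / 01-01 01:06:55.759][3] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000004
<12>[ 3142.384664 / 01-01 01:06:55.759][3] [LAF] read property item = ATT
<12>[ 3142.498642 / 01-01 01:06:55.869][3] [LAF] dmesg!!
"""

# <priority>[ uptime / MM-DD HH:MM:SS.mmm][cpu] message
LINE_RE = re.compile(
    r"^<(?P<prio>\d+)>\[\s*(?P<uptime>\d+\.\d+) / (?P<wall>[\d-]+ [\d:.]+)\]"
    r"\[(?P<cpu>\d+)\]\s?(?P<msg>.*)$"
)
MISMATCH_RE = re.compile(r"protocol version mismatch\. rcv = (\w+), dev = (\w+)")


class LafEvent(NamedTuple):
    uptime: float
    message: str
    rcv: Optional[str]  # "rcv" field of a mismatch line, kept as logged
    dev: Optional[str]  # "dev" field of a mismatch line, kept as logged


def parse_laf_events(text):
    """Return every [LAF] message in the log, in order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m["msg"].startswith("[LAF]"):
            continue
        msg = m["msg"][len("[LAF]"):].strip()
        v = MISMATCH_RE.search(msg)
        events.append(LafEvent(float(m["uptime"]), msg,
                               v.group(1) if v else None,
                               v.group(2) if v else None))
    return events


def version_pairs(events):
    """Count the distinct (rcv, dev) pairs seen in mismatch reports."""
    return Counter((e.rcv, e.dev) for e in events if e.rcv is not None)


def group_by_request(events):
    """Start a new group at each mismatch line (assumed: one host request each)."""
    groups = []
    for ev in events:
        if ev.rcv is not None or not groups:
            groups.append([])
        groups[-1].append(ev)
    return groups


if __name__ == "__main__":
    evs = parse_laf_events(SAMPLE_DMESG)
    for pair, count in version_pairs(evs).items():
        print("rcv=%s dev=%s seen %d time(s)" % (pair[0], pair[1], count))
    for group in group_by_request(evs):
        print("%.6f: %s" % (group[0].uptime, " | ".join(e.message for e in group[1:])))
```

Grouping this way makes it visible that the device logs the mismatch and still goes on to handle what follows: one request ends in `execvp failed. error = 2`, the other in `dmesg!!`.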
You bet your gosh dang angus beef I'm with you, but I've got a US996UCL so bootloader unlocking is a nono, but I hope this works... That said, I'm not a developer, but you have all my moral support and potentially monetary if needed and if possible.
same bro I'm with you if you could get this to work that'll be amazing and finally a 10p root
Also, if you need a lab rat, tell me, I've got my ways to unbrick and I'm completely willing to help anyway I can.
Hey Brian
It's great that you're doing this and I really hope you'll get some help from other able computer geniuses
I myself don't have the skills for this sort of thing.
On another note; I'm now using a G5, so I'm back sort of
I'm with you Brian. Thanks for your hard work.
Btw engineering BL doesn't work on TMO. Insta brick. This method had already been figured out. Look in the G5 forums. I believe the guy's name is fluffymittens or something.
I found this thread will this help https://forum.xda-developers.com/lg-g5/development/uppercut-lgup-loader-g5-variants-t3511295
Been sick as crap for a few days so this project (and pretty much everything else) got put on hold.
@me2151 I know the eng aboot doesn't work on H918. Those have a different key. The H918 doesn't need the eng aboot since they are able to unlock their boot loaders. I looked in the G5 forums, and I couldn't find anything that pertains to this. A link would sure be nice so that efforts aren't duplicated.
-- Brian
How can we use the eng aboot?
---------- Post added at 03:53 AM ---------- Previous post was at 03:43 AM ----------
I found something. *#546368#*996# (Use the number after your US/VS/H) and type that into your dialer, Go to SVC Menu and let's compare some things and see if there's anything we can use there.
---------- Post added at 04:01 AM ---------- Previous post was at 03:53 AM ----------
Oh, and what's this LGODM thing? Is there anything we can use from there?
---------- Post added at 04:03 AM ---------- Previous post was at 04:01 AM ----------
Is the US Open Market codename also Elsa_Nao? Or just Elsa
@JerichoAbles If you have a rooted v20 other than a US996 or H918 then you are using the engineering aboot. In order to root a modern Android phone, you need to be able to unlock the boot loader because if it isn't unlocked, then it does all kinds of nasty things like verify the integrity of the boot partition, and the recovery partition. So, if you have a locked boot loader, and you can't unlock it, you can't root your phone. The closest you are going to be able to come, is a root shell IF you can disable dm-verity without having the kernel stop booting. With an unlocked boot loader, you can flash whatever you want to your boot partition, and the phone will at least TRY to boot it. With a locked boot loader, the boot process would halt the minute the boot partition fails the RSA check.
So, what about the poor shmoes that can't unlock their boot loaders (everyone besides H918 and US996 owners raise your hands) -- well -- that is where the engineering boot loader comes into play. It is unlocked "from the factory".
Also, LG made a huge mistake and used the same RSA key in just about every variant of the V20. So, that is why the LS997, VS995, H910, H915, H990, H990DS can all use the engineering aboot. So the rest of us get to flash the eng aboot, and then we are free to flash twrp, a custom kernel, etc -- because it is unlocked, and does no verification.
If you have one of the above mentioned models that doesn't have a KDZ, and are still on ARB 0, dump your phone, flash a KDZ from one of the other models that is still rootable, and have fun. See my thread on how to root the H910 on v10m for an example.
Bottom line though -- it doesn't need to be that hard. We crack the LAF protocol, and we can send whatever we want, so for an H918 with an unlocked boot loader, only need to send TWRP to recovery and voilà -- root (or possibility of root). Right now the only thing that is preventing that is the fact that we don't understand the LAF protocol.
So what about the other models? Well, we send the eng aboot and TWRP -- and voilà -- root (or the possibility).
So with that said -- back to sniffing I go.
-- Brian
Oh -- now this is interesting. Massive qfuse debug incoming:
[QFUSE]qfusing_show start
[QFUSE]qfprom_verify_data start
[QFUSE]qfprom_secdat_read start
[QFUSE]qfprom_secdat_read : secdata file already loaded
[QFUSE]qfprom_result_check_data start
[QFUSE]qfprom_result_check_data: 0x70150 check complete
[QFUSE]qfprom_result_check_data: 10 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70158 check complete
[QFUSE]qfprom_result_check_data: 10 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70160 check complete
[QFUSE]qfprom_result_check_data: 50 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70188 check complete
[QFUSE]qfprom_result_check_data: 54 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70190 check complete
[QFUSE]qfprom_result_check_data: 55 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70190 check complete
[QFUSE]qfprom_result_check_data: 55 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70190 check complete
[QFUSE]qfprom_result_check_data: 75 fusing_verification
[QFUSE]qfprom_result_check_data: 0x701c8 check complete
[QFUSE]qfprom_result_check_data: f5 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70378 check complete
[QFUSE]qfprom_result_check_data: f7 fusing_verification
[QFUSE]qfprom_result_check_data: 0x703b0 check complete
[QFUSE]qfprom_result_check_data: ff fusing_verification
[QFUSE]qfprom_result_check_data end
[QFUSE]qfprom_verification_blow_data start
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70150, value:0xe000000
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70154, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70150 check complete
[QFUSE]qfprom_verification_blow_data: 10 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70158, value:0x6f007c3c
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7015c, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70158 check complete
[QFUSE]qfprom_verification_blow_data: 10 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70160, value:0xf000000
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70164, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70160 check complete
[QFUSE]qfprom_verification_blow_data: 50 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70188, value:0x104000
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7018c, value:0xf7bfbde0
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70188 check complete
[QFUSE]qfprom_verification_blow_data: 54 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70194, value:0x26c0031
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70190 check complete
[QFUSE]qfprom_verification_blow_data: 55 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70194, value:0x26c0031
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70190 check complete
[QFUSE]qfprom_verification_blow_data: 75 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70198, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7019c, value:0xf
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70198 check complete
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701c8, value:0x9a61f72c
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701cc, value:0x7268d27
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x701c8 check complete
[QFUSE]qfprom_verification_blow_data: f5 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701d0, value:0x79ea7e3f
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701d4, value:0x794b7fbb
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x701d0 check complete
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701d8, value:0x4821c249
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701dc, value:0x8e05ea7f
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x701d8 check complete
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701e0, value:0xfecf72a0
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x701e4, value:0x9614ce38
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x701e0 check complete
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70378, value:0x303030
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7037c, value:0x69000000
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x70378 check complete
[QFUSE]qfprom_verification_blow_data: f7 fusing_verification
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x703b0, value:0x73
[QFUSE]qfprom_read end
[QFUSE]qfprom_verification_blow_data: 0x703b0 check complete
[QFUSE]qfprom_verification_blow_data end
[QFUSE]verification_blow_value = ff
[QFUSE]qfprom_verify_data: verification success
[QFUSE]qfprom_verify_data end
[QFUSE]qfusing_show end
[LAF] read property item = H91810j
[LAF] read property item = V10j
[LAF] read property item = 0
[LAF] read property item = user
[LAF] read property item = LG-H918
[LAF] read property item = 7.0
[LAF] read property item = US
[LAF] read property item = TMO
[LAF] read property item = msm8996
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70198, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7019c, value:0xf
[QFUSE]qfprom_read end
[QFUSE]qfprom_is_version_enable : Anti-rollback fuse is blowed
[LAF] AR status? = E
[QFUSE]qfprom_read_version_show : Check rollback version
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70198, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7019c, value:0xf
[QFUSE]qfprom_read end
[QFUSE]qfprom_is_version_enable : Anti-rollback fuse is blowed
[QFUSE]qfprom_read_version_show : Selected version name <appsb
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x70168, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_read start
[QFUSE]qfprom_read address:0x7016c, value:0x0
[QFUSE]qfprom_read end
[QFUSE]qfprom_version_check : Version - 0
This validates a couple of my theories on how / when the QFPROM is updated, but also opens up some ideas as to how we can get around it (them).
-- Brian
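An added example, not part of the original post: a Python parser for the [QFUSE] debug lines above that works out which bits each `check complete` step adds to the running `fusing_verification` mask, collects the `qfprom_read` values per address, and pulls out the anti-rollback summary. The sample is a subset of lines copied from the dump; the function names are invented here, and treating the hex number before `fusing_verification` as a cumulative bitmask is a reading of the log, not documented behaviour.

```python
import re

# Subset of lines copied from the dump in the post above.
SAMPLE = """\
[QFUSE]qfprom_result_check_data start
[QFUSE]qfprom_result_check_data: 0x70150 check complete
[QFUSE]qfprom_result_check_data: 10 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70158 check complete
[QFUSE]qfprom_result_check_data: 10 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70160 check complete
[QFUSE]qfprom_result_check_data: 50 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70188 check complete
[QFUSE]qfprom_result_check_data: 54 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70190 check complete
[QFUSE]qfprom_result_check_data: 55 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70190 check complete
[QFUSE]qfprom_result_check_data: 55 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70190 check complete
[QFUSE]qfprom_result_check_data: 75 fusing_verification
[QFUSE]qfprom_result_check_data: 0x701c8 check complete
[QFUSE]qfprom_result_check_data: f5 fusing_verification
[QFUSE]qfprom_result_check_data: 0x70378 check complete
[QFUSE]qfprom_result_check_data: f7 fusing_verification
[QFUSE]qfprom_result_check_data: 0x703b0 check complete
[QFUSE]qfprom_result_check_data: ff fusing_verification
[QFUSE]qfprom_result_check_data end
[QFUSE]qfprom_read address:0x70198, value:0x0
[QFUSE]qfprom_read address:0x7019c, value:0xf
[QFUSE]qfprom_is_version_enable : Anti-rollback fuse is blowed
[LAF] AR status? = E
[QFUSE]qfprom_read address:0x70198, value:0x0
[QFUSE]qfprom_read address:0x7019c, value:0xf
[QFUSE]qfprom_read address:0x70168, value:0x0
[QFUSE]qfprom_read address:0x7016c, value:0x0
[QFUSE]qfprom_version_check : Version - 0
"""

READ_RE = re.compile(r"qfprom_read address:(0x[0-9a-f]+), value:(0x[0-9a-f]+)")
CHECK_RE = re.compile(r"qfprom_result_check_data: (0x[0-9a-f]+) check complete")
MASK_RE = re.compile(r"qfprom_result_check_data: ([0-9a-f]+) fusing_verification")


def fuse_reads(text):
    """Map each QFPROM address to the list of values logged for it, in order."""
    reads = {}
    for addr, val in READ_RE.findall(text):
        reads.setdefault(int(addr, 16), []).append(int(val, 16))
    return reads


def unstable_addresses(reads):
    """Addresses whose logged value differs between reads (worth a second look)."""
    return sorted(a for a, vals in reads.items() if len(set(vals)) > 1)


def verification_bits(text):
    """Walk the result_check_data stage.

    Returns ([(region_address, bits_newly_set)], final_mask).
    """
    steps, mask, region = [], 0, None
    for line in text.splitlines():
        check = CHECK_RE.search(line)
        if check:
            region = int(check.group(1), 16)
            continue
        logged = MASK_RE.search(line)
        if logged and region is not None:
            new_mask = int(logged.group(1), 16)
            steps.append((region, new_mask & ~mask))
            mask = new_mask
    return steps, mask


def rollback_summary(text):
    """Collect the anti-rollback lines into one record."""
    ar = re.search(r"\[LAF\] AR status\? = (\w+)", text)
    ver = re.search(r"qfprom_version_check : Version - (\d+)", text)
    return {
        "fuse_blown_reported": "Anti-rollback fuse is blowed" in text,
        "laf_ar_status": ar.group(1) if ar else None,
        "version": int(ver.group(1)) if ver else None,
    }


if __name__ == "__main__":
    steps, final = verification_bits(SAMPLE)
    for region, bits in steps:
        print("region 0x%x adds 0x%02x" % (region, bits))
    print("final mask 0x%02x" % final, rollback_summary(SAMPLE))
```

On the copied lines, the per-step bits add up to the final `ff` that the dump reports as `verification_blow_value` just before `verification success`.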
And some more interesting....
<6>[ 1.165317 / 01-01 00:00:01.159][3] -------------------------------------------------
<6>[ 1.165323 / 01-01 00:00:01.159][3] below logs are got from bootloader
<6>[ 1.165329 / 01-01 00:00:01.159][3] -------------------------------------------------
<6>[ 1.165335 / 01-01 00:00:01.159][3]
<6>[ 1.165394 / 01-01 00:00:01.159][3] B - 460763 - DPE_MEMC_STATUS_0: DDR0 0x0000FFFF, DDR1 0x0000FFFF
<6>[ 1.165432 / 01-01 00:00:01.159][3] B - 460794 - ch 2, cs 1, mr8 0x08080808
<6>[ 1.165489 / 01-01 00:00:01.159][3] B - 460794 - DPE_MEMC_STATUS_0: DDR0 0x0000FFFF, DDR1 0x0000FFFF
<6>[ 1.165561 / 01-01 00:00:01.159][3] B - 461038 - ddr_info: SKH ver=21914 ch=0x3 cs=0x3 rev1=0x4 rev2=0x0 mr8=0x8 hwrev=12
<6>[ 1.165595 / 01-01 00:00:01.159][3] B - 461038 - ddr_trained[36c,0x3]
<6>[ 1.165634 / 01-01 00:00:01.159][3] B - 461038 - ddr_initialize_device, Delta
<6>[ 1.165683 / 01-01 00:00:01.159][3] B - 461068 - DDR ID, Rank 0, Rank 1, 0x6, 0x400, 0x400
<6>[ 1.165720 / 01-01 00:00:01.159][3] B - 461129 - [DDR] remap_size: 4096MB
<6>[ 1.165770 / 01-01 00:00:01.159][3] B - 461129 - [DDR] remap_info CS0: 0x80000000, CS1: 0x0
<6>[ 1.165803 / 01-01 00:00:01.159][3] B - 461251 - Basic DDR tests done
<6>[ 1.165839 / 01-01 00:00:01.159][3] B - 517219 - boot_pre_longkey_check
<6>[ 1.165874 / 01-01 00:00:01.159][3] B - 517219 - powerkey release state
<6>[ 1.165905 / 01-01 00:00:01.159][3] B - 525149 - Image Load, Start
<6>[ 1.165940 / 01-01 00:00:01.159][3] B - 525240 - bootLUN:1, currentLUN:1
<6>[ 1.165978 / 01-01 00:00:01.159][3] B - 525240 - xbl is matched with bootLUN
<6>[ 1.166028 / 01-01 00:00:01.159][3] D - 976 - LGE SBL Image Loaded, Delta - (51579 Bytes)
<6>[ 1.166059 / 01-01 00:00:01.159][3] B - 526094 - clock_init, Start
<6>[ 1.166089 / 01-01 00:00:01.159][3] B - 526430 - Image Load, Start
<6>[ 1.166145 / 01-01 00:00:01.159][3] D - 3843 - QSEE Dev Config Image Loaded, Delta - (46200 Bytes)
<6>[ 1.166176 / 01-01 00:00:01.159][3] B - 530669 - Image Load, Start
<6>[ 1.166223 / 01-01 00:00:01.159][3] D - 2562 - APDP Image Loaded, Delta - (7768 Bytes)
<6>[ 1.166255 / 01-01 00:00:01.159][3] B - 533262 - Image Load, Start
<6>[ 1.166305 / 01-01 00:00:01.159][3] D - 55266 - QSEE Image Loaded, Delta - (1640900 Bytes)
<6>[ 1.166335 / 01-01 00:00:01.159][3] B - 588497 - Image Load, Start
<6>[ 1.166373 / 01-01 00:00:01.159][3] B - 589260 - QFPROM flag != QFPROMblown
<6>[ 1.166419 / 01-01 00:00:01.159][3] D - 762 - SEC Image Loaded, Delta - (4116 Bytes)
<6>[ 1.166460 / 01-01 00:00:01.159][3] B - 589809 - sbl1_efs_handle_cookies, Start
<6>[ 1.166500 / 01-01 00:00:01.159][3] D - 91 - sbl1_efs_handle_cookies, Delta
<6>[ 1.166531 / 01-01 00:00:01.159][3] B - 589931 - Image Load, Start
<6>[ 1.166580 / 01-01 00:00:01.159][3] D - 12139 - QHEE Image Loaded, Delta - (254184 Bytes)
<6>[ 1.166611 / 01-01 00:00:01.159][3] B - 602100 - Image Load, Start
<6>[ 1.166660 / 01-01 00:00:01.159][3] D - 11193 - RPM Image Loaded, Delta - (223932 Bytes)
<6>[ 1.166691 / 01-01 00:00:01.159][3] B - 613294 - Image Load, Start
<6>[ 1.166735 / 01-01 00:00:01.159][3] D - 0 - STI Image Loaded, Delta - (0 Bytes)
<6>[ 1.166765 / 01-01 00:00:01.159][3] B - 614087 - cable type is 8
<6>[ 1.166818 / 01-01 00:00:01.159][3] B - 789096 - pm_app_smbchg: TA/USB attached, battery present
<6>[ 1.166864 / 01-01 00:00:01.159][3] B - 789157 - Charger source: SDP before APSD rerun
<6>[ 1.166914 / 01-01 00:00:01.159][3] B - 790011 - [ADC][mvol=1789][hw_rev_table[12]=[1700]
<6>[ 1.166958 / 01-01 00:00:01.159][3] B - 798002 - [Display] SW49407_QHD_DSC_CMD_PANEL
<6>[ 1.166992 / 01-01 00:00:01.159][3] B - 798032 - panel_type = CMD_PANEL
<6>[ 1.167025 / 01-01 00:00:01.159][3] B - 805352 - Panel power on done
<6>[ 1.167060 / 01-01 00:00:01.159][3] B - 805352 - soc_version:0x00030001
<6>[ 1.167092 / 01-01 00:00:01.159][3] B - 850431 - Panel pre init done
<6>[ 1.167154 / 01-01 00:00:01.159][3] [0] logbuf_relocate_sbl_log: log_start=0x85e11040, log_size=0x815, end_time=0
<6>[ 1.167173 / 01-01 00:00:01.159][3] [0] welcome to lk
<6>[ 1.167179 / 01-01 00:00:01.159][3]
<6>[ 1.167200 / 01-01 00:00:01.159][3] [10] platform_init()
<6>[ 1.167219 / 01-01 00:00:01.159][3] [10] target_init()
<6>[ 1.167239 / 01-01 00:00:01.159][3] [10] RPM GLink Init
<6>[ 1.167271 / 01-01 00:00:01.159][3] [10] Opening RPM Glink Port success
<6>[ 1.167302 / 01-01 00:00:01.159][3] [10] Opening SSR Glink Port success
<6>[ 1.167347 / 01-01 00:00:01.159][3] [10] Glink Connection between APPS and RPM established
<6>[ 1.167393 / 01-01 00:00:01.159][3] [10] Glink Connection between APPS and RPM established
<6>[ 1.167450 / 01-01 00:00:01.159][3] [20] bootmode_set_board_revision: board revision value is 12 from smem
<6>[ 1.167479 / 01-01 00:00:01.159][3] [20] HW Rev(12), vol_up gpio(2)
<6>[ 1.167501 / 01-01 00:00:01.159][3] [30] UFS init success
<6>[ 1.167538 / 01-01 00:00:01.159][3] [70] SW3800_Authentication [vendor code: 1]
<6>[ 1.167571 / 01-01 00:00:01.159][3] [120] set_dload_mode: download_mode:0
This verifies the order that parts of the firmware are loaded in. It also invalidates that I thought they weren't loaded when in download mode. I can now verify download mode will still load even if they fail verification.
This also validates that booting from SD card is no longer possible:
Code:
<6>[ 1.165940 / 01-01 00:00:01.159][3] B - 525240 - bootLUN:1, currentLUN:1
<6>[ 1.165978 / 01-01 00:00:01.159][3] B - 525240 - xbl is matched with bootLUN
<6>[ 1.166028 / 01-01 00:00:01.159][3] D - 976 - LGE SBL Image Loaded, Delta - (51579 Bytes)
bootLUN is pulled from QFPROM, so they COULD have had SD card support, because ...... notice that SBL is a delta of XBL.
EDIT: my understanding of this was backwards. I now not only think it is possible to boot from SD card, but with a little more work, I am sure I can get it.
-- Brian
Oh now this is promising:
<12>[ 1725.910810 / 01-08 00:52:31.299][0] [LAF] default access list.
<12>[ 1725.910904 / 01-08 00:52:31.299][0] [LAF] use write protection for /dev/block/sda
<12>[ 1725.910945 / 01-08 00:52:31.299][0] [LAF] Not protected partition!!! /dev/block/sda
<12>[ 1725.911067 / 01-08 00:52:31.299][0] [LAF] success to open the flash driver, dev = /dev/block/sda, fd = 39
Unfortunately I don't want to flash an entire block device, I want to flash a partition. But this is a start. Heck, I could flash the entire block device as long as it was valid. That would mean pulling down sda, loopback mount the image so that I would have the partitions. Change them locally, and then send sda back to the phone.
More to come! But I can tell you that this IS happening. ANY LG phone will be rootable between this research, and the research on unlocking bootloaders on phones that don't have fastboot.
-- Brian
Well, I am still missing something that makes this writable:
/dev/block/sde1 is boot (IE: the kernel). It doesn't like me trying to write to that. UGH!!! Back to looking at packet sniffs. If LG UP can write to it, *I* can write to it.
<12>[ 590.222848 / 01-01 00:09:52.629][1] [LAF] Not protected partition!!! /dev/block/sde1
<5>[ 590.222992 / 01-01 00:09:52.629][1] audit: type=1400 audit(1451606992.629:5): avc: denied { read } for pid=483 comm="lafd" name="sde1" dev="tmpfs" ino=15965 scontext=u:r:vold:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
<12>[ 590.223035 / 01-01 00:09:52.629][1] [LAF] try open, fn = /dev/block/sde1, error = Permission denied, fd = -1, flag = 0
<12>[ 590.223098 / 01-01 00:09:52.629][1] [LAF] open failed, fn = /dev/block/sde1, error = Permission denied, fd = -1, flag = 0
<12>[ 590.223165 / 01-01 00:09:52.629][1] [LAF] laf_message.command = 0x4e45504f(OPEN)
<12>[ 590.223217 / 01-01 00:09:52.629][1] [LAF] laf_message.arg0 = 0x0
<12>[ 590.223264 / 01-01 00:09:52.629][1] [LAF] laf_message.arg1 = 0x0
<12>[ 590.223311 / 01-01 00:09:52.629][1] [LAF] laf_message.arg_opt0 = 0x0
<12>[ 590.223355 / 01-01 00:09:52.629][1] [LAF] laf_message.arg_opt1 = 0x0
<12>[ 590.223400 / 01-01 00:09:52.629][1] [LAF] laf_message.data_length = 0x10
<12>[ 590.223444 / 01-01 00:09:52.629][1] [LAF] laf_message.data_check = 0x5b2d
<12>[ 590.223487 / 01-01 00:09:52.629][1] [LAF] laf_message.magic = 0xb1baafb0
-- Brian
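An added example, not part of the original post and not lafd's or LG's code: a Python parser for the kernel-log lines quoted above that regroups the `laf_message` field dump, decodes the command word as a little-endian four-character tag, and pairs lafd's failed open with the SELinux denial logged for the same device node. The sample lines are reconstructed from the post; the check that `magic` is the bitwise complement of `command` is read off this single dump and is an assumption, not a documented rule.

```python
import os
import re
import struct

# Constructed sample: dmesg lines taken from the post above
# (tcontext written in the standard u:object_r form).
SAMPLE = """\
<12>[ 590.222848 / 01-01 00:09:52.629][1] [LAF] Not protected partition!!! /dev/block/sde1
<5>[ 590.222992 / 01-01 00:09:52.629][1] audit: type=1400 audit(1451606992.629:5): avc: denied { read } for pid=483 comm="lafd" name="sde1" dev="tmpfs" ino=15965 scontext=u:r:vold:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
<12>[ 590.223098 / 01-01 00:09:52.629][1] [LAF] open failed, fn = /dev/block/sde1, error = Permission denied, fd = -1, flag = 0
<12>[ 590.223165 / 01-01 00:09:52.629][1] [LAF] laf_message.command = 0x4e45504f(OPEN)
<12>[ 590.223217 / 01-01 00:09:52.629][1] [LAF] laf_message.arg0 = 0x0
<12>[ 590.223264 / 01-01 00:09:52.629][1] [LAF] laf_message.arg1 = 0x0
<12>[ 590.223311 / 01-01 00:09:52.629][1] [LAF] laf_message.arg_opt0 = 0x0
<12>[ 590.223355 / 01-01 00:09:52.629][1] [LAF] laf_message.arg_opt1 = 0x0
<12>[ 590.223400 / 01-01 00:09:52.629][1] [LAF] laf_message.data_length = 0x10
<12>[ 590.223444 / 01-01 00:09:52.629][1] [LAF] laf_message.data_check = 0x5b2d
<12>[ 590.223487 / 01-01 00:09:52.629][1] [LAF] laf_message.magic = 0xb1baafb0
"""

FIELD_RE = re.compile(r"\[LAF\] laf_message\.(\w+) = 0x([0-9a-fA-F]+)")
OPEN_FAIL_RE = re.compile(r"\[LAF\] open failed, fn = (\S+), error = ([^,]+),")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fourcc(value):
    """Decode a 32-bit command word as its little-endian ASCII tag."""
    return struct.pack("<I", value).decode("ascii", errors="replace")


def parse_messages(text):
    """Group consecutive laf_message.<field> lines into one dict per message."""
    messages, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if name == "command":  # each dump on the page starts with this field
            current = {}
            messages.append(current)
        if current is not None:
            current[name] = value
    return messages


def magic_matches(msg):
    """Assumption from the one dump on the page: magic == ~command (32-bit)."""
    return msg.get("magic") == (msg["command"] ^ 0xFFFFFFFF)


def parse_denials(text):
    """Return one dict per SELinux AVC denial, with its key=value fields."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["perms"] = m.group(1).split()
        denials.append(fields)
    return denials


def explain_open_failures(text):
    """Pair each failed lafd open with the denial naming the same device node."""
    denials = parse_denials(text)
    results = []
    for path, error in OPEN_FAIL_RE.findall(text):
        node = os.path.basename(path)
        for d in denials:
            if d.get("name") == node and d.get("comm") == "lafd":
                results.append((path, error.strip(), d["perms"],
                                d["scontext"], d["tcontext"]))
    return results


if __name__ == "__main__":
    for msg in parse_messages(SAMPLE):
        print(fourcc(msg["command"]), {k: hex(v) for k, v in msg.items()},
              "magic ok:", magic_matches(msg))
    for row in explain_open_failures(SAMPLE):
        print(row)
```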
Thanks for your effort. I rooted the same day Dirty Santa came out, but now it's gotten old and laggy asf due to rtcd and I get shut it off. Linux is too hard for me to set up.
runningnak3d said:
Oh now this is promising:
<12>[ 1725.910810 / 01-08 00:52:31.299][0] [LAF] default access list.
<12>[ 1725.910904 / 01-08 00:52:31.299][0] [LAF] use write protection for /dev/block/sda
<12>[ 1725.910945 / 01-08 00:52:31.299][0] [LAF] Not protected partition!!! /dev/block/sda
<12>[ 1725.911067 / 01-08 00:52:31.299][0] [LAF] success to open the flash driver, dev = /dev/block/sda, fd = 39
Unfortunately I don't want to flash an entire block device, I want to flash a partition. But this is a start. Heck, I could flash the entire block device as long as it was valid. That would mean pulling down sda, loopback mount the image so that I would have the partitions. Change them locally, and then send sda back to the phone.
More to come! But I can tell you that this IS happening. ANY LG phone will be rootable between this research, and the research on unlocking bootloaders on phones that don't have fastboot.
-- Brian
That is just amazing. You're a genius... Thank you so much for your devotion and time.
You're welcome, but the genius work is still to come
Unfortunately it looks like I am going to have to pay for Hopper (the arm64 decompiler). The trial only gives you 30 minutes and then you have to reload -- and that is a PAIN.
[LAF] not found access list. 0000g
That right there is why I am going to have to reverse lafd. It appears that there is an access list that is stored, but it doesn't appear to be per partition. I sent a valid access list straight from an LG UP dump, and I can't get it to write. 0000 above was just me testing something....
Anyway -- more to come.
-- Brian
Thank you for giving the rest of us V20 owners hope
So - step1 - DONE! I can pull an image off a phone.
I know -- not really the way we want to go, but getting the ability to DUMP partitions is just as important as being able to write them. Also, I don't risk blowing up my phones by dumping data. I am going to have to do this a couple of times and do diffs of dumps that I make the "normal" way to make sure that they are identical all the time and there isn't some weird timing thing that I missed. Also, can't just issue an OPEN command, and then a READ command and have it go -- YEA! HERE have a partition. Even after all the setup is done for the READ to start, you can only read 4megs at a time. I could probably crank that up to 8megs, but anything over 8 megs locks up lafd. I am guessing it is some kind of buffer limit. Anyway, have to read, and then concatenate, wash / rinse / repeat. But there is another PITA. I know how big a partition is because I already have rooted phones so once I figured out that you can't read past the end of the block or ERRRR lafd locks up. I still have to find a way (and I KNOW it is there because when LG UP runs lafd dumps out all kinds of size info) to read the size. But I still have megs and megs of packet dumps to go through. Once I have the ability to get the size of partitions, then it will be time to start working on writing them. That actually won't be as hard now that I know how to read them.
Once we have all three, I am now 100% confident that every single LG phone currently on the market will be rootable. Some will require a little more research. For example, trial and error getting a boot loader unlocked. The good news is that as long as you have a KDZ you won't brick your phone, and when it is figured out for one model, it is for all of the same version. So, for example, I did for the H910 -- so all V20s can have their boot loaders unlocked without the engineering aboot.
Anywho -- that is enough playing tonight.
EDIT: I will open up a github and add ALL kinds of documentation to the wiki, but for now, just a little insight as to what is needed:
You have a handful of commands:
HELO
EXEC
READ
OPEN
KILO CENT
KILO METR
INFO GPRO
INFO SPRO
CLSE
SIGN
OPCM CHEK
MISC WRTE
CHCK CLER
WRTE
-- Brian

Magisk issues

Hi,
I updated my phone to the June 2019 security patch via factory image.
I then rooted the phone via patched boot image method.
Root is working (Safetynet passes, Magisk Hide is working etc) but I am having two major issues.
1. If I try to hide Magisk Manager (repackaged APK) I lose root. Uninstalling Magisk Manager and reinstalling fixes the issue
2. If I click the superuser tab, Magisk crashes.
Any ideas? I also posted in the general Magisk help thread.
Thanks in advance!
EDIT: I was able to fix 2 by force stopping Magisk Manager, deleting cache/app data and restarting. I don't really have a need for 1 at the moment so I think I'll leave it as is for now.
EDIT 2: Seems like the issue only happens when using the light theme? I am using the dark theme now and don't experience the same issues.
EDIT 3: NVM... the issue is back. Doesn't matter if I clear cache/app data or which theme I use.. it keeps randomly crashing when going to the superuser tab
Below is the logcat if it's at all helpful
Code:
[ 06-19 19:07:14.546 1162: 1200 I/ActivityManager ]
Start proc 4487:com.google.android.apps.maps/u0a101 for broadcast com.google.android.apps.maps/com.google.android.apps.gmm.navigation.service.detection.StartDetectionReceiver
--------- beginning of crash
[ 06-19 19:07:14.701 2386: 2386 E/AndroidRuntime ]
FATAL EXCEPTION: main
Process: com.topjohnwu.magisk, PID: 2386
java.lang.IndexOutOfBoundsException: Inconsistency detected. Invalid view holder adapter positionViewHolder{348cd71 position=1 id=-1, oldPos=0, pLpos:0 scrap [attachedScrap] tmpDetached not recyclable(1) no parent} androidx.recyclerview.widget.RecyclerView{9833892 VFED..... ......ID 0,0-1080,1868 #7f09016f app:id/superuser_content}, adapter:[email protected], layout:[email protected], context:[email protected]
at androidx.recyclerview.widget.RecyclerView$v.a(SourceFile:55)
at androidx.recyclerview.widget.RecyclerView$v.b(SourceFile:1)
at androidx.recyclerview.widget.LinearLayoutManager$c.a(SourceFile:4)
at androidx.recyclerview.widget.LinearLayoutManager.a(Unknown Source:0)
at androidx.recyclerview.widget.LinearLayoutManager.a(SourceFile:3)
at androidx.recyclerview.widget.LinearLayoutManager.c(SourceFile:22)
at androidx.recyclerview.widget.RecyclerView.e(SourceFile:2)
at androidx.recyclerview.widget.RecyclerView.d(Unknown Source:29)
at androidx.recyclerview.widget.RecyclerView.onLayout(Unknown Source:5)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.FrameLayout.layoutChildren(FrameLayout.java:323)
at android.widget.FrameLayout.onLayout(FrameLayout.java:261)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.FrameLayout.layoutChildren(FrameLayout.java:323)
at android.widget.FrameLayout.onLayout(FrameLayout.java:261)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at a.w60.b(SourceFile:2)
at a.x60.a(Unknown Source:0)
at androidx.coordinatorlayout.widget.CoordinatorLayout.onLayout(Unknown Source:42)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at androidx.drawerlayout.widget.DrawerLayout.onLayout(Unknown Source:56)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.FrameLayout.layoutChildren(FrameLayout.java:323)
at android.widget.FrameLayout.onLayout(FrameLayout.java:261)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.LinearLayout.setChildFrame(LinearLayout.java:1812)
at android.widget.LinearLayout.layoutVertical(LinearLayout.java:1656)
at android.widget.LinearLayout.onLayout(LinearLayout.java:1565)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.FrameLayout.layoutChildren(FrameLayout.java:323)
at android.widget.FrameLayout.onLayout(FrameLayout.java:261)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.LinearLayout.setChildFrame(LinearLayout.java:1812)
at android.widget.LinearLayout.layoutVertical(LinearLayout.java:1656)
at android.widget.LinearLayout.onLayout(LinearLayout.java:1565)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.widget.FrameLayout.layoutChildren(FrameLayout.java:323)
at android.widget.FrameLayout.onLayout(FrameLayout.java:261)
at com.android.internal.policy.DecorView.onLayout(DecorView.java:753)
at android.view.View.layout(View.java:20672)
at android.view.ViewGroup.layout(ViewGroup.java:6194)
at android.view.ViewRootImpl.performLayout(ViewRootImpl.java:2799)
at android.view.ViewRootImpl.performTraversals(ViewRootImpl.java:2316)
at android.view.ViewRootImpl.doTraversal(ViewRootImpl.java:1463)
at android.view.ViewRootImpl$TraversalRunnable.run(ViewRootImpl.java:7190)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:949)
at android.view.Choreographer.doCallbacks(Choreographer.java:761)
at android.view.Choreographer.doFrame(Choreographer.java:696)
[ 06-19 19:07:14.701 2386: 2386 E/AndroidRuntime ]
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:935)
at android.os.Handler.handleCallback(Handler.java:873)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:193)
at android.app.ActivityThread.main(ActivityThread.java:6718)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
[ 06-19 19:07:14.705 1162: 1911 W/ActivityManager ]
Force finishing activity com.topjohnwu.magisk/a.b
[ 06-19 19:07:14.731 1162: 3000 I/ActivityManager ]
Process com.topjohnwu.magisk (pid 2386) has died: vis +99TOP

Screen and dt2w issue - can someone post logs to help?

I've been tracing down an issue related to double tap to wake and my OP6 screen and maybe the proximity sensor. I originally thought it was just an app misbehaving or one of the custom roms (crdroid 7.x and 6.x) coding, but after trying a bunch of stock OOS 9.x and 10.x ROMs, as well as other custom ROMs, and doing full recovery/restores w/ msmdownload tool, the problem now seems more hardware related than software.
It began when I realized that when dt2w (or gestures) was enabled in settings, not only didn't those features work (ever), but I also experienced very high battery drain through the night when the phone was supposed to be in deep doze mode. Double-tap-to-sleep works fine. Otherwise, screen and phone are behaving normally. I've been investigating everything from wakelocks to the light/deep doze modes (deviceidle) to sensors to synaptics stuff. The problem is definitely not wakelock related. Upon deeper investigation, I've narrowed it down to a few things.
When dt2w is enabled, the phone actually IS going into both light and deep doze modes. But the battery drain per hour is similar to normal/active (app 2.5%/hr). Obviously something (the screen?) is still draining battery despite the phone being in doze mode ('dumpsys deviceidle' confirms the display is off and locked). I can just keep the dt2w disabled, so it's not a huge problem, but I would very much like to get that feature (and gestures) working, and understand wtf is going on.
I've read that it could be a proximity sensor calibration issue. I've run some testing apps on the sensors and they seem ok. Proximity sensor definitely fires on/off while testing and watching logs in realtime. (Also the screen turns off when I am on phone call, and back on again when moving phone further away - as it should). I should have done the calibration thing in engineering mode when I rolled back to 9.0.2. But now I'm back at 10.3.9. I did a msmdownloadtool upgrade, which went fine, but had no impact on the problem. The synaptics firmware is obviously involved. OOS 10.3.9 uses fw_synaptics_17819.img. The logs were flooded with synaptics-related entries and errors.
I would like to compare my logs against other OP6's logs. Just need to confirm a couple of things.
1) Upon reboot, this dmesg log shows that the synaptics driver is attempting to update (flash) its firmware! It tries twice, fails, and moves on. Is this normal behaviour on OP6 boot?
OnePlus6:/ # dmesg -Tw | grep syna
Code:
[Wed May 5 22:07:01 2021] synaptics,s3320: tpd_driver_init enter
[Wed May 5 22:07:01 2021] synaptics,s3320: before on cpu [4]
[Wed May 5 22:07:01 2021] synaptics,s3320: check CPU[0] is [online]
[Wed May 5 22:07:02 2021] synaptics,s3320: after on cpu [0]
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_ts_probe is called
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts ts->support_hw_poweroff =1
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics,tx-rx-num is 15 30
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptic:ts->irq_gpio:125 irq_flags:8200 max_num 10
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts: avdd current = 20000
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts:avdd_vmin=3008000,avdd_vmax=3008000
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts: Failed to get regulator vdd current
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts: Failed to get regulator vdd voltage
[Wed May 5 22:07:02 2021] synaptics,s3320: F12_2D_QUERY_BASE = 4a \x0a \x09\x09\x09F12_2D_CMD_BASE = 0 \x0a\x09\x09\x09F12_2D_CTRL_BASE\x09= 13 \x0a\x09\x09\x09F12_2D_DATA_BASE\x09= 8 \x0a\x09\x09\x09
[Wed May 5 22:07:02 2021] synaptics,s3320: F34_FLASH_QUERY_BASE = 23 \x0a\x09\x09\x09F34_FLASH_CMD_BASE\x09= 0 \x0a\x09\x09\x09F34_FLASH_CTRL_BASE\x09= c \x0a\x09\x09\x09F34_FLASH_DATA_BASE\x09= 0 \x0a\x09\x09\x09
[Wed May 5 22:07:02 2021] synaptics,s3320: F54_QUERY_BASE = 43 \x0a\x09\x09\x09F54_CMD_BASE = 42 \x0a\x09\x09\x09F54_CTRL_BASE\x09= e \x0a\x09\x09\x09F54_DATA_BASE\x09= 0 \x0a\x09\x09\x09
[Wed May 5 22:07:02 2021] synaptics,s3320: before fw update bootloader_mode[0x0]
[Wed May 5 22:07:02 2021] synaptics,s3320: CURRENT_FIRMWARE_ID = 0xad00902100000000
[Wed May 5 22:07:02 2021] synaptics,s3320: max_x = 1080,max_y = 2280; max_x_ic = 1079,max_y_ic = 2279
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_soft_reset !!!
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_tpedge_limitfunc limit_enable =1,mode:0x41 !
[Wed May 5 22:07:02 2021] input: synaptics,s3320 as /devices/platform/soc/a90000.i2c/i2c-3/3-0020/input/input2
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptic:ts->irq is 377
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_ts_probe 3203: normal end
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics bootmode 0 !
[Wed May 5 22:07:09 2021] synaptics,s3320: changer_write_func:ts->changer_connet = 1
[Wed May 5 22:07:10 2021] synaptics,s3320: synaptics bootmode 0 !
[Wed May 5 22:07:10 2021] synaptics,s3320: start update ******* fw_name:tp/fw_synaptics_17819.img,ts->manu_name:S3706B
[Wed May 5 22:07:10 2021] synaptics,s3320: enter version 17819 update mode
[Wed May 5 22:07:10 2021] synaptics,s3320: FW_ID:2744099--CONFIG_ID FW_NAME:tp/fw_synaptics_17819.img
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Device firmware ID = 2744099
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Image firmware ID = 2827775
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Updating UI firmware and config
[Wed May 5 22:07:11 2021] synap rmidev_create_attr
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: End of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320: FW update not success try again
[Wed May 5 22:07:11 2021] synaptics,s3320: FW_ID:2744099--CONFIG_ID FW_NAME:tp/fw_synaptics_17819.img
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo force update firmware
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo: Updating UI firmware and config
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_start_reflash: End of reflash process
[Wed May 5 22:07:12 2021] synaptics,s3320: FW update failed twice, quit updating process!
[Wed May 5 22:07:34 2021] synaptics,s3320: start get base data:1
[Wed May 5 22:07:34 2021] synaptics,s3320: set_doze_time: set doze time: 1
[Wed May 5 22:07:34 2021] synaptics,s3320: reset doze time
[Wed May 5 22:07:34 2021] synaptics,s3320: synaptics_tpedge_limitfunc limit_enable =1,mode:0x41 !
[Wed May 5 22:07:34 2021] synaptics,s3320: all finger up
[Wed May 5 22:07:37 2021] synaptics,s3320: all finger up
[Wed May 5 22:07:42 2021] synaptics,s3320: all finger up
2) When dt2w is enabled, watching dmesg in realtime, the phone starts generating (spamming the log) with the following error messages non-stop, but ONLY when in an inactive state (screen is off, etc). As soon as the state becomes active (screen on), the errors stop.
Code:
[Wed May 5 22:44:21 2021] synaptics,s3320 3-0020: synaptics_rmi4_i2c_read_block: I2C read over retry limit
[Wed May 5 22:44:21 2021] synaptics,s3320: Synaptic:ret = -5
[Wed May 5 22:44:21 2021] synaptics,s3320: synaptics_hard_reset !!!
Also get some of these: ("dose mode" lol)
Code:
[19677.286066] synaptics,s3320: synaptics_hard_reset !!!
[19677.306065] synaptics,s3320: synaptics_enable_interrupt_for_gesture: select page failed ret = -5
[19677.306715] i2c_geni a90000.i2c: i2c error :-107
[19677.306877] i2c_geni a90000.i2c: i2c error :-107
[19677.306894] synaptics,s3320: synaptics_mode_change: set dose mode[0xb0] err!!
3) With dt2w disabled, when awakened from screen off, it generates these two messages:
Code:
synaptics,s3320: synaptics_mode_change: set dose mode[0xb0] err!!
synaptics_tpedge_limitfunc limit_enable =1,mode:0x7f !
4) Can you confirm that you have /system/vendor/etc/firmware/tp/fw_synaptics_17819.img and that that is what the boot dmesg log is showing?
5) Proximity sensor:
Code:
05-06 19:06:56.550 9209 9209 I Dialer : AudioModeProvider.getApproximatedAudioRoute - Routing to earpiece
05-06 19:06:56.619 860 860 I sensors-hal: batch:183, android.sensor.proximity/6, period=200000000, max_latency=0
05-06 19:06:56.619 860 860 I sensors-hal: batch:192, android.sensor.proximity/6, period=200000000, max_latency=0 request completed
05-06 19:06:56.619 860 860 I sensors-hal: activate:150, android.sensor.proximity/6 en=1
05-06 19:06:56.623 860 860 I sensors-hal: activate:161, android.sensor.proximity/6 en=1 completed
05-06 19:06:56.655 860 19060 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=11, crosstalk=0, timestamp=67223704860956
05-06 19:06:58.719 860 860 I sensors-hal: activate:150, android.sensor.proximity/6 en=0
05-06 19:06:58.719 860 860 I sensors-hal: activate:161, android.sensor.proximity/6 en=0 completed
05-06 19:07:09.529 860 900 I sensors-hal: batch:183, android.sensor.proximity/6, period=200000000, max_latency=0
05-06 19:07:09.529 860 900 I sensors-hal: batch:192, android.sensor.proximity/6, period=200000000, max_latency=0 request completed
05-06 19:07:09.529 860 900 I sensors-hal: activate:150, android.sensor.proximity/6 en=1
05-06 19:07:09.544 860 900 I sensors-hal: activate:161, android.sensor.proximity/6 en=1 completed
05-06 19:07:09.577 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=1, distance=0.000000, raw_adc=255, crosstalk=0, timestamp=67236625352206
05-06 19:07:10.388 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=33, crosstalk=0, timestamp=67237433905227
05-06 19:07:11.487 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=1, distance=0.000000, raw_adc=123, crosstalk=0, timestamp=67238531122831
05-06 19:07:12.525 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=28, crosstalk=0, timestamp=67239570519081
05-06 19:07:13.626 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=1, distance=0.000000, raw_adc=117, crosstalk=0, timestamp=67240667706320
05-06 19:07:14.430 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=19, crosstalk=0, timestamp=67241476122102
05-06 19:07:15.430 860 900 I sensors-hal: activate:150, android.sensor.proximity/6 en=0
05-06 19:07:15.432 860 900 I sensors-hal: activate:161, android.sensor.proximity/6 en=0 completed
05-06 19:07:16.109 1046 1046 I Telecom : ProximitySensorManager: All calls removed, resetting proximity sensor to default state: CSW.rC->[email protected]
Thank you.
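An added example, not from the original post or the driver source: a Python summary of the touch-controller lines quoted above. It reduces a boot dmesg to the reflash attempts (device and image firmware IDs, forced or not, the error reported) and counts the I2C retry-limit and hard-reset messages, so two phones' logs can be compared field by field. The sample is a constructed subset of the post's log lines.

```python
import re

# Constructed sample: a subset of the dmesg lines quoted in the post above.
SAMPLE = """\
[Wed May 5 22:07:10 2021] synaptics,s3320: start update ******* fw_name:tp/fw_synaptics_17819.img,ts->manu_name:S3706B
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Device firmware ID = 2744099
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Image firmware ID = 2827775
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Updating UI firmware and config
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: End of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320: FW update not success try again
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo force update firmware
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo: Updating UI firmware and config
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_start_reflash: End of reflash process
[Wed May 5 22:07:12 2021] synaptics,s3320: FW update failed twice, quit updating process!
[Wed May 5 22:44:21 2021] synaptics,s3320 3-0020: synaptics_rmi4_i2c_read_block: I2C read over retry limit
[Wed May 5 22:44:21 2021] synaptics,s3320: Synaptic:ret = -5
[Wed May 5 22:44:21 2021] synaptics,s3320: synaptics_hard_reset !!!
"""

FW_NAME_RE = re.compile(r"fw_name:([^,\s]+)")
FW_ID_RE = re.compile(r"(Device|Image) firmware ID = (\d+)")
FLASH_ERR = "fwu_enter_flash_prog:"


def summarize(text):
    """Reduce synaptics dmesg lines to reflash attempts and error counters."""
    summary = {"fw_name": None, "attempts": [], "gave_up": False,
               "i2c_retry_exhausted": 0, "hard_resets": 0}
    attempt = None
    for line in text.splitlines():
        if "synaptics" not in line:
            continue
        m = FW_NAME_RE.search(line)
        if m:
            summary["fw_name"] = m.group(1)
        if "Start of reflash process" in line:
            attempt = {"device_id": None, "image_id": None,
                       "forced": False, "error": None}
            summary["attempts"].append(attempt)
        elif attempt is not None:
            m = FW_ID_RE.search(line)
            if m:
                attempt[m.group(1).lower() + "_id"] = int(m.group(2))
            elif "force update firmware" in line:
                attempt["forced"] = True
            elif FLASH_ERR in line:
                attempt["error"] = line.split(FLASH_ERR, 1)[1].strip()
            elif "End of reflash process" in line:
                attempt = None
        if "FW update failed twice" in line:
            summary["gave_up"] = True
        if "I2C read over retry limit" in line:
            summary["i2c_retry_exhausted"] += 1
        if "synaptics_hard_reset" in line:
            summary["hard_resets"] += 1
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("firmware image:", result["fw_name"])
    for n, a in enumerate(result["attempts"], 1):
        print(f"attempt {n}: {a}")
    print("gave up:", result["gave_up"],
          "| I2C retry-limit errors:", result["i2c_retry_exhausted"],
          "| hard resets:", result["hard_resets"])
```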
No love?
C'mon OP6 owners! It'll take you 5 minutes. A simple dmesg log right after boot.
Code:
dmesg -T | grep synaptics
Nobody? Can't post a simple log?
Geez. This site has changed a lot over the years. Back in the day, there would have been plenty of people replying to help with such a simple request. Seems like now, xda is mostly posts about one feature or another of a custom rom not working as expected.
