KDZ structure -- mapping it out - LG V20 Guides, News, & Discussion

I didn't realize just how much was still unknown about the KDZ structure. In order to use the SDcard with pub file method to root, we are going to have to completely document the KDZ structure in order to make a completely valid KDZ.
This isn't a KDZ that will be flashable with LG UP since the SIGN payload will be signed with our private key. However, the rest of the KDZ has to be 100% valid.
If you have links to any existing documentation, please post them ... even if they are for old-format KDZs.
-- Brian

I imagine you've already seen this, but if not: https://github.com/ehem/kdztools/wiki/KDZ-File-Format-Detail
There don't seem to be many attempts to reverse the format. Many people seem to rely on LG's internal tool "UpTextEx" to generate KDZ files.
I'll let you know if I find anything more useful.
Edit: "UpTestEx", sorry typo.


I think I figured out how to get past the bootloader HEHE

I am still testing but... well another user gave us the info to the update file... and it gives us the radio.img, the boot.img, and an editable system folder... I wonder if it will let you update it if you change the files... Wonder if you can sign it yourself.
Well please do let us know!
It is too late to do it tonight (for me anyways). I will be deleting files and seeing if it keeps its signed status tomorrow (you know how HTC likes everything signed a certain way LOL). Will keep you informed. BTW there is another thread with the file.
You get that structure from the following file:
https://android.clients.google.com/updates/signed-kila-ota-115247-prereq.TC4-RC19+RC28.zip
Making the customised image is not an issue, but how can we sign it to possibly load it on the device?
We must get a cracked bootloader to flash unsigned objects and files, like we have done so far on Windows-based HTC devices.
Yeah, I think that the signature of those files (found in the MANIFEST.MF) is crucial to get it to flash.
If, however, you can get it to flash with those things changed - that'd be pretty awesome.
The easiest way to test it, I think, would be to leave the files intact but to alter one of the signatures in the MANIFEST.MF file so that you are effectively breaking the signing (which is the same thing changing one of those files would do). Once you have done that, if the device will still flash then you KNOW you are in business.
Just don't want to waste a lot of time building some sweet image only to find out you can't do anything with it.
Just my 2 cents.
The other question is - once you've run an update from the SD card with the RC29 update can you re-run the update?
RyeBrye said:
The easiest way to test it, I think, would be to leave the files intact but to alter one of the signatures in the MANIFEST.MF file so that you are effectively breaking the signing (which is the same thing changing one of those files would do). Once you have done that, if the device will still flash then you KNOW you are in business.
{...}
The other question is - once you've run an update from the SD card with the RC29 update can you re-run the update?
I can test it out for you. Just change any value in the file?
And someone else had stated that you can re-update, but I'll try it again with the file changed.
Okay... so you can run the update again, just confirming.
I removed a ringtone from the /system/media/audio/ringtones but didn't change anything in the MANIFEST.MF file.
"Verification failed
Installation aborted."
Next I'll try to change the value for it in the MANIFEST.MF file and see if it goes through.
Changing the MANIFEST.MF file failed because it checks with CERT.SF.
Changing CERT.SF to be the same.
Now I got the following
E:No signature (414 files)
E: Verification failed
Installation aborted.
Time to tinker away... If someone can guide me just a little, that would be appreciated. I'm still going to waste my time doing whatever "I believe" is progress in the meantime.
quedijo said:
Now I got the following
E:No signature (414 files)
E: Verification failed
Installation aborted.
Time to tinker away... If someone can guide me just a little, that would be appreciated. I'm still going to waste my time doing whatever "I believe" is progress in the meantime.
I wish I knew anything about Linux permissions; I would like to help.
apatcas said:
I wish I knew anything about Linux permissions; I would like to help.
Thoughts count as well.
I got to go do a job right quick... should be back in 4 hrs or less, I hope.
I'll try to help as much as I can.
I'll look into how the manifest works, I'll work on it as much as I can.
Let's get this baby customized
The cert is referencing a checksum to the manifest. It seems that they are using sha1-digest as stated plainly in the manifest file but I believe it is further encoded by base32 encoding. Does anybody have a base32 encoder handy?
Digests and the Signature File JDK
I believe the second line in CERT.SF is a hash for MANIFEST.MF. You need that hash to match the hash for the actual file MANIFEST.MF. There could be something that also hashes CERT.SF to see if you messed with it, but I don't see that right now.
So, edit CERT.SF so the line:
SHA1-Digest-Manifest: lsGC/wXGYwKahxByTQdTNs2K5oY=
Matches the SHA1-Digest (in base32) of MANIFEST.MF and try again.
Just to clear up some things for those following this thread...
The update image is signed with a private key by either HTC or Google (honestly not sure which, probably google). When your phone receives the image it decrypts the signature with each of the public keys it has installed, if one matches it installs.
The keys are made in pairs, the private key (which only the signer has and we will not obtain) signs and the public key (which is installed on the device as trusted) is used to decrypt.
Of course if someone can manage root access to the phone through one of the processes running as root by using a buffer overflow or something of that nature we can simply add OUR OWN public key to the phone's repository, and sign our images with OUR OWN private key. This would allow a new image to be made that once installed could auto-check for updates and pull off the same kind of update process that we see with rc29...
netcmd said:
I believe the second line in CERT.SF is a hash for MANIFEST.MF. You need that hash to match the hash for the actual file MANIFEST.MF. There could be something that also hashes CERT.SF to see if you messed with it, but I don't see that right now.
So, edit CERT.SF so the line:
SHA1-Digest-Manifest: lsGC/wXGYwKahxByTQdTNs2K5oY=
Matches the SHA1-Digest (in base32) of MANIFEST.MF and try again.
It is the hash for MANIFEST.MF.
I did that and still gives the following:
E:No signature (414 files)
E:Verification failed
syrusfrost said:
Just to clear up some things for those following this thread...
The update image is signed with a private key by either HTC or Google (honestly not sure which, probably google). When your phone receives the image it decrypts the signature with each of the public keys it has installed, if one matches it installs.
The keys are made in pairs, the private key (which only the signer has and we will not obtain) signs and the public key (which is installed on the device as trusted) is used to decrypt.
Of course if someone can manage root access to the phone through one of the processes running as root by using a buffer overflow or something of that nature we can simply add OUR OWN public key to the phone's repository, and sign our images with OUR OWN private key. This would allow a new image to be made that once installed could auto-check for updates and pull off the same kind of update process that we see with rc29...
@syrusfrost: It's true that the zip is signed with a private key from HTC, however we can easily resign the package using our own key. The question is will the G1 accept this?
Has anyone tried resigning the application with jarsigner? The errors people have been listing, and the files located in META-INF, correspond to the same errors you get after patching a Dalvik executable (dex file) and not resigning the package.
If the system files are NOT verifying it against the specific HTC key we should be able to resign and have it accept our own update file...
I'm currently not at my development machine but I'm thinking we might be able to get somewhere using the permissions.xml file located in /system/etc/ - though this is considered a 'read-only' file in both the emulator and in the G1 hardware, so changing it has thus far not been possible... Possibly a minor change like the following:
Code:
<!-- Test to see if we can gain cache access by assigning permissions and getting new
update -->
<assign-permission name="android.permission.ACCESS_CACHE_FILESYSTEM" uid="shell" />
Then resigning the whole package would let us get access to the /data/dalvik-cache system? Any takers on my... Seemingly stretching assumption?
strazzere said:
Then resigning the whole package would let us get access to the /data/dalvik-cache system? Any takers on my... Seemingly stretching assumption?
Okay, bear with me. I want instructions on how to get the SHA1-digest of a file.
I found some instructions to use PHP and I can boot a LiveUSB distro of Fedora but I'm still a bit lost.
I have installed CyoHash for Vista and the SHA1 base64 values are exactly the same as the ones in the MANIFEST.MF but different for CERT.SF.
So are the hashes for MANIFEST.MF SHA1 base64 and SHA1-Digest base32 for CERT.SF?
quedijo said:
Okay, bear with me. I want instructions on how to get the SHA1-digest of a file.
I found some instructions to use PHP and I can boot a LiveUSB distro of Fedora but I'm still a bit lost.
I have installed CyoHash for Vista and the SHA1 base64 values are exactly the same as the ones in the MANIFEST.MF but different for CERT.SF.
So are the hashes for MANIFEST.MF SHA1 base64 and SHA1-Digest base32 for CERT.SF?
I think MANIFEST.MF is just a regular hash checking file to make sure all files are there, while CERT.SF is the one that makes sure they are signed by the RSA.
EDIT: CERT.SF is signed with HMAC-SHA1. The RSA is the public key used to decrypt the hash correctly. I believe this means we can definitely use our own private/public keys to sign the package.
Anyone wanna help me figure out how to sign a HMAC-SHA1?
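The digest chain this thread is probing (per-file SHA1-Digest lines in MANIFEST.MF, the SHA1-Digest-Manifest line plus per-entry digests in CERT.SF, and a signature over CERT.SF in CERT.RSA) is the standard JAR signing layout that Android update zips reuse. The following example was added for this page and is not code from any poster or from Android's tools; it builds a small constructed update zip in memory, regenerates the two META-INF text files the way the JDK's "Digests and the Signature File" documentation describes them, and then checks the chain. It reproduces the two failures reported earlier in the thread: removing a file without touching META-INF fails the MANIFEST.MF check, and regenerating MANIFEST.MF without regenerating CERT.SF fails the SHA1-Digest-Manifest check. Digests in both files are base64 (not base32) of the raw SHA-1, which is why the values in MANIFEST.MF matched a base64 SHA-1 tool. The file names and contents are constructed sample data. What this script deliberately does not model is the CERT.RSA signature over CERT.SF, which is where a device's trust actually rests: a consistent digest chain proves only that the zip matches its own manifest, not who produced it.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample payload standing in for an update's contents.
SAMPLE_FILES = {
    "system/build.prop": b"ro.build.display.id=RC29\n",
    "system/media/audio/ringtones/Ring.ogg": b"OggS\x00\x02constructed",
}


def b64_sha1(data: bytes) -> str:
    """JAR-style digest: base64 of the raw 20-byte SHA-1 (28 chars ending in '=')."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def sections(blob: bytes):
    """Split MANIFEST.MF / CERT.SF into (main section, [entry sections]), raw bytes kept,
    because CERT.SF digests are computed over the exact bytes of each manifest section."""
    parts = [p + b"\r\n\r\n" for p in blob.split(b"\r\n\r\n") if p]
    return parts[0], parts[1:]


def parse_attrs(section: bytes) -> dict:
    """'Key: value' lines of one section (names here are short, so no 72-byte line wrapping)."""
    attrs = {}
    for line in section.decode().split("\r\n"):
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def build_manifest(files: dict) -> bytes:
    """MANIFEST.MF: one section per file carrying the digest of that file's bytes."""
    out = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in files.items():
        out += f"Name: {name}\r\nSHA1-Digest: {b64_sha1(data)}\r\n\r\n".encode()
    return out


def build_sf(manifest: bytes) -> bytes:
    """CERT.SF: digest of the whole manifest, then the digest of each manifest section."""
    _, entries = sections(manifest)
    out = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64_sha1(manifest)}\r\n\r\n".encode()
    for sec in entries:
        out += f"Name: {parse_attrs(sec)['Name']}\r\nSHA1-Digest: {b64_sha1(sec)}\r\n\r\n".encode()
    return out


def make_zip(files: dict, manifest: bytes, sf: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", sf)
    return buf.getvalue()


def verify_digest_chain(zip_bytes: bytes) -> list:
    """Return the list of inconsistencies; an empty list means the chain is intact.
    Only the digest chain is checked: the CERT.RSA signature over CERT.SF is out of scope."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        sf = z.read("META-INF/CERT.SF")
        _, mf_entries = sections(manifest)
        sf_main, sf_entries = sections(sf)
        mf_by_name = {parse_attrs(s)["Name"]: s for s in mf_entries}
        # CERT.SF -> MANIFEST.MF: the whole-manifest digest
        if parse_attrs(sf_main).get("SHA1-Digest-Manifest") != b64_sha1(manifest):
            problems.append("SHA1-Digest-Manifest in CERT.SF does not match MANIFEST.MF")
        # CERT.SF -> MANIFEST.MF: each entry digest covers that entry's manifest section
        for sec in sf_entries:
            attrs = parse_attrs(sec)
            name = attrs["Name"]
            if name not in mf_by_name or attrs.get("SHA1-Digest") != b64_sha1(mf_by_name[name]):
                problems.append(f"CERT.SF entry for {name} does not match its MANIFEST.MF section")
        # MANIFEST.MF -> payload: each entry digest covers the file bytes in the zip
        names = set(z.namelist())
        for name, sec in mf_by_name.items():
            if name not in names:
                problems.append(f"{name} is listed in MANIFEST.MF but missing from the zip")
            elif parse_attrs(sec).get("SHA1-Digest") != b64_sha1(z.read(name)):
                problems.append(f"{name} does not match its MANIFEST.MF digest")
        for name in sorted(names):
            if not name.startswith("META-INF/") and name not in mf_by_name:
                problems.append(f"{name} is in the zip but not covered by MANIFEST.MF")
    return problems


def intact_zip() -> bytes:
    manifest = build_manifest(SAMPLE_FILES)
    return make_zip(SAMPLE_FILES, manifest, build_sf(manifest))


def ringtone_removed_meta_inf_untouched() -> bytes:
    """First experiment in the thread: delete a file, leave MANIFEST.MF and CERT.SF alone."""
    manifest = build_manifest(SAMPLE_FILES)
    files = {k: v for k, v in SAMPLE_FILES.items() if not k.endswith(".ogg")}
    return make_zip(files, manifest, build_sf(manifest))


def ringtone_removed_manifest_regenerated() -> bytes:
    """Second experiment: regenerate MANIFEST.MF for the new contents, keep the old CERT.SF."""
    old_sf = build_sf(build_manifest(SAMPLE_FILES))
    files = {k: v for k, v in SAMPLE_FILES.items() if not k.endswith(".ogg")}
    return make_zip(files, build_manifest(files), old_sf)


if __name__ == "__main__":
    for label, fn in [("intact", intact_zip),
                      ("file removed, META-INF untouched", ringtone_removed_meta_inf_untouched),
                      ("file removed, MANIFEST.MF regenerated only", ringtone_removed_manifest_regenerated)]:
        print(f"{label}: {verify_digest_chain(fn()) or 'OK'}")
```

Run it with no arguments: the intact zip reports OK, the first tampered zip reports the file listed in MANIFEST.MF but absent, and the second reports the SHA1-Digest-Manifest mismatch (plus the stale CERT.SF entry for the removed file). On a real device the recovery additionally checks that CERT.RSA is a valid signature over CERT.SF by one of its trusted public keys, so regenerating CERT.SF to match a modified manifest only moves the failure to that last step.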

[Q] Conversion from ROM.zip into ROM.kdz

Basically, the title says it all. My question is how to convert an existing ROM image, which is a .zip file, into a .kdz file so it will become flashable with LG tools (emergency mode).
Is it possible at all?
Is it possible to create .kdz image? Does such tool exist?
Thanks!
BTW this will not require to root the phone!
Not saying it is impossible. But if it could happen, I am guessing that someone would have already done it... hope you find something though.
Please hit the thank you button if i helped!
In my mind nobody wants to spend too much time and/or effort to create an LG-specific tool. But if some day the spec of KDZ becomes available then I don't think it'll take too long to make one.
I'm interested in such a converter tool as well, which would be especially useful for installing custom ROMs using LG's own firmware upgrade tool.

LG Intuition Restore to factory! CAB FILE!

I found the factory cab file for the LG Intuition; I had to authenticate against the website and fool it into treating me as a device requesting an update for it to give up the location of the file, since you cannot browse it directly.
Maybe this will help with further development since we should now be able to restore to factory in case of a mishap.
Link to download the file from LG servers (get it before it disappears). The file is around 837 MB.
http://csmgdl.lgmobile.com/swdata/WEBSW/LGVS950/AVRZBK/VS95010B_00/VS95010B_00.S10B_00.P58015.R5.cab
Any chance of getting that cab file?
Despite web searching and reading for a while before doing any rooting to this LG Intuition I have, a few days ago I used a rooting script that does not have recovery... and, like a bunch of other people in posts I found in forums *after*, I removed Google Music and Google Movies and got the LG security error screen, so a bricked device, and am looking for ways to get back to normal.
The cab file is no longer at the link you posted. Do you think that could be reloaded to the device using the LG update utility? And if so, any chance you uploaded that cab to a file site somewhere?
adb doesn't see the Intuition anymore, and Windows Explorer doesn't either, but it seemed like the update utility did once I entered the model and IMEI, but of course there are no updates yet.
afbcamaro said:
I found the factory cab file for the LG Intuition; I had to authenticate against the website and fool it into treating me as a device requesting an update for it to give up the location of the file, since you cannot browse it directly.
Maybe this will help with further development since we should now be able to restore to factory in case of a mishap.
Link to download the file from LG servers (get it before it disappears). The file is around 837 MB.
http://csmgdl.lgmobile.com/swdata/WEBSW/LGVS950/AVRZBK/VS95010B_00/VS95010B_00.S10B_00.P58015.R5.cab
Please POST link to the file you downloaded.

[VS995][Oreo][Stock] OTA 20a Bin (Direct link from Verizon CDN)

Here's the direct link for the 20a Oreo OTA update bin file used for LG V20 VS995. Not sure if it's of any use, just wanted to have some fun trying to find it
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
If anyone finds a way to extract the contents let me know. Can't figure it out :/
If you already have TWRP and want a flashable zip, have a look at NotYetADev's post.
https://forum.xda-developers.com/v20/development/vs995-verizon-lg-v20-stock-oreo-rooted-t3845669
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
And thank you for that little piece of info. I didn't know LG UP could flash OTA bin files. That is another attack vector
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you through it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
runningnak3d said:
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you though it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
How do you know the file isn't signed? I assumed it had the same type of validation as the KDZ files.
I'd be happy to share a USB capture, is that something wireshark can do?
I'm sure there is some magic hash hidden somewhere in the file. I'll see if it's possible to flash an edited .up file.
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
I'll capture the flash when I get home.
here are links for the other OTA updates, in case anyone is interested.
Code:
VS99512A_06 -> VS99513A_04
https://cdn.vzwdm.com/LG_VS995_12A_13A_04.bin
VS99513A_04 -> VS99514B_00
https://cdn.vzwdm.com/LG_VS995_13A_14B_00.bin
VS99514B_00 -> VS99515A_10
https://cdn.vzwdm.com/LG_VS995_14B_15A_10.bin
VS99515A_10 -> VS99516B_00
https://cdn.vzwdm.com/LG_VS995_15A_16B_00.bin
VS99516B_00 -> VS99517A_00
https://cdn.vzwdm.com/LG_VS995_16B_17A_00.bin
VS99517A_00 -> VS99518A_00
https://cdn.vzwdm.com/LG_VS995_17A_18A_00.bin
VS99518A_00 -> VS99519A_10
https://cdn.vzwdm.com/LG_VS995_18A_19A_10.bin
VS99519A_10 -> VS9951AA_01
https://cdn.vzwdm.com/LG_VS995_19A_1AA_01.bin
VS9951AA_01 -> VS9951BA_01
https://cdn.vzwdm.com/LG_VS995_1AA_1BA_01.bin
VS9951BA_01 -> VS9951CA_01
https://cdn.vzwdm.com/LG_VS995_1BA_1CA_01.bin
VS9951CA_01 -> VS99520A_03
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
runningnak3d said:
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
I've got the USB capture for you and any other developers who're interested.
I will download it just as soon as I get to work. Thanks
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
I cannot upgrade this way. It says "Error MTP is not running", even if it is in File Transfer mode. I got into FOTA Easy Upgrade one time but nothing happened.
scytalemk said:
I cannot upgrade this way. It says "Error MTP is not running", even if it is in File Transfer mode. I got into FOTA Easy Upgrade one time but nothing happened.
I have the same error.
scytalemk said:
I cannot upgrade this way. It says "Error MTP is not running", even if it is in File Transfer mode. I got into FOTA Easy Upgrade one time but nothing happened.
Is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
justmike80386 said:
Is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
Step by Step
1. Add the .up file extension.
2. Install LG UP MOD.
3. Turn on USB Debugging on your phone and make sure your phone allows PC adb commands via USB (adb devices > enter).
4. Open LG UP Mod, choose the .up file (step 1). Choose OTA Upgrade and START.
Note: back up your data before upgrading; the upgrade may fail and you may lose data.
I'm from Viet Nam, sorry for bad English

Need help, looking for LG lmx210wm.kdz for qfil revival.

Can anyone help me find the KDZ for the LG K9, Canadian variant lmx210wm? Bricked it trying to crossbreed firmwares, and now I need the original lmx210wm firmware so I can build a working qfil folder. Any help would be greatly appreciated.
****After an extensive search, I came up empty handed in finding firmware for lm-x210wm. The site exists on the LG website, but the firmware isn't downloadable. I would contact LG ... there were some other models listed, but I'm not sure if they're compatible with your system.
No luck in finding anything on 3rd party sites either, sorry****
I used the LG firmware extraction tool, lg-firmware-extract-tool ... Not able to post the link because of site restrictions.
If available, it should offer the kdz file, a way to extract the dz file and finally the bin files. Merging the system files yields a system.img file.
I didn't have luck with Magisk and this file and don't know a way to convert just the boot.bin file to img.
**EDIT: renaming the boot.bin file to boot.img & then using the platform-tools and using the command
fastboot flash:raw boot boot.img (Finally got my system rooted. Supposedly the same method works with TWRP, but that didn't throw an error and frankly I'm sick of working on this phone ... day 3.) ****
TWRP isn't compatible with my system and no one-click root methods work.
As your model is close to mine, lmx210cm ... I imagine you're going to have the same luck. No custom recovery and just a root.
****EDIT: Good luck and send me a PM if you can figure out a way to convert bin to img. Hopefully, you will have better luck with the system.img. RESOLVED****
If there are multiple versions, start off with the version closest to your security update. My info was in About > Software.
jonathan dockery said:
****After an extensive search, I came up empty handed in finding firmware for lm-x210wm. The site exists on the LG website, but the firmware isn't downloadable. I would contact LG ... there were some other models listed, but I'm not sure if they're compatible with your system.
No luck in finding anything on 3rd party sites either, sorry****
I used the LG firmware extraction tool, lg-firmware-extract-tool ... Not able to post the link because of site restrictions.
If available, it should offer the kdz file, a way to extract the dz file and finally the bin files. Merging the system files yields a system.img file.
I didn't have luck with Magisk and this file and don't know a way to convert just the boot.bin file to img.
**EDIT: renaming the boot.bin file to boot.img & then using the platform-tools and using the command
fastboot flash:raw boot boot.img (Finally got my system rooted. Supposedly the same method works with TWRP, but that didn't throw an error and frankly I'm sick of working on this phone ... day 3.) ****
TWRP isn't compatible with my system and no one-click root methods work.
As your model is close to mine, lmx210cm ... I imagine you're going to have the same luck. No custom recovery and just a root.
****EDIT: Good luck and send me a PM if you can figure out a way to convert bin to img. Hopefully, you will have better luck with the system.img. RESOLVED****
If there are multiple versions, start off with the version closest to your security update. My info was in About > Software.
Thank you very much sir. Appreciate all your effort. I'm close now; I just have to finish editing the raw program XML file and start trying all these firehose versions. I'm still not even sure if it's an 8909 or 8917.
