Hacking LG smartphone bootloaders



Rep: (187)
Since I have accumulated a bunch of hacked bootloaders from LG smartphones, I decided to create a thread to keep the bootloaders in one place.
So:

1) Hacked bootloader from LG Optimus L7 (P700 / P705), ICS firmware (L7BootloaderHackV2Final.rar)
2) Hacked bootloader from LG Optimus L5 (E612), ICS firmware (L5BootloaderHackV2Final.rar)
3) Hacked bootloader from LG Optimus Black (P970), ICS firmware
4) Hacked bootloader from LG Optimus L5 Dual (E615), ICS firmware
5) Hacked bootloader from LG Optimus L7 (P700 / P705), JB firmware (L7BootloaderHackJellyBean.rar)
6) Hacked bootloader from LG Optimus L3 II (E435)
7) Hacked bootloader from LG Optimus L5 (E612), JB firmware (L5_e612_BootloaderHackJellyBean.rar)
8) Hacked bootloader from LG Optimus L7 II Dual (P715)
9) Hacked bootloader from LG Optimus L90 (D410), v10d firmware
10) Hacked bootloader for LG Optimus L3 E431G
11) Hacked bootloader for the L60 Dual X145 from a member of savagemessiahzine.com (link)


P.S. I do not take any responsibility for the possible consequences of using hacked bootloaders.
Use them at your own risk!


MiniFAQ for disassembling and hacking still unbroken bootloaders

Attached files

Attached file: OptimusBlackBootloaderUnlocked.rar (164.03 KB)
Attached file: L7BootloaderHackV2Final.rar (139.18 KB)
Attached file: L5BootloaderHackV2Final.rar (138.91 KB)
Attached file: L5Dual_E615_BootloaderHackFinal.rar (130.77 KB)
Attached file: L7BootloaderHackJellyBean.rar (153.37 KB)
Attached file: L3-II_E435_BootloaderHack.rar (147.86 KB)
Attached file: L5_e612_BootloaderHackJellyBean.rar (148.05 KB)
Attached file: L7-II_Dual_P715_BootloaderHack.rar (155.48 KB)
Attached file: L90HackV3.rar (249.23 KB)
Attached file: E431g.rar (149.21 KB)


Post has been edited by payback - 12.02.15, 13:38
Reason for editing: Added a link to the hacked bootloader for the L60



Rep: (187)
At the moment I am hacking the bootloader from the L9.
More precisely, it is hacked, but not tested. I need volunteers to test it.
The L9's protection, frankly, is harder than on the L5, L7 and Black.
There the kernel signature is verified by u-boot, as on the Optimus Black,
but the point is that u-boot is also signed!!!
It is checked by the x-loader, which also had to be hacked.
If the x-loader is not checked by anything else, then everything should work.

If someone checks whether it works, please write here in this thread.

P.S. As always, use all of this at your own risk! If you get a brick etc., you alone are to blame, and only you!!!

So, are there any daredevils?

People on XDA tried it, it did not work. So if someone wants to, they can continue my research. I got tired. I am posting my disassembled code from IDA Pro. Now I think it is necessary to pick at the boot loader that loads the X-Loader.

Attached files

Attached file: L9BootloaderHack.rar (293.28 KB)
Attached file: L9disassm.rar (1.44 MB)


Post has been edited by payback - 28.02.13, 14:45



Rep: (187)
Now I have found an interesting feature in the bootloaders of the L5 and L7:
you can do without disassembling and hacking the bootloader.
How? Like this:
there is a memory address:
L5: 0x6D1B0
L7: 0x6D410

If a value greater than 0 is written there, the signature check no longer takes place!
On the phone the attribute will show: lge.signed_image = false

Only I do not know what exactly is at this address. Perhaps some settings table, or something else.

I hope this information helps with subsequent hacks of other models!



Post has been edited by payback - 28.02.13, 13:49



Rep: (187)
I made the final version of the bootloader for the hacked Optimus L7.
In it, signature verification is turned off completely (in the first version the signature was checked, but booting proceeded regardless of the outcome).
It may speed up booting by about 4 seconds.
Check for yourselves, it works. :rolleyes:
The new version is in the header post!

Post has been edited by payback - 28.02.13, 15:52



Rep: (78)
payback
You are just great, and moderators, be sure to save the file in this thread!



Rep: (8)
But what about the Optimus L9, how are things with its bootloader? Does it work out or not?



Rep: (14)
optikal08 @ 01.03.2013, 22:11:
Does it work out or not?

payback said the bootloader is hacked, but there is no one to check it... no one wants to sacrifice their phone. What if it bricks :(
With the arrival of Jelly Bean the bootloader will supposedly be open, something like that...



Rep: (27)
payback @ 28.2.2013, 12:56:
Since I have accumulated a bunch of hacked bootloaders from LG smartphones, I decided to create a thread to keep the bootloaders in one place.
So:
1) Hacked bootloader from LG Optimus L7 (P700 / P705)
2) Hacked bootloader from LG Optimus L5
3) Hacked bootloader from LG Optimus Black

These bootloaders have been checked by forum users and work

And where is the hacked bootloader for the E615?



Rep: (187)
optikal08 @ 02.03.2013, 00:11:
But what about the Optimus L9, how are things with its bootloader? Does it work out or not?

And there never will be one. The protection there is too hard. Unless LG opens it themselves. :-(
And why do you need it? You have custom ROMs as it is.

Posted 03.03.2013, 2:25:

subzera5000 @ 03.03.2013, 02:41:
And where is the hacked bootloader for the E615?

I am afraid to disappoint you, but there probably will not be one. I hacked all the bootloaders above for sport.
I hacked them, and the sporting interest is gone. I am not obliged to hack the bootloader on every LG model.
Sorry.
Try to hack it yourself. In the L7 thread I posted, back then, the disassembled source from the L7.
With a little effort you can understand it, and by analogy hack yours too.

Post has been edited by payback - 03.03.13, 02:30



Rep: (27)
payback @ 3.3.2013, 3:25:
And there never will be one. The protection there is too hard. Unless LG opens it themselves. :-(
And why do you need it? You have custom ROMs as it is.

Posted 03.03.2013, 2:25:


I am afraid to disappoint you, but there probably will not be one. I hacked all the bootloaders above for sport.
I hacked them, and the sporting interest is gone. I am not obliged to hack the bootloader on every LG model.
Sorry.
Try to hack it yourself. In the L7 thread I posted, back then, the disassembled source from the L7.
With a little effort you can understand it, and by analogy hack yours too.

I am not strong in this, I just do not understand why the dual-SIM ones get passed over.



Rep: (187)
subzera5000 @ 03.03.2013, 06:09:
I am not strong in this, I just do not understand why the dual-SIM ones get passed over.

I think it is not about dual-SIM, it is that there are no people who want to understand this.
Have you even tried to disassemble the firmware of your device? Are you sure your bootloader differs from the usual L5's?
Maybe they are all the same?
For example, the L5 bootloader fits the L7, with small glitches though.
And are you sure you will have someone to make firmware, even if your bootloader is hacked?

Post has been edited by payback - 03.03.13, 11:14



Rep: (14)
payback @ 03.03.2013, 10:11:
And there never will be one. The protection there is too hard. Unless LG opens it themselves.
And why do you need it? You have custom ROMs as it is.

Someone on xda also said that the L9 cannot be taken with bare hands. All hope is that LG opens it themselves, hopefully. Thank you for at least trying. And as for custom ROMs for our device, there is only one, and it is being developed by who knows who. Sad...

Post has been edited by silverstoner - 04.03.13, 01:14



Rep: (10)
How are things going with the Optimus 4X?



Rep: (187)
silverstoner @ 04.03.2013, 02:13:
Someone on xda also said that the L9 cannot be taken with bare hands.

Yes, you can get it. The difficulty there is that each loader verifies the electronic signature of the next one.
Uboot checks the kernel, X-Loader checks uboot, but which loader checks the xloader I did not figure out.
So, in short, you have to break the chain of all the loaders that check the subsequent loaders.
I hacked Uboot and XLoader (they are in this thread with the disassembled source). Then I just got tired.
The hardest part here is not disassembling, but working out the ImageBase of the source. For U-boot, I worked out
the ImageBase in about 15 minutes (it turned out to be 0x9D000000), while for the xloader it took me 2 days (it turned out to be 0x40304350).

Posted 04.03.2013, 9:09:

SweetW0R @ 04.03.2013, 03:18:
How are things going with the Optimus 4X?

I did not even try to hack it.

Post has been edited by payback - 04.03.13, 09:37



Rep: (10)
payback @ 4.3.2013, 8:09:
I did not even try to hack it.

Could you write up a small FAQ on what to do? Look, the enthusiasm among forum members is growing. LG Optimus phones will stay on the market for a long time.
I would poke around in mine...



Rep: (187)
SweetW0R @ 04.03.2013, 15:42:
Could you write up a small FAQ on what to do? Look, the enthusiasm among forum members is growing. LG Optimus phones will stay on the market for a long time.
I would poke around in mine...

1) You need to know a little assembly.
2) You need the IDA Pro disassembler.

Small FAQ:
Load the file to be disassembled, having first found out its ImageBase (the memory address at which the file is loaded) and specifying the offset (if any) to the first instruction. The first instruction is usually an unconditional jump to the main procedure and looks like this: B locXX.
On Qualcomm devices the bootloader is in the emmc_apps.bin file and is loaded at address zero, with an offset in the file of 0x200 bytes.
On TI OMAP the protection is in U-Boot; the imagebase here can be anything, but is usually of the form 0xXX000000.
Choose processor type: ARM. Instruction type: Any.
Disassemble as much as possible by pressing C.

Now to the point: the bootloader has debug output lines to the UART.
We need to find the Secure Boot block.
So, in LG's bootloader, before secureboot a UART line like "SecureBoot started" is printed.
We need to find this place. Usually a line is printed as follows:
LDR R0, [pointer to the string]
BL subXXXX
So, if the program is loaded at the right ImageBase, then when you go to [pointer to the string] you can look at the piece of memory where the line will be visible.
So, if this place is found, half the job is done.

Now in this block (the block is small, so it can be analysed) somewhere there will be a call to the hash verification procedure (BL subXXXX).
After it, the result of the check is tested and there is a jump either to an error or to the end of the SecureBoot procedure.
It is necessary to patch so that the jump goes to the end of the SecureBoot procedure for any result of the hash check.
Typically, the end of the procedure prints a successful-completion string to the UART (e.g. "SecureBooting End").
Patch however you like: for example, put an unconditional jump to the end of SecureBooting, NOP it out, change the result returned by the hash verification procedure... In general, do whatever your imagination allows, as long as it gets to SecureBootEnd. Only you have to patch the opcodes by hand :-(
After successful patching you get respect and pluses in reputation :rolleyes:, and then run for a good live beer, because after disassembling your head aches terribly and mov, add, cmp and other nasty instructions swim before your eyes :rofl:

P.S. To start disassembling, dig into the L7 source that I posted here

Post has been edited by payback - 05.03.13, 10:43
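The chain payback describes (x-loader checks u-boot, u-boot checks the kernel) and the effect of the FAQ's patch (a stage that reaches SecureBootEnd whatever the hash check says), modelled as an added example; this is my own illustration, not code from the thread or from LG, and the marker string, stage names and plain SHA-256 are stand-ins for the real signature scheme. It shows why a patched stage only matters when nothing above it verifies that stage, which is exactly the open question about the x-loader in the posts above.

```python
import hashlib
from typing import List, Optional, Tuple

HASH_LEN = 32                          # SHA-256 digest size
ENFORCE_MARK = b"SECUREBOOT_ENFORCE"   # constructed stand-in for an intact SecureBoot block

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_stage(code: bytes, next_image: Optional[bytes]) -> bytes:
    """A stage image is its code followed by the SHA-256 it expects of the stage
    it will load next; the last stage (the kernel) carries no such hash."""
    return code if next_image is None else code + sha256(next_image)

def stage_enforces(image: bytes) -> bool:
    """Model of the SecureBoot block: a stage still verifies the next image only
    while its code contains the enforcing marker (a patched stage would not)."""
    return ENFORCE_MARK in image

def boot(root_hash: Optional[bytes], chain: List[Tuple[str, bytes]]) -> Tuple[bool, str]:
    """Simulate the chain: root_hash is what the immutable root of trust (ROM/eFuse)
    holds for the first loader, or None if nothing verifies it; each running stage
    then decides whether to check the image it loads next."""
    expected, enforcing = root_hash, root_hash is not None
    for i, (name, image) in enumerate(chain):
        if enforcing and sha256(image) != expected:
            return False, f"{name} rejected: hash mismatch"
        if i + 1 < len(chain):                 # this stage now runs and loads the next one
            expected = image[-HASH_LEN:]
            enforcing = stage_enforces(image)
    return True, "kernel accepted"

# Constructed sample images: a stock chain and the same chain with stages patched.
KERNEL = b"zImage (constructed stock kernel)"
CUSTOM_KERNEL = b"zImage (constructed custom kernel)"
UBOOT = build_stage(b"u-boot " + ENFORCE_MARK, KERNEL)
XLOADER = build_stage(b"x-loader " + ENFORCE_MARK, UBOOT)
ROOT = sha256(XLOADER)                         # what the ROM would hold for x-loader
UBOOT_PATCHED = build_stage(b"u-boot SECUREBOOT_SKIP", KERNEL)      # still carries old hash, no longer checks
XLOADER_PATCHED = build_stage(b"x-loader SECUREBOOT_SKIP", UBOOT_PATCHED)

def scenario(root: Optional[bytes], xl: bytes, ub: bytes, k: bytes) -> Tuple[bool, str]:
    return boot(root, [("x-loader", xl), ("u-boot", ub), ("kernel", k)])

if __name__ == "__main__":
    print(scenario(ROOT, XLOADER, UBOOT, KERNEL))                         # stock chain boots
    print(scenario(ROOT, XLOADER, UBOOT, CUSTOM_KERNEL))                  # u-boot rejects the kernel
    print(scenario(ROOT, XLOADER, UBOOT_PATCHED, CUSTOM_KERNEL))          # x-loader rejects patched u-boot
    print(scenario(ROOT, XLOADER_PATCHED, UBOOT_PATCHED, CUSTOM_KERNEL))  # ROM rejects patched x-loader
    print(scenario(None, XLOADER_PATCHED, UBOOT_PATCHED, CUSTOM_KERNEL))  # unanchored chain boots anything
```

The last two scenarios are the whole difference: a root hash held outside writable flash rejects the modified first loader, while a first loader that nothing verifies lets every later check be patched away.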



Rep: (10)
payback,
Great! Into the header post.



Rep: (27)
What programs are needed to make a recovery? Give me a link. The bootloader is hacked for the LG_E615.



Rep: (187)
subzera5000 @ 06.03.2013, 14:38:
What programs are needed to make a recovery? Give me a link. The bootloader is hacked for the LG_E615.

Well, if the L5's bootloader fit, then take the recovery from it as well. Why reinvent the wheel?

Post has been edited by payback - 06.03.13, 14:05



Rep: (8)
payback @ 03.03.2013, 02:25:
And why do you need it? You have custom ROMs as it is.



Yes! There is one! CM9, and no one can get it into shape!


Posted on 06/03/2013, 16:26:

And what have you heard about JB? When does it come out?



Rep: (27)
Yes, my own! I want to try to make a recovery to build a CM7 firmware, so I need all the programs. And the recovery works fine, but it does not make a backup until you create the folder on the flash drive.

