LG Pro Lite D680
Boot On Charge
Non-generic feature
URGENT NEED! - REWARDED
What we need:
I am looking for an urgent solution to boot-on-charge LG D680 cell phone, I am asking for help to developers who have experience on this area. The subject is related to unlock the bootlaoder, fastboot and custom rom. I understand the task is not simple, I am looking forward to reward whoever hacks the non generic feature.
What we do:
We provide video service through LG D680 cell phone (Also known as LG Pro Lite D680), the phone has 3G connection and is plugged to the power supply when is working.
Problem:
Most of the day the phone is plugged and working properly, however when the weekend comes the cell phone is unplugged and the energy is completely consumed. Currently, when the power is back to the cell phone we need to start the cell phone MANUALLY by pressing the power on button.
Goal:
We need the phone to be booted into the OS automatically when is plugged into the power USB cable (the phone initial status is powered off).
Possible Solutions / Alternatives:
- Unlock the bootloader and run fastboot command fastboot oem off-mode-charge 0.
- Continue our research, based on the steps described below (see LG D680 experience)
- Replace charge animation with boot file command /system/bin/reboot (see Huawei experience below replacing ipod file).
- Finding a custom ROM that already contains a Boot on Charge behaviour.
- Finding a custom ROM that at least has “Power On Schedule” feature (AOSP certificate permissions level).
- Finding a generic Android vestion with “Power On Schedule”.
Cellphone specifications:
PLATFORM
OS - Android OS, v4.1.2 (Jelly Bean), upgradаble to v4.4.2 (KitKat)
Chipset - Mediatek MT6577
CPU - Dual-core 1 GHz Cortex-A9
GPU - PowerVR SGX531
Previous work and research:
We did this "boot on charge" research in two types of cell phones. One is HUAWEI G730 and the other is LG D680. Fortunately, it worked fine in G730, but we haven’t the same results up to now on LG D680.
- In Huawei G730, we replaced charging animation located at /system/bin/ipod with an ipod file containing “/system/bin/reboot” and worked like charm!
- LG D680, we could not find the animation file, but we found that it might be inside the boot image. We did some research in order to modify it, but we got blocked (someone might continue our steps if useful).
HUAWEI G730 Extended Procedure:
- Since this phone has a Mediatek chipset, the “battery animation” app is running on /system/bin folder. Is running with the filename ipod. The main task is to exchange ipod content (which is originally binary) to an ipod file with this content: /system/bin/reboot.
So, create a brand new file called ipod, and wrote the line in there. We transferred the file to the phone via adb push, as shown in next steps below. - Copy procedure: So, we set our phone to USB Debugging Mode, then we connected it to the PC, and run the following script:
- adb shell mkdir /storage/sdcard0/carga/ (We created a folder to store files being pushed from the PC to the phone)
- adb push ipod /storage/sdcard0/carga/ (We are pushing the file to the storage folder within the phone)
- adb shell "su -c 'mount -o rw,remount -t ext4 /dev/block/mmcblk0p5 /system'" (This step is very important, here we remount the /system folder with read-write permissions. Only doing this we will be able to copy programmatically the “hacked” file ipod to /system/app. Look out that we used mmcblk0p5 because the system folder is mapped there in this phone. You can check this running cat /proc/dumchar_info)
- adb shell "su -c 'chattr -i /system/bin/ipod'" (doing this we took out immutability to the original file ipod)
- adb shell "su -c 'cp /system/bin/ipod /storage/sdcard0/carga/ipod.old'" (just creating a backup file from the original ipod)
- adb shell "su -c 'rm /system/bin/ipod'" (here we are removing original ipod file)
- adb shell "su -c 'cp /storage/sdcard0/carga/ipod /system/bin/'" (now we copy the new file ipod to the destination folder)
- adb shell "su -c 'chmod 755 /system/bin/ipod'" (change the permission ro rwx-rx-rx)
- adb shell "su -c 'mount -o ro,remount -t ext4 /dev/block/mmcblk0p5 /system'" (we remount the /system folder with read-only permissions)
- adb shell "su -c 'reboot'" (Finally we reboot the phone)
- RESULT: Whenever you plug in the phone to the charger when it is off, it will try to boot on the battery animation, but instead, it will be redirected to a “reboot” command, which in turn will be redirecting execution to the O.S.
LG D680 Procedure:
- We found that this phone also has a Mediatek chipset. Moreover, it also has a file called ipod within /system/bin. But in this case, the bootloader image doesn’t call ipod whenever it displays the battery animation. So we had to check where is mapped the boot image on the phone by executing adb shell "cat /proc/dumchar_info". As the picture shows, the boot image (bootimg) is mapped in /dev/block/mmcblk0, from offset 0x1200000, and with size 0x900000.
- We tried the following steps, in order to test if we were able to download / upload booting without bricking the phone:
- We copy bootimg partition to boot.img by doing adb shell "su -c dd if=/dev/block/mmcblk0 of=/storage/sdcard0/boot.img bs=1024 skip=18432 count=9216’. (Skip and Count are measured on KBytes, and those values are offset and size translated from hexa to dec).
- Then we did the inverse operation by executing: adb shell "su -c dd if=/storage/sdcard0/boot.img of=/dev/block/mmcblk0 bs=1024 seek=18432”
- RESULT: The phone WASN’T bricked, and reboot normally (obviously without any change on bootimg).
- We copy bootimg partition to boot.img by doing adb shell "su -c dd if=/dev/block/mmcblk0 of=/storage/sdcard0/boot.img bs=1024 skip=18432 count=9216’. (Skip and Count are measured on KBytes, and those values are offset and size translated from hexa to dec).
- Because these steps worked, we went even further, this time by unpacking and repacking boot.img file. The steps done were:
- Same as (b)
- We pulled boot.img file from the phone to a folder within the PC, and then we unpacked the image with bootimg.exe as the picture shows below. One interesting fact is that the pulled file sized almost 9MB.
- Then we repacked it without any change inside the image, as the picture shows below. The “repacked” image is now on file “boot-new.img”, but its size is almost 7.4MB. We don’t know why we have this difference.
- Same as step (ii) on (b).
- RESULT: The phone resulted in a SECURITY_ERROR. It is weird because we didn’t change anything. We didn’t tried further since we are not able to unpack-repack the same image, and loading it successfully.
- Same as (b)
FastBoot Note LG:
Fastboot is a solution performing these commands, the problem is that the bootloader is locked for these operations on the generic vestion:
- fastboot oem unlock
- fastboot oem off-mode-charge 0
- fastboot oem lock
- fastboot reboot
The command "adb reboot bootloader" does not enter on fastboot upon reboot. There seems to be an opened option while booting on "Download Mode". What I did find out is that when you go into "Download Mode" a new ADB Device is detected on my computer however no driver matched the device. I assume fastboot could be avilable on Download Mode. I have been suggested by romulocarlos to Install the drivers on LG's website however did not work out.
Conclusion:
We have reached this spot and need help from more advanced hackers. As you guys can see, we have been working hard to trying to hack the boot-on-charge feature on the D680 however has not been yet possible. There is no precedent on this phone on custom CWM & TWRP and custom roms yet therefore the is no out of the box solution as on many other phones (i.e. cyanogen list). We have also tried XDA University practices with no results.
I am ready to reward whoever would help us in solving this problem, its an urgent matter that needs to be solved as soon as possible.
Appreciate very mcuh the help in advance and reading.
Best,
Jose
Aucun commentaire:
Enregistrer un commentaire