bkerler / edl

Unofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
GNU General Public License v3.0

Help on EDL Mode #494

Open Baddad23 opened 5 months ago

Baddad23 commented 5 months ago

This is NOT specifically related to the EDL utility, but I'm sorta out of options. I have an LG Velvet 2 Pro (LG V70). This phone was never released to the public. It uses the SD888 (SM8350) SoC. This phone also has sensor (not physical) volume plus/minus buttons that have proven useless when trying to do the button dance to enter EDL (9008). The phone also does not respond to any adb/fastboot reboot edl commands. I think I've tried 'em all.

There was a guy way back 10 years or so ago who modified fastboot to send a command to enter EDL on a Xiaomi Mi 3 (very old). This is a programming solution. I'm just wondering if anyone has a suggestion that might help here. As of right now (not desperate enough), I don't want to open the phone up to short the test points.

Help!

RenateUSB commented 5 months ago

If you can pull abl you can search for undocumented commands. Then you'll need a modified fastboot or a little utility to send the command (if it's not an oem one).

Baddad23 commented 5 months ago

First, thanks for responding.

I already have what is purported to be an eng abl. I'm not sure if it's good because I can't get into EDL mode to flash it. As far as "a modified fastboot" or "little utility" go, do you have a link or any place to go to find out how to modify fastboot or anything else? As most who are familiar with the bkerler edl utility are, I'm very reluctant to do any modifications (writing to) on the phone without first doing a complete dump with --genxml. I don't like working without a way to restore the phone.

This is an interesting paper outlining the aboot process: https://blog.inoki.cc/2021/10/17/android-bootloader-analysis-aboot-en/ I'm still trying to understand the process in hopes of insight as to how to modify it. Thoughts?

Again thanks for your help.

RenateUSB commented 5 months ago

A replacement abl will have to be signed correctly. Is it?

A modified abl will not load if Secure Boot is on.

You don't need --genxml. You can just dump it all in one big file.

Baddad23 commented 5 months ago

Thanks for the info.

Right now though I really need a way to get into edl mode, be it through a modified fastboot or adb command or some other program/utility.

Here's more info on XDA>

https://xdaforums.com/t/guide-how-to-reboot-to-edl-from-fastboot.3394292/#:~:text=The%20simplest%20way%20to%20do,constant%20string%20to%20the%20device.

RenateUSB commented 5 months ago

If you post the abl I can say something intelligent about it. Any OEM can put in wacky things to go to EDL, fastboot or recovery. I know of one device that if you hit Backspace into the console UART between 50 to 99 times (at the right time) it will go to EDL.

Baddad23 commented 5 months ago

OK, here is the original abl and the engineering abl. Typically most LG phones are BL locked with no way to get to fastboot. The normal method of unlocking a bootloader is/was:

1. You need 2 files, a firehose (EDL loader) and an Engineering ABL.

2. Put the phone in EDL mode.

3. Run edl.py rl dumps --memory=ufs --skip=userdata --loader=Loaders/LG/000c30e100310000_e746e34f737403f4_fhprg.bin --genxml (example). NOW THERE IS A BACKUP which can be restored if anything fucks up.

4. Flash the existing abl with the Eng ABL. This would allow the command adb reboot bootloader to boot the phone to fastboot, whereas without the eng abl the phone would just reboot to Android.

5. fastboot flashing unlock or fastboot oem unlock. This is of course after changing the developer option to allow BL unlock.

Again, all of this is moot unless I can somehow execute #2. I've attached both the eng abl (separate source) and the abl extracted from the stock .kdz. One thing you might notice right off the bat is the difference in file sizes. Again, this being an unreleased phone, there's not a lot of info to be found. Also, on the LG V60 the file sizes for the eng abl and stock abl are exactly the same. Hence the reason I'm not sure what the new eng abl really is and why I must make a backup of the phone before changing anything.

abl.zip

Baddad23 commented 5 months ago

I didn't realize your background with abl. Again, thanks for your help.

RenateUSB commented 5 months ago

I don't know which you've actually got. The first ablimage has nothing for EDL. The other ENG has fastboot oem edl and:

oem assert
oem device-info
oem disable-adb-skip-auth
oem disable-charger-screen
oem disable-log-service
oem disable-usb-path-change
oem edl
oem enable-adb-skip-auth
oem enable-charger-screen
oem enable-log-service
oem enable-usb-path-change
oem exception
oem lock
oem off-mode-charge
oem select-display-panel
oem sha1sum
oem unlock
oem warm

Baddad23 commented 5 months ago

So if I understand correctly this is very good news. It's very late here but I'd like to re-extract the stock abl from the lg a11 restore .kdz file in the morning. I'll send it to you then.

But just to be clear, you think if I flashed the engineering abl the phone would,

1. boot successfully?
2. boot to fastboot when using cmd "adb reboot bootloader"?
3. Once in fastboot I could use the cmd "fastboot oem edl" to get to 9008 (EDL) mode?
4. Also use any of the other fastboot commands you listed above?

Btw, again thank you for all your help!

On Sat, Jan 27, 2024, 8:41 PM RenateUSB wrote:

I don't know which you've actually got. The first ablimage has nothing for EDL. The other ENG has fastboot oem edl and: [command list quoted above]

RenateUSB commented 5 months ago

I think that our messages crossed. I said:

Hey, wait a minute. Those two are not signed at all the same. The first is LG, the second is Qualcomm. The PK hashes are different. Are you telling me this thing does not have Secure Boot enabled? Want to sell me one?

So try fastboot oem edl. If it returns remote error then you know that you're on ablimage... If you use fastboot to flash ENG and Secure Boot is enabled then you'll need test point EDL to unflash it. You can try fastboot getvar all or fastboot getvar secure. But I'm not sure that's reliable?
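
The "little utility to send the command" mentioned earlier in the thread and the probe just described (getvar secure, then oem edl, and watching for a remote FAIL) can be written in a few lines against the raw fastboot USB protocol. What follows is an added example, not code from the edl project or from anyone in this thread. It assumes pyusb is installed (pip install pyusb) and that the phone enumerates the standard fastboot interface (USB class 0xFF, subclass 0x42, protocol 0x03); the ScriptedTransport with its canned replies is constructed here purely so the logic runs offline. On the protocol level, the host writes the ASCII command ("getvar:secure", "oem edl") to the bulk OUT endpoint and reads 4-byte-prefixed replies (INFO lines followed by OKAY or FAIL) from the bulk IN endpoint; the stock fastboot binary reports a FAIL reply as "FAILED (remote: ...)". A bootloader that honours oem edl may reset straight into 9008 without replying at all, so a read error after that command is treated as acceptance rather than as a failure.

```python
"""Minimal fastboot host client: send a raw command and interpret the reply.

Added example for the edl#494 thread; not part of bkerler/edl. Assumes pyusb
for the real transport. ScriptedTransport is a constructed stand-in for tests.
"""
from dataclasses import dataclass, field
from typing import List, Protocol

FASTBOOT_IFACE = (0xFF, 0x42, 0x03)  # bInterfaceClass/SubClass/Protocol of fastboot
MAX_CMD = 64                         # fastboot commands are at most 64 bytes


class Transport(Protocol):
    def write(self, data: bytes) -> None: ...
    def read(self, size: int) -> bytes: ...


@dataclass
class Reply:
    status: str                                   # "OKAY" or "FAIL"
    message: str                                  # text after the 4-byte status
    info: List[str] = field(default_factory=list)  # INFO lines received first

    @property
    def ok(self) -> bool:
        return self.status == "OKAY"


def send_command(t: Transport, cmd: str) -> Reply:
    """Write one command, collect INFO lines, return the final OKAY/FAIL."""
    raw = cmd.encode("ascii")
    if len(raw) > MAX_CMD:
        raise ValueError("fastboot commands are limited to 64 bytes")
    t.write(raw)
    info: List[str] = []
    while True:
        pkt = t.read(256)  # older bootloaders send <= 64 bytes, newer up to 256
        status = pkt[:4].decode("ascii", "replace")
        msg = pkt[4:].decode("utf-8", "replace")
        if status == "INFO":
            info.append(msg)
            continue
        if status in ("OKAY", "FAIL"):
            return Reply(status, msg, info)
        if status == "DATA":
            raise RuntimeError("unexpected DATA phase for a plain command")
        raise RuntimeError(f"malformed fastboot reply: {pkt!r}")


def probe(t: Transport) -> dict:
    """The check from the thread: read 'secure', then try 'oem edl'."""
    secure = send_command(t, "getvar:secure")
    result = {"secure": secure.message if secure.ok else None}
    try:
        edl = send_command(t, "oem edl")
    except OSError:
        # usb.core.USBError is an OSError: the device reset into 9008 without
        # answering, so the command was accepted.
        result.update(oem_edl_supported=True, oem_edl_reply="device reset without replying")
        return result
    # A FAIL here is what the fastboot tool prints as "FAILED (remote: ...)".
    result.update(oem_edl_supported=edl.ok, oem_edl_reply=edl.message)
    return result


class ScriptedTransport:
    """Constructed fake: returns canned replies (or raises a queued exception)."""

    def __init__(self, replies):
        self.sent: List[bytes] = []
        self.replies = list(replies)

    def write(self, data: bytes) -> None:
        self.sent.append(data)

    def read(self, size: int) -> bytes:
        r = self.replies.pop(0)
        if isinstance(r, BaseException):
            raise r
        return r


class UsbTransport:
    """pyusb-backed transport over the first fastboot interface found."""

    def __init__(self, timeout_ms: int = 5000):
        import usb.core, usb.util  # lazy import: the rest of the file runs without pyusb

        def is_fastboot(dev):
            try:
                return any(
                    (i.bInterfaceClass, i.bInterfaceSubClass, i.bInterfaceProtocol) == FASTBOOT_IFACE
                    for cfg in dev for i in cfg)
            except usb.core.USBError:  # e.g. no permission to read descriptors
                return False

        self.dev = usb.core.find(custom_match=is_fastboot)
        if self.dev is None:
            raise RuntimeError("no fastboot device found")
        intf = next(i for i in self.dev.get_active_configuration()
                    if (i.bInterfaceClass, i.bInterfaceSubClass, i.bInterfaceProtocol) == FASTBOOT_IFACE)
        usb.util.claim_interface(self.dev, intf.bInterfaceNumber)
        direction = usb.util.endpoint_direction
        self.ep_out = usb.util.find_descriptor(
            intf, custom_match=lambda e: direction(e.bEndpointAddress) == usb.util.ENDPOINT_OUT)
        self.ep_in = usb.util.find_descriptor(
            intf, custom_match=lambda e: direction(e.bEndpointAddress) == usb.util.ENDPOINT_IN)
        self.timeout = timeout_ms

    def write(self, data: bytes) -> None:
        self.ep_out.write(data, self.timeout)

    def read(self, size: int) -> bytes:
        return bytes(self.ep_in.read(size, self.timeout))


if __name__ == "__main__":
    import sys
    usb_t = UsbTransport()
    # "python fb_probe.py 'oem edl'" sends one raw command; no argument runs probe()
    print(send_command(usb_t, sys.argv[1]) if len(sys.argv) > 1 else probe(usb_t))
```

Run it while the phone sits in fastboot (not fastbootd, which is a userspace implementation with its own command set). A FAIL on oem edl tells you the running abl has no such command, exactly the "remote error" case above; an accepted command leaves a Qualcomm 9008 device on the bus that edl.py can then talk to. As RenateUSB notes, the value that getvar:secure returns is not necessarily a reliable indicator of the secure-boot fuse state, so treat it as a hint, not proof.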

Baddad23 commented 5 months ago

OK, maybe we're crossing paths. I understand that the file abl_a.image is signed by LG and the second, ENG_ABL_VELVET_2_PRO_V700.bin, is capable of all the fastboot commands you listed above and is signed by Qualcomm. Also, it might not boot due to secure boot = yes?

More info: This phone is somewhat tricky because it's a Korean phone, the difference being "released in Korea" as opposed to LG phones made for the US/Canadian markets. The Korean phones were typically easier to BL unlock. This phone, when running stock A11 software, does not reboot to bootloader (adb reboot bootloader). It just boots back into A11. But when given "adb reboot fastboot" it will reboot to "fastbootd". I never tried to flash ENG_ABL_VELVET_2_PRO_V700.bin to abl_a from fastbootd because I didn't have a working backup.

I've taken the liberty of attaching the Engineering abl and stock abl for the LG V60, the last publicly released phone before LG announced they were getting out of the phone business. Btw, that's why the LG Velvet 2 Pro (LG V70) is so sought after. It is the phone that never was. Only 3000 were produced and those were supposedly only sold to LG employees. I would give you my seller in Hong Kong but he's suddenly disappeared. As soon as I have, you have.

Also, see how these abl files are both the same size?

LG V60 Stock - Engineering abl.zip

RenateUSB commented 5 months ago

Well, I don't want to get involved with decoding all the firmware of LG. Which abl does your device have? Does your device have Secure Boot enabled?

Baddad23 commented 5 months ago

I understand. My device has the first two abl files I gave you and yes, it's in the secure boot = yes state. As I said, I haven't tested the engineering abl but have seen pics of another Velvet 2 Pro that's been rooted with Magisk, which tells me that they were somehow able to flash boot.img.

Again, do you think that eng_abl will fail with secure boot = yes?

RenateUSB commented 5 months ago

If it's not using ENG_ abl then you're using something else and if the PK hash is not the same you won't have any fastboot and you'll only have EDL. If you ran EDL you could see what PK hash you do have.