steadfasterX / SALT

SALT - [S]teadfasterX [A]ll-in-one [L]G [T]ool
https://forum.xda-developers.com/t/tool-locked-unlocked-salt-the-lg-up-revolution-begins.3717864/
GNU Lesser General Public License v2.1

Modify the kdz/dz files #40

Open phodina opened 1 year ago

phodina commented 1 year ago

Hi, I'm not sure where to put this issue (kdztools, lglaf, ...), so I ask here.

Is it possible to modify the kdz files and upload them to the device?

By modification I mean the rootfs and the vbmeta: add some data and recalculate the root hash, or just disable dm-verity itself.

Could I change the boot.img itself?

Do we know how the LGUP works? Does it do checks on the device itself or maybe just on the host?

Does it take into account the Antirollback protection?

steadfasterX commented 1 year ago

Is it possible to modify the kdz files and upload them to the device? By modification I mean the rootfs and the vbmeta? Add some data and recalculate the root hash. Or just disable dm-verity itself. Could I change the boot.img itself?

All depends on whether we talk about a locked or unlocked device (i.e. secureboot off). For unlocked devices all the above would be possible, while you can flash partitions directly with SALT then.

So yes, it should be possible to modify a kdz (not included in any of the repos I own - iirc), but flashing requires having it properly signed (which you can't do w/o the privkey by LG). Well, if only it were that easy.... ;)

Do we know how the LGUP works?

We know a bit about LGup, yes. The main things about how the LAF protocol works are written here. The way this was reverse engineered was with Wireshark while using LGup, and a Wireshark dissector. You likely need to adapt it for other models, but it should be straightforward (hopefully). Then you can do your own tests and traces.

Does it do checks on the device itself or maybe just on the host?

All happens between device and sender; no remote host is involved (or if there is, it does not matter at all).

Does it take into account the Antirollback protection?

I guess with "it" you meant LGup?! Anyway, the Antirollback protection is something LGup checks before flashing, yes. lglaf itself does not have such a pre-check implemented before flashing directly, while SALT makes use of that in other areas though. SALT always fetches the current ARB value and does the same for a KDZ and warns when trying to flash a different ARB level. See also https://github.com/steadfasterX/SALT/issues/17 and https://github.com/steadfasterX/SALT/issues/41
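To make concrete why "add some data and recalculate the root hash" from the opening question is not a local edit, here is an added example (not SALT or lglaf code, not from this thread) that builds and verifies a dm-verity style hash tree over a constructed image: every data block is hashed into a tree whose single root digest is what the signed vbmeta carries, so any changed block changes the root. The 4096-byte block size, SHA-256 and the salt-prefix (format version 1) layout are assumptions following the generic Android dm-verity format, not anything LG-specific from this page.

```python
import hashlib

BLOCK = 4096                    # data and hash block size (assumed: Android default)
HASHES_PER_BLOCK = BLOCK // 32  # 128 SHA-256 digests fit in one hash block


def _hash_block(salt: bytes, block: bytes) -> bytes:
    # dm-verity format version 1: digest = H(salt || block) (assumed: SHA-256)
    return hashlib.sha256(salt + block).digest()


def build_hash_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels). levels[0] holds the digests of the data
    blocks, each higher level the digests of the level below, zero-padded to
    whole blocks; the root hash is the digest of the single top-level block."""
    current = image + b"\0" * (-len(image) % BLOCK)
    levels = []
    while True:
        level = b"".join(_hash_block(salt, current[i:i + BLOCK])
                         for i in range(0, len(current), BLOCK))
        level += b"\0" * (-len(level) % BLOCK)
        levels.append(level)
        if len(level) == BLOCK:
            return _hash_block(salt, level), levels
        current = level


def verify_block(image: bytes, index: int, root_hash: bytes, levels, salt: bytes) -> bool:
    """Check one data block against the tree and root hash, the way the kernel
    does on every read: hash the block, then follow its path up to the root."""
    data = image[index * BLOCK:(index + 1) * BLOCK].ljust(BLOCK, b"\0")
    digest = _hash_block(salt, data)
    for level in levels:
        if level[index * 32:index * 32 + 32] != digest:
            return False                       # data block or hash block was altered
        index //= HASHES_PER_BLOCK
        digest = _hash_block(salt, level[index * BLOCK:(index + 1) * BLOCK])
    return digest == root_hash                 # root must equal the signed vbmeta value


def demo():
    # Constructed sample: a 300-block "rootfs" and a fixed salt (not real LG data).
    salt = bytes(range(32))
    image = b"".join(bytes([i & 0xFF]) * BLOCK for i in range(300))
    root, levels = build_hash_tree(image, salt)
    all_ok = all(verify_block(image, i, root, levels, salt) for i in range(300))
    # Flip one bit in block 150: that block no longer verifies against the old root,
    # and the recomputed root differs, which is what the vbmeta signature pins down.
    tampered = bytearray(image); tampered[150 * BLOCK + 7] ^= 0x01; tampered = bytes(tampered)
    tampered_fails = not verify_block(tampered, 150, root, levels, salt)
    new_root, _ = build_hash_tree(tampered, salt)
    return all_ok, tampered_fails, new_root != root, len(levels)
```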