It's getting a little hard to keep track of everyones questions, so if I miss one please respond with the things you don't understand and I'll do my best to answer them.
We should probably get an irc channel set up somewhere to better keep in touch. I'll get to work on that and post here with the details.
So to start off,
The LG Source:
The LG Source for our and many devices is made freely available from LG
It is hosted on their webpage here,
OpenSource Code Distribution
And specifically our device here,
https://www.lg.com/global/support/opensource/opensourceList?types=NAME&search=ls840
These packages only contain the source for the system rom and kernel. Not the bootloader, modem, or any other compiled binaries. Most android bootloaders are based off of the littlekernel project at CAF. It may be possible to try and modify the vanilla lk project to work on our device but not without considerable effort.
LG Security error:
The security error is caused by a compiled binary run by the kernel in it's initramfs ramdisk.
On our phones it is called [SUP]"wallpaper"[/SUP][SUB](can differ on other lg devices)[/SUB], clever LG thought they could disguise it. If anyone is being malicous it's them hah!
A user on XDA named shelnutt2 had figured this out for the LG G2, I sent him our kernel in hopes to remove the security error and the locked bootloader, but I did not have the knowledge I currently have.
The kernel that he gave back has commented a part of the init script that starts the security program [SUP]"wallpaper"[/SUP] which should theoretically remove the lg securtiy error when editing the system rom.
Back then this was pretty much a useless effort because we had no way to get this on to the device with a locked bootloader, I shared this information with another user name progrande and he excitedly posted it on this forum. Though no one could make use of it at the time.
Here is that forum post:
http://forums.androidcentral.com/lg-viper-4g-lte/234978-ics-boot-image-no-lg-security-error.html
The "I AGREE" link is to a kernel image with the stock kernel but a modified ramdisk. If someone were to build a kernel with the modified script in the ramdisk. It could in theory prevent the lg security error. I have been building my kernels with it, but have not yet tested it out. If someone were to give me a sure fire way of testing the security error, I could do it right now.
Sinature checking in the bootloader:
The astute reader will have already noticed the design flaw present in the above program logic. Notice the order in which the steps are performed: first, aboot loads the kernel and ramdisk into memory at the addresses requested by the boot image header, and then signature validation is performed after this loading is complete. Because the boot image header is read straight from eMMC flash prior to any signature validation, it contains essentially untrusted data. As a result, it's possible to flash a maliciously crafted boot image whose header values cause aboot to read the kernel or ramdisk into physical memory directly on top of aboot itself!
When aboot reads the supposed ramdisk from eMMC flash, it actually overwrites the check_sig() function with my shellcode, and then invokes it. The shellcode simply patches up the boot image header to contain sane values, copies the actual kernel and ramdisk into appropriate locations in memory, and returns zero, indicating the signature verification succeeded. At this point, aboot continues the boot process and finally boots my unsigned kernel and ramdisk. Victory!
The simplest way to put this is, because of the way the bootloader works, it is possible to modify kernel and recoveries(things handled by the bootloader) so that they trick the bootloader into loading the kernel or recovery on top of the bootloader signature check and patches everything up for booting from there.
The way signature verification works, if you have say, a recovery and modifiy it in any way, even if it is the stock recovery, it will result in a differnt hash of the file and fail the boot process. Even if you take the stock recovery or kernel source and compile it, it will be a different hash because it was compiled by you.
Flashing roms & recovery images:
The way I understand it is you think that flashing something will overwrite your recovery right?
Well this can be true but only if the zip file has a script and recovery telling it to overwrite it with the one in the zip. It is possible to edit the script and disable the part wich replaces the recovery.
Just check what you're flashing before you flash.
You also don't need to loki roms, only things handled by the bootloader, recoveries or kernels.
If I missed any points or understood a question wrong please get back to me when you can, I would like to help you all where I can.
And we're up on freenode!
Server: irc.freenode.net
Channel: #ViperDev
Currently setting up a bouncer so that when I'm not there I can see the chat when i get reconnect