Let me first stress that I want to know if there are any signature checks done on the first stage bootloader—this is different from a locked bootloader. Now, which of the 3.6, 4.0, 4.2, and 5.0 models use hardware-based signature checks and what processors do they use?
Master Melab said:
Let me first stress that I want to know if there are any signature checks done on the first stage bootloader—this is different from a locked bootloader. Now, which of the 3.6, 4.0, 4.2, and 5.0 models use hardware-based signature checks and what processors do they use?
Can't speak about the other devices, but in the 4.2 version there was no problem running a slightly modified kernel; if there is a signature check in the bootloader, it didn't mind the changed init.rc file in the kernel. And we successfully ran a rooted factoryfs /system image. As far as I know, nobody has tried to install a custom recovery yet. The processor on my device is a 1 GHz single-core OMAP3 ARMv7 Cortex-A8 CPU with a PowerVR SGX530 GPU.
Edit: I think this thread would be useful for you.
Master Melab said:
Let me first stress that I want to know if there are any signature checks done on the first stage bootloader—this is different from a locked bootloader. Now, which of the 3.6, 4.0, 4.2, and 5.0 models use hardware-based signature checks and what processors do they use?
Nope, most Samsung devices come NAND unlocked, so as long as you have root you can write whatever you want to any partition.
klin1344 said:
Nope, most Samsung devices come NAND unlocked, so as long as you have root you can write whatever you want to any partition.
Being NAND unlocked is entirely different from hardware-based signature checks. I know that on Samsung's Galaxy S devices the very first bootloader cannot contain arbitrary code, but every level after that can. The absence of a write lock does not mean that the boot ROM does not look for a digital signature.
I think the 4.2 uses an OMAP processor and I feel that they might have enabled HS on it.
alice90 said:
Can't speak about the other devices, but in the 4.2 version there was no problem running a slightly modified kernel; if there is a signature check in the bootloader, it didn't mind the changed init.rc file in the kernel. And we successfully ran a rooted factoryfs /system image. As far as I know, nobody has tried to install a custom recovery yet. The processor on my device is a 1 GHz single-core OMAP3 ARMv7 Cortex-A8 CPU with a PowerVR SGX530 GPU.
Edit: I think this thread would be useful for you.
Can you verify that a modified bootloader runs on it?
Master Melab said:
Can you verify that a modified bootloader runs on it?
I don't know how to do that. Is it safe?
alice90 said:
I don't know how to do that. Is it safe?
I was asking if you knew.
alice90 said:
I don't know how to do that. Is it safe?
No, a modified boot loader is the only way to brick these devices completely (no download mode). Yes, the in-CPU ROM initial bootloader verifies the signature of the SBL (secondary boot loader). Samsung released (unintentionally) a signed SBL that will load any payload at all, and that is how the unbrickable resurrector works. Normally, the SBL loads a tertiary boot loader (TBL) that loads the kernel. I don't believe the TBL ever does any signature checking.
For more information, look up the UnbrickableMod thread on the Samsung Captivate forums.
Sent from my Galaxy Nexus using xda app-developers app
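The chain Mevordel describes (the boot ROM checks the SBL's signature, the SBL checks what it loads, the TBL checks nothing, and a vendor-signed SBL that loads any payload opens everything after it) can be simulated end to end. The block below is an added example written for this page, not Samsung code or anything from the UnbrickableMod thread. The RSA key is a toy textbook key built from two Mersenne primes, the stage images are constructed strings, and the stage names and `verifies_next` flags are assumptions that model the post's description rather than the real firmware.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Toy textbook RSA standing in for the vendor key whose public half is burned into the
# boot ROM. Two Mersenne primes, no padding: enough to show the chain, not a real scheme.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                               # public exponent: this and N are what the ROM holds
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent: only the vendor has it


def _digest(image: bytes) -> int:
    # SHA-256 truncated to 192 bits so the value stays below the ~216-bit modulus.
    return int.from_bytes(hashlib.sha256(image).digest()[:24], "big")


def vendor_sign(image: bytes) -> int:
    return pow(_digest(image), D, N)


def rom_verify(image: bytes, signature: int) -> bool:
    return pow(signature, E, N) == _digest(image)


@dataclass
class Stage:
    name: str
    image: bytes
    signature: int        # 0 means "never signed"
    verifies_next: bool   # does this stage check the signature of what it loads next?


def boot(chain: List[Stage]) -> Tuple[bool, List[str]]:
    """Walk the chain: the in-CPU ROM always verifies the first stage; after that a
    stage's successor is verified only if the stage was built to do so."""
    log = []
    check = True
    for stage in chain:
        if check and not rom_verify(stage.image, stage.signature):
            log.append(f"{stage.name}: signature check failed, halt (no download mode)")
            return False, log
        log.append(f"{stage.name}: {'verified' if check else 'loaded unverified'}")
        check = stage.verifies_next
    return True, log


# Constructed stand-ins for the real stage images.
STOCK_SBL = b"stock SBL: verify TBL signature, then jump"
STOCK_TBL = b"stock TBL: load kernel without checking"
KERNEL = b"zImage"


def stock_chain() -> List[Stage]:
    return [
        Stage("SBL", STOCK_SBL, vendor_sign(STOCK_SBL), verifies_next=True),
        Stage("TBL", STOCK_TBL, vendor_sign(STOCK_TBL), verifies_next=False),
        Stage("kernel", KERNEL, 0, verifies_next=False),
    ]


def stock_boots() -> bool:
    return boot(stock_chain())[0]


def custom_kernel_boots() -> bool:
    # Matches the report earlier in the thread that a modified kernel runs: the TBL never checks it.
    chain = stock_chain()
    chain[2].image = KERNEL + b" with patched init.rc"
    return boot(chain)[0]


def modified_sbl_bricks() -> bool:
    # Patching the SBL leaves the old signature in place, so the ROM rejects it.
    chain = stock_chain()
    chain[0].image = STOCK_SBL.replace(b"verify", b"ignore")
    return not boot(chain)[0]


def modified_tbl_rejected() -> bool:
    chain = stock_chain()
    chain[1].image = STOCK_TBL + b" + custom patch"
    return not boot(chain)[0]


def leaked_permissive_sbl_boots_anything() -> bool:
    # A genuinely vendor-signed SBL that never checks its payload: the ROM accepts it,
    # and from then on anything on flash runs. That is the unbrickable SBL in one line.
    leaked = b"engineering SBL: load whatever is on flash"
    chain = [
        Stage("leaked SBL", leaked, vendor_sign(leaked), verifies_next=False),
        Stage("custom TBL", b"bootloader built by anyone", 0, verifies_next=False),
        Stage("kernel", KERNEL, 0, verifies_next=False),
    ]
    return boot(chain)[0]


if __name__ == "__main__":
    for fn in (stock_boots, custom_kernel_boots, modified_sbl_bricks,
               modified_tbl_rejected, leaked_permissive_sbl_boots_anything):
        print(f"{fn.__name__}: {fn()}")
```

The point of the last scenario is that "signed" and "secure" are not the same thing: the ROM's check only proves that the vendor signed the SBL, so a signed SBL that skips its own check is as good as no check for every stage after it. Revoking such an image needs the ROM to know a version or key that it can refuse, which is exactly what a mask ROM cannot be updated to do.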
Mevordel said:
No, a modified boot loader is the only way to brick these devices completely (no download mode). Yes, the in-CPU ROM initial bootloader verifies the signature of the SBL (secondary boot loader). Samsung released (unintentionally) a signed SBL that will load any payload at all, and that is how the unbrickable resurrector works. Normally, the SBL loads a tertiary boot loader (TBL) that loads the kernel. I don't believe the TBL ever does any signature checking.
For more information, look up the UnbrickableMod thread on the Samsung Captivate forums.
Sent from my Galaxy Nexus using xda app-developers app
For which device or series of devices was an unlocked secondary bootloader unintentionally released? I assumed that the open nature of Galaxy S bootloaders was conscious.
Master Melab said:
For which device or series of devices was an unlocked secondary bootloader unintentionally released? I assumed that the open nature of Galaxy S bootloaders was conscious.
I think all of the devices using this same processor, but I don't know for sure.
Here's one thread that explains it, although I see you've already been there. http://forum.xda-developers.com/showthread.php?t=1233273
Sent from my Galaxy Nexus using xda app-developers app
Related
Hey Guys,
I have a wild idea and wanted to share the idea.
I was looking through quite a lot of bootloaders and I think we can use the Wildfire bootloader and flash it onto our device. The thing is, we might be able to intercept the SEUS update and swap the Wildfire bootloader into our device. I know what you are thinking: how could the Wildfire bootloader be any good to us? Well, the thing is, it is compiled for ARMv6, and there is still the chance that the configuration for the bootloader is stored in flash. Most bootloaders on ARM devices are configured via a JTAG board and create a configuration within the flash above the bootloader code. Usually this is exactly the same jump on all ARM bootloaders. Developers later pull the first 1 MB or 2 MB of the NAND and make this the bootloader image, which includes the configuration as well as the bootloader itself.
The trick would be to flash only the bootloader from the Wildfire and leave the configuration alone, hoping it does the same jump to the configuration as the SEUS one does (which in fact is most likely).
So once the Wildfire bootloader is ported and the SE configuration is in there, I think we should be able to flash it. The only thing that could still prevent this is the bootloader also checking whether the new bootloader is signed by SE.
What do you guys think of this approach?
I'm not a pro at modding, but I think it may work.
Flashing only the boot loader will be a difficult thing,
and you may want to try to crack a signature... (yes, it seems strange)
but think with me: if you could make a clone of the SE certificates and put it on the Wildfire boot loader,
you'd have a cracked boot loader.
BTW
Good luck.
slade87 said:
Hey Guys,
I have a wild idea and wanted to share the idea.
I was looking through quite a lot of bootloaders and I think we can use the Wildfire bootloader and flash it onto our device. The thing is, we might be able to intercept the SEUS update and swap the Wildfire bootloader into our device. I know what you are thinking: how could the Wildfire bootloader be any good to us? Well, the thing is, it is compiled for ARMv6, and there is still the chance that the configuration for the bootloader is stored in flash. Most bootloaders on ARM devices are configured via a JTAG board and create a configuration within the flash above the bootloader code. Usually this is exactly the same jump on all ARM bootloaders. Developers later pull the first 1 MB or 2 MB of the NAND and make this the bootloader image, which includes the configuration as well as the bootloader itself.
The trick would be to flash only the bootloader from the Wildfire and leave the configuration alone, hoping it does the same jump to the configuration as the SEUS one does (which in fact is most likely).
So once the Wildfire bootloader is ported and the SE configuration is in there, I think we should be able to flash it. The only thing that could still prevent this is the bootloader also checking whether the new bootloader is signed by SE.
What do you guys think of this approach?
I don't think the Wildfire has an S1 bootloader, right?
Can't. I read in the X10 thread that this method will not work because the SE bootloader has its own security code (that's what they want to crack). Basically, if you swap in the Wildfire bootloader, the phone won't boot up because it will reject the code.
Geohot bought an X10 a few days ago to crack the bootloader (I think)... so maybe it can provide useful information if he manages it.
wow... great... idea!
Let's do that!
Let's flash the bootloader from an MSM7225 chipset without SAKE enabled to an MSM7227 chipset with SAKE enabled. Let's burn our chipsets... Who is with me? Come on guys!
Chumby_666 said:
Let's do that!
Let's flash the bootloader from an MSM7225 chipset without SAKE enabled to an MSM7227 chipset with SAKE enabled. Let's burn our chipsets... Who is with me? Come on guys!
Sorry, but will that really burn the chipset???
newtron_b1 said:
Sorry, but will that really burn the chipset???
Well, as the title said, a different approach... that would be his approach haha... lol, it won't burn your chipset.
Biodegradable said:
Well, as the title said, a different approach... that would be his approach haha... lol, it won't burn your chipset.
Huff.. thanks.. I read somewhere about boosting the CPU to 1.9 GHz; I know that device might have a cracked bootloader! But is that possible!! And I really want some speed on this device! At least 200 MHz more..!
Chumby_666 said:
Let's do that!
Let's flash the bootloader from an MSM7225 chipset without SAKE enabled to an MSM7227 chipset with SAKE enabled. Let's burn our chipsets... Who is with me? Come on guys!
Damn, I didn't check; you are actually right. I thought both were the same chipset.
//Delete if irrelevant
I somehow noticed that the ZTE Blade has almost the same configuration as the X10 mini pro...
CPU: Qualcomm MSM7227 with ARM1136EJ-S CPU core on both devices
Adreno 200 graphics on both devices...
and many other similarities between them...
Info found on pdadb.net
Perhaps you could experiment with that...
//Delete if irrelevant
Heh... isn't Geohot being sued by Sony?
morning_wood said:
Heh... isn't Geohot being sued by Sony?
Yup, but he won't get sued for hacking the phone. It's legal to mod your phone where he lives (United States). And besides, with donations from his loyal fans, he has managed to keep Sony at bay for now.
You sirs should take a look at the X10 forums; they already cracked the bootloader :O
D4rKn3sSyS said:
You sirs should take a look at the X10 forums; they already cracked the bootloader :O
And you, sir,
should take a look at the date of the first post of this topic.
When this topic was opened they hadn't bypassed the kernel,
not even with bin4ry's files.
owain94 said:
And you, sir,
should take a look at the date of the first post of this topic.
When this topic was opened they hadn't bypassed the kernel,
not even with bin4ry's files.
Yeah, I know; just saying that they bypassed the bootloader! owain, we all trust you!
Divr said:
Can't. I read in the X10 thread that this method will not work because the SE bootloader has its own security code (that's what they want to crack). Basically, if you swap in the Wildfire bootloader, the phone won't boot up because it will reject the code.
Has anyone tried data interrogation? Some CPUs check security codes a bit at a time (RFID is notorious for this). You feed the possible code to them, changing a bit at a time, checking which clock cycle the CPU stops checking at and thus which bit is wrong. Toggle the bit and repeat until you have the code.
(or we could read the entire thread before posting, sorry my bad)
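The bit-at-a-time "data interrogation" idea above is a timing side channel: a comparison that bails out at the first mismatch leaks how much of the guess was right. The block below is an added example, not code from this thread or from any device firmware. It models the check with a byte-at-a-time comparison whose loop count stands in for clock cycles (an assumption; on real hardware the count would come from a logic analyser or a power trace), recovers a constructed 4-byte code in a few hundred queries instead of 2^32, and then shows that a constant-time comparison gives the same attack nothing to work with.

```python
import hmac
from typing import Callable, Tuple

# Constructed 4-byte code for the demo, not a real device code.
SECRET = bytes.fromhex("5a17c3e9")

Oracle = Callable[[bytes], Tuple[bool, int]]


def leaky_compare(candidate: bytes, secret: bytes = SECRET) -> Tuple[bool, int]:
    """Byte-at-a-time check that stops at the first mismatch.
    Returns (match, cycles); cycles counts loop iterations and stands in for the
    clock cycles an attacker would measure on the real hardware."""
    cycles = 0
    if len(candidate) != len(secret):
        return False, cycles
    for a, b in zip(candidate, secret):
        cycles += 1
        if a != b:
            return False, cycles
    return True, cycles


def constant_time_compare(candidate: bytes, secret: bytes = SECRET) -> Tuple[bool, int]:
    """Same decision, but every comparison costs the same whatever is wrong."""
    return hmac.compare_digest(candidate, secret), len(secret)


def recover_code(oracle: Oracle, length: int) -> Tuple[bytes, int]:
    """Recover the code one byte at a time. A guess for position `pos` is right when
    the check runs past it (cycles > pos + 1) or the whole code matches.
    Returns (best guess, number of oracle queries used)."""
    known = bytearray(length)
    queries = 0
    for pos in range(length):
        for guess in range(256):
            known[pos] = guess
            ok, cycles = oracle(bytes(known))
            queries += 1
            if ok:
                return bytes(known), queries
            if cycles > pos + 1:
                break                         # this byte is right, move on
    return bytes(known), queries


if __name__ == "__main__":
    code, n = recover_code(leaky_compare, len(SECRET))
    print(f"leaky check: recovered {code.hex()} in {n} queries "
          f"(brute force would need up to {256 ** len(SECRET)})")
    code, n = recover_code(constant_time_compare, len(SECRET))
    print(f"constant-time check: got {code.hex()} after {n} queries, correct: {code == SECRET}")
```

Against the leaky check the work is at most 256 guesses per byte; against the constant-time check every wrong guess looks identical, so the byte-by-byte search accepts garbage and never converges. The same distinction applies to anything that compares a secret, from bootloader unlock codes to API tokens.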
I am sorry to resurrect this post, but I would really like to ask one small question. Has the bootloader been cracked?
It's been a while since I came here, and now I see true dual touch, and I wonder, has it been cracked?
From what I understand, we have custom ROMs, OC and undervolting possibility and now dual touch. Is there anything we can't do with this phone?
Thanks all for your help.
Johev said:
I am sorry to resurrect this post, but I would really like to ask one small question. Has the bootloader been cracked?
It's been a while since I came here, and now I see true dual touch, and I wonder, has it been cracked?
From what I understand, we have custom ROMs, OC and undervolting possibility and now dual touch. Is there anything we can't do with this phone?
Thanks all for your help.
The bootloader has not been cracked, but it has been bypassed. There is now a method to boot a 2nd kernel over the running one. But as far as I can tell, the devs are having trouble locating the root partition. (correct me if I am wrong)
+1, thanks for the information. Well, I still hope that someone is able to get the bootloader cracked, but at least this way some cool things came to the phone.
So I acquired a GTablet last night... and am looking to change the ROM that's on it. However, the previous owner can't remember for certain which BL was originally listed, and I want to figure it out before I do anything (granted, so long as I have my APX and such taken care of, I can always go from soft brick back to working and will know which I have at that point).
My Question is:
Is it "safe" to assume it has the 1.1 bootloader since it has Cyanogenmod 7 (harmony) on it? Or is there another way to sort out what was originally on the device?
Yes, if it's running CM7 then you would be on the 1.1 bootloader. Might wanna give this thread and various other stickies a read-through.
http://forum.xda-developers.com/showthread.php?t=1035983
Jboxmods said:
My Question is:
Is it "safe" to assume it has the 1.1 bootloader since it has Cyanogenmod 7 (harmony) on it? Or is there another way to sort out what was originally on the device?
See this thread.
rajeevvp said:
See this thread.
I get:
fgrep: permission denied
write: broken pipe
CM7 can be on BL 1.1 or BL 1.2; the best way to burn a new ROM is to flash the tablet back to factory using Code Detox, which will bring the tablet to BL 1.2, then you can use any of the nice BL 1.2-based ROMs.
http://viewsonic-gtablet-for-dummies.webs.com/
Read the Code Detox section.
Good luck.
tsukaza said:
CM7 can be on BL 1.1 or BL 1.2; the best way to burn a new ROM is to flash the tablet back to factory using Code Detox, which will bring the tablet to BL 1.2, then you can use any of the nice BL 1.2-based ROMs.
http://viewsonic-gtablet-for-dummies.webs.com/
Read the Code Detox section.
Good luck.
Thx... I love the nvflash devices (I have the G2x).
So you recommend BL 1.2 over 1.1? I read in the BL thread that 1.2 was pulled and 1.1 was the more stable/preferred choice... with the newer ROMs, is the BL a moot point?
Most new ROMs are now based on BL (Boot Loader) version 1.2, so you will have a much larger choice of which ROM to try, IMO.
This is the file I have been using the last few months.
gtab.nvflash.1.2.branch.20110508 with cwmv3028.zip
www.mediafire.com/?brd9u48iefdqcc7
Follow the gtablet for dummies instructions.
Good luck.
tsukaza said:
Most new ROMs are now based on BL (Boot Loader) version 1.2, so you will have a much larger choice of which ROM to try, IMO.
This is the file I have been using the last few months.
gtab.nvflash.1.2.branch.20110508 with cwmv3028.zip
www.mediafire.com/?brd9u48iefdqcc7
Follow the gtablet for dummies instructions.
Good luck.
Yeah, I'm running Flashback 10.1 now... this tablet is sooooo much nicer now.
Thx everyone!
Jboxmods said:
I get:
fgrep: permission denied
write: broken pipe
Hmm, didn't the fgrep binary (i.e. busybox) have the correct permissions on CM7? You're now the second person who's reported that error. Can you run the same command on the current ROM and post the results?
rajeevvp said:
Hmm, didn't the fgrep binary (i.e. busybox) have the correct permissions on CM7? You're now the second person who's reported that error. Can you run the same command on the current ROM and post the results?
It doesn't do anything on my current ROM (Flashback 10.1).
Jboxmods said:
It doesn't do anything on my current ROM (Flashback 10.1).
You have to run the command line soon after you boot the tablet; if you wait longer the required line will get overwritten.
A few of us purchased the Dev Edition and it appears there are some things where clarification is required concerning the three "R's":
1. Rooting: I understand this wonderful rooting exercise is successful: http://forum.xda-developers.com/showthread.php?t=2290798. I would think since the Dev Edition is unlocked, an owner would only utilize Step 3, and NOT the kernel exchange section. Correct?
2. ROMing: Since the ROMs were created using the Loki-enabled system, does this affect ROMing the Dev Edition since it is already unlocked? What does a user need to do? Or does it not matter? Do the Loki-enabled ROMs work on a Dev Edition?
3. Recovery: Again, it appears TWRP and CWM are Loki adjusted, so does this affect recovery on the Dev Edition and restoring? Also, is there a Stock Factory Image which will NOT turn the phone back to a locked bootloader? Or, does the one which exists OK to use?
I only ask these questions since a few of us are somewhat confused.
Thanking you in advance!
markwebb said:
A few of us purchased the Dev Edition and it appears there are some things where clarification is required concerning the three "R's":
I've been thinking about buying the Verizon S4 Dev Edition phone, but have been hesitant due to not knowing how simple it would be to root. Is it as simple as just running MotoChopper? Or is there a better way?
Being that the bootloader on this phone is truly unlocked, can you install the current versions of CWM or TWRP that are Loki-enabled, and will they work on this phone? I haven't seen any compiled versions that were non-Loki (standard).
Same question goes for kernels too.
The first batch of Dev phones sold out in less than 24 hours, so I'd expect some of the people that have them would start posting their experience with it here soon. At least, I hope so!
Root failed when just applying the MotoChopper step! It says it installs correctly, then it reboots and SuperSU is installed; I checked for an upgrade, which it took. However, it says it cannot install the binary, there is a problem, and it closes.
I uninstalled SuperSu and tried a few times to root again but it doesn't work.
My phone states:
Kernel Version: 3.4.0-562219 dated May 15th
Build Number: JDQ439.I545OYUAMDK
Baseband: I545OYUAMDK
Must be something we can do....
markwebb said:
Root failed when just applying the MotoChopper step! It says it installs correctly, then it reboots and SuperSU is installed; I checked for an upgrade, which it took. However, it says it cannot install the binary, there is a problem, and it closes.
I uninstalled SuperSu and tried a few times to root again but it doesn't work.
My phone states:
Kernel Version: 3.4.0-562219 dated May 15th
Build Number: JDQ439.I545OYUAMDK
Baseband: I545OYUAMDK
Must be something we can do....
I wonder if step 2 and 4 are still required? (swapping kernels)
Even though the bootloader is unlocked, the kernel may still have root blocked?
guyd said:
I wonder if step 2 and 4 are still required? (swapping kernels)
Even though the bootloader is unlocked, the kernel may still have root blocked?
It sounds like it. But wouldn't swapping kernels render the Dev Edition to a retail version? Kinda defeats the purpose, no? Or, am I missing something?
The question is: Does the Dev Edition have the same kernel as the Retail Edition? If so, then it would make sense to swap kernels. I think we need the devs to weigh in.
markwebb said:
It sounds like it. But wouldn't swapping kernels render the Dev Edition to a retail version? Kinda defeats the purpose, no? Or, am I missing something?
The question is: Does the Dev Edition have the same kernel as the Retail Edition? If so, then it would make sense to swap kernels. I think we need the devs to weigh in.
From what I've been able to gather, Samsung has put in place a SetUID restriction on the stock release kernel via CONFIG_SEC_RESTRICT_SETUID. Apparently the D2 prerelease kernel doesn't have this restriction in place. That seems to be why flashing that is required prior to using MotoChopper to gain root. What I can't figure out is why you can flash the release DK afterwards and still keep root?
On the T-Mobile and Sprint S4 they've been able to remove the SetUID restriction on their latest DL release kernel by recompiling the kernel source with the SetUID restriction commented out.
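When SuperSU reports that it cannot install its binary, it helps to separate the three things that can be wrong: no su binary landed at all, the binary is there but is not setuid root, or it is setuid root and the kernel still refuses to hand out uid 0 (the symptom the CONFIG_SEC_RESTRICT_SETUID explanation above would predict). The block below is an added diagnostic written for this page, not part of MotoChopper, SuperSU or any Samsung source. The three-way classification is my own reading of the thread, `su -c id` is assumed to be an adequate elevation test, the `probe` function is only meaningful when run on the device itself, and the `id` output strings in the test are constructed.

```python
import os
import re
import shutil
import stat
import subprocess
from enum import Enum
from typing import Optional


class RootState(Enum):
    NO_SU = "no su binary on PATH: the root package never installed it"
    NOT_SETUID = "su found but not setuid root: the installation step failed"
    KERNEL_BLOCKS = "su is setuid root yet uid stays non-zero: the kernel refuses the uid change"
    ROOTED = "su elevates to uid 0"


def parse_uid(id_output: str) -> Optional[int]:
    """Pull the numeric uid out of `id` output such as 'uid=0(root) gid=0(root)'."""
    m = re.search(r"\buid=(\d+)", id_output)
    return int(m.group(1)) if m else None


def classify(su_path: Optional[str], mode: int, owner_uid: int,
             uid_via_su: Optional[int]) -> RootState:
    """Decide which failure mode (or success) the collected evidence points at.
    mode/owner_uid are the st_mode/st_uid of the su binary; uid_via_su is what
    `su -c id` reported, or None if it could not be run at all."""
    if su_path is None:
        return RootState.NO_SU
    if not (mode & stat.S_ISUID) or owner_uid != 0:
        return RootState.NOT_SETUID
    if uid_via_su == 0:
        return RootState.ROOTED
    return RootState.KERNEL_BLOCKS


def probe(timeout: float = 10.0) -> RootState:
    """Gather the evidence on a live system and classify it. Needs `su` and `id` on PATH."""
    su_path = shutil.which("su")
    if su_path is None:
        return classify(None, 0, 0, None)
    st = os.stat(su_path)
    uid_via_su = None
    try:
        # stdin is closed so a password prompt fails instead of hanging.
        out = subprocess.run([su_path, "-c", "id"], capture_output=True, text=True,
                             timeout=timeout, stdin=subprocess.DEVNULL)
        uid_via_su = parse_uid(out.stdout)
    except (subprocess.TimeoutExpired, OSError):
        pass
    return classify(su_path, st.st_mode, st.st_uid, uid_via_su)


if __name__ == "__main__":
    state = probe()
    print(f"{state.name}: {state.value}")
```

Run it from an adb shell on the phone after flashing the SuperSU zip; `NOT_SETUID` means the recovery flash did not do its job, while `KERNEL_BLOCKS` is the case where only a different kernel (or, as the posts above describe, one rebuilt without the restriction) will help.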
Thanks for the thoughts and analysis. Hopefully someone will find an alternate root method for the dev edition; since it has been available for a week and sold out in less than twenty-four hours, somebody with know-how must have purchased it and is tinkering as we speak.
I would hate to render it back to a retail version otherwise.
Sent from my SCH-I545 using xda app-developers app
markwebb said:
Thanks for the thoughts and analysis. Hopefully someone will find an alternate root method for the dev edition; since it has been available for a week and sold out in less than twenty-four hours, somebody with know-how must have purchased it and is tinkering as we speak.
I would hate to render it back to a retail version otherwise.
I think I may have found a solution. With the Developer Edition we have an unlocked bootloader, so there is no need to use loki. I was looking for a non-loki patched (normal) recovery that could be flashed in Odin. I think I found one here http://forum.xda-developers.com/showthread.php?t=2322675. Look for the "Latest version can be found here" link, not the "loki patched" link. The filename is : Philz_touch_5.06.6-jfltevzw.tar.md5
If this works like it did on previous unlocked Samsung devices, then we should be able to flash the custom recovery in Odin, and then boot into recovery afterwards to flash SuperUser. From there, we're rooted.
If I had my dev edition S4, I'd test it out myself. But I'm still waiting for them to get back in stock!
Great.. I am somewhat game to try. Will report back. Thanks!!
Sent from my SCH-I545 using xda app-developers app
IT WORKED... somewhat!!! When it boots, I now get "Samsung Custom" and the unlocked symbol, and I am in Philz Touch Recovery backing up the image.
As expected, the backup image is 4GB+ (saved on the external card, of course).
However, I can't update the binary for root.
You, sir, are a genius... thanks so much.. almost there!
Not really rooted though. Can't update the binary, and while in Root Explorer I can explore most folders, Root Checker says I am not rooted.
Now what do I do? LOL
markwebb said:
IT WORKED... somewhat!!! When it boots, I now get "Samsung Custom" and the unlocked symbol, and I am in Philz Touch Recovery backing up the image.
As expected, the backup image is 4GB+ (saved on the external card, of course).
However, I can't update the binary for root.
You, sir, are a genius... thanks so much.. almost there!
Did you flash SuperSU from recovery via the zip file? (from this thread) http://forum.xda-developers.com/showthread.php?t=1538053. Look for the UPDATE-SuperSU-v1.41.zip file in the download section.
This should give you root after flashing in recovery! If you can't get root in a root app after flashing this file, then the kernel is blocking root. You can thank Samsung for adding that in the DK kernel.
You can easily work around this by flashing a custom kernel!
Let me know how it goes.
guyd said:
Did you flash SuperSU from recovery via the zip file? (from this thread) http://forum.xda-developers.com/showthread.php?t=1538053. Look for the UPDATE-SuperSU-v1.41.zip file in the download section.
This should give you root after flashing in recovery! If you can't get root in a root app after flashing this file, then the kernel is blocking root. You can thank Samsung for adding that in the DK kernel.
You can easily work around this by flashing a custom kernel!
Let me know how it goes.
BINGO!!!!!!!!!!!! THANKS!!!!
Now we need a thread/tutorial started for the Dev Edition Owners on how to do this!!
markwebb said:
BINGO!!!!!!!!!!!! THANKS!!!!
Now we need a thread/tutorial started for the Dev Edition Owners on how to do this!!
Do you now have root with the stock DK kernel, or did you flash a custom kernel?
Root with stock kernel.
Sent from my SCH-I545 using xda app-developers app
markwebb said:
Root with stock kernel.
Sent from my SCH-I545 using xda app-developers app
Now I know exactly what I need to do when I get mine!
Thanks for testing it out on your device
guyd said:
Now I know exactly what I need to do when I get mine!
Thanks for testing it out on your device
You are welcome. Now, the next question: can we flash the ROMs which are Loki-adjusted?
markwebb said:
You are welcome. Now, the next question: can we flash the ROMs which are Loki-adjusted?
Good question. From what I have seen thus far, the recovery is the piece that has to be Loki-adjusted to allow it to be flashed on a locked bootloader. I don't think the ROM cares one way or the other. The only thing I still have questions about is the kernel. Is the kernel in the Developer Edition different from the carrier version?
guyd said:
Good question. The only thing I still have questions about is the kernel. Is the kernel in the Developer Edition different from the carrier version?
How do I/we find out? If you have any suggestions, let me know. I have gone this far and sweated.
markwebb said:
How do I/we find out? If you have any suggestions, let me know. I have gone this far and sweated.
If we could get an MD5 of the Developer DK kernel (boot.img) and compare it to the MD5 of a completely stock DK kernel (boot.img)... Or maybe compare the kernel build numbers? I dunno, just throwing some ideas out.
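Hashing the whole boot.img answers a different question from the one asked: the image also carries the ramdisk (default.prop and the init scripts), which routinely differs between builds even when the kernel is byte-identical. Splitting the image into its parts and comparing the kernel on its own settles whether the Developer Edition kernel differs. The block below is an added example, not code from this thread or from any Samsung tool. It builds two constructed v0 boot images that share a kernel but differ in the ramdisk, which is the case guyd's question is about, and reports a per-component fingerprint. The v0 header layout (magic `ANDROID!`, page-aligned kernel, ramdisk and second-stage blobs) is the documented Android format; the kernel banner, cmdline and ramdisk contents are made up for the demo, and the `Linux version` search only works on an uncompressed Image.

```python
import hashlib
import re
import struct
from typing import Dict, Optional

BOOT_MAGIC = b"ANDROID!"
# Android boot image header (v0): magic, ten little-endian u32 fields
# (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr,
#  tags_addr, page_size, header_version, os_version), then name[16], cmdline[512], id[32].
# The header fills one page; kernel, ramdisk and second-stage blobs follow, each page-aligned.
HEADER_FMT = "<8s10I16s512s32s"


def _pad(data: bytes, page: int) -> bytes:
    return data + b"\x00" * (-len(data) % page)


def build_boot_img(kernel: bytes, ramdisk: bytes, cmdline: bytes, page: int = 2048) -> bytes:
    """Assemble a v0 boot.img (constructed test input; the load addresses are placeholders)."""
    header = struct.pack(HEADER_FMT, BOOT_MAGIC,
                         len(kernel), 0x80208000, len(ramdisk), 0x82200000,
                         0, 0x81100000, 0x80200100, page, 0, 0,
                         b"", cmdline, b"\x00" * 32)
    return _pad(header, page) + _pad(kernel, page) + _pad(ramdisk, page)


def parse_boot_img(blob: bytes) -> Dict[str, object]:
    """Split a boot.img into its components using the sizes and page size in the header."""
    fields = struct.unpack_from(HEADER_FMT, blob, 0)
    magic, kernel_size, _, ramdisk_size, _, second_size, _, _, page = fields[:9]
    cmdline = fields[12]
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    pages = lambda n: (n + page - 1) // page
    kernel_off = page
    ramdisk_off = kernel_off + pages(kernel_size) * page
    second_off = ramdisk_off + pages(ramdisk_size) * page
    return {
        "page_size": page,
        "cmdline": cmdline.rstrip(b"\x00").decode(),
        "kernel": blob[kernel_off:kernel_off + kernel_size],
        "ramdisk": blob[ramdisk_off:ramdisk_off + ramdisk_size],
        "second": blob[second_off:second_off + second_size],
    }


def kernel_version(kernel: bytes) -> Optional[str]:
    """Find the 'Linux version ...' banner. A zImage is compressed, so decompress it
    first; on the raw Image the banner is a plain string."""
    m = re.search(rb"Linux version (\S+)", kernel)
    return m.group(1).decode() if m else None


def fingerprint(blob: bytes) -> Dict[str, Optional[str]]:
    """Per-component hashes: two images with the same kernel but different ramdisks
    have different whole-file MD5s and identical kernel hashes."""
    img = parse_boot_img(blob)
    return {
        "image_md5": hashlib.md5(blob).hexdigest(),
        "kernel_sha256": hashlib.sha256(img["kernel"]).hexdigest(),
        "kernel_version": kernel_version(img["kernel"]),
        "ramdisk_sha256": hashlib.sha256(img["ramdisk"]).hexdigest(),
        "cmdline": img["cmdline"],
    }


def same_kernel(a: bytes, b: bytes) -> bool:
    return fingerprint(a)["kernel_sha256"] == fingerprint(b)["kernel_sha256"]


# Constructed inputs: one kernel, two ramdisks that differ only in default.prop.
KERNEL = b"\x00" * 64 + b"Linux version 3.4.0-562219 (constructed demo banner)" + b"\x00" * 4000
RETAIL_RAMDISK = b"default.prop:\nro.secure=1\nro.adb.secure=1\n"
DEV_RAMDISK = b"default.prop:\nro.secure=0\nro.adb.secure=0\n"
CMDLINE = b"console=null androidboot.hardware=qcom"
RETAIL_IMG = build_boot_img(KERNEL, RETAIL_RAMDISK, CMDLINE)
DEV_IMG = build_boot_img(KERNEL, DEV_RAMDISK, CMDLINE)

if __name__ == "__main__":
    for label, img in (("retail", RETAIL_IMG), ("dev", DEV_IMG)):
        print(label, fingerprint(img))
    print("same kernel:", same_kernel(RETAIL_IMG, DEV_IMG))
```

On a real device, pull the partition (for example with `dd` from the boot block device as root) and pass the file to `fingerprint`; if the kernel hashes match but the ramdisk hashes differ, the two builds share a kernel and the difference lives in the ramdisk.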
Idell
Cool, nice to see no one has given up on this yet; hopefully you can get some devs to chime in on this.
Thank you for continuing to work on this and hopefully someone will step up and assist. This is my first locked phone.
Sent from my SM-N900V using XDA Premium 4 mobile app
Nice! good work, hopefully someone like hash can chime in. I love to see devices that are locked down get hacked into freedom. F U Samsung!
dhufford81 said:
Nice! good work, hopefully someone like hash can chime in. I love to see devices that are locked down get hacked into freedom. F U Samsung!
No, it's FU Verizon.
krazy_smokezalot said:
No, it's FU Verizon.
Exactly! T-Mobile and Sprint are unlocked.
Friend,
* don't flood.
* keep to the topic only.
Has anyone contacted Hashcode on this
I wonder if perhaps there is some kind of security check on at least MJ9 or even MJE retail that verifies the kernel in use, which is causing the issue, especially since it's seeing that it's the dev edition kernel. Just guessing here. This is huge progress, however, and hopefully we'll be able to get it unlocked soon. Way to go hobbit19!
AngryManMLS said:
I wonder if perhaps there is some kind of security check on at least MJ9 or even MJE retail that verifies the kernel in use, which is causing the issue, especially since it's seeing that it's the dev edition kernel. Just guessing here. This is huge progress, however, and hopefully we'll be able to get it unlocked soon. Way to go hobbit19!
Tomorrow I will try to flash the engineering firmware
http://forum.xda-developers.com/showthread.php?t=2567394
and try to apply Loki to it
http://forum.xda-developers.com/showthread.php?t=2292157
although it seems to me that the hole Loki uses is already fixed there.
Hopefully another dev can help you out. This would be amazing progress and would finally allow us to have the phone we deserve, I really wish VZW would knock this crap off. Looks like I'll be holding out on upgrading and rerooting MJE. I'll just hang out on MI9 and see where this goes.
I believe
* those who have older versions of the firmware should stay on them,
because I could not flash dev bootloaders where the latest firmware was present.
* it may then be possible for them to flash dev bootloaders from the 4.4 dev firmware,
* which we do not have.
hobbit19 said:
Hello everyone.
I have long been engaged in an attempt to break the bootloader, and it seems to me I have found a way.
Recently I got the retail version of the Note 3 with the old MI9 firmware.
And I was able to correctly flash it with testbit,
then the dev version bootloaders
https://dl.dropboxusercontent.com/u/59757245/Step2_DevEdition_Bootchain.tar.md5
https://dl.dropboxusercontent.com/u/59757245/Step1_TestBoot.tar.md5
that a developer on xda gave me, and at the end the MJE firmware for the dev version
(before, on recent firmware on another Note 3, it was not possible to flash the dev bootloader).
At the same time I did not get any errors and the phone worked.
But when trying to flash a custom recovery through Odin, it produced errors.
I did root and installed Safestrap Recovery; with it I managed to flash the recovery and a modified kernel with no errors. But after restarting, the phone won't work with them, showing me a kernel error.
But I have no problem; I can roll back to the dev version of the firmware and the phone works. I believe that the retail version has some other protection than those in boot.
And I would like to ask other developers for advice on what I can do now to try to break the other protection in boot and firmware.
You should reach out to Designgears and Hashcode. Although Designgears no longer has a Note 3, he did a lot of work trying to break the bootloader; if anything, he can point you in the right direction. Hashcode has a Note 3 (retail).
Everyone else, please keep this thread clean. I know you have good intentions, but it makes it very hard to read through hundreds of posts.
2swizzle said:
You should reach out to Designgears and Hashcode. Although Designgears no longer has a Note 3, he did a lot of work trying to break the bootloader; if anything, he can point you in the right direction. Hashcode has a Note 3 (retail).
Everyone else, please keep this thread clean. I know you have good intentions, but it makes it very hard to read through hundreds of threads.
Actually..... Hashcode sold his retail Note 3 on swappa, and now has a Dev Edition Note 3 :good:
2swizzle said:
You should reach out to Designgears and Hashcode. Although Designgears no longer has a Note 3, he did a lot of work trying to break the bootloader; if anything, he can point you in the right direction. Hashcode has a Note 3 (retail).
Everyone else, please keep this thread clean. I know you have good intentions, but it makes it very hard to read through hundreds of threads.
He was able to flash the leaked engineering firmware. It was only a debugging bootloader. Although if you are still on MI9, I have some ideas. The engineering aboot, I believe, did not have security checks, which means Loki may be possible. I'm going to try to patch the old aboot and see if it works. Even if it did, we have no way of getting back to MI9 at the moment.
Sent from my SM-N900V using Tapatalk
You're on MI9?
You sort of wrote in another topic that you pierced the new firmware
* and that you are unable to flash the dev bootloader
Hello @hobbit19,
I want to sort of walk through your process and clarify with questions:
hobbit19 said:
And I was able to correctly flash it with testbit
1. Using this file https://dl.dropboxusercontent.com/u/59757245/Step1_TestBoot.tar.md5 (which contains engineering versions of the sbl1, aboot, tz, rpm and sdi partitions) you were able to set the testbit? Can you go into download mode and print out the values shown there for me?
hobbit19 said:
, then dev version bootloaders
https://dl.dropboxusercontent.com/u/59757245/Step2_DevEdition_Bootchain.tar.md5
2. On step 2 here, you are flashing the dev ed. partitions which match up to the previous files + NON-HLOS.bin (for the firmware partition).
hobbit19 said:
I did root and installed Safestrap Recovery; with it I managed to flash the recovery and the modified kernel with no errors. But after restarting, the phone won't work with them, pointing me to a kernel error.
And for this last bit: Which recovery file did you try? I believe there's nothing to stop you from actually flashing the partitions, but the signature checks will fail during the next boot (as you've seen). Did you try booting into recovery mode? (Like, don't flash boot.img yet.)
Yes, I now can flash the testbit and the phone starts with it.
You want to know what the flashed boot writes?
Yes, I understand the structure of the firmware and understand how it works. I flashed MJE_insecure_Kernel.zip http://d-h.st/AR6
and http://goo.im/devs/philz_touch/CWM_Advanced_Edition/hltevzw/philz_touch_6.08.9-hltevzw.zip
After flashing, the phone won't start, and I roll back to the full dev firmware.
Tomorrow I can try to re-flash and try to open recovery.
Also I have an idea: try to flash the old dev build that exists in another thread and use the Loki exploit on it.
But I'm afraid that flashing the dev build may brick the phone and require JTAG.
Now in boot mode I see
odin mode
Product Name SM-N900V
Current binary Samsung Official
System status Official
KNOX Kernel Lock 0x0
knox warranty void 0x1
qualcomm secure boot Enable csb
RP swrev s1 , t1 ,r1, a1, p1
Write protection Enable
You have the dev version? Can you show what your bootloader says?
Dev Ed. Download Mode:
ODIN MODE
PRODUCT NAME: SM-N900V
CURRENT BINARY: Custom
SYSTEM STATUS: Custom
KNOX KERNEL LOCK: 0x0
KNOX WARRANTY VOID: 0x1
QUALCOMM SECUREBOOT: ENABLE (CSB)
RP SWREV: S1, T1, R1, A1, P1
WRITE PROTECTION: Enable
MODE: Developer
(NOTE: I'm currently testing / debugging CM11 which explains the "Custom" items)
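The two download-mode screens quoted in this exchange can be compared mechanically rather than by eye. The following is an added example, not code posted by anyone in this thread: a small Python parser that normalizes the hand-typed ODIN screens into fields and flags the security-relevant state (Qualcomm secure boot, write protection, the KNOX warranty bit, binary status, Developer mode and the RP SWREV counters). The field names and the reading of RP SWREV as rollback-prevention revision counters are my own assumptions; the two screen transcripts are the ones posted above, with the typos in the hand-typed product name corrected.

```python
"""Parse Samsung ODIN download-mode status screens into a normalized dict
and flag the security-relevant state. Added example, not code from this
thread; field names below are my own."""
import re

# Transcripts of the two download-mode screens quoted in this thread
# (hobbit19's retail unit and Hashcode's Dev Edition). Case, colons and
# spacing differ because both were typed by hand.
RETAIL_SCREEN = """\
odin mode
Product Name SM-N900V
Current binary Samsung Official
System status Official
KNOX Kernel Lock 0x0
knox warranty void 0x1
qualcomm secure boot Enable csb
RP swrev s1 , t1 ,r1, a1, p1
Write protection Enable
"""

DEV_SCREEN = """\
ODIN MODE
PRODUCT NAME: SM-N900V
CURRENT BINARY: Custom
SYSTEM STATUS: Custom
KNOX KERNEL LOCK: 0x0
KNOX WARRANTY VOID: 0x1
QUALCOMM SECUREBOOT: ENABLE (CSB)
RP SWREV: S1, T1, R1, A1, P1
WRITE PROTECTION: Enable
MODE: Developer
"""

# (regex applied to the normalized line, canonical key). Key names are assumed.
FIELDS = [
    (r"^product name\s+(.*)$", "product"),
    (r"^current binary\s+(.*)$", "current_binary"),
    (r"^system status\s+(.*)$", "system_status"),
    (r"^knox kernel lock\s+(.*)$", "knox_kernel_lock"),
    (r"^knox warranty void\s+(.*)$", "knox_warranty_void"),
    (r"^qualcomm secure\s*boot\s+(.*)$", "secure_boot"),
    (r"^rp swrev\s+(.*)$", "rp_swrev"),
    (r"^write protection\s+(.*)$", "write_protection"),
    (r"^mode\s+(.*)$", "mode"),
]


def normalize(line):
    """Lower-case, drop colons and collapse whitespace so both typing styles match."""
    return re.sub(r"\s+", " ", line.lower().replace(":", " ")).strip()


def parse_screen(text):
    """Return {key: value} for every recognized line of a download-mode screen."""
    state = {}
    for raw in text.splitlines():
        line = normalize(raw)
        for pattern, key in FIELDS:
            m = re.match(pattern, line)
            if m:
                state[key] = m.group(1).strip()
                break
    if "rp_swrev" in state:
        # "s1, t1, r1, a1, p1" -> {"s": 1, "t": 1, ...}; assumed to be the
        # per-partition rollback-prevention revision counters.
        state["rp_swrev"] = {k: int(v) for k, v in
                             re.findall(r"([a-z])\s*(\d+)", state["rp_swrev"])}
    return state


def assess(state):
    """Reduce a parsed screen to the yes/no facts a defender cares about."""
    sb = state.get("secure_boot", "")
    return {
        "secure_boot_enabled": sb.startswith("enable"),
        "csb": "csb" in sb,  # the "(CSB)" suffix shown next to secure boot
        "write_protected": state.get("write_protection", "").startswith("enable"),
        "warranty_void": int(state.get("knox_warranty_void", "0x0"), 16) == 1,
        "custom_binary": state.get("current_binary", "") == "custom",
        "developer_mode": state.get("mode", "") == "developer",
        "rp_swrev": state.get("rp_swrev", {}),
    }


def diff(a, b):
    """Keys whose assessed values differ between two screens."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    retail = assess(parse_screen(RETAIL_SCREEN))
    dev = assess(parse_screen(DEV_SCREEN))
    for k, v in diff(retail, dev).items():
        print(f"{k}: retail={v[0]} dev={v[1]}")
```

Run as-is it reports only the two fields that differ between the screens (custom binary and Developer mode): on both units secure boot, write protection and the warranty-void bit read the same, which matches the point made in the thread that the Dev Edition differs in what it accepts at boot, not in the hardware secure-boot state shown here.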
http://forum.xda-developers.com/lg-g3/orig-development/bump-unlock-lg-g3-twrp-d852-d852g-f400-t2900614?nocache=1
The LG G3 recently got a bootloader unlock. It consists of modifying boot images in some way to make sure they boot. I think this is worth a look guys.
There is going to be a guide up on how they modify the bootloader signature soon.
Demonoid111 said:
http://forum.xda-developers.com/lg-...lg-g3-twrp-d852-d852g-f400-t2900614?nocache=1
The LG G3 recently got a bootloader unlock. It consists of modifying boot images in some way to make sure they boot. I think this is worth a look guys.
There is going to be a guide up on how they modify the bootloader signature soon.
It is not useful for an unlock, but may be useful for a bypass. They haven't stated whether or not it is LG-specific or Qualcomm SoC specific. If it is Qualcomm SoC specific, then it should work on the HDX as it has a Snapdragon 800 and the G3 has an 801. I have been interested in how this exploit works since day one. When they release the method, I may be able to cook something up and ask a few people to test. An unlock would be better, though, so people could get into fastboot mode if something goes horribly wrong.
r3pwn said:
It is not useful for an unlock, but may be useful for a bypass. They haven't stated whether or not it is LG-specific or Qualcomm SoC specific. If it is Qualcomm SoC specific, then it should work on the HDX as it has a Snapdragon 800 and the G3 has an 801. I have been interested in how this exploit works since day one. When they release the method, I may be able to cook something up and ask a few people to test. An unlock would be better, though, so people could get into fastboot mode if something goes horribly wrong.
Well, I asked on their IRC channel and — sure enough — it's LG specific.
<+invisiblek> EncryptedCurse: lg specific
EncryptedCurse said:
Well, I asked on their IRC channel and — sure enough — it's LG specific.
Ah, well, back to the drawing board.
The only other similar type of bypass is for the Fire TV, which now allows for custom kernels too. Maybe someone can go ask rbox to see if his signature bypass is something that can be used?
Demonoid111 said:
The only other similar type of bypass is for the Fire TV, which now allows for custom kernels too. Maybe someone can go ask rbox to see if his signature bypass is something that can be used?
I've just sent him a message.