Hey guys!
I'm not an experienced dev or programmer and messing with aboot partition and stuff is certainly a risky thing. But im annoyed by Samsung's new Firmware Architekture, in detail the new locked Bootloader.
After days of excessive Google'ing i found this impressive posting: http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html
I'm not really a programmer so we will need experienced Dev's to step forward and to get rid off this damn Knox Bootloader.
@dev' s
What do you think ?
Launched in April 2013, the Samsung Galaxy S4 is expected to be one of the top-selling smartphones of the year, having sold 10 million units in its first month of sales. While the majority of released models include an unlocked bootloader, which allows users to flash custom kernels and make other modifications to the software on their own devices, AT&T and Verizon branded devices ship with a locked bootloader that prevents these types of modifications. In this post, I'll provide details on how Samsung implement this locking mechanism, and publish a vulnerability in the implementation that allows bypassing the signature checks to run custom unsigned kernels and recovery images.
Both the AT&T (SGH-I337) and Verizon (SCH-I545) models utilize the Qualcomm APQ8064T chipset. As described in my previous blog post on Motorola's bootloader, Qualcomm leverages software-programmable fuses known as QFuses to implement a trusted boot sequence. In summary, each stage of the boot process cryptographically verifies the integrity of the subsequent stage, with the trust root originating in QFuse values. After the early boot stages bootstrap various hardware components, Samsung's APPSBL ("Application Secondary Bootloader") is loaded and run. This bootloader differs between "locked" and "unlocked" variants of the Galaxy S4 in its enforcement of signature checks on the boot*and*recovery*partitions.
A quick glance at aboot*(adopting the name of the partition on which this bootloader resides) revealed that it is nearly identical to the open source lk*("Little Kernel") project, which undoubtedly saved me many hours of tedious reverse engineering. By locating cross-references to strings found in both lk*and aboot, I was able to quickly identify the functions that implement signature verification and booting of the Linux kernel.
The central logic to load, verify, and boot the Linux kernel and ramdisk contained in either the boot*or recovery*partitions is implemented in the boot_linux_from_mmc()*function. First, the function determines whether it is booting the main boot*partition, containing the Linux kernel and ramdisk used by the Android OS, or the recovery*partition, which contains the kernel and ramdisk used by the Android recovery subsystem. Then, the first page of the appropriate partition is read into physical memory from the eMMC flash storage:
Code:
if (!boot_into_recovery) {
index = partition_get_index("boot");
ptn = partition_get_offset(index);
if (ptn == 0) {
dprintf(CRITICAL, "ERROR: No boot partition found\n");
return -1;
}
}
else {
index = partition_get_index("recovery");
ptn = partition_get_offset(index);
if (ptn == 0) {
dprintf(CRITICAL, "ERROR: No recovery partition found\n");
return -1;
}
}
if (mmc_read(ptn + offset, (unsigned int *) buf, page_size)) {
dprintf(CRITICAL, "ERROR: Cannot read boot image header\n");
return -1;
}
This code is straight out of lk's implementation. Next, after performing some sanity-checking of the boot image, which contains a custom header format, the function loads the kernel and ramdisk into memory at the addresses requested in the boot image header:
Code:
hdr = (struct boot_img_hdr *)buf;
image_addr = target_get_scratch_address();
kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask) + 0x200;
imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
memcpy(image_addr, hdr, page_size);
offset = page_size;
/* Load kernel */
if (mmc_read(ptn + offset, (void *)hdr->kernel_addr, kernel_actual)) {
dprintf(CRITICAL, "ERROR: Cannot read kernel image\n");
return -1;
}
memcpy(image_addr + offset, hdr->kernel_addr, kernel_actual);
offset += kernel_actual;
/* Load ramdisk */
if (mmc_read(ptn + offset, (void *)hdr->ramdisk_addr, ramdisk_actual)) {
dprintf(CRITICAL, "ERROR: Cannot read ramdisk image\n");
return -1;
}
memcpy(image_addr + offset, hdr->ramdisk_addr, ramdisk_actual);
offset += ramdisk_actual;
This is still essentially identical to lk's implementation, with the addition of code to copy the individual pieces of the boot image to the image_addr*location. Finally, the function performs signature verification of the entire image. If signature verification succeeds, the kernel is booted; otherwise, a tampering warning is displayed and the device fails to boot:
Code:
if (check_sig(boot_into_recovery))
{
if (!is_engineering_device())
{
dprintf("kernel secure check fail.\n");
print_console("SECURE FAIL: KERNEL");
while (1)
{
/* Display tampered screen and halt */
...
}
}
}
/* Boot the Linux kernel */
...
The is_engineering_device()*function simply returns the value of a global variable that is set at an earlier stage in the boot process based on whether or not the chipset ID (an unchangeable hardware value) of the device indicates it is an engineering or production device.
Examining the check_sig()*function in more detail revealed that*aboot*uses the open-source mincrypt*implementation of RSA for signature validation. The bootloader uses an RSA-2048 public key contained in aboot*to decrypt a signature contained in the boot image itself, and compares the resulting plaintext against the*SHA1 hash of the boot image. Since any modifications to the boot image would result in a different SHA1 hash, it is not possible to generate a valid signed boot image without breaking RSA-2048, generating a specific SHA1 collision, or obtaining Samsung's private signing key.
The astute reader will have already noticed the design flaw present in the above program logic. Notice the order in which the steps are performed: first, aboot*loads the kernel and ramdisk into memory at the addresses requested by the boot image header, and then signature validation is performed after this loading is complete. Because the boot image header is read straight from eMMC flash prior to any signature validation, it contains essentially untrusted data. As a result, it's possible to flash a maliciously crafted boot image whose header values cause aboot*to read the kernel or ramdisk into physical memory directly on top of aboot*itself!
Exploitation of this flaw proved to be fairly straightforward. I prepare a specially crafted boot image that specifies a ramdisk load address equal to the address of the check_sig() function in aboot physical memory. In my malicious boot image, I place shellcode where the ramdisk is expected to reside. I flash this image by leveraging root access in the Android operating system to write to the boot block device. When aboot reads the supposed ramdisk from eMMC flash, it actually overwrites the check_sig() function with my shellcode, and then invokes it. The shellcode simply patches up the boot image header to contain sane values, copies the actual kernel and ramdisk into appropriate locations in memory, and returns zero, indicating the signature verification succeeded. At this point, aboot continues the boot process and finally boots my unsigned kernel and ramdisk. Victory!
Click to expand...
Click to collapse
Regards
You do realize this has been for a whileee now, right? This is djrbliss' loki exploit.
http://forum.xda-developers.com/showthread.php?t=2292157
... yes i do. Question is: will this work in similar ways on a international gt-i9505/ i9500 ?
*Hier könnte ihre Werbung stehen* *
Try it. But only on the qualcomm variants.
Does aboot still allow a boot.img to be loaded from emmc before signiture checks? If so another loki-like exploit is possible. Could use qpst and flash a custom emmc maybe and change the modem back to MDK but another exploit would need to be found first.
Sent from my cm_tenderloin using xda app-developers app
silentscreamer said:
Hey guys!
I'm not an experienced dev or programmer and messing with aboot partition and stuff is certainly a risky thing. But im annoyed by Samsung's new Firmware Architekture, in detail the new locked Bootloader.
After days of excessive Google'ing i found this impressive posting: http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html
I'm not really a programmer so we will need experienced Dev's to step forward and to get rid off this damn Knox Bootloader.
@dev' s
What do you think ?
Regards
Click to expand...
Click to collapse
A few people have already pointed this out but LOKI is actually a bootloader exploit that was used for AT&T MDB and MDL firmwares so LOKI'd custom recoveries and Kernels could be put onto the phone. You can find more information about it in the bootloader exploit thread in original development. This exploit also worked (after a little modification) on earlier Verizon S4s and is now being ported to other phones with locked bootloaders. However, the MF3 firmware update from AT&T patched the LOKI exploit so it can no longer be used with MF3 bootloaders.
So, for MF3 S4s, LOKI is not an option any more, however, the idea of still trying to get the bootloader unlocked is an ongoing process. You can do a search for the topic and you should see several existing threads present themselves. It is important to read the information in those threads in order to better understand where the process is at. And before you think, "well maybe this will work...or can this be tried...", understand, it probably has been tried an did not work.
This isn't to say it is a lost cause or shouldn't be pursued, it's just about realistic expectations. Basically, without Samsung's encrypted signing Key, or a means to generate it, or a reliable way to put a separate bootloader on the phone, it is a stuck project. SafeStrap, creates an entirely new environment for a ROM(S) to exist on a phones internal SD card, therefore, once again, sidestepping the original bootloader.
Search for other threads (about this subject) and contact some of the people that have similar interests from those threads. I won't drop any names because I'm not sure who is still investing time and who has moved on. That will be for you to decide. But please, before posting anything else about this or asking any more questions, search, read, and learn about what has already been done and you will find yourself with a much better understanding about what can be done. Good luck.
Exploit for local Linux Kernel (K2.6.37-3.8.9)
scott14719 said:
A few people have already pointed this out but LOKI is actually a bootloader exploit that was used for AT&T MDB and MDL firmwares so LOKI'd custom recoveries and Kernels could be put onto the phone. You can find more information about it in the bootloader exploit thread in original development. This exploit also worked (after a little modification) on earlier Verizon S4s and is now being ported to other phones with locked bootloaders. However, the MF3 firmware update from AT&T patched the LOKI exploit so it can no longer be used with MF3 bootloaders.
So, for MF3 S4s, LOKI is not an option any more, however, the idea of still trying to get the bootloader unlocked is an ongoing process. You can do a search for the topic and you should see several existing threads present themselves. It is important to read the information in those threads in order to better understand where the process is at. And before you think, "well maybe this will work...or can this be tried...", understand, it probably has been tried an did not work.
This isn't to say it is a lost cause or shouldn't be pursued, it's just about realistic expectations. Basically, without Samsung's encrypted signing Key, or a means to generate it, or a reliable way to put a separate bootloader on the phone, it is a stuck project. SafeStrap, creates an entirely new environment for a ROM(S) to exist on a phones internal SD card, therefore, once again, sidestepping the original bootloader.
Search for other threads (about this subject) and contact some of the people that have similar interests from those threads. I won't drop any names because I'm not sure who is still investing time and who has moved on. That will be for you to decide. But please, before posting anything else about this or asking any more questions, search, read, and learn about what has already been done and you will find yourself with a much better understanding about what can be done. Good luck.
Click to expand...
Click to collapse
hey guys, are these two links new methods or just more links to the Loki method?
http://m.h-online.com/open/news/ite...irculation-Update-1863892.html?from-classic=1
and
https://patchwork.kernel.org/patch/2441281/
What you want to achieve by this exploit?
This exploit has been designed to boot modified and thus unacceptable boot.img/recovery.img because of security enforcement on ATT/VZW models.
I9505 allows to boot any modified boot.img/recovery.img, thus there is no point for this explorer.
As for KNOX flag: it's set before aboot.img and affects TrustedZone. You cannot affect this flag from even aboot.img context.
Since Knox Bootloader : aboot downgrade does not work anymore *
silentscreamer said:
Since Knox Bootloader : aboot downgrade does not work anymore *
Click to expand...
Click to collapse
on Qualcomm devices, downgrade usually prohibited by qFuse. If you will find the way to flash an older aboot then you will end up with hard brick because qFuse is checking not only while flashing, but also while booting. Signatures of all bootloaders include status of qFuse set. Blown qFuse invalidates all previous valid signatures.
I don't recommend to find the other way to downgrade tz, sbl1-3, rpm and aboot parts if it's not possible to do in Odin. Risk of hard brick is very high!
And, by the way, as i've mentioned above, Knox flag is checked on much earlier stage (TZ) than aboot. You won't gain anything by replacing aboot to an older version.
I could really use something if you guys have it... im hard bricked and vzw model s4 isnt supported my any of the regular " unlock boxes" i mean i checked Riff, easy Jtag, Medusa, NS Pro, octopus!!! nothing... so I need some support. something I can throw on my phone when I wire it up to at least get me to the bootloader?>?? thx a bunch guys.
I think best buy can flash latest firmware on crapped out phone..
lgkahn said:
I think best buy can flash latest firmware on crapped out phone..
Click to expand...
Click to collapse
they probably can. AT&T did it on my bricked s4 now im mf3 though...
Guys, this horse is already well dead and apparently still being beaten.
Short of some astounding exploit being found this may not ever happen if you ever went past the original release firmware.
As jcase and others have said, it comes with the device and most/all knew going in - eyes wide open.
The alternative is to wait for a dev device and pay for it when it is made available.
(Doesn't work for Sprint but we don't seem to face these issues... yet.)
Edit:
By request the thread has been re-opened as it is a central point to collaborate on S4 bootloaders.
Things have also changed with 4.3 that now include more than Verizon and AT&T.
For example, Sprint is now seeing similar restrictions as the Note 3.
I would though kindly request this: Let's keep it relevant and on topic.
Let's not let this turn into a "Can I haz an unlocked bootloader" thread. We all have better things to do.
Ill start taking the RSA way
Okay,
So I can start cracking, this might take months or years, idk, but its worth a shot.
If I do crack it, Ill get 80% of that nice fat bounty
Whoever patches it gets 20% of that nice fat bounty
So first ill need, the rsa certificate/key (doesnt matter) that verifies aboot.mbn, or if you can, sbl1.mbn (stored in PBL, so prob not unless u can dump it)
Next Ill need the signature u want me to crack (for sbl1.mbn, u cant miss the 256 bytes). This is so I can verify it if I do get it cracked)
Finally, the offset of where to sign.
And thats all
Also, if u patch it, I sign it, and u test it, because i have no verizon, nor a Galaxy S4.
There, thxs!
sir best of luck to you, i have been wanting to run aosp based roms, but cant. i hope to look forward to testing this
tcf38012 said:
Okay,
So I can start cracking, this might take months or years, idk, but its worth a shot.
Click to expand...
Click to collapse
Why do you need an unlocked bootloader if you have already have a quantum computer
We dont want this thread to get locked again. Read garwynn's post.
Has anyone been able to resurrect/boot off their sdcard by using a debrick image or by writing an entirely new emmc to their sdcard? The reason I ask is because im pretty sure its the sbl2 located in modem.bin thats causing aboot to fail the revision check. If you dump mmcblk0p2 then mount modem.bin by using:
Code:
adb shell su 'dd if=/dev/block/mmcblk0p2 of=/mnt/extSdCard/backup/mdm.bin bs=512'
adb pull /mnt/extSdCard/backup/mdm.bin
Then mount in linux using:
mount -o loop mdm.bin /mnt/mkdirhere
You can compare sbl1 and sbl2 inside the mounted modem to the sbl1 and sbl2 in mmcblk0p3 and mmcblk0p4 from the odin image of whatever build your on. I think sbl2 is calling aboot. Anyone have more info? If we dd the sbl1 and sbl2 from an unlockable builds odin image and get the corresponding apps.mbn maybe we can figure something out. Also I checked the mounted modem's sbl1 and sbl2 from the dev edition vs consumer and the RSA encryption of the dev edition is referred to in the modem sbl2, which might explain the different odin failure messages one recieves when trying to flash an aboot from the dev edition vs a consumer edition see here http://forum.xda-developers.com/showthread.php?t=2483619
Sent from my SCH-I535 using xda app-developers app
Hello,
I wonder if the I9505 has the same functionality to boot from a special prepared SD-Card , like a newer I9300 I just had in my hands...
http://forum.xda-developers.com/showthread.php?p=47234165#post47234165
In this case we accidently managed to access SDCARD MODE by only a key combination, without shorteing the internal resistor.
If yes, this maybe could be a possibility to downgrade the I9505 bootloader.
However, DO NOT test this without a special prepared SD-Card or you will brick your device immediately cause your working bootloader will be overwritten.
Maybe someone with I9505 and a JTAG can test this procedure on I9505 and report back...
BR
Robert
Rob2222 said:
Hello,
I wonder if the I9505 has the same functionality to boot from a special prepared SD-Card , like a newer I9300 I just had in my hands...
http://forum.xda-developers.com/showthread.php?p=47234165#post47234165
In this case we accidently managed to access SDCARD MODE by only a key combination, without shorteing the internal resistor.
If yes, this maybe could be a possibility to downgrade the I9505 bootloader.
However, DO NOT test this without a special prepared SD-Card or you will brick your device immediately cause your working bootloader will be overwritten.
Maybe someone with I9505 and a JTAG can test this procedure on I9505 and report back...
BR
Robert
Click to expand...
Click to collapse
i would say you can use a "sd card" that you have nothing on, i'll go and see if i have one somewhere
and i think we also need sboot.bin but we ain't having that file
Related
I am writing this to provide further understanding on how Samsung is preventing tools such as Triangle Away from tricking the Service Centers employees into thinking that your phone only ever ran Samsung approved binaries/roms.
This protection is enabled on newer Exynos based devices such as the GT-I9500, the Qualcomm chipset based devices seem to have been spared from it at the moment, most likely because the eMMC hardware is different.
The GT-I9500 bootloader is now setting the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on flag at boot.
This is an eMMC feature that effectively locks the partition to read only until the eMMC hardware is restarted (basically until you reboot your phone)
While the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on is software triggered, the lock itself is enforced by the eMMC hardware, once it is set, there is no getting around it.
Because this is set in the bootloader long before a kernel starts, and therefore long before we get to run our own code, and that the partition is locked by the eMMC hardware afterward, the only way to write the counter back is to do it at the bootloader level before the flag gets set, this means either exploiting the bootloader or replacing it by an older (engineering) version that would not set that particular flag (however an older bootloader may not support future components of the phone as they get replaced in the future, such as a newer OLED panel for instance)
Seems like a lot of trouble just to be keeping a warranty intact.
I hope this post shed some more light on the matter, this may also give you an idea of what awaits in the future in terms of security on future handsets.
mathieulh said:
I am writing this to provide further understanding on how Samsung is preventing tools such as Triangle Away from tricking the Service Centers employees into thinking that your phone only ever ran Samsung approved binaries/roms.
This protection is enabled on newer Exynos based devices such as the GT-I9500, the Qualcomm chipset based devices seem to have been spared from it at the moment, most likely because the eMMC hardware is different.
The GT-I9500 bootloader is now setting the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on flag at boot.
This is an eMMC feature that effectively locks the partition to read only until the eMMC hardware is restarted (basically until you reboot your phone)
While the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on is software triggered, the lock itself is enforced by the eMMC hardware, once it is set, there is no getting around it.
Because this is set in the bootloader long before a kernel starts, and therefore long before we get to run our own code, and that the partition is locked by the eMMC hardware afterward, the only way to write the counter back is to do it at the bootloader level before the flag gets set, this means either exploiting the bootloader or replacing it by an older (engineering) version that would not set that particular flag (however an older bootloader may not support future components of the phone as they get replaced in the future, such as a newer OLED panel for instance)
Seems like a lot of trouble just to be keeping a warranty intact.
I hope this post shed some more light on the matter, this may also give you an idea of what awaits in the future in terms of security on future handsets.
Click to expand...
Click to collapse
So are you saying there is no way that we can reset the counter going forward or are you saying That one of our Smart XDA Developers are going to crack it ?
matrix.bharath said:
So are you saying there is no way that we can reset the counter going forward or are you saying That one of our Smart XDA Developers are going to crack it ?
Click to expand...
Click to collapse
Nah, i saw too many complicated things get Cracked,Hacked... Moded... its only a matter of time
basicly a bootloader exploit is a solution but on the other hand its always too risky to flash them as not every I9500 is 100% identical to another some behave in a good way other make trouble depends on the chip.
still the best solution is to disable that mechanism protection so that the counter is never set. in one way you won't mind any custom ROM installation and you can be happy counter doesn't raise up the one thing is the users which are already running custom and have a binary lock these can't do a thing for now, the only issue here is the SU being place on the system partition triggers is, and basicly any app such as TriangleAway requires it so even if you think to restore stock and it works you can't reset counter since it needs root --> and again LOCK.
I wouldn't worry about it ...
> still the best solution is to disable that mechanism protection so that the counter is never set. in one way you won't mind any custom ROM installation and you can be happy counter doesn't raise up the one thing is the users which are already running custom and have a binary lock these can't do a thing for now, the only issue here is the SU being place on the system partition triggers is, and basicly any app such as TriangleAway requires it so even if you think to restore stock and it works you can't reset counter since it needs root --> and again LOCK.
well, not really correct. you can temproot system, using some android exploit.
you install stock after using triangleaway on rooted rom = counter is 0
if you temproot wthout kernel flash - counter is 0
So if I'm reading this correctly, there is no way at this stage to reset counter.
I have a faulty i9500 that I need to send back under warranty but I have flashed a custom ROM.
Does this mean I have a brand new S4 that is useless & no way to fix it?
KTM690 said:
So if I'm reading this correctly, there is no way at this stage to reset counter.
I have a faulty i9500 that I need to send back under warranty but I have flashed a custom ROM.
Does this mean I have a brand new S4 that is useless & no way to fix it?
Click to expand...
Click to collapse
Read post #4 ...
Sent from my GT-I9500
Gillion said:
Read post #4 ...
Sent from my GT-I9500
Click to expand...
Click to collapse
I did, but not sure what Chainfire meant by "I wouldn't worry about it ..."
Hopefully he means he will have a fix shortly
Hope, ChainFire could resolve :fingers-crossed:
KTM690 said:
I did, but not sure what Chainfire meant by "I wouldn't worry about it ..."
Hopefully he means he will have a fix shortly
Click to expand...
Click to collapse
If he said we don't need to worry everything is under control
Chainfire said:
I wouldn't worry about it ...
Click to expand...
Click to collapse
Please break the suspense .. is there a way ?
actually, i've posted similar article sometime ago:
http://forum.xda-developers.com/showthread.php?t=2290238
But since i've asked for workaround, moderators threw away my thread to Q/A section and made that topic orphaned >8-E
Engineering bootloader works fine and allows to write to boot block and reset the counter.
Not sure what Chainfire means. Is there a way to cycle power on eMMC to reset the flag? Otherwise, only engineering bootloader will allow to reset counter and flags.
I've got the feeling. This is the last ever Samsung phone I've bought I will happily move to other manufacturer now. No reason to love Samsung phones now. HUGE DISAPPOINTMENT.. Spent like $800 for this device and it has very very less REAL DEVELOPMENT ROOM.. No sources, crap architecture engineering, unfinished ROMS.. Nothing is good..
hardware is damn good but Samsung failed it
Rahulrulez said:
I've got the feeling. This is the last ever Samsung phone I've bought I will happily move to other manufacturer now. No reason to love Samsung phones now. HUGE DISAPPOINTMENT.. Spent like $800 for this device and it has very very less REAL DEVELOPMENT ROOM.. No sources, crap architecture engineering, unfinished ROMS.. Nothing is good..
hardware is damn good but Samsung failed it
Click to expand...
Click to collapse
To be honest, the same things happen on the htc one, if you want to unlock its bootloader, you forfeit its warranty. Nothing new here.
Sent from my GT-I9505 using xda premium
sorg said:
actually, i've posted similar article sometime ago:
http://forum.xda-developers.com/showthread.php?t=2290238
But since i've asked for workaround, moderators threw away my thread to Q/A section and made that topic orphaned >8-E
Engineering bootloader works fine and allows to write to boot block and reset the counter.
Not sure what Chainfire means. Is there a way to cycle power on eMMC to reset the flag? Otherwise, only engineering bootloader will allow to reset counter and flags.
Click to expand...
Click to collapse
Oh ! I never saw that thread before. I was just wondering back then why TA wouldn't work on the phone and started looking.
It's nice to see that someone else has researched this issue
To be quite honest with you though, I use the GT-I9505 as my daily driver.
Sent from my GT-I9500 using xda premium
Honestly, i don't see a reason to always keep the counter at 0.
For the warranty purpose there is a way to revert everything back:
1) flash official firmware through Odin
2) flash custom recovery with accessible mmcblk0boot0.
3) backup whole mmcblk0boot0
4) flash engineering bootloader
6) in any hex editor: reset the counter and flags in mmcblk0boot0 dump.
7) in recovery: flash the mmcblk0boot0 with your zero-counter dump. Don't reboot yet!
8) in recovery: flash recovery partition with official recovery. Don't reboot yet!
9) perform the factory reset.
10) reboot.
Now you have innocent I9500 device
sorg said:
Honestly, i don't see a reason to always keep the counter at 0.
For the warranty purpose there is a way to revert everything back:
1) flash official firmware through Odin
2) flash custom recovery with accessible mmcblk0boot0.
3) backup whole mmcblk0boot0
4) flash engineering bootloader
6) in any hex editor: reset the counter and flags in mmcblk0boot0 dump.
7) in recovery: flash the mmcblk0boot0 with your zero-counter dump. Don't reboot yet!
8) in recovery: flash recovery partition with official recovery. Don't reboot yet!
9) perform the factory reset.
10) reboot.
Now you have innocent I9500 device
Click to expand...
Click to collapse
Wowww Great.. Can you Give us some detailed setup i or Ash will Probably make a Tutorial Video of it with the right info, for now its all thanks to you.. can you also provide links to the above Custom Recovery Files etc. that are needed to get the above working?
matrix.bharath said:
Wowww Great.. Can you Give us some detailed setup i or Ash will Probably make a Tutorial Video of it with the right info, for now its all thanks to you.. can you also provide links to the above Custom Recovery Files etc. that are needed to get the above working?
Click to expand...
Click to collapse
That's rough walk-through, using some quick-made kernel and perform most steps in command line through adb in shell. I believe there are some kernels with mmcblk0boot0 are floating around. It needs to be polished and easier to repeat for generic user. I'm sure someone will make more user-friendly guide with all necessary files.
sorg said:
Honestly, i don't see a reason to always keep the counter at 0.
For the warranty purpose there is a way to revert everything back:
1) flash official firmware through Odin
2) flash custom recovery with accessible mmcblk0boot0.
3) backup whole mmcblk0boot0
4) flash engineering bootloader
6) in any hex editor: reset the counter and flags in mmcblk0boot0 dump.
7) in recovery: flash the mmcblk0boot0 with your zero-counter dump. Don't reboot yet!
8) in recovery: flash recovery partition with official recovery. Don't reboot yet!
9) perform the factory reset.
10) reboot.
Now you have innocent I9500 device
Click to expand...
Click to collapse
Great work sorg.
Any chance of a noobs guide to this?
Bytheway, is it possible to flash bootloader(sboot.bin) on cwm recovery?
I've tried to include bl in rom zip
Sent from my SHV-E300S using XDA Premium HD app
I've always had trouble finding a definitive answer for this question.
In general, are bootloaders backwards compatible? For example, if I flash a JB 4.2 bootloader, will flashing a JB 4.1 or ICS ROM work as expected, or does the bootloader need to be downgraded too? I know that some newer phones (like the S4) have an efuse that prevents going backwards (at least for stock), but does that concept hold true for all phones?
I have an S2 that I just replaced with an S4, so I'm going to play around with it some now (currently on stock 2.3.4 KH7 with rooted kernel). It's been a while since I've flashed an entire ROM (usually I just work on getting root), but since this won't me my primary phone anymore, I can play around with it a bit.
I can't give you a definitive answer. We have established that even though the file size for the boot loaders remains consistent from Gingerbread through jelly bean, there are differences between the files when examined as hex code. So the engineers do perform modifications with each version. I have never seen any discussion of the boot loaders not being backward compatible. So, since we have lots of stock and custom firmware on the forum that does not contain boot loaders, I would assume that you could flash a Gingerbread or ICS over JB or KitKat boot loaders without problems. And even if there were issues, it would be no problem to flash a full stock distribution to get the correct boot loaders. But again, this is only my surmise, and not based on direct knowledge.
There have been some statements by at least one developer that you must upgrade the boot loaders for the latest versions of Jelly Bean or KitKat. I would think it advisable to have matching boot loaders on your daily driver.
(apologies ahead of time that my initial post was probably in the wrong forum).
Well, at least I'm not the only one who hasn't been able to find a definitive answer.
Speaking specifically about the S2 (since that seems to be one of your specialties), if I need to update the bootloader to ICS or JB (since I'm on gingerbread) and something goes wrong, will it hard brick the phone or can I still get into the ODIN download mode to recover/reflash? Is the download mode on this phone considered part of the bootloader? I get a little confused sometimes in regards to what is included in the "module".
For example, it seems like (at least for this phone), the recovery image is built into the kernel as opposed to a separate image like my ASUS Transformer TF300T. Is that correct? On my TF300T, I can flash the recovery image separately through fastboot without touching the kernel, bootloader, or anything else, but it seems like the recovery image for the S2 always comes with a kernel.
Basically, I want to do anything I can ahead of time to reduce the risk of a brick (and know what I should avoid to reduce bricking the phone). Based upon what you said, it sounds like the best way to upgrade my bootloader is to flash a stock ROM that includes the bootloader. If that is the case, since JB 4.1 was the last version release by AT&T, should I just go to that bootloader and hope it works if I install a JB 4.2/4.3 or KitKat based ROM? I assume if I reflashed the stock KH7 ROM, it would just replace everything (including bootloader) and get me back to where I am now?
I have a lot of experience in the Linux world, so I'm trying to map over the Android concepts to the Linux concepts, but I still get tripped up sometimes (recovery, bootloader, kernel, ROM, etc). Sometimes people don't seem to use the terms the same way.
From a technical standpoint, it doesn't surprise me too much that the bootloaders are the same size. It's probably similar to the MBR code for hard drives that just does a minimalistic job of getting the hardware in an accessible state so it can later boot the kernel (like GRUB).
jpasher said:
(apologies ahead of time that my initial post was probably in the wrong forum).
Click to expand...
Click to collapse
Yes, questions are usually supposed to go in the Q&A forum, but there is not so much activity in this phone's forum any more, so it really doesn't matter much. And this information is more of a general nature anyway.
Well, at least I'm not the only one who hasn't been able to find a definitive answer.
Speaking specifically about the S2 (since that seems to be one of your specialties), if I need to update the bootloader to ICS or JB (since I'm on gingerbread) and something goes wrong, will it hard brick the phone or can I still get into the ODIN download mode to recover/reflash? Is the download mode on this phone considered part of the bootloader?
Click to expand...
Click to collapse
1. Hard brick on an android phone generally means that one of the boot loaders is corrupt, or it might mean that the memory module section that contains the boot loaders or other low level code is damaged. In general, the main thing you have to be careful about is when flashing a boot loader to make sure that the flash is not interrupted. For instance, say the power goes out, or the dog pulls out the usb cord, right in the middle of the flash, and after the boot loader partition is wiped, only part of the code is copied back to the partition. The good news is that the individual bootloaders are fairly small, so the time of vulnerability is a matter of seconds.
If you need to update to ICS or JB boot loaders, you would have to flash the full stock distribution that has the boot loaders included. No one has made Odin flashable tars of either of those. The UCKH7 Gingerbread secondary boot loader is available in tar, and that is the only separate tar I know of.
2. I don't know software engineering, only a little programming. I don't know where the code that puts the phone into download mode is located. It seems likely that it is in the secondary boot loader, but that is only speculation. I do know that you can enter download mode, and then flash both boot.bin and/or sbl.bin.
I get a little confused sometimes in regards to what is included in the "module". For example, it seems like (at least for this phone), the recovery image is built into the kernel as opposed to a separate image like my ASUS Transformer TF300T. Is that correct? On my TF300T, I can flash the recovery image separately through fastboot without touching the kernel, bootloader, or anything else, but it seems like the recovery image for the S2 always comes with a kernel.
Click to expand...
Click to collapse
1. The memory is partitioned. Each chunck of code is loaded into its specific partition. I don't have a partition table handy for the S2, but essentially you have: primitive boot loader (boot.bin), secondary boot loader (sbl.bin), parameters (param.lfs), kernel (zImage or boot.img), cache (cache.img), system (factoryfs.img), hidden (hidden.img), modem (modem.img) and several others like PIT, EFS, CSC and I don't remember what. But the ones I named are what is included in a full firmware distribution, and the AT&T model does not allow for the changing of the CSC like on the international S2 so that is not used. I'm not a Linux person, but if my understanding is correct, the img files install like a block device, but the boot loaders and param at a lower level.
2. There may be a recovery partition, but I'm not sure of that. If there is, it isn't used. Anyway, you are correct that the recovery is compiled into the kernel and is installed as a unit on the S2. You can not install a separate recovery on the S2. Many Android phones, maybe most as far as I know, do have a separate partition for the recovery. The S3 and S4 do also.
3. If you are interested, I have attached a partition table for the S4, which you might want to look at just for interest and learning. If memory serves me, it is quite a bit different from the S2.
Basically, I want to do anything I can ahead of time to reduce the risk of a brick (and know what I should avoid to reduce bricking the phone). Based upon what you said, it sounds like the best way to upgrade my bootloader is to flash a stock ROM that includes the bootloader. If that is the case, since JB 4.1 was the last version release by AT&T, should I just go to that bootloader and hope it works if I install a JB 4.2/4.3 or KitKat based ROM? I assume if I reflashed the stock KH7 ROM, it would just replace everything (including bootloader) and get me back to where I am now?
Click to expand...
Click to collapse
I would assume that the above is correct. The boot loaders in the 4.1.2 UCMD8 firmware would be the latest official ones for this phone. As far as flashing back to earlier stock, you would only get the boot loaders if you use a full distribution. Many of the stock distributions and almost all of the custom firmware posted on this site for the AT&T S2 do not contain boot loaders or param.lfs.
I have a lot of experience in the Linux world, so I'm trying to map over the Android concepts to the Linux concepts, but I still get tripped up sometimes (recovery, bootloader, kernel, ROM, etc). Sometimes people don't seem to use the terms the same way.
From a technical standpoint, it doesn't surprise me too much that the bootloaders are the same size. It's probably similar to the MBR code for hard drives that just does a minimalistic job of getting the hardware in an accessible state so it can later boot the kernel (like GRUB).
Click to expand...
Click to collapse
A lot of people around here (myself included) speak from anecdotal information gathered from the forums.
Wow. A LOT of useful information in that response. Thanks! A few of the things finally made some light bulbs go on in my head and clear some things up.
creepyncrawly said:
If you need to update to ICS or JB boot loaders, you would have to flash the full stock distribution that has the boot loaders included. No one has made Odin flashable tars of either of those. The UCKH7 Gingerbread secondary boot loader is available in tar, and that is the only separate tar I know of.
Click to expand...
Click to collapse
So to get to an ICS or JB bootloader, does it mean I have to perform an update through Kies? I'm looking at the different custom ROMs running KitKat and at least some of them say to be on a JB bootloader. I've read that at least some some devices (such as my TF300T), the different bootloader versions can actually have different partition layouts
If I tried flashing your OCD package for UCLL6 4.0.4 on my current system (with gingerbread BL), would it boot (or worst case, just not boot but still allow me to enter ODIN download mode to flash back to stock UCKH7)? If I'm understanding things correctly, it seems like as long as I'm not touching the bootloader, the worst thing that could happen is that I get an unbootable phone that I can still recover using ODIN download mode.
creepyncrawly said:
2. I don't know software engineering, only a little programming. I don't know where the code that puts the phone into download mode is located. It seems likely that it is in the secondary boot loader, but that is only speculation. I do know that you can enter download mode, and then flash both boot.bin and/or sbl.bin.
Click to expand...
Click to collapse
I guess I'll have to start poking around the different partitions to see if I can find any signs that point to what is what (unless I can't do a simple dd of the partition to a file using adb shell).
creepyncrawly said:
1. The memory is partitioned. Each chunck of code is loaded into its specific partition. I don't have a partition table handy for the S2, but essentially you have: primitive boot loader (boot.bin), secondary boot loader (sbl.bin), parameters (param.lfs), kernel (zImage or boot.img), cache (cache.img), system (factoryfs.img), hidden (hidden.img), modem (modem.img) and several others like PIT, EFS, CSC and I don't remember what. But the ones I named are what is included in a full firmware distribution, and the AT&T model does not allow for the changing of the CSC like on the international S2 so that is not used. I'm not a Linux person, but if my understanding is correct, the img files install like a block device, but the boot loaders and param at a lower level.
Click to expand...
Click to collapse
Very useful stuff. I'll have to read around a bit more to understand the different functions associated with each image. And yes, it would make sense that the img files are simply a direct bit-for-bit copy of that partition (which I would assume could be obtained with a simple dd copy). That would also explain why the bootloaders are the same size (if you dd a block device/partition, the resulting raw file is the size of the block device/partition). My guess is that the flashing process essentially just takes each img and does the same thing as a dd of the file to the partition.
This makes me wonder... If the bootloader partition for a phone has a JB BL, I can't see why someone couldn't do a dd of that partition into an image file and then restore that to the bootloader partition of another phone (maybe there's built in security that prevents stuff like that).
creepyncrawly said:
3. If you are interested, I have attached a partition table for the S4, which you might want to look at just for interest and learning. If memory serves me, it is quite a bit different from the S2.
Click to expand...
Click to collapse
Very nice. Thanks. I just got my S4 last month, so I don't plan on doing anything to it besides already acquiring root. I'm also on the MF3 release which doesn't have any known way of installing custom ROMs anyway.
I wouldn't use Kies. Flash the full distribution of the stock firmware that you want the boot loader. For JB boot loaders, flash UCMD8 full. You can find that in the Download Repository at the bottom of the page.
The OCD for UCKK6 does not have boot loaders. To get the Gingerbread boot loaders, flash UCKH7 full. To get the ICS boot loaders, flash UCLE5 or UCLL6 full. Again, you can get those in the Download Repository.
You can use dd to pull or restore the contents of a partition. You can use adb shell, or you can use terminal emulator right on the phone. In fact, it's a good idea to back up your efs partition using the dd command. I've posted how to do that several times in the forums. Advanced search for "back up efs" and "creepyncrawly" should find that for you.
I personally would never try to flash a bootloader using the dd command, although it is definitely possible. There is too much margin for error. Remember, the dd command is lovingly called the destroy disk command.
wait. I've never flashed any bootloader. My phone came with GB but the last official firmware that my phone had was the ICS OTA. From there, I flashed up to JB and now I'm happily running KK.
I have flashed the latest modem, however.
Unless I am missing something, my phone works just fine with old bootloaders and new kernel/recovery/roms.
Sent from my SGH-I777 using XDA Premium 4 mobile app
Once again, thanks for the useful info.
I would definitely only use dd to replace the contents of a partition as a last resort. Since I don't know enough about how android would handle a partition being changed underneath its feet, it would be risky.
I grabbed the file for UCMD8 (4.1.2) and I'll play around with that. I tried to grab UCLL6 (4.0.4) too, but the links point to the defunct hotfile site. Do you have updated links for that file (or is it exactly the same as what I can download at sammobile.com)? The full stock binaries (.tar.md5) go in the ODIN PDA slot, right?
Also, for those that may be interested, I made a copy of the bootloader from my stock UCKH7 (partition /dev/block/mmcblk0p2) and looked for strings related to the ODIN download mode, and I was able to find all of the strings that appear when in download (e.g. "ODIN MODE", "PRODUCT NAME", "ERASING DOWNLOAD INFORMATION", etc), so it's safe to say that ODIN download mode is part of the bootloader. All the more reason to just leave the bootloader alone if possible.
I also noticed that the two bootloader partitions (mmcblk0p2 and mmcblk0p3) are almost identical except for the text string SNBL in the mmcblk0p2 partition. I wonder why the two partitions...
bleggy said:
wait. I've never flashed any bootloader. My phone came with GB but the last official firmware that my phone had was the ICS OTA. From there, I flashed up to JB and now I'm happily running KK.
Click to expand...
Click to collapse
Which JB version are you running? One possible reason I can think of where a newer bootloader would be needed is if the partition layout changes. I've heard of some devices where that occurred with JB 4.2. Maybe that's why TWRP recovery has two different versions for 4.1 and 4.2 on my TF300T.
At any rate, it's good to hear that someone hasn't broken their phone by running an older bootloader with a newer ROM.
I'm on KitKat 4.2.2 now.
Previously, 4.3 & 4.2-something Jellybean. And a ICS rom before that.
I dont think flashing new bootloaders is necessary. I mean, I dont think its common.
Sent from my SGH-I777 using XDA Premium 4 mobile app
jpasher said:
I grabbed the file for UCMD8 (4.1.2) and I'll play around with that. I tried to grab UCLL6 (4.0.4) too, but the links point to the defunct hotfile site. Do you have updated links for that file (or is it exactly the same as what I can download at sammobile.com)? The full stock binaries (.tar.md5) go in the ODIN PDA slot, right?
Click to expand...
Click to collapse
I haven't finished uploading files to dev-host yet. But I'll be sure to upload that one today. I don't think you can get the file from sammobile either. They also used hotfile, and have not re-uploaded their complete library yet.
Yes, put the tar.md5 in the pda slot.
Also, for those that may be interested, I made a copy of the bootloader from my stock UCKH7 (partition /dev/block/mmcblk0p2) and looked for strings related to the ODIN download mode, and I was able to find all of the strings that appear when in download (e.g. "ODIN MODE", "PRODUCT NAME", "ERASING DOWNLOAD INFORMATION", etc), so it's safe to say that ODIN download mode is part of the bootloader. All the more reason to just leave the bootloader alone if possible.
Click to expand...
Click to collapse
So you dd'd the contents of 0p2 and looked at that? What tool did you use to look for strings? And do you know if that is boot.bin or sbl.bin? I think it must be boot.bin.
I also noticed that the two bootloader partitions (mmcblk0p2 and mmcblk0p3) are almost identical except for the text string SNBL in the mmcblk0p2 partition. I wonder why the two partitions...
Click to expand...
Click to collapse
Is it possible that there is built in redundancy? If one partition is bad, the second one can be used?
I have uploaded UCLL6 Odin Flashable tar.md5 to dev-host and posted it in the Download Repository.
By the way, I forgot so didn't mention it earlier in the discussion, but both UCLE5 and UCLL6 contain boot bin, but do not contain either sbl.bin or param.lfs. Evidently, the secondary boot loader and param files were not updated in the upgrade from Gingerbread to ICS.
Thanks for the files. One more question about them. If I simply remove the boot.bin and sbl.bin from the tar file and flash, that's the same as the "no bootloader" flash images, right? Maybe param.lfs too? I'm just thinking of ways to make things safer while I'm doing my initial testing (and bleggy seems to be running newer ROMs off the original GB bootloader).
creepyncrawly said:
So you dd'd the contents of 0p2 and looked at that? What tool did you use to look for strings? And do you know if that is boot.bin or sbl.bin? I think it must be boot.bin.
Click to expand...
Click to collapse
It was definitely the SBL, because it's a 1.25MB image instead of the 128K first stage bootloader. I found this thread about the Captivate (another extra phone I have) that says it works the same way (and does a good job explaining the boot process). I haven't figured out where the first stage bootloader (boot.bin) is stored, since it's not in a partition. I'll have to do some research on that.
In Linux, there's actually a command called strings that you can run on a file and it will extract all of the text strings it can find. A grep of that can find specific text. You could of course do the same thing by opening the file in a hex editor.
Is it possible that there is built in redundancy? If one partition is bad, the second one can be used?
Click to expand...
Click to collapse
That was my thought, but I'm not brave enough to experiment to see if that's true.
whats the point, anyway? having consistent bootloader and rom doesnt seem to matter and plenty of i777 owners are running kitkat which there is no available bootloader to download and flash.
Is this an OCD thing? I get flashing the various modems for signal improvement, but I've never had a problem booting any rom with my old GB or ICS bootloader.
Sent from my SGH-I777 using XDA Premium 4 mobile app
jpasher said:
One more question... If I simply remove the boot.bin and sbl.bin from the tar file and flash, that's the same as the "no bootloader" flash images, right? Maybe param.lfs too?
Click to expand...
Click to collapse
Yes, that would be true. As long as you are using Linux to tar the remaining files, they should flash fine. I guess you can add the md5 if you want also.
The UCLE5 and UCLL6 one-click downloaders that I posted have the boot.bin removed. The UCLE5 and UCLL6 stock plus root also have the boot.bin removed. No one has ever said anything about any problems resulting.
My assumption is that it's ok to keep gingerbread boot loaders, or to flash the ICS boot loader, or to flash the JB boot loaders, and you would never be able to tell the difference. On the other hand, there must be a reason that Samsung puts them into the kies download. I just have no knowledge and no speculation on how they differ, or whether it is important to have matching boot loaders.
Edit: Oh, and boot.bin probably goes into 0p0 partition, just a guess. But it gets flashed in the pda slot just like sbl and param, so it must go into a partition.
Edit: A forum friend found this thread for us.
Edit: I just found Adam Outler's online pit file analyzer and ran the pit file from the Download Repository through it. Partition information for the AT&T SGS2 attached.
bleggy said:
whats the point, anyway? having consistent bootloader and rom doesnt seem to matter and plenty of i777 owners are running kitkat which there is no available bootloader to download and flash.
Click to expand...
Click to collapse
I have no reason to make the bootloader match the ROM. I'm just making sure I understand how everything works together to avoid doing something that may potentially brick my phone. I flashed the no bootloader version of stock UCMD8 today and everything seems to be working fine. As long as things work, I don't really care which bootloader I have.
creepyncrawly said:
Edit: Oh, and boot.bin probably goes into 0p0 partition, just a guess. But it gets flashed in the pda slot just like sbl and param, so it must go into a partition.
Click to expand...
Click to collapse
There's not a "zero" partition. My only guess is that it's embedded somewhere else. Not sure at this point.
I found that post the other day with the S2 partition layout (that's what I was using for my tests). The PIT file analysis gives a little more info, although it says boot.bin partition is 0 bytes. That's what confuses me a bit. But in the end, not really a big deal. More of a curiosity than anything else.
When this forum was active "Don't mess with bootloaders" was common knowledge. Unless you absolutely have to. You can hard brick this thing if there's a problem while flashing it.
Don't mess with any of the files you mentioned. As far as I know it's unnecessary. I'm running Renders CM11 build with no problems with the original GB bootloader. Never had a problem with ICS or JB roms either.
Yea, my main purpose for starting the thread was to make sure I wouldn't break anything beyond repair by having mismatched bootloaders. It makes perfect sense why corrupting the bootloader would hose things (just like if you corrupted the MBR of your hard drive and had to boot off of alternative media to repair it, except for the fact that the phone does not have the ability to boot alternative media). My ASUS Transformer TF300T is nice in that aspect as the Nvidia chipset allows booting into APX mode which is an extremely low level boot mode that allows repair of almost anything. It should would be nice if the additional bootloader slot on the S2 could be used as a fallback with a way to choose which bootloader to run.
I'm the kind of person that likes to know more about the innards of how something works instead of looking at it as a black box. When I'm "flashing the kernel", I like to know exactly what it is I'm changing so I can understand the repercussions, especially if something goes wrong.
So the net result after this conversation is that I'm a lot more confident about flashing android devices (as long as I stay clear of messing with the bootloader whenever possible). I have CM11 running now too (stock CM kernel) while still on the GB bootloader.
READ ON!
I HAVE SUCCESSFULLY BYPASSED VERIZON/ATT OF4 SECURITY ON THE OF4 BUILD for the SM-S975L and have succeeded in downgrading the bootloader by hex editing. I reach the Samsung Galaxy S4 logo. This is quite the accomplishment for me.
However, I need help with unpacking the system image and reworking it to an ATT-based ROM. Knox flat out tells me "No Verizon." when I try the flash. Because you know, aboot knox and all...
Merely hex edit the version number inside your custom boot image to match the system currently installed as you flash to stock. Search for any build number strings inside mbm files and edit accordingly. My documentation is below. Screw you verizon! I just saved myself $200.
Files to keep in Odin tar with matching build number name to pass check:
Changed
S975LUDUANB1_S975LTFNANB1_S975LUDUANB1_HOME.tar.md5
to
S975LUDUAOF4_S975LTFNAOF4_S975LUDUAOF4_HOME.tar
Hex edited version numbers into:
aboot.mpm
rpm.mbm
sbl1.mbm
sbl2.mbm
tz.mbm
boot.img
Guide update: Bootloader error "No Verizon. I suppose thats the CSC?"
deleted other files from that archive.
Made new archive name of:
S975LUDUANB1_S975LTFNANB1_S975LUDUANB1_HOME.tar
Placed system files in it. Rebooted and flashed. WORKED!
It will flash in Odin 3.07. Then reboot into download mode and flash the other ones with the same, you'll be downgraded and bypass the security check since you have the downgraded bootloader.
Give me credit and donate. I just saved the Verizon users' butts. As well as the tracfone ones.
If I can figure out how to unlock the straight talk bootloader I shall do. And make a flashable Odin image.
:laugh::laugh::laugh::laugh:
WORKING! -> SM-S975L Straight Talk on locked down firmware. http://forum.xda-developers.com/galaxy-s4/unified-development/root-sm-s975l-straight-talk-variant-of4-t3279890/post64511525
Documentation
I need a reliable way to edit mbm files I've extracted from the stock NB1 image. OF4 bootloader won't let old versions flash, so I'm going through a hex editor after removing md5 check to see what I can do as far as hex editing the version number to be newer than OF4 from the binaries. We get a fail on aboot.mbm. We are compatable, however Knox says we cannot downgrade.
Documentation on Odin flashable .tars and correct Samsung official mpm formats?
Help unpacking/repacking mpm files and root injection?
Documentation on Qualcomm Snapdragon machine code.
Update: aboot.mpm, modem, and system.img.ext4 version numbers changed, there is some kind of pattern, I see in system.img.ext: NB1 scattered throughout the code pages. I'm wondering if this is safe to change. It looks part of the code, so I'd assume no. I am seeing their routines for checksum as well there too, near there. So to the requests goes documentation on ARM assmelber, machine code. I hope this helps people like for example loki_tool. Would be nice if we had one to patch samsung images. I can make one that searches for the strings in the code in C for all the phone models, it sure would help bypass Verizon's crap. I'm so mad at them, rant rant rant onwards... Towelroot apk is going to need modified to support this build number (OF4, it is rootable since its NB1, but towelroot just checks the build number)
UPDATE 2: Flashed. Successful Nand write start. aboot is write protected even at Download mode level. Will try documented successes on Odin 3.07 for bootloader aboot flashes. Flashing it fails with a security lockup. Odin 3.09 sits there, but Odin 3.07 might work.
Update 3: Hacking the version number to current out of the Samsung Verizon images produces successful NAND write start. Developers, please note this when unlocking boot loaders. I have discovered a compromise which will allow flashing of unofficial aboot and system data. Provided the flashed bootloader does not contain checksum code.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Found in codepages of aboot.mpm Don't know if changing this plain text string is enough to make it match, I have a feeling CSC is going to fail which is going to require another hack. Plus half the code pages of aboot are SA1 encrypted. Going to search through mpm packages to make them all match.
In system.img.ext4 NB1 is scattered throughout the codepages. I found it several times but not going to change until I know if it will causes a system boot failure.
Build number hex edited to OF4 to bypass CSC check. Original post updated.
Bump. OP updated with link and working results.
I apologize for my ignorance since I don't fully understand the OP, so allow me to ask: does this wotk on USA AT&T GS4?
If it does work, and even if it doesn't, I think you should re-make the OP because I think the majority of people won't be able to understand what you did. Just an advice, I think it would be great!
Good job btw, you are giving us a little bit of hope!
Could this be reworked to downgrade firmware on the GS4 VZW (SCH-I545) ?
you can't downgrade bootloaders if the qfuse is blown
period end of discussion
you tamper with the bootloader by hexediting its a one way ticket to brick town on qfuse-blown vzw devices
Legitsu said:
you can't downgrade bootloaders if the qfuse is blown
period end of discussion
you tamper with the bootloader by hexediting its a one way ticket to brick town on qfuse-blown vzw devices
Click to expand...
Click to collapse
Unless of course, you have no idea what you're doing.
Does this or my guide look like I know what I'm doing? I'm root, now with disabled knox. So please don't insult me. You can flash modified loki'd aboot no issues. As long as signature matches you're gold. No qfuse. You insult someone who spends hours in a hex editor with this kind of thing, sir. I'm not technically downgrading. I'm tricking it into passing the code the downgraded kernel provides.
Bootloader screen
Verification Check: OK
0x0 KNOX Kernel Lock: Off
0x0 Verification Lock: Off
Warranty bit: 0x1 (Void)
Kernel lock and verification lock where on last night then some more tinkering got them off.
This stuff is to help people. So please mediocre responses like that are not necessary. Makes me not want to share my work sometimes.
rena14 said:
I apologize for my ignorance since I don't fully understand the OP, so allow me to ask: does this wotk on USA AT&T GS4?
If it does work, and even if it doesn't, I think you should re-make the OP because I think the majority of people won't be able to understand what you did. Just an advice, I think it would be great!
Good job btw, you are giving us a little bit of hope!
Click to expand...
Click to collapse
Thank you. I appreciate it. It works on the new Straight Talk / ATT GS4 with the corrected JB 4.3 and locked kernel. But as stated the flash will blow qfuse. But I'm not sure on that one, because I blew qfuse when I tried to flash TWRP, not during my tinkering.
Current issue is that Wi-Fi freezes in the OF4 firmware because the NB1 kernel does boot the OS, but OF4 is for JB 4.3 and NB1 is for JB 4.2. I have not encountered any FCs thus far. Recovery can't be flashed yet, but modified aboot with matching build number hex hacked into it OF4 does not throw a security check fail. I got nand write start, and pass.
Best I can say is try this hack method for your device. Find a sacrificial lamb you where going to throw away with a cracked screen. Ebay works. As long as the device is fully functional. All of my dev phones are old phones I'm getting rid of. So I never wreck a daily driver and a replacement is so cheap because of a damaged model I might only pay $50-100 for a device with a cracked screen.
Samsung's root certificates are in plain code in system.img.ext4. So sign your builds with the root certs, Sha256 pack, hex hack build number, gold.
The best explanation I can offer:
You are passing downgraded code. But Knox thinks you're just re flashing the current build.
LupineDream said:
Thank you. I appreciate it. It works on the new Straight Talk / ATT GS4 with the corrected JB 4.3 and locked kernel. But as stated the flash will blow qfuse. But I'm not sure on that one, because I blew qfuse when I tried to flash TWRP, not during my tinkering.
Current issue is that Wi-Fi freezes in the OF4 firmware because the NB1 kernel does boot the OS, but OF4 is for JB 4.3 and NB1 is for JB 4.2. I have not encountered any FCs thus far. Recovery can't be flashed yet, but modified aboot with matching build number hex hacked into it OF4 does not throw a security check fail. I got nand write start, and pass.
Best I can say is try this hack method for your device. Find a sacrificial lamb you where going to throw away with a cracked screen. Ebay works. As long as the device is fully functional. All of my dev phones are old phones I'm getting rid of. So I never wreck a daily driver and a replacement is so cheap because of a damaged model I might only pay $50-100 for a device with a cracked screen.
Samsung's root certificates are in plain code in system.img.ext4. So sign your builds with the root certs, Sha256 pack, hex hack build number, gold.
The best explanation I can offer:
You are passing downgraded code. But Knox thinks you're just re flashing the current build.
Click to expand...
Click to collapse
Thank you for taking time the to answer my question, I really appreciate the time and effort you are spending on this.
Since you are still working on this, I'll just wait until you finally get all the things together and fully unlock bootloader. My GS4 is also my daily driver so, following your advice, I better don't attempt to do anything until I can fully understand the whole thing.
Wish you the best of luck on this project, and thanks again for your work, dude!
Regards.
LupineDream said:
Unless of course, you have no idea what you're doing.
Does this or my guide look like I know what I'm doing? I'm root, now with disabled knox. So please don't insult me. You can flash modified loki'd aboot no issues. As long as signature matches you're gold. No qfuse. You insult someone who spends hours in a hex editor with this kind of thing, sir. I'm not technically downgrading. I'm tricking it into passing the code the downgraded kernel provides.
Bootloader screen
Verification Check: OK
0x0 KNOX Kernel Lock: Off
0x0 Verification Lock: Off
Warranty bit: 0x1 (Void)
Kernel lock and verification lock where on last night then some more tinkering got them off.
This stuff is to help people. So please mediocre responses like that are not necessary. Makes me not want to share my work sometimes.
Click to expand...
Click to collapse
This sounds very promising. Thank you
This is absolutely huge news to read. I am assuming once recovery is working (ie: TWRP) that perhaps could AOSP ROMs like CM13 be usable on all Verizon S4's once the downgrade is done? I'll be keeping track of the progress on this for sure.
yes you can spoof 'minor' version numbers(pretty sure somebody already did this a awhile back) but it's never going to boot(unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks it most certainly will never get you back to VRUMDK or to a loki-exploitable base,which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knoxs bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and its a automatic no-boot because its cryptographically signed and and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast then all the other variants
@npjohnson ?
Legitsu said:
yes you can spoof 'minor' version numbers(pretty sure somebody already did this a awhile back) but it's never going to boot(unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks it most certainly will never get you back to VRUMDK or to a loki-exploitable base,which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knoxs bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and its a automatic no-boot because its cryptographically signed and and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast then all the other variants
@npjohnson ?
Click to expand...
Click to collapse
Said documentation on CPU integrity checks?
In that case, I'll most likely need more hardware than I currently have... Like a JTAG debugger. At least something thar can get me low level enough to reverse engineer and find out what the CPU I'd trying to verify. And match an aboot to it.
Legitsu said:
yes you can spoof 'minor' version numbers(pretty sure somebody already did this a awhile back) but it's never going to boot(unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks it most certainly will never get you back to VRUMDK or to a loki-exploitable base,which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knoxs bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and its a automatic no-boot because its cryptographically signed and and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast then all the other variants
@npjohnson ?
Click to expand...
Click to collapse
Right know I have a few tools that are providing useful, IDA decompiler being one of them. But I need the documentation on the instruction sets of the CPU and hardwarespec
Going to do some digging. I'm an it student though not enrolled at Penn State. There's a campus local. I'm going to do some asking around (quite cautiously) to find any equipment needed. I need this functional model to work with. I am getting a new DD next month
Shout out to any Penn state students. This is a project that's worth the bounty. Because if a JTAG won't give me access on POST, yeah, that's a disassembly and a chip mount. And that's not something I have the funds for. At all. Even though the most backwater of websites will take an auto deskffile and 3D print me a mount for pennies on the dollar.
Im realizing where there is a bounty on this unlock.... Again. Got to do some digging. If I become neglectful of this thread I am sorry. Its because quite honestly I'm probing for assistance.
Legitsu said:
yes you can spoof 'minor' version numbers(pretty sure somebody already did this a awhile back) but it's never going to boot(unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks it most certainly will never get you back to VRUMDK or to a loki-exploitable base,which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knoxs bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and its a automatic no-boot because its cryptographically signed and and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast then all the other variants
@npjohnson ?
Click to expand...
Click to collapse
I feel like an idiot but this might help: I was I of1(the latest lollipop build) and I Odin'ed oc1(the first lollipop build). Here's the the part that is interesting: I got a soft brick and could fix it through Odin. Sorry if you guys already knew this, just wanted to help.
LupineDream said:
Right know I have a few tools that are providing useful, IDA decompiler being one of them. But I need the documentation on the instruction sets of the CPU and hardwarespec
Going to do some digging. I'm an it student though not enrolled at Penn State. There's a campus local. I'm going to do some asking around (quite cautiously) to find any equipment needed. I need this functional model to work with. I am getting a new DD next month
Shout out to any Penn state students. This is a project that's worth the bounty. Because if a JTAG won't give me access on POST, yeah, that's a disassembly and a chip mount. And that's not something I have the funds for. At all. Even though the most backwater of websites will take an auto deskffile and 3D print me a mount for pennies on the dollar.
Im realizing where there is a bounty on this unlock.... Again. Got to do some digging. If I become neglectful of this thread I am sorry. Its because quite honestly I'm probing for assistance.
Click to expand...
Click to collapse
everything you wanna know is in this thread http://forum.xda-developers.com/showthread.php?t=2500826
pay close attention to the bits at the bottom and the posts about TZ aka trust zone
there has been a pretty massive effort at this for sometime with only sporadic progress
basicly focus shifted from unlocking to getting kexec working,which is just as good
for the record please nobody attempt this on a vzw device you will blow a qfuse or cause a hard brick
Legitsu said:
for the record please nobody attempt this on a vzw device you will blow a qfuse or cause a hard brick
Click to expand...
Click to collapse
i was about too anyone tried it anyways though?
Awesomeslayerg said:
i was about too anyone tried it anyways though?
Click to expand...
Click to collapse
.... why would anyone try it when its a 100% guarantee to hard brick on vzw
Envoyé de mon SM-G903F en utilisant Tapatalk
Hello everyone.
I know many of you have worked on safe-strap TWRP recovery in light of the inability to unlock the bootloader.
I have been testing on my note 8 and as someone else pointed out if you install the Engineering Rom listed below you will have the oem unlock toggle.
This service rom.
COMBINATION_FA71_N950USQU2AQK3_CL12591988_QB15811772_REV00
As far as everyone believes this option is only for FRP reset.
To tell you anyway the FRP reset is simply ZEROing out the persistence partition.
A persistence partition that is ZERO is default OEM Unlock ON. Meaning the toggle is set to not allow oem unlocking.
Using the mentioned rom above it is possible to set oem unlocking allowed.
This does not mean the bootloader is unlocked.
But i do feel that it is very close to unlocked and leads me down a path that i can unlock the bootloader.
I have a Galaxy Tab E that is allowed to be bootloader unlocked.
By doing a dd dump of all partitions then doing hexdump of the dd dumps the hex dumps can be diffed in terminal effectively.
By doing a comparison of the unlocked and locked state partitions I can Identify the changes being made.
I am still in the process of testing and comparing the dumps.
I need a TWRP build for N950USQU2AQK3 or ver 2 bootloader.
I almost think I have the bootloader set to where it will allow TWRP to Run.
This may not be a full unlock yet but having a good TWRP build would be a good test.
I could build TWRP myself but i do not have a build system setup currently..
So one of you that has compiled twrp for safestrap or other testing please share to save me some time.
I dealt with this same scenario on a HTC Desire 526 that was bootloader locked by verizon.
I did develop a unlock method using this same process i am using now.
So no......This is not a JOKE.
I am making progress on unlocking the note 8 USA Variety. :victory:
Help me out and share your TWRP.
HI, I have a SM-N950U and I'm on Verizon,
My Baseband is:
N950USQU1AQI5
What would you like someone to do for you?
Htc is different then samsung....samsung has checks on every partition in the device if it detects something the phone will not boot ha
pbedard said:
Htc is different then samsung....samsung has checks on every partition in the device if it detects something the phone will not boot ha
Click to expand...
Click to collapse
Bigcountry has been doing all the necessary research which involves how the partitions interact with each other. He is really close to officially unlocking the boot loader apparently. We all are aware of how strict Samsung is but there seems to be a small window of opportunity that WILL enable a true bootloader unlocking method.
JedidroidX said:
Bigcountry has been doing all the necessary research which involves how the partitions interact with each other. He is really close to officially unlocking the boot loader apparently. We all are aware of how strict Samsung is but there seems to be a small window of opportunity that WILL enable a true bootloader unlocking method.
Click to expand...
Click to collapse
ºȯº could it be?
Wow really this would be awesome. Cannot wait. Thanks for the hard work.
I really hope this works
Interesting
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need a unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
BigCountry907 said:
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need a unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
Click to expand...
Click to collapse
I have a V3. I also am currently learning some arm assembly this semester, so I might be of some (minor) use. Note sure what my schedule will allow, but I will definitley assist how I can.
BigCountry907 said:
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need a unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
Click to expand...
Click to collapse
I'm on bootloader 5. I'll be glad to help ya out with what you need.
BigCountry907 said:
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need a unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
Click to expand...
Click to collapse
I'm on v3 bootloader...if you need anything I will try my best to help you out and see if we can get this phone unlocked
I'm interested and will get note 8 for this work. Is there any particular bl you'd prefer like rev1 and or 3 or just rev 2. Also I have a Samsung edl tool to aid the firehose process. Now that I think of it I already have firehose Rev2 from when I bricked out on SD.
---------- Post added at 06:10 PM ---------- Previous post was at 06:01 PM ----------
Also what sort of programming knowledge can help you if you don't mind me asking
Vell123 said:
I'm interested and will get note 8 for this work. Is there any particular bl you'd prefer like rev1 and or 3 or just rev 2. Also I have a Samsung edl tool to aid the firehose process. Now that I think of it I already have firehose Rev2 from when I bricked out on SD.
---------- Post added at 06:10 PM ---------- Previous post was at 06:01 PM ----------
Also what sort of programming knowledge can help you if you don't mind me asking
Click to expand...
Click to collapse
Currently I am working on Rev 2. bootloader.
You guys that have other Revisions Can help us all out by getting GPT backups from your devices. Then I can Compare the GPT for differences.
I currently have the UNBRICK for bootloader version 2.
Anyone with a HARD Bricked device that is on samfail V2 possibly samfail V2..5 or the factory AQK2 or the AQK2 factory repair should test this unbrick. I am sure it will work.
If other versions of the bootloader have the same gpt then we can take the bootloaders out of the stock firmware and swap them with the files in the unbrick and it should work. If the gpt is different then new GPT files will need made for the other bootloaders.
@Vell123;77796726
Which Box do you have?
You mention SD / does the sdcard method still work.
Do you put the sdcard into the device to boot download mode?
If that is the case we can run full android off the sd card potentially.
I would love to have a copy of the card if you can dd and image that would be great.
I have been thinking about buying the medusabox pro. It supports firehose and these phone models.
I don't know what box is best but whatever it is i want to buy one.
As far as bootloader unlocking I noticed after the GPT on the beginning of dev/block/sda there is a pretty decent chunk of data that is not the GPT or the PIT and may be a place for us to look into. Its basically a hidden spot in the emmc that samsung is not normaly written to.
@kronickhigh
If you can re-base and disassemble the abl.img that could lead us down the right road. You may be able to locate where the security checks are executed. If you can locate those it could be possible to determine the memory addresses where this data is stored.
I'm going to start a new thread on GPT and I will post there the commands to pull the GPT and what were looking at.
I am also going to start a new thread for the unbrick files.
@Vell123;77796726
If you can share the sdcard image you have that would be superb.
For now here is the v2 unbrick tor the N950U
Which Box do you have? I have the z3x box however i also have a edl repair cable/tool.
You mention SD / does the sdcard method still work.
Do you put the sdcard into the device to boot download mode? I don't have a SD card version. I was told by Me21( that made Samfail ) it wouldn't work so i didn't mind working on anything. However it might work. When i said SD i was referring to Snapdragon processors.
If that is the case we can run full android off the sd card potentially.
I would love to have a copy of the card if you can dd and image that would be great.
I have been thinking about buying the medusabox pro. It supports firehose and these phone models.
I don't know what box is best but whatever it is i want to buy one.
I'm sure your may already know the boxes use AT+COMMANDS but the most support is the best!
As far as bootloader unlocking I noticed after the GPT on the beginning of dev/block/sda there is a pretty decent chunk of data that is not the GPT or the PIT and may be a place for us to look into. Its basically a hidden spot in the emmc that samsung is not normaly written to.
@kronickhigh
If you can re-base and disassemble the abl.img that could lead us down the right road. You may be able to locate where the security checks are executed. If you can locate those it could be possible to determine the memory addresses where this data is stored.
I'm going to start a new thread on GPT and I will post there the commands to pull the GPT and what were looking at.
I am also going to start a new thread for the unbrick files. @Vell123;77796726
If you can share the sdcard image you have that would be superb.
For now here is the v2 unbrick tor the N950U[/QUOTE]
Rip note 8
What Happened
pbedard said:
Rip note 8
Click to expand...
Click to collapse
What happened to your note 8.
The unbrick files are legitimate Samsung Leaked files.
If you are on bootloader rev 2 you should be able to unbrick it.
You need to load the qualcomm edl drivers.
If you are on a different bootloader version we can try to make a unbrick for you.
Also depending on what you were doing.
You may have got the device stuck in sahara mode or something.
I once thought i bricked mine.
It was deader than dead. Only showed up as unrecognized device.
I left it that way overnight until the battery fully died.
Then when i plugged it in the next day it came back to life.
Unless you physically damaged the note 8 it can be recovered. Sooner or later.
Sooner if you are on rev 2
So as this thread first asked.
Who has a halFway decent tree for me to build TWRP.
I going to need it pretty soon.
Were about there. I gotta get me a 64gb sd card tonight and finish up a little more work on my gpt decoder.
Looking at the strings in the elf files I can see that the option to boot from sd card is in there.
Other than that I need to create sparse chunk images of partitions like /system and /data and /persist.
All the big boys gotta get sparsed out to chunks small enough for edl flashing.
I have a very special set of bootloaders and I'm thinking this set will be able to be unlocked.
What needs done is building a complete edl flash using these bootloaders and the standard U2 version /system and other images needed to complete the flash. If this all works as I anticipate it will be RIP Locked Bootloader.
I am on rev 3 i fixed my bricked device myself with a friends help
BigCountry907 said:
So as this thread first asked.
Who has a halFway decent tree for me to build TWRP.
I going to need it pretty soon.
Were about there. I gotta get me a 64gb sd card tonight and finish up a little more work on my gpt decoder.
Looking at the strings in the elf files I can see that the option to boot from sd card is in there.
Other than that I need to create sparse chunk images of partitions like /system and /data and /persist.
All the big boys gotta get sparsed out to chunks small enough for edl flashing.
I have a very special set of bootloaders and I'm thinking this set will be able to be unlocked.
What needs done is building a complete edl flash using these bootloaders and the standard U2 version /system and other images needed to complete the flash. If this all works as I anticipate it will be RIP Locked Bootloader.
Click to expand...
Click to collapse
Fingers crossed and good luck!
I have been coming here for years really, enough o spot major changes, like the bootloader variant's available lately, so I thought it a good idea to create a one charity thread full of bootloaders, because I figured out that the variant's of bootloaders have increased. Just look at all those custom roms... each modded rom seems to come in 4 flavour now.
a, a/b
32mb or 64..?
user, user-debug, or eng.
then there's the type of whatever chips etc, but most importantly...
People are forgetting a simple fact. A 'user' built bootloader, ie, stock, after-sale is blocked to root.
Magisk says patch the bootloader, yup, but they also want internet, so flashing latest magisk to a bootloader wont work if your not online, cause it wants to update BEFORE you get to play.. su CANNOT be used until you update the app, even if there are no updates, and while flashing magisk apk solves this, it is an un-neccessary step and a pain, because magisk is not the cure. It now takes over su... or busybox... Provable thus:
Flash Magisk'd boot, reboot, dulled out magisk shows in gui, wanting an update. Root checker says you are rooted (system-as-root, root shows even without magisk ) does not mean magisk rooted your bootloader, because if it had, you would be able to install su or busybox at shell... to get su. without recovery. I know. I've tested this fone for a year now... then I noticed I was using a user build... says it all....
With a latest magisk'd bootloader, booted up, we still cannot install su or busybox. So magisk does NOT root the bootloader, OR the fone. Until you login to them.
Even then, Magisk can patch, but not FLASH the fone=USER build.
Say I cant update offline to test why it wont flash the boot it just created. to make matters worse, now we gotta worry about the name of the patched boot getting longer and longer, magisk themselves making it harder to keep track... only to find flash failed. Respect Magisk
All because of the variant build.
We test recoveries... but magisk roots the bootloader.
Why patch a recovery for temp root wiped upon reboot when we can do the bootloader?
If we posted our magisk'd bootloaders instead of recoveries, you'd spot something factual.
A WORKING magisk'd bootloader, when opened in hex, will show variant=eng - if its PIE. Mine shows user.
A WORKING magisk'd recovery, when opened in hex, wait for it.. shows eng! wtf?
This is cause someone upped their test using their eng build, so it worked. For others.
Stock recovery does NOT show this. It shows user. PIE rooters see ENG in their RECOVERY. NOT USER!!!!!
Hence the note9 recovery, with ENG at the start, allowed me to patch my bootloader while in gui, and reflash it to bootloader OFFLINE, using what I just wrote wont work.
Because the PIE rooted bootloades are all ENG builds.
So if your magisk'd bootloader OR recovery shows 'USER' - forget it.
So, why not magisk patch your bootloader and post it here? Take it from your stock, magisk it, and post it.
Then we can all just grab a boot, and KNOW why the latest problems can disappear in a FLASH!
I'll post a link to my post's regarding how I found this simply stupid fact... Since my bootloaders there...
people assume root works on user builds...
It no longer does, and is now in fact, a barrier. One we never worried about before.. until now...
Ps: Last OS's only please, nothing from Pie please, just Android 10 onwards due to new partition schemes...
Thank you. I'll get you rooted. After I plant myself lol....
Armor x5 Android 10_Q Mt6765 aka Mt6762 ROOT AT LAST!
This 'tutorial' is a quicky for those yet to figure this fone out. Well it took a bit time for sure, but this is how it went... No matter what recovery or magisk I tried, nothing worked, all ulefone images with twrp were 64mb in size, where-as...
forum.xda-developers.com
The main mistake in your post is that you confuse bootloader ( read: uboot.bin ) with boot.img.
Next big mistake is to claim that a device's bootloader can get rooted: only the Android OS can get rooted.
Another mistake is to claim a bootloader is build-type dependent: the build-type only relates to Android OS, it controls whether ADB is featured or not.
And so on ...
No, I'm not confused. I do not want uboot.bin, although I understand your geek speak, there is NO uboot anywhere in my rom.
I want, like everyone else, a bootloader that clearly states its an eng variant of either a 32mb or 64 mb, preferable from stock, but since google twigged to what I'm saying, eng bootloaders are hard to find. Pie shows eng... but nothing since, have you twigged to that uboot?
When I want linux, I'll attempt lineage, but since twrp wont see the lineage zip we're all supposed to install, which in turn has an img inside, I'll say bang goes that idea, says it all when the devs think twrp will see their roms as a zip when it's an xz, not viewable in twrp, and well, I guess I just need to hang on until the boots arive when y'all twig to what google is doing...
Killing root period.
Uboot? Das uboot 57 is on the ocean floor....
Even google admit they're not releasing engineer or debug builds anymore... yes you can make them in the dev studio, and then post them online, but we've yet to accept what I'm saying.... in order to find the eng builds.
I want rid of google period, not install all their crap...
And how many people so far have realised what I'm saying, looked at their user bootloaders, and gave up knowing how pointless magisk actually is on a user bootloader?
Oh, and su actually needs to be in a bootloader to have true root, since directory traversal is geting worse.... aint no goin back....
Why do you think flashing a BOOTABLE recovery made from a BOOTLOADER works in recovery?
$ is turned into # when typing su.
Now if system is yet to load, explain how $ turns to # -Don't lol
Because it WAS a bootloader until it was rooted and loaded in RECOVERY, in order to boot or root!
I know what I'm saying and pursuing, and all others will fall into line soon....
jwoegerbauer said:
The main mistake in your post is that you confuse bootloader ( read: uboot.bin ) with boot.img.
Next big mistake is to claim that a device's bootloader can get rooted: only the Android OS can get rooted.
Another mistake is to claim a bootloader is build-type dependent: the build-type only relates to Android OS, it controls whether ADB is featured or not.
And so on ...
Click to expand...
Click to collapse
Uboot is in pie I believe. and every other linux I've seen, but android is NOT linux, but a remix... I even see uboot in the firesticks... but not my fone. Nor my stock firmware. your statement here could mean a/b partitioning is 2 uboots? pointless... uboot. Docsis 1. Docsis 2. Dual Chips. ab partitioning. Docsis 3. Same. Hello Fone. Is that a seperate linux os with another uboot controlling the lte side of your fone? or one uboot with 2 identical partitions.. My fone calls that a preloader. boot 1 would be boot.img, boot 2 would be boot-debug.img, if I was a/b partitioned. But I got a preloader with 2 identical boot.img, checking byte for byte unless I root. the boot.
It's not a mistake to know I know the origional command used in windows, to create a true unix root and password (at that time, supposedly impossible), windows commanding unix? windows control over an iphone with nothing more than the origional unix root user hack, which incidently, still works on every version of unix/linux/android...?
Android is NOT linux, but a remix, as much as linux is unix is eye... same commands, some on google, some in my head
And as for your last statement, I never made any mistake claiming any bootloader is dependant on build-type, but the bootloader's build-type decides wether we can flash, a magisk'd bootloader in gui, or rw system...
User is simply windows oem home edition. debug is android. engineer is unix.
I'm old school. Past it... Never frown on those that write like I do, we have so much to share...
But if my memory serves me well, uboot actually came from eCos, origionating in Docsis modems at the beginning of broadband., hence it is a DOS boot file, origionaly for modems. Just for the record, check tcniso, where they mention the vxShell as being 'very beauty'...
This explains the 64mb non-vol from the ambit 250, best security at that time, the non-vol was doubled to store a copy of the first half, in the second half where the first half was matched byte for byte before the modem came online, and why an ambit 250 non-vol could not work on an ambit 256, for the non-vol was exactly half the size, 32mb..
Same structure, day in day out... meanwhile, back in the jungle...
Pachacouti said:
Uboot is in pie I believe. and every other linux I've seen, but android is NOT linux, but a remix... I even see uboot in the firesticks... but not my fone. Nor my stock firmware. your statement here could mean a/b partitioning is 2 uboots? pointless... uboot. Docsis 1. Docsis 2. Dual Chips. ab partitioning. Docsis 3. Same. Hello Fone. Is that a seperate linux os with another uboot controlling the lte side of your fone? or one uboot with 2 identical partitions.. My fone calls that a preloader. boot 1 would be boot.img, boot 2 would be boot-debug.img, if I was a/b partitioned. But I got a preloader with 2 identical boot.img, checking byte for byte unless I root. the boot.
It's not a mistake to know I know the origional command used in windows, to create a true unix root and password (at that time, supposedly impossible), windows commanding unix? windows control over an iphone with nothing more than the origional unix root user hack, which incidently, still works on every version of unix/linux/android...?
Android is NOT linux, but a remix, as much as linux is unix is eye... same commands, some on google, some in my head
And as for your last statement, I never made any mistake claiming any bootloader is dependant on build-type, but the bootloader's build-type decides wether we can flash, a magisk'd bootloader in gui, or rw system...
User is simply windows oem home edition. debug is android. engineer is unix.
I'm old school. Past it... Never frown on those that write like I do, we have so much to share...
But if my memory serves me well, uboot actually came from eCos, origionating in Docsis modems at the beginning of broadband., hence it is a DOS boot file, origionaly for modems. Just for the record, check tcniso, where they mention the vxShell as being 'very beauty'...
This explains the 64mb non-vol from the ambit 250, best security at that time, the non-vol was doubled to store a copy of the first half, in the second half where the first half was matched byte for byte before the modem came online, and why an ambit 250 non-vol could not work on an ambit 256, for the non-vol was exactly half the size, 32mb..
Same structure, day in day out... meanwhile, back in the jungle...
Click to expand...
Click to collapse
Ok, so no-one see's the need for bootloaders yet lol... so in the meantime, I had another idea.
Why not just remove magisk from an eng build bootloader, and then flash it, then re-apply magisk, if only to find out that this is how google prevent us writing to system...
And to whom-ever it was that stated magisk can convert an unpatched bootloader of the user variant into an eng (engineer) variant bootloader, your simply wrong, no offence, I been through enough of them to know...
I wouldn't be looking for one since android 10 if it was ahem, the old way...