What's the purpose of this?
...well , anyone tell me what is this ?
AJsama said:
...well , anyone tell me what is this ?
It's a modified XBL bootloader... for now the security hole is enabled if you know what to do with the partition sde34 ...
I'll build an image for the partition that will make the secure boot frack up .. so we can get rid of the stupid text on unlocked OEM.
It is not gonna happen in 1 day ... let me and others work on it.
It's a good start, and I DID try the files on my own ot5 before publishing it.
In
Sent from my ONEPLUS A5010 using Tapatalk
Wow @brokenworm this is amazing! Thanks. Have you only tried this on OnePlus bootloaders? I am sure this could be worked up on other devices too. You should msg alephsecurity and tell them about this exploit so that they can further explore this. Thanks again.
So, I just have to flash it and the "bootloader unlocked" message at boot will be gone? @brokenworm
EDIT: Nevermind
Just wanna make sure, is there a way to revert to the stock BL if I want to relock or something? (Just not sure whether or not OP has released a BL image or something like that)
EugenStanis said:
So, I just have to flash it and the "bootloader unlocked" message at boot will be gone? @brokenworm
EDIT: Nevermind
working on that...
brokenworm said:
It's a modified XBL bootloader... for now the security hole is enabled if you know what to do with the partition sde34 ...
I'll build an image for the partition that will make the secure boot frack up .. so we can get rid of the stupid text on unlocked OEM.
It is not gonna happen in 1 day ... let me and others work on it.
It's a good start, and I DID try the files on my own ot5 before publishing it.
Wow, cool! :victory:
Am I the only one that looked at the title and wondered what Xbox Live had to do with OnePlus?
On topic: I look forward to future releases based on this and other creative things that can be done.
Did somebody flash this and did it work?
If this actually works, that'd mean that OnePlus somehow managed to knock out the signature verification of the bootloader. If you flash this on a properly provisioned retail device, you're just gonna brick it. You can't just modify random stuff in signed firmware images and expect them to work on retail hardware.
Shad0wKn1ght93 said:
If this actually works, that'd mean that OnePlus somehow managed to knock out the signature verification of the bootloader. If you flash this on a properly provisioned retail device, you're just gonna brick it. You can't just modify random stuff in signed firmware images and expect them to work on retail hardware.
I'm of course rooted with Magisk and have TWRP installed.
PBL comes before XBL ("PBL" is the primary bootloader),
so you don't have to worry... and I WILL NOT publish anything before I have flashed it on my own phone first ...
Currently I've managed to tick the 0x01 to 0x0 to make the security hole active.. default was 0x01.
... The SPLASH partition sde34 is currently NOT checked by either XBL or PBL; even if you edited the partition sde34 and restored all to stock ("also my XBL") it would start as normal .. neither red warning nor orange! I tested this!
I managed to edit the check, meaning it's disabled on that partition, with a simple 0x0 and removed # to get it to respond to the ticks! But surely you cannot run my XBL completely stock, ONLY sde34; it's just not what we are doing here.
We try to get the security hole on sde34 to smash up the secboot ... sde34 is the way .. not my XBL; the XBL was to remove the RSA hashing / checks on the partition, nothing else. So while we work on the exploit we use the XBL.. but I'm hoping someone takes it further and DOES make the XBL do such carnage without the sde34.
Don't come tell me what I can and cannot do.. we're doing it anyways!
brokenworm said:
I'm of course rooted with Magisk and have TWRP installed.
PBL comes before XBL ("PBL" is the primary bootloader),
so you don't have to worry... and I WILL NOT publish anything before I have flashed it on my own phone first ...
Currently I've managed to tick the 0x01 to 0x0 to make the security hole active.. default was 0x01.
... The SPLASH partition sde34 is currently NOT checked by either XBL or PBL; even if you edited the partition sde34 and restored all to stock ("also my XBL") it would start as normal .. neither red warning nor orange! I tested this!
I managed to edit the check, meaning it's disabled on that partition, with a simple 0x0 and removed # to get it to respond to the ticks! But surely you cannot run my XBL completely stock, ONLY sde34; it's just not what we are doing here.
We try to get the security hole on sde34 to smash up the secboot ... sde34 is the way .. not my XBL; the XBL was to remove the RSA hashing / checks on the partition, nothing else. So while we work on the exploit we use the XBL.. but I'm hoping someone takes it further and DOES make the XBL do such carnage without the sde34.
Don't come tell me what I can and cannot do.. we're doing it anyways!
Editing a text config file in this case is as much of a change as if I told you that I am using a OnePlus 7 just because I changed my build.prop to say that. Without compiling the bootloader with these changes in effect, it really isn't making a difference. Additionally as the person above me pointed out, if you were able to run a modified XBL I'd be very surprised. Did you actually try this?
brokenworm said:
I'm of course rooted with Magisk and have TWRP installed.
PBL comes before XBL ("PBL" is the primary bootloader),
so you don't have to worry... and I WILL NOT publish anything before I have flashed it on my own phone first ...
Currently I've managed to tick the 0x01 to 0x0 to make the security hole active.. default was 0x01.
... The SPLASH partition sde34 is currently NOT checked by either XBL or PBL; even if you edited the partition sde34 and restored all to stock ("also my XBL") it would start as normal .. neither red warning nor orange! I tested this!
I managed to edit the check, meaning it's disabled on that partition, with a simple 0x0 and removed # to get it to respond to the ticks! But surely you cannot run my XBL completely stock, ONLY sde34; it's just not what we are doing here.
We try to get the security hole on sde34 to smash up the secboot ... sde34 is the way .. not my XBL; the XBL was to remove the RSA hashing / checks on the partition, nothing else. So while we work on the exploit we use the XBL.. but I'm hoping someone takes it further and DOES make the XBL do such carnage without the sde34.
Don't come tell me what I can and cannot do.. we're doing it anyways!
You didn't "trick" anything. You used HexEdit to edit two bytes. In doing so you've invalidated the signature, and actually messed up the image itself, since you can't just randomly insert bytes into it. Proof is in the attachment. No way in hell this boots.
The first attachment shows the terrible editing (removed the #, which breaks the parsing / added a byte later on that corrupts the entire image from there on), the second one the resulting corruption of the image as a result of the extra byte that he added.
Shad0wKn1ght93 said:
You didn't "trick" anything. You used HexEdit to edit two bytes. In doing so you've invalidated the signature, and actually messed up the image itself, since you can't just randomly insert bytes into it. Proof is in the attachment. No way in hell this boots.
The first attachment shows the terrible editing (removed the #, which breaks the parsing / added a byte later on that corrupts the entire image from there on), the second one the resulting corruption of the image as a result of the extra byte that he added.
Thanks for pointing that out! Seriously, why upload a dangerous ZIP file that could probably corrupt one person's bootloader. I myself have very little knowledge on how bootloaders work but the thing that I do know is that they are not easily editable without breaking tons of security mechanisms. Such easy edits would be the easiest way to go for hackers if it were true.
No reason to be rude in this thread.
Just because you may know something he doesn't, does not give you the right to be so rude.
But I appreciate the OP trying.
It's more than I'm capable of doing.
And I do appreciate your input on why you believe you know it won't work.
THREAD CLEANED
Expressing differences of opinion on XDA is fine, even expected. Doing so with a rude, condescending tone and flaming others is not. Per the forum rules:
2.3 Flaming / Lack of respect: XDA is about sharing and this does not involve virtual yelling (flaming) or rudeness. Flaming or posting with a lack of respect is unacceptable. Treat new members in the manner in which you would like to have been treated when you were a new member. When dealing with any member, provide them with guidance, advice and instructions when you can, showing them respect and courtesy. Never post in a demanding, argumentative, disrespectful or self-righteous manner.
2.4 Personal attacks, racial, political and / or religious discussions: XDA is a discussion forum about certain mobile phones. Mobile phones are not racial, political, religious or personally offensive and therefore, none of these types of discussions are permitted on XDA.
Related
Need link to download the specific software specified in the title of this thread. Came across the one loaded on Google by another xda member but having difficulties downloading it. If you have it mirrored to another cloud service please provide me with the link. I am mostly gunning to get my hands on all of the .img files which come inside it so that I may review them via a hex editor and unlock my bootloader the sneaky way since Huawei refuses to reply back to my emails. Many thanks in advance.
Update: I was able to get my hands on the update.app file. So now will begin extraction and making my changes to hack the bootloader status on my device. If Huawei has responded back to you with your proper bootloader unlock code then you were fortunate. I myself have run out of patience with them and am now handling this on my own personal level.
Modding.MyMind said:
Need link to download the specific software specified in the title of this thread. Came across the one loaded on Google by another xda member but having difficulties downloading it. If you have it mirrored to another cloud service please provide me with the link. I am mostly gunning to get my hands on all of the .img files which come inside it so that I may review them via a hex editor and unlock my bootloader the sneaky way since Huawei refuses to reply back to my emails. Many thanks in advance.
Update: I was able to get my hands on the update.app file. So now will begin extraction and making my changes to hack the bootloader status on my device. If Huawei has responded back to you with your proper bootloader unlock code then you were fortunate. I myself have run out of patience with them and am now handling this on my own personal level.
Having trouble getting the bootloader unlock code? Try this:
Most of the issues are that emails sent outside of Shenzhen, China business time during the week are not answered. They go into an email black hole. You'd have to send in the bootloader unlock request email really late here in the US, or set up some way to send your email later automatically like I did with the Chrome extension Boomerang to get the code for my second HAM2. Currently, sending in a request around 9pm EST to 4am EST Sunday - Thursday is the best time to email for the unlock code; Sun-Thurs corresponds to Monday-Friday at Huawei in China.
I have emailed outside of those times and not gotten a response. After figuring out the time difference and setting up boomerang for an automated send later feature with my email the code arrived a couple hours after it was sent and I saw it when I woke up the next morning.
Sent from my MT2L03 using Tapatalk
@arcadesdude, thanks for your input, but unfortunately that route has failed me as well. Been at it with these emails since late last year. My guess is that my emails are getting lost in the middle of a bunch of other emails they may be receiving, or I'm going to their spam mail which they probably ignore. Either case, all attempts have not been successful. I found the EFI image and boot image inside the update.app last night. So far so good, as it looks like I can easily hack this update and finally get my bootloader unlocked so I may do what I need to do with it.
Modding.MyMind said:
@arcadesdude, thanks for your input, but unfortunately that route has failed me as well. Been at it with these emails since late last year. My guess is that my emails are getting lost in the middle of a bunch of other emails they may be receiving, or I'm going to their spam mail which they probably ignore. Either case, all attempts have not been successful. I found the EFI image and boot image inside the update.app last night. So far so good, as it looks like I can easily hack this update and finally get my bootloader unlocked so I may do what I need to do with it.
You can unlock the bootloader without the bootloader unlock code?
Did you try another email address? Another member on here used another address and got through to Huawei.
Sent from my MT2L03 using Tapatalk
arcadesdude said:
You can unlock the bootloader without the bootloader unlock code?
Did you try another email address? Another member on here used another address and got through to Huawei.
Sent from my MT2L03 using Tapatalk
No, the bootloader code is still required. All I am going to do is modify the source via a hex editor so that I can input a code of my choosing and force it to accept that code and thus unlock my bootloader. That is very possible. Should have done this already, but I wanted to give Huawei a chance - but they failed.
Modding.MyMind said:
No, the bootloader code is still required. All I am going to do is modify the source via a hex editor so that I can input a code of my choosing and force it to accept that code and thus unlock my bootloader. That is very possible. Should have done this already, but I wanted to give Huawei a chance - but they failed.
I didn't know you could do that. Is it essentially just flashing your modified bootloader partition to the phone using adb like we flash the recovery partition?
arcadesdude said:
I didn't know you could do that. Is it essentially just flashing your modified bootloader partition to the phone using adb like we flash the recovery partition?
Pretty much, but not with adb. Using fastboot.
Also, I guess you also need to disable the verification chain? But how? I heard it probably starts from the very beginning, ROM, a real read-only ROM. If you flash a hacked aboot, SBL probably refuses to boot it, right?
xordos said:
Also, I guess you also need to disable the verification chain? But how? I heard it probably starts from the very beginning, ROM, a real read-only ROM. If you flash a hacked aboot, SBL probably refuses to boot it, right?
With a bootloader being locked you are presumably limited on what can and cannot be flashed. With that in mind, should a modification be incorrectly done for a device with a locked bootloader, then it would be safe to say that the flash would be denied and no harm done. Because I will be modifying the source to accept my personal code, this will not have any effect on flashing. The device will even accept it. Then, when I enter my code and reboot, the device will simply say it is unlocked. The only catch to this, though, is that if I flash back to the original then the bootloader should technically relock itself. I will open a thread on this procedure down the road when I get time and even include my mods so others may compare them with the stock to see the differences.
Modding.MyMind said:
With a bootloader being locked you are presumably limited on what can and cannot be flashed. With that in mind, should a modification be incorrectly done for a device with a locked bootloader, then it would be safe to say that the flash would be denied and no harm done. Because I will be modifying the source to accept my personal code, this will not have any effect on flashing. The device will even accept it. Then, when I enter my code and reboot, the device will simply say it is unlocked. The only catch to this, though, is that if I flash back to the original then the bootloader should technically relock itself. I will open a thread on this procedure down the road when I get time and even include my mods so others may compare them with the stock to see the differences.
Regarding the limitation, earlier I thought you were going to modify/repackage the UPDATE.APP, as that way, if (a big if) it works, ideally you can flash to any partition. (There is a thread on xda that discusses reading/repackaging the Huawei UPDATE.APP.)
But as we discussed briefly a long time back, this whole thing is really, really risky; if the booting path to fastboot gets damaged, then pretty much the phone is hard bricked.
Probably if you stick with flashing with fastboot, then the risk will be lesser, but man, this is scary stuff..
Regarding the validation chain, I got info from the following article:
http://www.newandroidbook.com/Articles/aboot.html
A few paragraphs after Figure One.
Let's see...
PS, maybe you can continue trying some different email addresses and send at the correct time to Huawei for the code...
PS2, another thought, maybe injecting a SuperSU into the UPDATE.APP system image will work? Not sure how strictly they are validating when flashing UPDATE.APP and/or when booting the system partition.
xordos said:
Regarding the limitation, earlier I thought you were going to modify/repackage the UPDATE.APP, as that way, if (a big if) it works, ideally you can flash to any partition. (There is a thread on xda that discusses reading/repackaging the Huawei UPDATE.APP.)
But as we discussed briefly a long time back, this whole thing is really, really risky; if the booting path to fastboot gets damaged, then pretty much the phone is hard bricked.
Probably if you stick with flashing with fastboot, then the risk will be lesser, but man, this is scary stuff..
Regarding the validation chain, I got info from the following article:
http://www.newandroidbook.com/Articles/aboot.html
A few paragraphs after Figure One.
Let's see...
PS, maybe you can continue trying some different email addresses and send at the correct time to Huawei for the code...
I won't be using the update.app per se. Merely needed it so I can locate the images I want by viewing it with a hex editor and then extracting them, so that I can solely focus on those images using a hex editor, and once I make my patch(es) then I will use fastboot to flash those images to their respective partitions on the device. It really isn't that risky as long as you know what to look for. I won't be that guy that says "oops" in this case lol. So, I'm not worried about possibly bricking this device one bit.
Modding.MyMind said:
I won't be using the update.app per se. Merely needed it so I can locate the images I want by viewing it with a hex editor and then extracting them, so that I can solely focus on those images using a hex editor, and once I make my patch(es) then I will use fastboot to flash those images to their respective partitions on the device. It really isn't that risky as long as you know what to look for. I won't be that guy that says "oops" in this case lol. So, I'm not worried about possibly bricking this device one bit.
Just curious, what are you planning to do that requires an unlocked bootloader?
ScoobSTi said:
Just curious, what are you planning to do that requires an unlocked bootloader?
Something lol
I'm not sure why you can't get the code from Huawei... but I'm kinda glad you can't. Seems you're gathering nice info about this phone.
Sent from my MT2L03 using XDA Free mobile app
Modding.MyMind said:
Something lol
Just in case you're being super extremely nice and kind and trying to make a ROM for us, the other developer has hit a huge roadblock on CM11/12 you should know about.
ScoobSTi said:
Just in case you're being super extremely nice and kind and trying to make a ROM for us, the other developer has hit a huge roadblock on CM11/12 you should know about.
Even if he is not planning to build CM, as the man who built the first recovery for us, I think he won't stop until he can play with his own baby in his phone.
Modding.MyMind said:
I won't be using the update.app per se. Merely needed it so I can locate the images I want by viewing it with a hex editor and then extracting them, so that I can solely focus on those images using a hex editor, and once I make my patch(es) then I will use fastboot to flash those images to their respective partitions on the device. It really isn't that risky as long as you know what to look for. I won't be that guy that says "oops" in this case lol. So, I'm not worried about possibly bricking this device one bit.
1. How are you going to flash an image via fastboot if your bootloader is locked?
2. You have to hack the fastboot image to pass through unlock code verification with some random code or without one. But even if you do so, you won't be able to flash the fastboot image via fastboot even with an unlocked bootloader.
I wouldn't touch fastboot at all 'cause it's a high risk to get a hard brick.
I have found the unlock code in some partition of my device, but I don't know whether it was there initially or was written there after unlocking. If it is the first case and fastboot just compares the entered code with the one saved on the device, then you can try to make an update.app with injected su, as xordos offered, to be able to read this partition.
Injecting su into the update.app wouldn't work. The update.app has its own CRC and such. So to simply say, it won't work. You also answered your questions with remarks 1 and 2. One exception is that yes, you can flash the image. As for risks, they're only there if you mess something up - development typically is about taking risks. The fastboot image won't technically brick the device anyways. At best a soft brick may occur, but to be honest, since "bricking" is up for discussion: bricking can occur simply by making a change to the build.prop file and not fixing its permissions prior to rebooting. Unless you "hard" brick the device, it can always be recovered.
You said the image or images can't be flashed with a locked bootloader; while yes, that is technically true, understand that it isn't 100%, because you see, when your device receives an update, initially the device's bootloader is expected to be locked, right? Yet, magically enough, the update goes through, the phone reboots, and you either hate or love the new update. Something to think about before actually saying an image can't be flashed. Instead, I would have you ask yourself, "how?".
xordos said:
Even he is not plan to build CM, but as the man who build first recovery for us, I think he wont stop until he can play with his own baby in his phone.
And best believe, I want to play
Hello there,
as you may know you can change the oem splash screen on the OnePlus 3, as provided in this thread by @makers_mark here.
That program only needs minor fixes to work with OnePlus 3T splash partitions, and I have attached the source code and a windows binary below.
To use it, extract the "OnePlus3TInjector.zip" and run the commands in the command prompt in the folder you extracted the zipfile into.
To decode use:
Code:
OP3TInject -i LOGO.bin -D
After having changed the image files, use
Code:
OP3TInject -j fhd -i LOGO.bin
I have tested this and it works on my phone, but you still have to USE THIS AT YOUR OWN RISK.
If you want to see how this looks, take a look at this video here: https://www.youtube.com/watch?v=DWj2WRpcoqI
If you want a custom bootlogo but can't use the tool you can pm me an image file or post one here down below. I will send you a zip file that you can flash in recovery.
To use this, get the "Stock" zip from below, and replace the modified.logo.bin in it with the one produced by the injector, then flash in your recovery.
If you do not want to use your recovery use a terminal emulator on your phone and run the command as root:
Code:
dd if=/sdcard/Downloads/modified.logo.bin of=/dev/block/platform/soc/624000.ufshc/by-name/LOGO
To go back to stock logo.bin, flash the zip file attached below.
Please note that this does not remove the warning that your phone is unlocked.
Finally a big shoutout to @prmcmanus who tested this for me. Leave him a like!
I also thank @makers_mark for all the work he has done on the OnePlus 3 and the original OP3Injector.
Jo_Jo_2000 said:
Hello there,
as you may know you can change the oem splash screen on the oneplus 3, as provided in this thread here:
That program only needs minor fixes to work with OnePlus 3T splash partitions.
Unfortunately I cannot provide a compiled program here because the original program was not published under a proper license, but I can tell you that you just need to change line 35 of the file "src/LogoInjector.v1.4.c" from the zip archive linked in the thread below to be "#define MAXOFFSETS 32" instead of "#define MAXOFFSETS 28" and recompile the program.
I have not yet tested it, so I do not know whether this works or just bricks your phone, so USE THIS AT YOUR OWN RISK.
If you want to test this for me, but do not want to compile the program yourself, you can flash my "beta-test" version linked below. Follow the instructions from the original thread above. Remember to backup your current LOGO partition.
Note to moderators:
I know that this should rather belong into the development section, but I do not yet have enough posts to post there, so I put it in here. Sorry about that but I do not want to randomly spam other threads to get the 10 responses needed.
Thanks. I put in a bit of time trying to figure this out with a 3t and git code. First: I wasn't interested in the "logo" partition exactly, but more about that "unlocked bootloader" and its associated tag warning and timeout that comes up each boot after unlocking the bootloader. I found the timeout and the text that goes on the screen here in the code (the bootable bootloader code): ~/sandbox/oneplus3t/bootable/bootloader/lk/app/aboot/aboot.c : I even tested changing that, but there was no easy way to "give it out" aside from as part of a custom ROM done from source.
Are we talking about the same thing? Or : are you talking about just replacing one logo partition content with another and it has nothing to do with the unlocked tag warning & timeout (5 sec.)?
Thanks.
---------- Post added at 05:06 AM ---------- Previous post was at 04:48 AM ----------
OK: I checked it out and it has nothing to do with the unlocked bootloader warning, which I'm working on as said above and have gotten rid of on my own phone (which I no longer have..). That's completely about the file I mentioned above "aboot.c" in bootable/bootloader/... tree.
But nice going anyway, -- thanks.
Nope, these are different things. I'm referring to the logo partition which stores images, while the warning message is hardcoded into the bootloader, which you probably can't change because it's signed by OnePlus.
Also OnePlus hasn't released their bootloader sources (I think) and the bootloader in the source tree is just the generic base for all Qualcomm bootloaders (aka Little Kernel).
So sorry to disappoint you, but you won't be able to remove that warning with LOGO editing.
Jo_Jo_2000 said:
Nope, these are different things. I'm referring to the logo partition which stores images, while the warning message is hardcoded into the bootloader, which you probably can't change because it's signed by OnePlus.
Also OnePlus hasn't released their bootloader sources (I think) and the bootloader in the source tree is just the generic base for all Qualcomm bootloaders (aka Little Kernel).
So sorry to disappoint you, but you won't be able to remove that warning with LOGO editing.
So the rom I built from their 3t sources must have used boot.img as a "prebuilt"? Does that sound right? I guess I could unpack boot.img and figure out how to get rid of the delay with a binary overwrite. (I wouldn't look forward to testing that ;
It's in the bootLOADER, which is not a prebuilt nor a thing you build yourself when you build a custom ROM. It's built, maintained and signed by OnePlus, so they and only they can alter the bootloader (I think so; maybe "flashing unlock_critical" does the trick here, but don't try it or you will irreversibly hard brick your phone).
Also good luck with a binary overwrite; I hope you know ARM assembly.
To get that clear, the warning message has got _nothing_ to do with boot.img; they are two completely different things and no matter what you do with a boot.img, you won't get rid of that warning!
I know there's a flashable .bin that gets rid of that exact same unlocked bootloader msg and delay on the moto x pure 2015 (XT1575). Maybe it's similar. I've attached the file.
I doubt that this will work... the original logo.bin is about 16mb and even if I just repack it with the original images it's only about 700kb
noahvt said:
I doubt that this will work... the original logo.bin is about 16mb and even if I just repack it with the original images it's only about 700kb
Good that you are concerned and looking for errors I might have made!
However, I am very certain that the file indeed is only .7 MB large because:
1. That program (without mods) works on the OnePlus 3, whose file is also only about that large
2. The first 786432 bytes (the size of the recoded file) of the original LOGO.bin dump are identical
3. The remaining 16 MB are zeroed out and contain no data
4. The program produces correct images
I would be happy to try it out, because I do not have access to a PC where I can run the MSM Downloader in case I brick things!
Greetings.
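Points 2 and 3 above describe a comparison anyone can repeat before writing a repacked image to the LOGO partition. The following Python is an added example, not code from this thread or from the injector tool: it reports whether the repacked file is a byte-exact prefix of a full partition dump and whether every byte of the dump past that prefix is zero, which is what makes a dd of the short file equivalent to a full-length image. The 16 MiB partition size and all sample data are constructed assumptions.

```python
"""Pre-flash sanity check for a repacked LOGO.bin (added example, not the injector's code)."""
import random
import sys

PREFIX_LEN = 786432               # size of the recoded LOGO.bin quoted in the thread
PARTITION_LEN = 16 * 1024 * 1024  # assumed LOGO partition size (thread says "about 16mb")


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte over the shorter length, or None if equal."""
    n = min(len(a), len(b))
    if a[:n] == b[:n]:
        return None
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None


def first_nonzero(data: bytes, start: int):
    """Offset of the first non-zero byte at or after start, or None if the tail is all zero."""
    tail = data[start:]
    if not any(tail):
        return None
    for i, byte in enumerate(tail):
        if byte:
            return start + i
    return None


def check_repacked_logo(original_dump: bytes, repacked: bytes,
                        partition_len: int = PARTITION_LEN) -> dict:
    """Compare a repacked image against a full dump of the LOGO partition.

    safe_to_flash is True only when the image fits the partition, matches the
    dump byte for byte, and nothing but zeros follows it in the dump (so the
    bytes dd leaves untouched are the same as in a full-length image).
    """
    n = len(repacked)
    prefix_diff = first_difference(original_dump, repacked)
    stale = first_nonzero(original_dump, n)
    return {
        "repacked_len": n,
        "fits_partition": n <= partition_len,
        "prefix_diff_offset": prefix_diff,  # None when the prefix matches
        "first_stale_offset": stale,        # None when the tail is zeroed
        "safe_to_flash": n <= partition_len and prefix_diff is None and stale is None,
    }


def build_samples():
    """Constructed sample data standing in for real partition dumps."""
    rnd = random.Random(1234)
    payload = bytes(rnd.getrandbits(8) for _ in range(PREFIX_LEN))
    good_dump = payload + bytes(PARTITION_LEN - PREFIX_LEN)   # zero tail, as in the thread
    good_repack = good_dump[:PREFIX_LEN]
    # a hex-editor "insert" instead of "overwrite" shifts every later byte by one
    shifted_repack = payload[:100] + bytes([payload[100] ^ 0xFF]) + payload[100:PREFIX_LEN - 1]
    # a dump that still holds data beyond the repacked length
    stale_dump = payload + b"\xff" * 16 + bytes(PARTITION_LEN - PREFIX_LEN - 16)
    return good_dump, good_repack, shifted_repack, stale_dump


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_dump, open(sys.argv[2], "rb") as f_img:
            report = check_repacked_logo(f_dump.read(), f_img.read())
    else:
        dump, repack, _, _ = build_samples()
        report = check_repacked_logo(dump, repack)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `python check_logo.py LOGO.dump modified.logo.bin` with a dump taken from the device (`dd if=.../by-name/LOGO of=LOGO.dump`); with no arguments it runs on the constructed samples.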
g96818 said:
I know there's a flashable .bin that gets rid of that exact same unlocked bootloader msg and delay on the moto x pure 2015 (XT1575). Maybe it's similar. I've attached the file.
The OnePlus 3T's warning is hardcoded into the bootloader, so unless you find a bug in sbl1 or break RSA you won't get around that.
I compiled this and got it working, but can't share for the same reasons as OP.
If anyone wants a custom logo, PM me the picture and I'll make an image file for you
prmcmanus said:
I compiled this and got it working, but can't share for the same reasons as OP.
If anyone wants a custom logo, PM me the picture and I'll make an image file for you
So you can use this without bricking your phone?
Jo_Jo_2000 said:
So you can use this without bricking your phone?
Yep, working on mine
Hey, @prmcmanus... PM'ed you!
@Ker~Man did you get my reply? It doesn't look like Quick Reply works :-S
prmcmanus said:
@Ker~Man did you get my reply? It doesn't look like Quick Reply works :-S
I sure did, and thank you! How do I install these, though? Flash in TWRP? I'm not too keen with .bin files. Thanks again!
Ker~Man said:
I sure did, and thank you! How do I install these, though? Flash in TWRP? I'm not too keen with .bin files. Thanks again!
Click to expand...
Click to collapse
look in my opening post, I've written two methods there.
Ker~Man said:
I sure did, and thank you! How do I install these, though? Flash in TWRP? I'm not too keen on .bin files. Thanks again!
Put the phone in fastboot mode and flash:
Code:
fastboot flash LOGO filename.bin
Jo_Jo_2000 said:
look in my opening post, I've written two methods there.
That 2nd method, I didn't know you could do that in the terminal! Nice
Jo_Jo_2000 said:
Hello there,
as you may know you can change the oem splash screen on the OnePlus 3, as provided in this thread here:
That program only needs minor fixes to work with OnePlus 3T splash partitions.
Unfortunately I cannot provide a compiled program here because the original program was not published under a proper license, but I can tell you that you just need to change line 35 of the file "src/LogoInjector.v1.4.c" from the zip archive linked in the thread below to be "#define MAXOFFSETS 32" instead of "#define MAXOFFSETS 28" and recompile the program.
I apologize for not responding to you soon enough. When I figure out an encoding, I release the source code for the encoder and decoder that I built, for a couple of reasons. And one of those reasons is so you can do what you did! And you did it right! Thanks for asking and giving a link, which in my book is good enough for proper credit. Feel free to share the binary with whoever :good:
I replaced the logo injector .zip file because it created an error when executed by some people.
You can use it now.
Jo_Jo_2000 said:
I replaced the logo injector .zip file because it created an error when executed by some people.
You can use it now.
Does my device have to be "Critical Unlocked"? I have an unlocked bootloader but when I try "fastboot flash LOGO" I get "FAILED (remote: Partition flashing is not allowed)"
EDIT: flashing it with dd works though
Hello everyone.
I know many of you have worked on safe-strap TWRP recovery in light of the inability to unlock the bootloader.
I have been testing on my note 8 and as someone else pointed out if you install the Engineering Rom listed below you will have the oem unlock toggle.
This service rom.
COMBINATION_FA71_N950USQU2AQK3_CL12591988_QB15811772_REV00
As far as everyone believes this option is only for FRP reset.
To tell you anyway the FRP reset is simply ZEROing out the persistence partition.
A persistence partition that is ZERO is default OEM Unlock ON. Meaning the toggle is set to not allow oem unlocking.
Using the mentioned rom above it is possible to set oem unlocking allowed.
This does not mean the bootloader is unlocked.
But I do feel that it is very close to unlocked and leads me down a path where I can unlock the bootloader.
I have a Galaxy Tab E that is allowed to be bootloader unlocked.
By doing a dd dump of all partitions then doing hexdump of the dd dumps the hex dumps can be diffed in terminal effectively.
By doing a comparison of the unlocked and locked state partitions I can Identify the changes being made.
I am still in the process of testing and comparing the dumps.
I need a TWRP build for N950USQU2AQK3 or ver 2 bootloader.
I almost think I have the bootloader set to where it will allow TWRP to Run.
This may not be a full unlock yet but having a good TWRP build would be a good test.
I could build TWRP myself but I do not have a build system set up currently.
So one of you that has compiled TWRP for safestrap or other testing, please share to save me some time.
I dealt with this same scenario on a HTC Desire 526 that was bootloader locked by verizon.
I did develop an unlock method using this same process I am using now.
So no......This is not a JOKE.
I am making progress on unlocking the note 8 USA Variety. :victory:
Help me out and share your TWRP.
HI, I have a SM-N950U and I'm on Verizon,
My Baseband is:
N950USQU1AQI5
What would you like someone to do for you?
HTC is different from Samsung....Samsung has checks on every partition in the device; if it detects something the phone will not boot ha
pbedard said:
HTC is different from Samsung....Samsung has checks on every partition in the device; if it detects something the phone will not boot ha
Bigcountry has been doing all the necessary research which involves how the partitions interact with each other. He is really close to officially unlocking the boot loader apparently. We all are aware of how strict Samsung is but there seems to be a small window of opportunity that WILL enable a true bootloader unlocking method.
JedidroidX said:
Bigcountry has been doing all the necessary research which involves how the partitions interact with each other. He is really close to officially unlocking the boot loader apparently. We all are aware of how strict Samsung is but there seems to be a small window of opportunity that WILL enable a true bootloader unlocking method.
ºȯº could it be?
Wow really this would be awesome. Cannot wait. Thanks for the hard work.
I really hope this works
Interesting
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need an unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
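Decoding the GPT tables is the step that feeds partition.xml, so here is an added Python example (not BigCountry907's tool or any Samsung/Qualcomm code) that parses one LUN dump's primary and backup GPT, verifies both CRC32 fields, and checks that the two copies agree, so a corrupted or tampered table is caught before anything is built from it. The LUN image is constructed inside the code; partition names, GUIDs and LBAs are sample values, not taken from a real device.

```python
# Decode and cross-check the primary and backup GPT of a single UFS LUN dump.
import struct
import uuid
import zlib
from dataclasses import dataclass

HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
GPT_SIG = b"EFI PART"
N_ENT, ENT_SIZE = 128, 128


@dataclass
class Partition:
    name: str
    type_guid: str
    unique_guid: str
    first_lba: int
    last_lba: int
    attributes: int


@dataclass
class GptTable:
    current_lba: int
    backup_lba: int
    first_usable: int
    last_usable: int
    disk_guid: str
    partitions: list


def parse_header(raw, block_size, lba):
    """Parse the GPT header at `lba` and verify both CRC32 fields."""
    off = lba * block_size
    (sig, _rev, hsize, hcrc, _res, cur, bak, first, last, dguid,
     ent_lba, n_ent, ent_size, ecrc) = struct.unpack_from(HEADER_FMT, raw, off)
    if sig != GPT_SIG:
        raise ValueError(f"no GPT signature at LBA {lba}")
    hdr = bytearray(raw[off:off + hsize])
    hdr[16:20] = b"\0\0\0\0"  # header CRC is computed with its own field zeroed
    if zlib.crc32(bytes(hdr)) != hcrc:
        raise ValueError(f"header CRC mismatch at LBA {lba}")
    ent_off = ent_lba * block_size
    ents = raw[ent_off:ent_off + n_ent * ent_size]
    if zlib.crc32(ents) != ecrc:
        raise ValueError(f"partition array CRC mismatch for header at LBA {lba}")
    parts = []
    for i in range(n_ent):
        tguid, uguid, f, l, attr, name = struct.unpack_from(ENTRY_FMT, ents, i * ent_size)
        if tguid == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        parts.append(Partition(name.decode("utf-16-le").rstrip("\0"),
                               str(uuid.UUID(bytes_le=tguid)),
                               str(uuid.UUID(bytes_le=uguid)), f, l, attr))
    return GptTable(cur, bak, first, last, str(uuid.UUID(bytes_le=dguid)), parts)


def parse_lun(raw, block_size=4096):
    """Return (primary, backup); every LUN carries both, so N LUNs give 2N tables."""
    primary = parse_header(raw, block_size, 1)
    backup = parse_header(raw, block_size, primary.backup_lba)
    return primary, backup


def tables_agree(primary, backup):
    """True when both copies describe the same disk GUID and partition layout."""
    return (primary.disk_guid == backup.disk_guid
            and primary.partitions == backup.partitions
            and primary.current_lba == backup.backup_lba
            and primary.backup_lba == backup.current_lba)


def build_sample_lun(block_size=4096, total_blocks=64):
    """Construct a small LUN image with a valid primary and backup GPT (sample data)."""
    ent_blocks = (N_ENT * ENT_SIZE + block_size - 1) // block_size
    img = bytearray(block_size * total_blocks)
    entries = bytearray(N_ENT * ENT_SIZE)
    layout = [("xbl", 6, 9), ("abl", 10, 13), ("persistent", 14, 21)]  # constructed
    for i, (name, first, last) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, entries, i * ENT_SIZE,
                         uuid.UUID(int=0x1000 + i).bytes_le, uuid.UUID(int=0x2000 + i).bytes_le,
                         first, last, 0, name.encode("utf-16-le"))
    disk_guid = uuid.UUID(int=0x3000).bytes_le
    last_lba = total_blocks - 1
    bak_ent_lba = last_lba - ent_blocks
    first_usable, last_usable = 2 + ent_blocks, bak_ent_lba - 1

    def header(cur, bak, ent_lba):
        hdr = bytearray(struct.pack(HEADER_FMT, GPT_SIG, 0x00010000, 92, 0, 0, cur, bak,
                                    first_usable, last_usable, disk_guid, ent_lba,
                                    N_ENT, ENT_SIZE, zlib.crc32(bytes(entries))))
        struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))  # fill in header CRC
        return hdr

    img[block_size:block_size + 92] = header(1, last_lba, 2)
    img[2 * block_size:2 * block_size + len(entries)] = entries
    img[bak_ent_lba * block_size:bak_ent_lba * block_size + len(entries)] = entries
    img[last_lba * block_size:last_lba * block_size + 92] = header(last_lba, 1, bak_ent_lba)
    return bytes(img)
```

On a real dump, read the whole LUN (for example the block device backing sda) into `raw` and call `parse_lun(raw, 4096)`; a CRC or agreement failure means the table should not be trusted as a source for partition.xml.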
BigCountry907 said:
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need an unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
I have a V3. I also am currently learning some ARM assembly this semester, so I might be of some (minor) use. Not sure what my schedule will allow, but I will definitely assist how I can.
BigCountry907 said:
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need an unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
I'm on bootloader 5. I'll be glad to help ya out with what you need.
BigCountry907 said:
I am still making progress on this. I took a step back to make sure I can unbrick my device when I screw something up.
Currently I am working on the unbrick for the V2 bootloader.
Someone got the firehose for the s-8 and s-8 + versions and some people have had luck unbricking s8 and s8+.
I have to rebuild the s8 unbrick rom for the note 8.
This involves getting the GPT tables off the device then decoding the GPT to write the partition.xml. Since we have ufs memory there are 4 primary partitions which means there are 8 GPT tables.
Once I have this all completed we can flash anything we want with the firehose. Even single partitions.
What I was asking for was TWRP that is Built for the Note 8.
So I can see if I can get it to boot.
This would save me from building TWRP myself and leave me more time to work on other stuff.
My Note 8 is currently on V2 bootloader.
We will need an unbrick rom for each bootloader version.
In order for me to make that I will need the GPT tables from each bootloader version. I can provide the commands to do it. Anyone wanting to help just let me know. I will be starting a new thread of how to do this soon.
I'm on v3 bootloader...if you need anything I will try my best to help you out and see if we can get this phone unlocked
I'm interested and will get note 8 for this work. Is there any particular bl you'd prefer like rev1 and or 3 or just rev 2. Also I have a Samsung edl tool to aid the firehose process. Now that I think of it I already have firehose Rev2 from when I bricked out on SD.
Also what sort of programming knowledge can help you if you don't mind me asking
Vell123 said:
I'm interested and will get note 8 for this work. Is there any particular bl you'd prefer like rev1 and or 3 or just rev 2. Also I have a Samsung edl tool to aid the firehose process. Now that I think of it I already have firehose Rev2 from when I bricked out on SD.
Also what sort of programming knowledge can help you if you don't mind me asking
Currently I am working on Rev 2. bootloader.
You guys that have other Revisions Can help us all out by getting GPT backups from your devices. Then I can Compare the GPT for differences.
I currently have the UNBRICK for bootloader version 2.
Anyone with a HARD Bricked device that is on samfail V2 possibly samfail V2..5 or the factory AQK2 or the AQK2 factory repair should test this unbrick. I am sure it will work.
If other versions of the bootloader have the same GPT then we can take the bootloaders out of the stock firmware and swap them with the files in the unbrick and it should work. If the GPT is different then new GPT files will need to be made for the other bootloaders.
@Vell123;77796726
Which Box do you have?
You mention SD / does the sdcard method still work.
Do you put the sdcard into the device to boot download mode?
If that is the case we can run full android off the sd card potentially.
I would love to have a copy of the card if you can dd and image that would be great.
I have been thinking about buying the medusabox pro. It supports firehose and these phone models.
I don't know what box is best but whatever it is i want to buy one.
As far as bootloader unlocking, I noticed that after the GPT at the beginning of dev/block/sda there is a pretty decent chunk of data that is not the GPT or the PIT and may be a place for us to look into. It's basically a hidden spot in the emmc that Samsung does not normally write to.
@kronickhigh
If you can re-base and disassemble the abl.img that could lead us down the right road. You may be able to locate where the security checks are executed. If you can locate those it could be possible to determine the memory addresses where this data is stored.
I'm going to start a new thread on GPT and I will post there the commands to pull the GPT and what we're looking at.
I am also going to start a new thread for the unbrick files.
@Vell123;77796726
If you can share the sdcard image you have that would be superb.
For now here is the v2 unbrick for the N950U
Which Box do you have? I have the z3x box however i also have a edl repair cable/tool.
You mention SD / does the sdcard method still work.
Do you put the sdcard into the device to boot download mode? I don't have a SD card version. I was told by Me21( that made Samfail ) it wouldn't work so i didn't mind working on anything. However it might work. When i said SD i was referring to Snapdragon processors.
If that is the case we can run full android off the sd card potentially.
I would love to have a copy of the card if you can dd and image that would be great.
I have been thinking about buying the medusabox pro. It supports firehose and these phone models.
I don't know what box is best but whatever it is i want to buy one.
I'm sure you may already know the boxes use AT+COMMANDS but the most support is the best!
As far as bootloader unlocking, I noticed that after the GPT at the beginning of dev/block/sda there is a pretty decent chunk of data that is not the GPT or the PIT and may be a place for us to look into. It's basically a hidden spot in the emmc that Samsung does not normally write to.
@kronickhigh
If you can re-base and disassemble the abl.img that could lead us down the right road. You may be able to locate where the security checks are executed. If you can locate those it could be possible to determine the memory addresses where this data is stored.
I'm going to start a new thread on GPT and I will post there the commands to pull the GPT and what we're looking at.
I am also going to start a new thread for the unbrick files. @Vell123;77796726
If you can share the sdcard image you have that would be superb.
For now here is the v2 unbrick for the N950U
Rip note 8
What Happened
pbedard said:
Rip note 8
What happened to your note 8.
The unbrick files are legitimate Samsung Leaked files.
If you are on bootloader rev 2 you should be able to unbrick it.
You need to load the qualcomm edl drivers.
If you are on a different bootloader version we can try to make an unbrick for you.
Also depending on what you were doing.
You may have got the device stuck in sahara mode or something.
I once thought I bricked mine.
It was deader than dead. It only showed up as an unrecognized device.
I left it that way overnight until the battery fully died.
Then when I plugged it in the next day it came back to life.
Unless you physically damaged the note 8 it can be recovered. Sooner or later.
Sooner if you are on rev 2
So as this thread first asked.
Who has a halfway decent tree for me to build TWRP?
I'm going to need it pretty soon.
We're about there. I gotta get me a 64gb sd card tonight and finish up a little more work on my gpt decoder.
Looking at the strings in the elf files I can see that the option to boot from sd card is in there.
Other than that I need to create sparse chunk images of partitions like /system and /data and /persist.
All the big boys gotta get sparsed out to chunks small enough for edl flashing.
I have a very special set of bootloaders and I'm thinking this set will be able to be unlocked.
What needs to be done is building a complete edl flash using these bootloaders and the standard U2 version /system and other images needed to complete the flash. If this all works as I anticipate it will be RIP Locked Bootloader.
I am on rev 3. I fixed my bricked device myself with a friend's help.
BigCountry907 said:
So as this thread first asked.
Who has a halfway decent tree for me to build TWRP?
I'm going to need it pretty soon.
We're about there. I gotta get me a 64gb sd card tonight and finish up a little more work on my gpt decoder.
Looking at the strings in the elf files I can see that the option to boot from sd card is in there.
Other than that I need to create sparse chunk images of partitions like /system and /data and /persist.
All the big boys gotta get sparsed out to chunks small enough for edl flashing.
I have a very special set of bootloaders and I'm thinking this set will be able to be unlocked.
What needs to be done is building a complete edl flash using these bootloaders and the standard U2 version /system and other images needed to complete the flash. If this all works as I anticipate it will be RIP Locked Bootloader.
Fingers crossed and good luck!
I have been coming here for years really, long enough to spot major changes, like the bootloader variants available lately, so I thought it a good idea to create one charity thread full of bootloaders, because I figured out that the variants of bootloaders have increased. Just look at all those custom roms... each modded rom seems to come in 4 flavours now.
a, a/b
32mb or 64..?
user, user-debug, or eng.
then there's the type of whatever chips etc, but most importantly...
People are forgetting a simple fact. A 'user' built bootloader, ie, stock, after-sale is blocked to root.
Magisk says patch the bootloader, yup, but they also want internet, so flashing latest magisk to a bootloader won't work if you're not online, cause it wants to update BEFORE you get to play.. su CANNOT be used until you update the app, even if there are no updates, and while flashing magisk apk solves this, it is an unnecessary step and a pain, because magisk is not the cure. It now takes over su... or busybox... Provable thus:
Flash Magisk'd boot, reboot, dulled out magisk shows in gui, wanting an update. Root checker says you are rooted (system-as-root, root shows even without magisk ) does not mean magisk rooted your bootloader, because if it had, you would be able to install su or busybox at shell... to get su. without recovery. I know. I've tested this fone for a year now... then I noticed I was using a user build... says it all....
With a latest magisk'd bootloader, booted up, we still cannot install su or busybox. So magisk does NOT root the bootloader, OR the fone. Until you login to them.
Even then, Magisk can patch, but not FLASH the fone=USER build.
Say I can't update offline to test why it won't flash the boot it just created. To make matters worse, now we gotta worry about the name of the patched boot getting longer and longer, magisk themselves making it harder to keep track... only to find flash failed. Respect Magisk
All because of the variant build.
We test recoveries... but magisk roots the bootloader.
Why patch a recovery for temp root wiped upon reboot when we can do the bootloader?
If we posted our magisk'd bootloaders instead of recoveries, you'd spot something factual.
A WORKING magisk'd bootloader, when opened in hex, will show variant=eng - if it's PIE. Mine shows user.
A WORKING magisk'd recovery, when opened in hex, wait for it.. shows eng! wtf?
This is cause someone upped their test using their eng build, so it worked. For others.
Stock recovery does NOT show this. It shows user. PIE rooters see ENG in their RECOVERY. NOT USER!!!!!
Hence the note9 recovery, with ENG at the start, allowed me to patch my bootloader while in gui, and reflash it to bootloader OFFLINE, using what I just wrote won't work.
Because the PIE rooted bootloaders are all ENG builds.
So if your magisk'd bootloader OR recovery shows 'USER' - forget it.
So, why not magisk patch your bootloader and post it here? Take it from your stock, magisk it, and post it.
Then we can all just grab a boot, and KNOW why the latest problems can disappear in a FLASH!
I'll post a link to my posts regarding how I found this simply stupid fact... Since my bootloaders are there...
people assume root works on user builds...
It no longer does, and is now in fact, a barrier. One we never worried about before.. until now...
Ps: Last OS's only please, nothing from Pie please, just Android 10 onwards due to new partition schemes...
Thank you. I'll get you rooted. After I plant myself lol....
Armor x5 Android 10_Q Mt6765 aka Mt6762 ROOT AT LAST!
This 'tutorial' is a quicky for those yet to figure this fone out. Well it took a bit time for sure, but this is how it went... No matter what recovery or magisk I tried, nothing worked, all ulefone images with twrp were 64mb in size, where-as...
The main mistake in your post is that you confuse bootloader ( read: uboot.bin ) with boot.img.
Next big mistake is to claim that a device's bootloader can get rooted: only the Android OS can get rooted.
Another mistake is to claim a bootloader is build-type dependent: the build-type only relates to Android OS, it controls whether ADB is featured or not.
And so on ...
No, I'm not confused. I do not want uboot.bin, although I understand your geek speak, there is NO uboot anywhere in my rom.
I want, like everyone else, a bootloader that clearly states it's an eng variant of either a 32mb or 64 mb, preferably from stock, but since google twigged to what I'm saying, eng bootloaders are hard to find. Pie shows eng... but nothing since, have you twigged to that uboot?
When I want linux, I'll attempt lineage, but since twrp won't see the lineage zip we're all supposed to install, which in turn has an img inside, I'll say bang goes that idea, says it all when the devs think twrp will see their roms as a zip when it's an xz, not viewable in twrp, and well, I guess I just need to hang on until the boots arrive when y'all twig to what google is doing...
Killing root period.
Uboot? Das uboot 57 is on the ocean floor....
Even google admit they're not releasing engineer or debug builds anymore... yes you can make them in the dev studio, and then post them online, but we've yet to accept what I'm saying.... in order to find the eng builds.
I want rid of google period, not install all their crap...
And how many people so far have realised what I'm saying, looked at their user bootloaders, and gave up knowing how pointless magisk actually is on a user bootloader?
Oh, and su actually needs to be in a bootloader to have true root, since directory traversal is getting worse.... ain't no goin back....
Why do you think flashing a BOOTABLE recovery made from a BOOTLOADER works in recovery?
$ is turned into # when typing su.
Now if system is yet to load, explain how $ turns to # -Don't lol
Because it WAS a bootloader until it was rooted and loaded in RECOVERY, in order to boot or root!
I know what I'm saying and pursuing, and all others will fall into line soon....
jwoegerbauer said:
The main mistake in your post is that you confuse bootloader ( read: uboot.bin ) with boot.img.
Next big mistake is to claim that a device's bootloader can get rooted: only the Android OS can get rooted.
Another mistake is to claim a bootloader is build-type dependent: the build-type only relates to Android OS, it controls whether ADB is featured or not.
And so on ...
Uboot is in pie I believe, and every other linux I've seen, but android is NOT linux, but a remix... I even see uboot in the firesticks... but not my fone. Nor my stock firmware. Your statement here could mean a/b partitioning is 2 uboots? pointless... uboot. Docsis 1. Docsis 2. Dual Chips. ab partitioning. Docsis 3. Same. Hello Fone. Is that a separate linux os with another uboot controlling the lte side of your fone? or one uboot with 2 identical partitions.. My fone calls that a preloader. boot 1 would be boot.img, boot 2 would be boot-debug.img, if I was a/b partitioned. But I got a preloader with 2 identical boot.img, checking byte for byte unless I root. the boot.
It's not a mistake to know I know the original command used in windows, to create a true unix root and password (at that time, supposedly impossible), windows commanding unix? windows control over an iphone with nothing more than the original unix root user hack, which incidentally, still works on every version of unix/linux/android...?
Android is NOT linux, but a remix, as much as linux is unix is eye... same commands, some on google, some in my head
And as for your last statement, I never made any mistake claiming any bootloader is dependent on build-type, but the bootloader's build-type decides whether we can flash a magisk'd bootloader in gui, or rw system...
User is simply windows oem home edition. debug is android. engineer is unix.
I'm old school. Past it... Never frown on those that write like I do, we have so much to share...
But if my memory serves me well, uboot actually came from eCos, originating in Docsis modems at the beginning of broadband, hence it is a DOS boot file, originally for modems. Just for the record, check tcniso, where they mention the vxShell as being 'very beauty'...
This explains the 64mb non-vol from the ambit 250, best security at that time, the non-vol was doubled to store a copy of the first half, in the second half where the first half was matched byte for byte before the modem came online, and why an ambit 250 non-vol could not work on an ambit 256, for the non-vol was exactly half the size, 32mb..
Same structure, day in day out... meanwhile, back in the jungle...
Pachacouti said:
Uboot is in pie I believe, and every other linux I've seen, but android is NOT linux, but a remix... I even see uboot in the firesticks... but not my fone. Nor my stock firmware. Your statement here could mean a/b partitioning is 2 uboots? pointless... uboot. Docsis 1. Docsis 2. Dual Chips. ab partitioning. Docsis 3. Same. Hello Fone. Is that a separate linux os with another uboot controlling the lte side of your fone? or one uboot with 2 identical partitions.. My fone calls that a preloader. boot 1 would be boot.img, boot 2 would be boot-debug.img, if I was a/b partitioned. But I got a preloader with 2 identical boot.img, checking byte for byte unless I root. the boot.
It's not a mistake to know I know the original command used in windows, to create a true unix root and password (at that time, supposedly impossible), windows commanding unix? windows control over an iphone with nothing more than the original unix root user hack, which incidentally, still works on every version of unix/linux/android...?
Android is NOT linux, but a remix, as much as linux is unix is eye... same commands, some on google, some in my head
And as for your last statement, I never made any mistake claiming any bootloader is dependent on build-type, but the bootloader's build-type decides whether we can flash a magisk'd bootloader in gui, or rw system...
User is simply windows oem home edition. debug is android. engineer is unix.
I'm old school. Past it... Never frown on those that write like I do, we have so much to share...
But if my memory serves me well, uboot actually came from eCos, originating in Docsis modems at the beginning of broadband, hence it is a DOS boot file, originally for modems. Just for the record, check tcniso, where they mention the vxShell as being 'very beauty'...
This explains the 64mb non-vol from the ambit 250, best security at that time, the non-vol was doubled to store a copy of the first half, in the second half where the first half was matched byte for byte before the modem came online, and why an ambit 250 non-vol could not work on an ambit 256, for the non-vol was exactly half the size, 32mb..
Same structure, day in day out... meanwhile, back in the jungle...
Ok, so no-one sees the need for bootloaders yet lol... so in the meantime, I had another idea.
Why not just remove magisk from an eng build bootloader, and then flash it, then re-apply magisk, if only to find out that this is how google prevent us writing to system...
And to whomever it was that stated magisk can convert an unpatched bootloader of the user variant into an eng (engineer) variant bootloader, you're simply wrong, no offence, I been through enough of them to know...
I wouldn't be looking for one since android 10 if it was ahem, the old way...
Please be kind if this is a stupid question - I'm very new to this and learning fast.
Would it be possible to add a signature to aromafm or to a lock pattern removal script, using the leaked Samsung platform certificate (as recently reported), and if so would that allow it to be sideloaded to stock recovery in a Galaxy S9?
I recently had to add a pattern lock - which I somehow managed to immediately forget. Even though it was a simple pattern specifically chosen to fall naturally under the hand so that I wouldn't forget it... I've tried so many variations that it's now making me wait 24 hours between attempts. It also turns out that data that I thought was backing up externally was actually only going to internal storage, so I really don't want to do a factory reset without trying absolutely everything else first.
Galaxy S9
Not rooted
Bootloader is locked
USB debugging is enabled
ADB can see the phone but it's not authorised
ADB sideload does work - but of course any scripts need the Samsung signature.
The phone is not registered with Samsung, so I can't unlock it through my Samsung account.
I realise it's clutching at straws but would the leaked platform key be a way in?
missmilla said:
Please be kind if this is a stupid question - I'm very new to this and learning fast.
Would it be possible to add a signature to aromafm or to a lock pattern removal script, using the leaked Samsung platform certificate (as recently reported), and if so would that allow it to be sideloaded to stock recovery in a Galaxy S9?
I recently had to add a pattern lock - which I somehow managed to immediately forget. Even though it was a simple pattern specifically chosen to fall naturally under the hand so that I wouldn't forget it... I've tried so many variations that it's now making me wait 24 hours between attempts. It also turns out that data that I thought was backing up externally was actually only going to internal storage, so I really don't want to do a factory reset without trying absolutely everything else first.
Galaxy S9
Not rooted
Bootloader is locked
USB debugging is enabled
ADB can see the phone but it's not authorised
ADB sideload does work - but of course any scripts need the Samsung signature.
The phone is not registered with Samsung, so I can't unlock it through my Samsung account.
I realise it's clutching at straws but would the leaked platform key be a way in?
While XDA prides itself on being hacker friendly, we shy away from anything that could result in legal liability, which is why we do not permit the sharing of any proprietary material, even if it's already in the public domain.
So in a nutshell... I imagine that if one did have a valid key, and signed an update package using that key, they could potentially use it to exploit their device, such as changing the props to allow bootloader unlocking, thereby permitting custom recoveries. Samsung, as far as I know, does not protect the system image with Verified Boot, so it is possible to modify /system without incurring a boot failure.
All that being said, the point is pretty moot, because, as I pointed out, we do not allow sharing anything that is licensed intellectual property, so any discussions on the topic would have to be rather... vague.
V0latyle said:
While XDA prides itself on being hacker friendly, we shy away from anything that could result in legal liability, which is why we do not permit the sharing of any proprietary material, even if it's already in the public domain.
So in a nutshell... I imagine that if one did have a valid key, and signed an update package using that key, they could potentially use it to exploit their device, such as changing the props to allow bootloader unlocking, thereby permitting custom recoveries. Samsung, as far as I know, does not protect the system image with Verified Boot, so it is possible to modify /system without incurring a boot failure.
All that being said, the point is pretty moot, because, as I pointed out, we do not allow sharing anything that is licensed intellectual property, so any discussions on the topic would have to be rather... vague.
Thank you, that's really helpful. I was thinking more whether simply adding a signature to a script would let that script be used directly with stock recovery, rather than unlocking the bootloader to flash a custom recovery (which I suspect would be beyond me), but it sounds as though in theory it might be worth a try. At this stage I probably have nothing left to lose, as I'll have to do a full reset anyway if I can't find another way in.
missmilla said:
Thank you, that's really helpful. I was thinking more whether simply adding a signature to a script would let that script be used directly with stock recovery, rather than unlocking the bootloader to flash a custom recovery (which I suspect would be beyond me), but it sounds as though in theory it might be worth a try. At this stage I probably have nothing left to lose, as I'll have to do a full reset anyway if I can't find another way in.
I'm honestly no expert on this kind of thing, but if I'm correct in my assumption that Samsung does not protect the system image, then yes - you could, in theory, use the leaked key to sign an update package that could patch /system to gain root. This would require knowledge of exactly how Samsung signs their updates. However, if the system image is protected, this would cause a boot failure, as AVB would detect the modification.
But.
If the above were possible, then the best course of action would be to create a script that would set ro.oem_unlock_ability=1 and sys.get_unlock_ability=1, after which the user would immediately reboot to download mode and unlock the bootloader, because once you've unlocked the bootloader, you've removed a lot of restrictions - you can flash a custom recovery, flash a root patch, flash anything you damn well please.
I doubt it's that easy unless you have in-depth, detailed knowledge of the encryption system and precisely how it's implemented. It's designed to be hard to hack. As for the stolen Samsung data, be careful what you download. You may end up with something extra, like a partition-worming rootkit(s). Boom. That was too easy.
A data recovery specialist that works with Samsungs is your best shot if you really need the data. Around $800 seems to be the going rate, maybe less, but expect to pay a couple hundred.
In the future, redundantly back up critical data to at least 2 HDDs that are physically and electronically isolated from each other and the PC. Copy/paste only, then verify the copied file size and that the backups are readable. Otherwise, sooner or later you will lose data, money or both.
V0latyle said:
I'm honestly no expert on this kind of thing, but if I'm correct in my assumption that Samsung does not protect the system image, then yes - you could, in theory, use the leaked key to sign an update package that could patch /system to gain root. This would require knowledge of exactly how Samsung signs their updates. However, if the system image is protected, this would cause a boot failure, as AVB would detect the modification.
But.
If the above were possible, then the best course of action would be to create a script that would set ro.oem_unlock_ability=1 and sys.get_unlock_ability=1, after which the user would immediately reboot to download mode and unlock the bootloader, because once you've unlocked the bootloader, you've removed a lot of restrictions - you can flash a custom recovery, flash a root patch, flash anything you damn well please.
Thank you, I will do some more digging around. Would unlocking the bootloader that way not wipe the data?
blackhawk said:
I doubt it's that easy unless you have in-depth, detailed knowledge of the encryption system and precisely how it's implemented. It's designed to be hard to hack. As for the stolen Samsung data, be careful what you download. You may end up with something extra, like a partition-worming rootkit(s). Boom. That was too easy.
A data recovery specialist that works with Samsungs is your best shot if you really need the data. Around $800 seems to be the going rate, maybe less, but expect to pay a couple hundred.
In the future, redundantly back up critical data to at least 2 HDDs that are physically and electronically isolated from each other and the PC. Copy/paste only, then verify the copied file size and that the backups are readable. Otherwise, sooner or later you will lose data, money or both.
Do you think it would brick the phone if I tried and it didn't like it, or would it just give the signature verification error like it does now?
Actually, looking again, I think I might have misunderstood. I thought the certificates themselves had been published (so wouldn't have to download anything), but what's shown may just be a hash of the certificate and so wouldn't give me the actual key anyway... I'm finding it all rather confusing.
It's ludicrous that Samsung won't let you unlock a phone if you can prove it's your own.
missmilla said:
Do you think it would brick the phone if I tried and it didn't like it, or would it just give the signature verification error like it does now?
Actually, looking again, I think I might have misunderstood. I thought the certificates themselves had been published (so wouldn't have to download anything), but what's shown may just be a hash of the certificate and so wouldn't give me the actual key anyway... I'm finding it all rather confusing.
It's ludicrous that Samsung won't let you unlock a phone if you can prove it's your own.
If in the US try a Samsung Experience center at a Best buy.
I never set locks on my phones or BIOSes, or use encryption on data backup drives, because you are always the one most likely to be locked out, sometimes through no fault of your own.
Digital data is fragile unless it's redundantly backed up.
blackhawk said:
If in the US try a Samsung Experience center at a Best buy.
I never set locks on my phones or BIOSes, or use encryption on data backup drives, because you are always the one most likely to be locked out, sometimes through no fault of your own.
Digital data is fragile unless it's redundantly backed up.
Thank you. I'm in the UK but we do have a couple of Samsung Experience Centres here so I'll try asking. Oh I will definitely be making multiple, unencrypted backups from now on! I will also be rooting the phone and installing a custom recovery just in case.
If you start playing with the firmware, bricking the device is always a real possibility, especially if you don't follow the protocols correctly. I never had to flash any of my Samsungs in 12 years; all are still working today. I don't do OTA updates either, ever; the potential to brick them like that is higher, with you having zero control.
Samsung would really love to sell you a new expensive phone...
Some lessons you end up learning the hard way. I lost a 30yo database that is irreplaceable.
Learn from your mistakes and press on. It's a lot easier though to learn from other's mistakes.
missmilla said:
Thank you, I will do some more digging around. Would unlocking the bootloader that way not wipe the data?
Unlocking the bootloader will always require a data wipe.
missmilla said:
Do you think it would brick the phone if I tried and it didn't like it, or would it just give the signature verification error like it does now?
Actually, looking again, I think I might have misunderstood. I thought the certificates themselves had been published (so wouldn't have to download anything), but what's shown may just be a hash of the certificate and so wouldn't give me the actual key anyway... I'm finding it all rather confusing.
The stock recovery will refuse any packages that are not signed, or are signed with an unrecognized key. There's other measures in place as well.
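The framing recovery checks before it ever looks at a key is worth seeing concretely. The following is an added example, not code from this thread or from AOSP: it rebuilds the SignApk whole-file-signature layout (the 6-byte footer `signature_start, ff ff, comment_size` at the end of the zip comment) and runs the structural checks recovery's verifier applies (footer marker, EOCD position, no second EOCD hidden in the comment, signed region boundary). The signature blob is a constructed placeholder, and the final step, verifying the CMS/RSA signature over the digest against the keys compiled into recovery, is not implemented here; that step is exactly the one the leaked-certificate question turns on.

```python
"""Framing checks that Android's stock recovery applies to a sideloaded zip
before it touches any cryptography, plus a builder that lays the signature
out the way SignApk does. Added example, not code from this thread. The
signature blob is a constructed placeholder: verifying the CMS/RSA signature
over the digest against the keys compiled into recovery is not implemented."""
import hashlib
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
EOCD_HEADER_SIZE = 22        # end-of-central-directory record without its comment
FOOTER_SIZE = 6              # (2-byte signature_start) ff ff (2-byte comment_size)
SIGNAPK_MESSAGE = b"signed by SignApk\x00"   # SignApk's readable prefix in the comment


def build_signed_zip(entries, signature_der):
    """Write `entries` (name -> bytes) into a zip and append a SignApk-style
    whole-file signature comment carrying `signature_der` (placeholder here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    zip_data = buf.getvalue()
    # A zip with no archive comment ends in a bare 22-byte EOCD record.
    if zip_data[-EOCD_HEADER_SIZE:-EOCD_HEADER_SIZE + 4] != EOCD_MAGIC:
        raise ValueError("zip already has an archive comment")
    body = SIGNAPK_MESSAGE + signature_der
    comment_size = len(body) + FOOTER_SIZE
    if comment_size > 0xFFFF:
        raise ValueError("signature does not fit in a zip comment")
    # signature_start counts back from end of file to the first byte of the DER blob.
    signature_start = comment_size - len(SIGNAPK_MESSAGE)
    comment = (body + struct.pack("<H", signature_start) + b"\xff\xff"
               + struct.pack("<H", comment_size))
    if EOCD_MAGIC in comment:
        # Recovery rejects a second EOCD magic after the real one, so SignApk refuses to emit it.
        raise ValueError("EOCD magic inside the comment")
    # Overwrite the 2-byte comment-length field, then append the comment.
    return zip_data[:-2] + struct.pack("<H", comment_size) + comment


def parse_whole_file_signature(data):
    """Locate the signed region and the signature block; raise ValueError on
    anything recovery's verifier would refuse before checking a signature.
    Returns (signed_len, signature_der)."""
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        raise ValueError("file too short to carry a whole-file signature")
    footer = data[-FOOTER_SIZE:]
    if footer[2:4] != b"\xff\xff":
        raise ValueError("no whole-file signature footer")
    signature_start = struct.unpack("<H", footer[0:2])[0]
    comment_size = struct.unpack("<H", footer[4:6])[0]
    if signature_start <= FOOTER_SIZE or signature_start > comment_size:
        raise ValueError("signature_start inconsistent with comment_size")
    eocd_size = EOCD_HEADER_SIZE + comment_size
    if eocd_size > len(data):
        raise ValueError("comment larger than file")
    eocd = data[len(data) - eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("EOCD magic not where the footer says it is")
    if EOCD_MAGIC in eocd[4:]:
        # A fake EOCD in the comment could redirect the zip reader to unsigned content.
        raise ValueError("spurious EOCD inside the comment")
    if struct.unpack("<H", eocd[20:22])[0] != comment_size:
        raise ValueError("EOCD comment length disagrees with footer")
    # Everything up to (not including) the comment-length field is what was signed.
    signed_len = len(data) - comment_size - 2
    signature_der = eocd[eocd_size - signature_start:eocd_size - FOOTER_SIZE]
    return signed_len, signature_der


def signed_region_digest(data, algo="sha256"):
    """Digest recovery feeds to the RSA check (SHA-1 or SHA-256 depending on the key)."""
    signed_len, _ = parse_whole_file_signature(data)
    return hashlib.new(algo, data[:signed_len]).hexdigest()


def framing_accepted(data):
    """True if the zip passes the structural checks; the key check comes after."""
    try:
        parse_whole_file_signature(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample package with a placeholder signature blob.
    pkg = build_signed_zip(
        {"META-INF/com/google/android/updater-script": b'ui_print("constructed example");\n'},
        b"\x30\x82\x01\x00" + bytes(64))
    n, der = parse_whole_file_signature(pkg)
    print(f"signed bytes: {n}, signature block: {len(der)} bytes, sha256: {signed_region_digest(pkg)}")
```

Run it on a real OTA zip and `parse_whole_file_signature` will pull out the PKCS#7 block; what it cannot tell you is whether the certificate inside that block is one recovery trusts, which is why a package signed with any other key, however well-formed, still ends in the signature verification error described in the thread.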
blackhawk said:
If you start playing with the firmware, bricking the device is always a real possibility, especially if you don't follow the protocols correctly. I never had to flash any of my Samsungs in 12 years; all are still working today. I don't do OTA updates either, ever; the potential to brick them like that is higher, with you having zero control.
Samsung would really love to sell you a new expensive phone...
Some lessons you end up learning the hard way. I lost a 30yo database that is irreplaceable.
Learn from your mistakes and press on. It's a lot easier though to learn from other's mistakes.
Probably not something to be messing around with when I don't know what I'm doing then.
Ouch! No wonder you're so careful with backing up... as I will be too from now on. Lesson learned
V0latyle said:
Unlocking the bootloader will always require a data wipe.
The stock recovery will refuse any packages that are not signed, or are signed with an unrecognized key. There's other measures in place as well.
It's sounding like I'd probably better count my losses and leave it alone. And be more careful in future. All this has got me itching to try stuff out though. Possibly not on my one and only phone, but maybe if I can get a cheap second hand one to play with, or the S9 once I eventually upgrade - it sounds so much fun!
You can use the key to sideload an update. If I were you, I'd try to flash a blank vbmeta and a Magisk boot so that you can bypass dm-verity and other measures, but the problem with this is where you can find the certificate. Nobody will tell you where you can find it, because whoever has it remains silent, and communities do not allow this kind of sharing.
Skorpion96 said:
You can use the key to sideload an update. If I were you, I'd try to flash a blank vbmeta and a Magisk boot so that you can bypass dm-verity and other measures, but the problem with this is where you can find the certificate. Nobody will tell you where you can find it, because whoever has it remains silent, and communities do not allow this kind of sharing.
Thank you. Yeah, I thought I had seen someone publish the certificate, but I misunderstood. So wouldn't be able to get hold of it what with not being familiar with the dark web!
Skorpion96 said:
if I were you I'll try to flash a blank vbmeta and magisk boot so that you can bypass dm-verity and other measures
you can always flash blank vbmeta on low level (such as usbdl, edl or bootrom mode) but that's not how it works.
aIecxs said:
you can always flash blank vbmeta on low level (such as edl or bootrom mode) but that's not how it works.
Depends; if your device is made in the USA you can't. I was only suggesting a way to bypass flashing restrictions, hoping that the bootloader lock doesn't block you. Normally the bootloader lock blocks unsigned flashing, but if you are able to bypass it during flashing maybe you can boot unsigned firmware; I'm not sure though. To flash stuff you can use an exploit or escalate privileges with a signed app that updates a system one to become uid 1000, and after that you can do setenforce 0 or setenforce permissive to set the kernel permissive.
No no, locked bootloader prevents booting unsigned boot, vbmeta, etc (not flashing in first place)
@missmilla just realized you wanna break into your device? this was always possible for S9 (encrypted with default_password) but it's not easy
https://www.forensicfocus.com/news/samsung-exynos-support-in-oxygen-forensic-detective
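The "blank vbmeta" mentioned above and the reply that a locked bootloader refuses to boot it can be made concrete. The following is an added example, not code from this thread or from libavb: it writes the 256-byte AVB vbmeta header the way `avbtool make_vbmeta_image --flags 2` does (algorithm NONE, no authentication or auxiliary blocks, VERIFICATION_DISABLED set), parses it back, and models the decision libavb's slot verification reaches. The model is an assumption about the bootloader's policy, namely that only an unlocked device passes `ALLOW_VERIFICATION_ERROR`, and the RSA check a signed header would go through against the OEM key is not implemented.

```python
"""Reader and writer for the 256-byte AVB vbmeta image header, to show what a
"blank" vbmeta made with `avbtool make_vbmeta_image --flags 2` contains and
why a locked bootloader refuses it. Added example, not code from this thread;
bootloader_accepts() is a simplified model of libavb's slot verification,
not the real implementation."""
import struct

AVB_MAGIC = b"AVB0"
# Layout of AvbVBMetaImageHeader (libavb avb_vbmeta_image.h), big-endian, 256 bytes.
HEADER_FMT = "!4s2L2QL11QLL47sx80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
FIELDS = ("magic", "libavb_major", "libavb_minor",
          "authentication_data_block_size", "auxiliary_data_block_size",
          "algorithm_type", "hash_offset", "hash_size", "signature_offset",
          "signature_size", "public_key_offset", "public_key_size",
          "public_key_metadata_offset", "public_key_metadata_size",
          "descriptors_offset", "descriptors_size", "rollback_index",
          "flags", "rollback_index_location", "release_string")
ALGORITHM_NONE = 0                  # AVB_ALGORITHM_TYPE_NONE: header carries no signature
FLAG_HASHTREE_DISABLED = 1 << 0     # AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED
FLAG_VERIFICATION_DISABLED = 1 << 1 # AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED


def make_blank_vbmeta(flags=FLAG_VERIFICATION_DISABLED, release=b"avbtool example"):
    """Unsigned header: algorithm NONE, no auth/aux blocks, no descriptors.
    With flags=2 this is the 'blank vbmeta' people flash to disable AVB."""
    return struct.pack(HEADER_FMT, AVB_MAGIC, 1, 0, 0, 0, ALGORITHM_NONE,
                       *([0] * 11), flags, 0, release)


def parse_vbmeta_header(image):
    """Decode the fixed header into a dict; raise ValueError if it is not vbmeta."""
    if len(image) < HEADER_SIZE or image[:4] != AVB_MAGIC:
        raise ValueError("not a vbmeta image")
    header = dict(zip(FIELDS, struct.unpack(HEADER_FMT, image[:HEADER_SIZE])))
    header["release_string"] = header["release_string"].rstrip(b"\x00").decode()
    return header


def bootloader_accepts(image, device_unlocked):
    """Model of the decision a bootloader reaches on the top-level vbmeta.
    A locked device runs avb_slot_verify without ALLOW_VERIFICATION_ERROR, so
    an unsigned header (OK_NOT_SIGNED) or the VERIFICATION_DISABLED flag is
    fatal; an unlocked device tolerates both and boots in orange state.
    Returns (accepted, reason)."""
    try:
        h = parse_vbmeta_header(image)
    except ValueError as err:
        return False, str(err)
    if h["algorithm_type"] == ALGORITHM_NONE:
        if not device_unlocked:
            return False, "vbmeta is not signed and verification errors are not allowed"
        return True, "unsigned vbmeta tolerated because the device is unlocked"
    if h["flags"] & FLAG_VERIFICATION_DISABLED and not device_unlocked:
        return False, "VERIFICATION_DISABLED set but verification errors are not allowed"
    # A signed header would now have its signature checked against the OEM key
    # baked into the bootloader; that RSA check is outside this example.
    return True, "signed header, continue to the signature check against the OEM key"


if __name__ == "__main__":
    blank = make_blank_vbmeta()
    print(parse_vbmeta_header(blank))
    for unlocked in (True, False):
        print("unlocked" if unlocked else "locked", bootloader_accepts(blank, unlocked))
```

Flashing the blank image is a separate question from booting it: even where a low-level mode lets you write the partition, the header above carries no signature, so on a locked device the verification stage rejects it before any boot image is considered, which is the distinction drawn in the reply above.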
aIecxs said:
@missmilla just realized you wanna break into your device? this was always possible for S9 (encrypted with default_password) but it's not easy
https://www.forensicfocus.com/news/samsung-exynos-support-in-oxygen-forensic-detective
Apparently the Qualcomm variants aren't susceptible to this hack. Only Exynos models are listed.