Find Your Device:
Or Continue to Thread: [R&D] Unlock Bootloaders
13th July 2012, 03:50 AM |#1  
AdamOutler's Avatar
OP Recognized Developer
Flag Louisiana
Thanks Meter: 9,753
5,225 posts
Join Date:Joined: Feb 2011
Donate to Me
Do not post in here unless you have something constructive to say. "Thanks", "Hey this is wonderful", and any other comments like that are not wanted. They take up space and make it more difficult to find information. I'm requesting that this thread be heavily moderated. In order to work efficiently, information density must be kept high. We are all guilty of adding in a few off-topic sentances from time-to-time, but this thread is strictly business and I expect the moderators to moderate me as well.

What is this?
This is the place where we can research and develop a method to unlock the bootloader of the Verizon Galaxy SIII. Hopefully, this will be development at its finest.

Why not just buy a developer edition
GTFO! Not a single person got started developing by buying a developer phone. They started developing because they were unhappy with the features of their device and wanted something better. They wanted something more. This developer phone is a tax on developer innovation. We do not stand for that. We will break the security and we will enable XDA-Developers to do what they do best.

Until security is broken and available for everyone, this device will get updates last, users will be unhappy because there are no additional features and Samsung violates the spirit of Open Source and copyright laws. Take a look at the bottom line of FAQ located here:

What are the goals?
  • Attain a bootloader recovery - 75% JTAG (the extra 25% will be for a user-friendly method)
    The Galaxy S3 is bootable from SDCard. In case of emergency this is needed. We need to verify that this works on the Verizon GS3 to bring up Odin. This will set up infrastructure for research.
  • Attain a full stock restoration via Odin or Heimdall - 90%
    For use with Odin3.
    Bootloader - BOOTLOADER_I535VRALF2_618049_REV09_user_low_ship.t ar.md5 - 1.97 MB - Thanks nbsdx
    PDA -
    NEED CSC PACKAGE (MODEM, PARAMS and Other Miscellaneous partitions). This is enough to recover a device though.
    To include bootloaders and recovery to a working and stock condition with the EMMC wiped entirely. Heimdall is a work in progress for this device. This will complete the infrastructure needed for research.
  • Collect information
    This will be the longest and most difficult part of this development. The information provided by Qualcomm is not readily available. Samsung is notoriously secretive about their bootloaders. Mainly we, as a community, will generate information. Please post any relevant datasheets, theory-of-operation, or manuals which you can find.
  • Provide a way to remove security checks from Odin3.] 100% - insecure aboot.img which may break in the future
    By removing security checks from Odin3 on the computer or the Loki daemon on the device we can flash anything through Odin or Heimdall.
  • Provide a way to bypass security checks within bootloaders. 200% we have two exploits, only one has been released.
    This is the ultimate goal. Once we can bypass the security checks, kernels can be flashed giving us the control required to develop

Initial information
[BOOTLOADER] Locked bootloader research and news:

My own research

SBL1 is the first booting partition. Qualcomm provides the Modem partition so it comes first on the EMMC. SBL1 is the first bootloader and that is specified by Qualcomm standards. Qualcom mmake sthe primitive bootloader and allows their customers (Samsung) to make a Secondary bootloader. Samsung chose to use three secondary bootloaders.

The following 0p* are located in /dev/block/mmcblk*

0p1 = modem
Built by se.infra
I take this to mean this Qualcomm modem was built in Hudson Georgia.
I was not able to find signatures on this block . This does NOT mean that there are no signatures on this block. The file is 33 megs. The file is unencrypted.
The modem uses the BLAST Kernerl ver : Unfortunately we need someone who speaks French(???) to understand how this works
Judging by the contents of this file, it is an operating system of it's own including keyboard, mouse and a lot of debugging information. We need to find out more about the BLAST Kernel and this partition.

Samsung Proprietary partitions SBL1,2,3
Overall I'm not entirely familiar with this new 3 SBL setup. If someone could help me out, that would be great. This 3 SBL setup looks like they tried to adapt (slopily) their IBL+PBL+SBL setup to the Qualcomm and added overhead.

This block is signed by Samsung, we will not be able to modify it.
Some Strings we expect to see on UART are:

This block is signed by Samsung, we will not be able to modify it.

Some of the strings we may see over UART are:
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
This block is signed by Samsung, we will not be able to modify it.

Possibly useful information:
SVC: R1-R14

This block appears to be a full OS of its own. I'm not sure of its purpose.

op5= aboot
This block is signed by Samsung, we will not be able to modify it

This block contains HTML information. It would appear that it is possible to put the device into a mode where it will provide a webserver which displays state information.

This block appears to be a complete operating system

This block contains the Loke Daemon which communicates with Odin3.

0p6= rpm
This block is signed by Samsung we will not be able to modify it

0p7= boot
This is the kernel. There are several things we can do here... I belive this package itself is not signed, but the zImage itself is... here is the bootimg.cfg file

adam@adam-Desktop:~/Desktop/VZWGS3$ cat ./bootimg.cfg 
bootsize = 0xa00000
pagesize = 0x800
kerneladdr = 0x80208000
ramdiskaddr = 0x81500000
secondaddr = 0x81100000
tagsaddr = 0x80200100
name = 
cmdline = console=null androidboot.hardware=qcom user_debug=31
It may be possible to use that cmdline variable as an exploit.

0p8= tzTrust Zone
0p9= pad
0p10= param -boot mode parameters - this could be a potential exploitation point.
0p11= efs -serial numbers
I've honestly got no clue about most of the following partitions.
0p12= modemst1
0p13= modemst2
0p14= system - Android stuff
0p15= userdata - App Stuff
0p16= persist
0p17= cache - Storage for updates
0p18= recovery - recovery partition
0p19= fota
0p20= backup
0p21= fsg
0p22= ssd
0p23= grow

External UART log from initial power up:
[    0.000000] heap->name mm, mb->start c0000000
[    0.000000] Reserving memory at address ea000000 size: 100000
[    0.000000] sec_dbg_setup: str=@0x88d90004
[    0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[    0.000000] sec_dbg_setup: secdbg_size = 0x40000
[    0.000000] etb_buf_setup: str=@0x8fffb9c0
[    0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[    0.000000] etb_buf_setup: secdbg_size = 0x4000
[    0.174515] rdev_init_debugfs: Error-Bad Function Input
[    0.174881] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[    0.176957] sec_debug_init: enable=0
[    0.177475] ec_debug_nit: restrt_reason: 0xdf0085c
[    .216358] msm8960_iit_cam:292]settingdone!!
[    0.25006] i2c 2c-14: Inalid 7-bi I2C addrss 0x00
    0.25237] i2c ic-14: Can' create evice at x00
[   0.252220]i2c i2c-1: Failed o registeri2c clien cmc624 t 0x38 (-6)
[    .252250] 2c i2c-19:Can't crete deviceat 0x38
    0.25433] rdevinit_debufs: Error-ad Functin Input
    0.25222] max892 19-006: DVS mode disabledbecause VD0 and VI1 do not ave prope control.
[    0.79536] ms_etm msm_tm: ETM tacing is ot enable beacaussec_debug s not enaled!
[   0.284449 smd_chanel_probe_orker: alocation tble not iitialized
                                                                  [    0.38766] pm_untime: fil to wak up
[   0.362032]hdmi_msm dmi_msm.1 externalcommon_stte_create sysfs grup de39e68                                                                   
[    0362673] Iside writback_drivr_init                                                                                                         
[   0.36275] Insidewritebackprobe                                                                                                               
[    1.244803] TZCOM: unable to get bus clk                                                                                                     
[    1.431680] cm36651_setup_reg: initial proximity value = 3                                                                                   
[    1.549671] msm_otg msm_otg: request irq succeed for otg_power                                                                               
[    1.566702] mms_ts 3-0048: [TSP] ISC Ver [0xbb] [0x20] [0x20]                                                                                
[    1.571341] mms_ts 3-0048: [TSP] fw is latest. Do not update.                                                                                
[    1.583488] [__s5c73m3_probe:3818] S5C73M3 probe                                                                                             
[    1.587089] [s5c73m3_sensor_probe_cb:3793] Entered                                                                                           
[    1.591942] [s5c73m3_i2c_probe:3675] Entered                                                                                                 
[    1.596123] [s5c73m3_init_client:3381] Entered                                                                                               
[    1.600579] [s5c73m3_i2c_probe:3695] Exit                                                                                                    
[    1.604608] [s5c73m3_sensor_probe:3726] Entered                                                                                              
[    1.609095] [s5c73m3_spi_init:226] Entered                                                                                                   
[    1.613154] [s5c73m3_spi_probe:191] Entered                                                                                                  
[    1.617335] [s5c73m3_spi_probe:201] s5c73m3_spi successfully probed                                                                          
[    1.623561] [s5c73m3_sensor_probe :  3749] Probe_done!!                                                                                      
[    1.672638] mmc0: No card detect facilities available                                                                                        
[    1.682984] aat1290a_led_probe : Probe                                                                                                       
[    1.693850] msm_soc_platform_init                                                                                                            
[    1.697298] msm_afe_afe_probe                                                                                                                
[    1.843064] msm_asoc_pcm_new                                                                                                                 
[    1.849748] msm_asoc_pcm_new                                                                                                                 
[    2.023134] set_dload_mode <1> ( c00176d4 )                                                                                                  
[    2.052220] cypress_touchkey 16-0020: Touchkey FW Version: 0x06                                                                              
[    2.123851] init: /init.qcom.rc: 466: invalid command '/system/bin/log'                                                                      
[    2.129620] init: /init.qcom.rc: 573: ignored duplicate definition of service 'sdcard'                                                       
[    2.137402] init: /init.qcom.rc: 586: ignored duplicate definition of service 'ftm_ptt'                                                      
[    2.145490] init: / 73: ignored duplicate definition of service 'thermald'                                                    
[    2.154677] init: could not open /dev/keychord                                                                                               
[    2.239951] init: Device Encryption status is (0)!!                                                                                          
[    2.243705] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p15 (ext4):::::                                                               
[    2.251823] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p15                                                  
[    2.588921] init: [disk_config] ext_check ->ok                                                                                               
[    2.611597] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p17 (ext4):::::                                                               
[    2.617762] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p17                                                  
[    2.655333] init: [disk_config] ext_check -> ok                                                                                              
[    2.664947] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p11 (ext4):::::                                                               
[    2.671081] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p11                                                  
[    2.704532] init: [disk_config] ext_check -> ok                                                                                              
[    3.259056] init: cannot find '/system/etc/', disabling 'flash_recovery'                                                  
[    3.270471] init: cannot find '/system/bin/dmbserver', disabling 'dmb'
External UART log from battery-pull and reinsert
[    0.000000] heap->name mm, mb->start c0000000
[    0.000000] Reserving memory at address ea000000 size: 100000
[    0.000000] sec_dbg_setup: str=@0x88d90004
[    0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[    0.000000] sec_dbg_setup: secdbg_size = 0x40000
[    0.000000] etb_buf_setup: str=@0x8fffb9c0
[    0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[    0.000000] etb_buf_setup: secdbg_size = 0x4000
[    0.174484] rdev_init_debugfs: Error-Bad Function Input
[    0.174851] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[    0.176926] sec_debug_init: enable=0
[    0.177445] sc_debug_iit: restat_reason  0xdf0086c
[    0216206] [sm8960_int_cam:299]setting one!!
[   0.217915 select_req_plan:ACPU PVS:Nominal
    0.25206] i2c ic-14: Invaid 7-bit 2C addres 0x00
[   0.25207] i2c i2-14: Can'tcreate deice at 0x0
[    0252250] 2c i2c-19 Failed t register 2c clientcmc624 at0x38 (-16
[    0252250] ic i2c-19: an't creae device t 0x38
[   0.25243] rdev_iit_debugs: Error-Bd Functio Input
[   0.25292] max895 19-0060:DVS modesdisabled ecause VI0 and VID do not hve propercontrols.
                                                                                           [    0.29536] msmetm msm_em: ETM trcing is nt enable!
[    0.35797] pm_rntime: fal to wakeupllcation tale not intialized
[    .362093] dmi_msm hmi_msm.1:external_ommon_stae_create:sysfs grop de39e60                                                                   
[    0.62734] Inide writeack_driverinit                                                                                                         
[   0.36285] Inside riteback_robe                                                                                                               
[    1.244803] TZCOM: unable to get bus clk

possible exploitations
Possible entry point MODEM - Someone with a JTAG setup test viability of modifying a single byte on /dev/block/mmcblk0p1
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
Possible entry point BOOT - Modify CMDLINE parameter to load information from another location.
Possible entry point BOOT - We may be able to shove an insecure bootloader into memory, boot into that, and then use the recovery partition as our kernel partition. Bauwks 2nd U-Boot. U-Boot is available for the Exynos 4412, we need to find one for Qualcomm.
Possible entry point SYSTEM - It may be possible to use a 2nd init hack from this partition to load custom kernels into memory and reboot the kernel.

Current tasks
What do all of these partitions do?
Do we have a SDCard based recovery?
Where can we find an Odin3 CSC Flash?
Testing methods above is required
Last edited by AdamOutler; 16th August 2012 at 12:21 AM.
The Following 172 Users Say Thank You to AdamOutler For This Useful Post: [ View ]