[BOOTLOADER] Locked bootloader research and news [Updated: 7/16/2012]

Search This thread
By:
Advanced…
Mean Bro Greene

Mean Bro Greene

Senior Member
Jul 14, 2010
481
19
34
423
jamesnmandy said:
wait a minute.....didn't the official VZW Twitter account say "don't blame us, Samsung did it"!?

so which is it, did Samsung do it or did Verizon do it? (facetious yes)

so now that Verizon has openly lied and owned up to it and put Samsung out there as the bad guy, Samsung should be just fine with leaking something.....didn't one of the guys from the CM team or one of the most famous developers end up going to work for Samsung last year some time?
Click to expand...
Click to collapse

Fairly certain Cyanogen himself got offered a job at Samsung. Highly doubt that if he took it, he would be willing to risk it, though.

Edit: He did indeed take a position as a Software Engineer last year.

Sent from my Galaxy Nexus using Tapatalk 2
 
Last edited:
narsciso

narsciso

Senior Member
Jul 18, 2010
99
13
I can only let my imagination roll with a Samsung employee going under certain protocols to proxy his way to get in touch with a dev and release something. :(

Sent from my DROIDX using Tapatalk 2
 
N

neyenlives

Senior Member
Oct 11, 2010
3,415
868
Mean Bro Greene said:
Fairly certain Cyanogen himself got offered a job at Samsung. Highly doubt that if he took it, he would be willing to risk it, though.

Edit: He did indeed take a position as a Software Engineer last year.

Sent from my Galaxy Nexus using Tapatalk 2
Click to expand...
Click to collapse

i thought so.....i know he wouldn't....but if it were to get out, it has a better change I suppose.....if there were people sympathetic to the cause.....just thinking outloud....
 
Mean Bro Greene

Mean Bro Greene

Senior Member
Jul 14, 2010
481
19
34
423
jamesnmandy said:
i thought so.....i know he wouldn't....but if it were to get out, it has a better change I suppose.....if there were people sympathetic to the cause.....just thinking outloud....
Click to expand...
Click to collapse

I understand. Part of me likes to think that he would leak something out simply because of where he came from, but the other part of me knows that in his shoes, I would never jeopardize such a great gig.

Sent from my Galaxy Nexus using Tapatalk 2
 
C

CrimsinX

Member
Apr 4, 2011
22
8
Mean Bro Greene said:
I understand. Part of me likes to think that he would leak something out simply because of where he came from, but the other part of me knows that in his shoes, I would never jeopardize such a great gig.

Sent from my Galaxy Nexus using Tapatalk 2
Click to expand...
Click to collapse

I bet he is watching at least. Under a fake name and a proxy server I'm sure but nonetheless watching.

Sent from my SGH-T959 using xda premium
 
segv11

segv11

Senior Member
Mar 19, 2012
379
526
tonu42 said:
That would I'm pretty sure 100% work. But two things.

1. Who would take there phone apart? I know. Adamoutler, but he doesnt have it I dont think.
2. Even if we find out where and what, what if it is indeed encrypted?
Click to expand...
Click to collapse

Perhaps someone could get AdamOutler one of these to take apart:

"I'm sure I could do it and make it reproducible.. but the problem is that I don't have a device or Verizon."

https://plus.google.com/104711040110222472212/posts/2VbBBWGezLJ
 
17akota

17akota

Senior Member
Sep 11, 2010
507
190
State College
So I say by the end of the month we will have JB the way this is going. :)
Got a workaround working pretty well before official launch!
 
M

Mindstar1

Senior Member
Dec 19, 2011
95
3
Riverside
Bootloader Confusion

Awesome work guys, you are Android ninjas!

One clarification question, assuming your mission here is a success (and I am confident that will be the outcome), will the phone be as modable as the non-VZW versions?

Keep up the good work!4
 
L

Loglud

Senior Member
Jul 29, 2011
235
449
Google Pixel 7 Pro
Mindstar1 said:
Awesome work guys, you are Android ninjas!

One clarification question, assuming your mission here is a success (and I am confident that will be the outcome), will the phone be as modable as the non-VZW versions?

Keep up the good work!4
Click to expand...
Click to collapse

Theoretically yes. Once the boot loader has been modded and the boot.img can be changed, the Devs can use a overflash system. One can flash another versions rom, and then take that and apply the kernel and proprietaries from the VZW edition and have any rom they want from the SGSIII on their phone.
 
  • Like
Reactions: PGleo86 and Mindstar1
M

Mindstar1

Senior Member
Dec 19, 2011
95
3
Riverside
Loglud said:
Theoretically yes. Once the boot loader has been modded and the boot.img can be changed, the Devs can use a overflash system. One can flash another versions rom, and then take that and apply the kernel and proprietaries from the VZW edition and have any rom they want from the SGSIII on their phone.
Click to expand...
Click to collapse
Awesome!

I asked because I currently have a GNex and I am debating about keeping the SGS3 that I preordered, but it all hinges on whether the devs can get behind it. If what you say comes to pass, then it seems like a safe bet to keep it.

Thanks again!
 
O

ooofest

Senior Member
Aug 17, 2011
966
182
NY
tonu42 said:
Just on a side note, AdamOutler has the money donated from an anonymous person to get this phone to open it up and reverse engineer it as the hardware level. This is very good news for us.
Click to expand...
Click to collapse

So, does this mean he actually monitors the hardware bootup, all the signals related, etc. and might be able to figure out what is calling what and for which info, so that we can mirror that in custom s/w (for example, a custom boot.img) and the rest of the phone won't be wiser?

- ooofest
 
PGleo86

PGleo86

Senior Member
Dec 8, 2010
519
36
Rochester, NY
tonu42 said:
Just on a side note, AdamOutler has the money donated from an anonymous person to get this phone to open it up and reverse engineer it as the hardware level. This is very good news for us.
Click to expand...
Click to collapse

Yes! In 3 or 4 days we got farther than the Droid X guys got in the first year, and this only furthers that! Shows what a good dev community can do :D
 
You must log in or register to reply here.

Similar threads

invisiblek
[FIRMWARE] <I535VRUCML1> (MODEM/RPM/TZ/SBL) Verizon SGS3 (SCH-I535)
Replies
1K
Views
564K
Ibuprophen
Ibuprophen
eschelon
☆ ★ | ROM | SynergyROM VZW S3 | JB 4.1.2 | Floating Multiwindows! | Apr 20 r484 |★ ☆
Replies
24K
Views
4M
GeTex
GeTex
Scott
  • Locked
[ROM][6/7/14] - CleanROM 8.2 -★| Clean! | Smooth! | Stable! | No Gimmicks! |★-
Replies
15K
Views
2M
Scott
Scott
AdamLange
[Official] Latest STOCK ROMS for VERIZON SGS3 (SCH-I535) - [Latest: I535VRBMF1]
Replies
164
Views
331K
J
jerryspring
AdamOutler
  • Locked
[R&D] Unlock Bootloaders
Replies
318
Views
368K
AdamOutler
AdamOutler

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 67
    invisiblek
    invisiblek
    tonu42 said:
    Invisiblek succesfully booted to android using "adb reboot recovery" with his modified recovery.img.

    Basically we made it look as if going to recovery, but actually continuing onto boot.img.
    Click to expand...
    Click to collapse

    thats not 100% accurate

    i flashed a modified boot.img to our recovery partition (/dev/block/mmcblk0p18)
    then rebooted into recovery
    it booted up into android using this modified boot.img

    i don't plan for this to be of any real use to us though. proof of concept really

    we need our access to /dev/block/mmcblk0p7 (where our stock boot.img actually resided)

    thing is, we can flash to mmcblk0p7 just fine, but it wont boot (wont do anything actually other than let you get back into odin mode, where you can re-flash the stock boot image, or it gives you this when you try to boot android or recovery: http://i.imgur.com/Ci0gY.png )

    rest assured. this is being worked on...
    View
    39
    B
    biff6789
    Since this is a news thread...

    It was reported in IRC within the past hour or so that supposedly BOTH kexec is likely working and noobnl (whom many of you may know from his work with AOSP ROMs) has stated that the RIL has been cracked :D

    To those who don't know what that means, kexec chainloads kernels (in simplest terms, the custom kernel loads on top of the stock kernel AFTER the bootloader checks to make sure the stock kernel has been unmodified). This was necessary if one wanted to run a non-Touchwiz ROM (such as CM, AOKP, etc) or if they just wanted to run an overclocked, undervolted kernel.

    The RIL is essentially the radio. It was also needed to run a non-Touchwiz ROM and now opens the door to Jelly Bean ROMs.

    There is still working/testing to be done, and there are no ETAs, so don't bug the devs. They're actively working on it so let them do their thing.

    What a roller coaster of a weekend :)
    View
    36
    AdamLange
    AdamLange
    Since locked Verizon SGS3 is now the main problem, i'v decided to split my kernel thread to separate one that focus directly on unlocking bootloader and progress in that matter.

    Summary of the problem

    Verizon model is protected from flashing unsigned/modified boot.img and recovery.img. Which means there is no known root method as for now for SCH-I535.
    And that is where our adventure starts ....


    Rooted stock boot.img issue:
    <ID:0/008> Firmware update start..
    <ID:0/008> boot.img
    <ID:0/008> NAND Write Start!!
    <ID:0/008> FAIL! (Auth)
    Click to expand...
    Click to collapse

    CWM Recovery.img flash issue:
    <ID:0/003> Firmware update start..
    <ID:0/003> recovery.img
    <ID:0/003> NAND Write Start!!
    <ID:0/003>
    <ID:0/003> Complete(Write) operation failed.
    Click to expand...
    Click to collapse

    Research status: 50%
    + 20% - Some devs stated that RIL is hacked and there is also sucessfull Kexec implentation in works - http://xdaforums.com/showpost.php?p=28484191&postcount=262 Stay tuned for more news. Kexec proof-of-concept thread: http://xdaforums.com/showthread.php?t=1760678
    + 20% - phone can boot from unsigned boot.img flashed to recovery partition, this will leave you without recovery and requires to boot-trough-recovery every time u rebooting phone! (thanx invisiblek)
    Links: http://xdaforums.com/showpost.php?p=28420589&postcount=47 , http://pastebin.com/eARk7r48

    + 10% - phone rooted trough system.img tricks -> http://xdaforums.com/showthread.php?t=1756885 (by invisiblek)


    ROM analysys:
    boot.img -> signed
    recovery.img -> signed
    system.img -> not signed
    cache.img -> not signed

    Update [7/7/2012]
    News about locked Verizon model is spreading over the websites and main tech-related portals. Hopefully we will get some detailed info soon.

    Update [7/7/2012]
    It looks like it has been rooted by using system.img trick (system.img is not signed)
    http://xdaforums.com/showthread.php?t=1756885
    Enjoy! and thanx to invisiblek :) good job!

    Update [07/15/2012] VZN insider confirmed this is not a true info
    One of thread members chatted with verizon reps over mail & chat and got info that there may be possible unlocker released for bootloader at vzn locked phones. Here's the screenshots of chat: http://i.imgur.com/0lX3o.png , http://i.imgur.com/ULA4X.png
    At this is not confirmed yet officialy, it may be interesting finding.

    Update [07/15/2012]
    Adam Outler posted he's own research info in separated thread, read it. It may help a bit -> http://xdaforums.com/showthread.php?t=1769411

    Update [07/16/2012]
    Galaxy S III Verizon Developer edition shows up on Samsung Website! -> http://www.samsung.com/us/mobile/cell-phones/SCH-I535MBCVZW


    Thanks!
    View
    29
    stiltzkin
    stiltzkin
    Developing right now:

    JackpotClavin and Invisiblek have successfully loaded a custom kernel using a modified recovery ramdisk. It's still very early but this is excellent news for us. As it stands, this method wipes ClockworkMod and requires the recovery key combination on every boot, but those issues can probably both be overcome with custom scripts.

    Stay tuned guys...and mash those two guys' Thanks buttons!
    View
    24
    L
    Loglud
    piiman said:
    hmmmmm kind of like your post was right?
    Click to expand...
    Click to collapse

    And your post also.

    On a good note while i was digging around last night through the source code I did notice something really nice about the SGSIII that should make you all very happy. As the guys at epic have noted, the kexec flag is marked, meaning that kexec can crash the existing kernel with one of its own. Now what does that mean you may ask. I'm glad you asked.

    For those of you that do not know there are 5 primary partitions that are contained on most phones and android devices:
    1. X-Loader
      This partition is usually the partition with the most basic hardware inits such as base gpio (buttons) and power toggles​
    2. bootloader
      This is the partition that contains what most of us as dev's hate the most, the dreaded boot signature, and boot instructions. When a bootloader is locked down it can be because of either a hardware lock, see OMAP4 processors Sec_On Pin, or a software lock, HTC's S-Off. When a bootloader is said to be locked, it can have two reasons for this, a signed header or an encryption algorithm on the entire partition.​
    3. recovery
      This partition is the one every one loves to see Clockwork Mod on. When not signed the partition can be flashed and used. ONE THING TO NOTE HERE IS THAT WHEN YOU USE THIS THREAD, YOU ARE SHOWING THAT THIS IS NOT SIGNED, Or the signature is not checked!!! This is intersting because it its self may show a security hole. The recovery might be what checks the CWM recovery flash images signature.​
    4. boot
      Perhaps one of the most interesting partitions on android devices. The boot partitions contains the binary for the kernel, and the inframs for the initilization of the os. This partition in this case has said to be signed, with a signature check in the bootloader that checks the validity of a boot partition, meaning there is no changing this.​
    5. system
      Contains most of the information on the OS. At this point all the framework and android settings get loaded. This partition is not signed, meaning we can modify to our will​
    6. userdata
      Contains the userdata, such as games and such​

    Now one thing to note is that there are two initialzation points, the first of which occurs in the boot parition and the second of which is in the system's /etc/init files. One thing that i would be interested in seeing is if you were to use this place to load in a new partition or an SD OS. for example:
    system1 partition init:
    Code: 
    kexec -l /sdcard/kernel --reuse-cmdline --ramdisk=/sdcard/ramdisk
    system2 partition can then have an init that mounts a block partition from the sdcard onto the system partition.
    Code: 
    mount /dev/block/mmc1... /system

    Now what does it all mean? This current method means that we can reload a compleatly new os onto a devices kernel and all. AKA Jelly Bean.

    For those dev which hope to find a way to make it work i point you to the following posts:

    2nd-init can be used for a second init after the first one to allow for kexec to be run (might not need this)

    kexec for ARM I might have to modify some kernel memory allocation issues but it should work none the less with the flag.
    View

New posts