[R&D] Unlock Bootloaders

OP AdamOutler

simonsimons34
15th August 2012, 02:52 AM   |  #311  
QDL is never going to work without Samsung leaking the encryption key they use to unlock it themselves. It's the same for HTC S4 devices... I know this from a few people I talked to who also work with these things. Now, if someone can humor me: download emmc_recovery made by fuses. Then flash an unsigned bootloader; just change a useless byte like the version. Then did it back. Just remember this can hard brick. Now run the brick detector. This has to be done fast. If it detects your device this is good, and I may be able to talk to some people very good at this stuff. If you get "brick detected", be sure to just flash the original partition back with the tool. And yes, it must be done in Linux.

15th August 2012, 06:16 PM   |  #312  
KennyG123 (RC-RT Committee / Senior Moderator)
Thread cleaned.
Please remember to only post comments that will directly help move this goal forward.
Thanks,
FNM
15th August 2012, 07:01 PM   |  #313  
dexter35803 (Senior Member)
QC EMMC Downloader
Has anyone messed with the eMMC Downloader in QPST? It seems to allow writing of the bootloaders, but this bootloader has come packaged with it. Can anyone shed any light on this? The app is pictured below.

*edit*

Also, looking at the Software Download tool in QPST, it has a setting for Sec Boot 2.0 and probably more. Again, it's pictured below.
Attached images: emmcdownload.jpg, softDL.png, secBoot.jpg
Last edited by dexter35803; 15th August 2012 at 07:09 PM.
16th August 2012, 12:15 AM   |  #314  
E:V:A (Recognized Developer)
Quote:
Originally Posted by dexter35803

Has anyone messed with the Emmc Downloader on QPST

We use Secure Boot 3.0, but this looks very interesting. We should figure out what protocols they use to do these "conversations"... I know some people around here already know a lot about this, in particular Chainfire...

BTW: Did you try hitting the "Qfuse..." button? What happens? (But be very careful!! Dots usually imply another menu, but if they don't in this case... don't blame me for bricking your device!)
16th August 2012, 01:27 AM   |  #315  
E:V:A (Recognized Developer)
Some Questions and Issues, still to be resolved
There are some burning issues that still have not been addressed/resolved that I think may be essential for further unlock development. And unless there are some recent tantalizing developments that I'm not yet aware of, I'd like to see a plan of action. Perhaps something like this.

My Strategy / Way Points:
1. Find out if any Qfuses are blown, and which ones.
(What is the meaning/behavior of the various Qfuses on MSM8960?)
2. If we are not using Qfuses, how are the GPIO boot pins set?
3. If we are using Qfuses, what alternatives do we have to circumvent to reach code execution?
4. What is the meaning of the BOOT_CONFIG pins in (2).
5. How can we change GPIO to do what we want?
a) What do we want?
b) Is this a SW/FW hack or a HW hack?
6. How can we get our code to run?
a) Does it still need to be signed?
b) Where and when should it run?
The Issues
A) What are the:
a) cold-start BOOT_CONFIG settings?
b) warm-start BOOT_CONFIG settings?
We raised this issue in post #212, but we had differing opinions (#206, #217)
of how the MSM_RESOUT_N signal behaves during cold/warm boot. The point
being that the pins' internal pull-up/down strength and behavior is decided
programmatically, while the reference design was updated/changed at some point,
and thus the true behavior was never resolved and verified.

What to do: We need someone to measure what happens on the following
UCP700 pins (see #212) during cold/warm boots, respectively.

Code:
C30     MSM_RESOUT_N, 
AK28    BOOT_CONFIG_6
AH32    BOOT_FROM_ROM

also BC[0:1] to verify...
B) How can we read all the GPIO settings as shown in #228 ?
On the SGS2 running stock GB (and many others), we can simply issue the command:
Code:
cat /sys/kernel/debug/gpio
and the result is in the form:
Code:
...
GPIOs 168-175, GPL0:
 gpio-171 (TSP_LDO_ON          ) out lo
 gpio-172 (GPB                 ) in  lo
 gpio-173 (_3_GPIO_TOUCH_INT   ) in  lo irq-537 edge-falling
 gpio-174 (USB_SEL             ) out lo
...
But this doesn't work on our I535. This is probably because it doesn't have debugfs
mounted by default. This can be fairly easily done, but does not guarantee a positive result anyway.
So how do we do it on this device? We're not sure yet, so we try the following commands to find GPIO info.
Code:
# To find all directories called "gpio":
find / -type d -iname "gpio"

#To find all regular files called "gpio":
find / -type f -iname "gpio"
If you find a regular file called "gpio", try to print it with:
cat /path/to/gpio

What to do: Post the results of the previous commands.

If this still doesn't work, we can try to use the modem to send AT
commands that may show the GPIO settings etc. See below.
C) How to connect to your modem from a PC terminal when connected with USB cable?

This was first discussed in #231 and #235, but without any conclusion, since the user
managed to connect, but only one of his AT commands worked. No follow-up.

The modem AT command interface is firmware (radio) dependent, so the available
commands can vary widely, but generally there is a standard (3GPP TS 27.007)
that the device needs to comply with regarding the minimally supported AT command
set. However, when connected under normal circumstances (with the phone in normal
operation) the AT commands to the modem may be filtered by either the internal
Android device driver, the RIL daemon "drexe", or something like it. Therefore you may
need to put your phone in some kind of service mode, or change the Qualcomm
connection settings to bypass this filter, to have full access to all available
AT commands. It has been suggested that one way to do this on the I535 is using
the "hidden menu", reached by dialing "*#22745927" (???), and then selecting the
"appropriate" settings...

http://forum.xda-developers.com/show...&postcount=317

Or you can try this, which was used for the HTC EVO3D.

For the Sprint SGS3 you have to enter the "IOTHiddenMenu" menu by
dialing "##DIAG#" (##3424#) and then long press "Qualcomm USB Settings".
Then select "DM + MODEM + ADB", as shown here and here, or watch
the movie!

According to that post, for the AOSP SGS3 you can also use:
Code:
# Run as root on the device (adb shell or a terminal emulator).
echo 0 > /sys/class/android_usb/android0/enable               # tear down the current USB composition
echo 04E8 > /sys/class/android_usb/android0/idVendor           # Samsung USB vendor ID
echo 6860 > /sys/class/android_usb/android0/idProduct
echo diag > /sys/class/android_usb/android0/f_diag/clients     # expose the Qualcomm DIAG (DM) port
echo 1 > /sys/class/android_usb/android0/f_acm/instances       # one CDC-ACM serial port for the modem (AT)
echo diag,acm,adb > /sys/class/android_usb/android0/functions  # new composition: DM + MODEM + ADB
echo 1 > /sys/class/android_usb/android0/enable                # bring the new composition up
start adbd
setprop sys.usb.state sys.usb.config   # as posted (sets sys.usb.state to the literal string "sys.usb.config")
To make your settings stick: Use Chainfire's "adbd-Insecure-v1.0.apk" App as posted here.
Then, when you finally have a modem connection, a few basic commands to test are:

Code:
AT              // OK?
ATI             // device info
ATZ             // "reset" modem to default configuration (safe)
ATE1            // turn on echo
ATV1            // turn on verbose results
AT+CLAC         // lists all officially available AT commands
AT+CGMI         // Manufacturing Identification
AT+CGMM         // Model Identification
AT+CGMR         // Firmware Revision

AT$QCDMG        // Should cause phone/modem enter to diagnostic mode. (May be hard to exit...)
These are all standard ("+") AT commands. If all of these work, you are on
the right track. Next we'll look at some specialized ("@", "$", "#", "%")
proprietary AT commands. Qualcomm proprietary AT commands usually have
the format "AT$<command>". However, it's becoming more popular for OEMs to
implement entirely new sets of ATs. For example, Intel/Infineon have a whole
new programmable world (to be discovered). [E.g. try at@help on your XG626.]

For Gobi:

Code:
AT$QCDMG                // Transitions to Diagnostics Monitor (DM) operation
AT$QCDMR=?              // Sets DM baud rate (default 115200)
AT&V                    // Dumps configuration parameters
AT$CNTI*                // Displays the access technology; 
                        // (Proprietary AT commands, AT&T Connection Manager)
According to this source, and for the HTC [(US T-mobile) G2] == [Desire Z] ==
[Vision], we can use the proprietary AT commands:
Code:
AT@EBI_CFG
AT@GPIO_IN?
AT@PMIC_LEVEL
...to get EBI, GPIO, and PMIC info.

<< To Be Continued... >>
Last edited by E:V:A; 16th August 2012 at 01:38 AM.
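The AT exchange described in the post above, as an added example that is not part of E:V:A's post: a small Python client that sends the basic sequence (AT, ATE1, ATV1, ATI, AT+CGMI/CGMM/CGMR, AT+CLAC), reads each response until a final result code (OK, ERROR, +CME ERROR ...), swallows the one echoed command line once ATE1 is on, and refuses to send AT$QCDMG unless explicitly allowed, since the port stops speaking AT after that switch. The modem replies are constructed, not captured from a real I535 modem; to talk to real hardware, replace FakeModem with pyserial's Serial on whichever CDC-ACM node the "DM + MODEM + ADB" composition exposes (the node name used in the usage note is an assumption).

```python
import re

# Final result codes that terminate a response (ATV1 verbose form, as in the post).
FINAL_RE = re.compile(r"^(OK|ERROR|\+CM[ES] ERROR: .*|NO CARRIER|BUSY|NO ANSWER)$")
# Commands that leave AT mode: after AT$QCDMG the port speaks Qualcomm DM, not AT.
MODE_SWITCH = {"AT$QCDMG"}


class FakeModem:
    """Constructed stand-in for a serial port. pyserial's Serial offers the same
    write()/readline() surface, so ATClient does not care which one it gets."""

    def __init__(self, script, echo=False):
        self.script, self.echo, self.buf, self.sent = script, echo, [], []

    def write(self, data):
        cmd = data.decode().strip()
        self.sent.append(cmd)
        if self.echo:                         # echo applies as the command arrives
            self.buf.append(cmd + "\r\n")
        if cmd.upper() == "ATE1":
            self.echo = True
        elif cmd.upper() == "ATE0":
            self.echo = False
        self.buf.extend(l + "\r\n" for l in self.script.get(cmd.upper(), ["ERROR"]))

    def readline(self):
        return self.buf.pop(0).encode() if self.buf else b""   # b"" == read timeout


class ATClient:
    def __init__(self, port, allow_mode_switch=False, max_lines=200):
        self.port, self.allow_mode_switch, self.max_lines = port, allow_mode_switch, max_lines
        self.echo = False   # tracks whether the modem echoes our commands (ATE1)

    def send(self, cmd):
        """Send one command; return (final_code, payload_lines)."""
        cmd = cmd.strip()
        if cmd.upper() in MODE_SWITCH and not self.allow_mode_switch:
            raise PermissionError(f"{cmd} leaves AT mode; pass allow_mode_switch=True")
        self.port.write((cmd + "\r").encode())
        payload, echo_pending = [], self.echo
        for _ in range(self.max_lines):
            raw = self.port.readline()
            if not raw:
                return "TIMEOUT", payload
            line = raw.decode(errors="replace").strip()
            if not line:
                continue
            if echo_pending and line.upper() == cmd.upper():
                echo_pending = False          # the ATE1 echo of our own command, once
                continue
            if FINAL_RE.match(line):
                if line == "OK" and cmd.upper() in ("ATE1", "ATE0"):
                    self.echo = cmd.upper() == "ATE1"
                return line, payload
            payload.append(line)
        return "OVERFLOW", payload

    def probe(self):
        """The basic sequence from the post; stops at the first command that fails."""
        results = {}
        for c in ("AT", "ATE1", "ATV1", "ATI", "AT+CGMI", "AT+CGMM", "AT+CGMR", "AT+CLAC"):
            results[c] = self.send(c)
            if results[c][0] != "OK":
                break
        return results


# CONSTRUCTED replies for the fake modem; not captured from a real device.
SCRIPT = {
    "AT": ["OK"],
    "ATE1": ["OK"],
    "ATV1": ["OK"],
    "ATI": ["Manufacturer: SAMSUNG", "Model: SCH-I535", "OK"],
    "AT+CGMI": ["SAMSUNG", "OK"],
    "AT+CGMM": ["SCH-I535", "OK"],
    "AT+CGMR": ["I535VRALG7B", "OK"],
    "AT+CLAC": ["AT", "ATI", "AT+CGMI", "AT+CGMM", "AT+CGMR", "AT+CLAC", "AT$QCDMG", "OK"],
    "AT@EBI_CFG": ["+CME ERROR: 4"],      # 4 = operation not supported (3GPP TS 27.007)
    "AT$QCDMG": ["OK"],                   # a real port stops answering AT after this
}

if __name__ == "__main__":
    client = ATClient(FakeModem(SCRIPT))
    for cmd, (code, lines) in client.probe().items():
        print(f"{cmd:10} -> {code} {lines}")
```

Against real hardware the only change is the transport, e.g. `ATClient(serial.Serial("/dev/ttyACM0", 115200, timeout=2))` with pyserial installed; the device node is an assumption and depends on which ACM instance the composition created. Keep `allow_mode_switch` off during exploration so a typo cannot drop the port into DM mode.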
16th August 2012, 01:33 AM   |  #316  
LLStarks (Senior Member)
Code:
shell@android:/ # cat /sys/kernel/debug/gpio
GPIOs 0-151, msmgpio:
 gpio-1   (mhl_rst             ) in  lo
 gpio-4   (lcd_22v_en          ) out hi
 gpio-8   (i2c_sda             ) in  hi
 gpio-9   (i2c_clk             ) in  hi
 gpio-10  (bt_host_wake        ) in  lo
 gpio-12  (sda                 ) in  hi
 gpio-13  (scl                 ) in  hi
 gpio-16  (tsp_sda             ) in  hi
 gpio-18  (LDO_BIAS            ) out lo
 gpio-19  (mhl_en              ) in  lo
 gpio-24  (sda                 ) in  hi
 gpio-25  (scl                 ) in  hi
 gpio-32  (sda                 ) in  hi
 gpio-33  (scl                 ) in  hi
 gpio-35  (a2220_wakeup        ) out hi
 gpio-38  (spi_mosi            ) in  lo
 gpio-39  (spi_miso            ) in  lo
 gpio-41  (spi_clk             ) in  lo
 gpio-43  (WL_REG_ON           ) out lo
 gpio-47  (scl                 ) in  hi
 gpio-48  (sda                 ) in  hi
 gpio-49  (Home                ) in  hi
 gpio-50  (Vol Up              ) in  hi
 gpio-52  (wpc-detect          ) in  lo
 gpio-54  (WL_HOST_WAKE        ) in  lo
 gpio-69  (MPUIRQ              ) in  lo
 gpio-71  (sda                 ) in  hi
 gpio-72  (scl                 ) in  hi
 gpio-73  (sda                 ) in  hi
 gpio-74  (scl                 ) in  hi
 gpio-75  (a2220_reset         ) out hi
 gpio-79  (bt_ext_wake         ) out lo
 gpio-81  (Vol Down            ) in  hi
 gpio-82  (bcm4334_bten_gpio   ) out hi
 gpio-92  (nfc_firm            ) out lo
 gpio-95  (sda                 ) in  lo
 gpio-96  (scl                 ) in  lo
 gpio-106 (nfc_int             ) in  lo

GPIOs 152-195, platform/pm8xxx-gpio, pm-gpio, can sleep:
gpio-152 (--          ) in         hi 0x05 0x10 0x24 0x30 0x40 0x58
gpio-153 (--          ) in         hi 0x05 0x10 0x24 0x30 0x40 0x58
gpio-154 (EAR_MICBIAS ) out        lo 0x05 0x18 0x2a 0x34 0x40 0x58
gpio-155 (vib enable  ) out        lo 0x05 0x18 0x2a 0x34 0x44 0x58
gpio-156 (--          ) out        lo 0x05 0x18 0x2a 0x38 0x40 0x58
gpio-157 (gpio_proximi) in         hi 0x05 0x10 0x2a 0x30 0x40 0x58
gpio-158 (--          ) in         hi 0x09 0x10 0x2a 0x38 0x42 0x58
gpio-159 (--          ) out        lo 0x03 0x18 0x2a 0x38 0x42 0x58
gpio-160 (MAG_RST     ) out        hi 0x05 0x19 0x2a 0x38 0x40 0x58
gpio-161 (--          ) off        lo 0x01 0x1c 0x20 0x30 0x40 0x58
gpio-162 (--          ) off        lo 0x01 0x1c 0x20 0x30 0x40 0x58
gpio-163 (--          ) off        lo 0x01 0x1c 0x20 0x30 0x40 0x58
gpio-164 (--          ) off        lo 0x01 0x1c 0x20 0x30 0x40 0x58
gpio-165 (--          ) off        lo 0x01 0x1c 0x20 0x30 0x40 0x58
gpio-166 (IMA_ESD_DET ) in         lo 0x0d 0x10 0x28 0x30 0x40 0x58
gpio-167 (--          ) in         hi 0x05 0x10 0x20 0x30 0x40 0x58
gpio-168 (--          ) in         lo 0x05 0x10 0x20 0x30 0x40 0x58
gpio-169 (TOP_SPK_AMP ) out        lo 0x05 0x18 0x2a 0x38 0x40 0x58
gpio-170 (BOTTOM_SPK_A) out        lo 0x05 0x18 0x2a 0x38 0x40 0x58
gpio-171 (--          ) out        lo 0x01 0x18 0x2a 0x35 0x46 0x58
gpio-172 (nfc_ven     ) out        hi 0x01 0x19 0x2a 0x34 0x40 0x58
gpio-173 (Haptic pwr e) out        hi 0x05 0x19 0x2a 0x34 0x44 0x58
gpio-174 (AV_SWITCH   ) out        lo 0x05 0x18 0x2a 0x38 0x40 0x58
gpio-175 (--          ) out        lo 0x05 0x18 0x2a 0x34 0x46 0x58
gpio-176 (--          ) in         lo 0x01 0x10 0x2a 0x35 0x46 0x58
gpio-177 (--          ) in         lo 0x05 0x10 0x2a 0x30 0x40 0x58
gpio-178 (--          ) out        lo 0x07 0x19 0x2a 0x38 0x40 0x58
gpio-179 (--          ) out        lo 0x01 0x18 0x2a 0x34 0x44 0x58
gpio-180 (--          ) out        lo 0x05 0x10 0x2a 0x38 0x42 0x58
gpio-181 (--          ) out        lo 0x07 0x18 0x2a 0x38 0x42 0x58
gpio-182 (--          ) out        lo 0x01 0x18 0x2a 0x35 0x46 0x58
gpio-183 (--          ) in         lo 0x05 0x10 0x2a 0x30 0x40 0x58
gpio-184 (--          ) in         lo 0x03 0x10 0x2a 0x38 0x42 0x58
gpio-185 (--          ) out        lo 0x09 0x18 0x2a 0x38 0x42 0x58
gpio-186 (US_EURO_SWIT) out        lo 0x05 0x18 0x2a 0x38 0x40 0x58
gpio-187 (--          ) in         hi 0x05 0x10 0x2a 0x30 0x40 0x58
gpio-188 (batt_int    ) in         lo 0x05 0x10 0x2a 0x30 0x40 0x58
gpio-189 (CDC_RESET   ) out        hi 0x05 0x19 0x2a 0x38 0x40 0x58
gpio-190 (--          ) in         hi 0x05 0x10 0x2a 0x30 0x40 0x58
gpio-191 (--          ) out        lo 0x01 0x18 0x2a 0x34 0x44 0x58
gpio-192 (--          ) out        lo 0x05 0x18 0x2a 0x34 0x44 0x58
gpio-193 (ext_otg_sw_e) in         hi 0x05 0x11 0x2a 0x30 0x40 0x58
gpio-194 (disp_rst_n  ) out        hi 0x05 0x19 0x2a 0x34 0x40 0x58
gpio-195 (IMA_ESD_DET ) in         hi 0x0d 0x10 0x2a 0x30 0x40 0x58

GPIOs 196-207, platform/pm8xxx-mpp.0, pm8xxx-mpp, can sleep:
gpio-196 (--          ) sink       lo 0xa0
gpio-197 (--          ) d_out      lo 0x3c
gpio-198 (--          ) sink       lo 0xa0
gpio-199 (--          ) d_out      lo 0x3c
gpio-200 (--          ) a_out      lo 0x85
gpio-201 (--          ) sink       lo 0xa0
gpio-202 (ext_5v_en   ) sink       lo 0xa0
gpio-203 (--          ) a_in       lo 0x6c
gpio-204 (--          ) sink       lo 0xa0
gpio-205 (--          ) sink       lo 0xa0
gpio-206 (--          ) sink       lo 0xa0
gpio-207 (--          ) sink       lo 0xa0
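An added example, not part of either post: a parser for the /sys/kernel/debug/gpio format that item B of post #315 and the I535 dump above both use. It handles the msmgpio lines, the pm8xxx lines with their trailing hex configuration words, the MPP lines (sink / d_out / a_in ...), and the SGS2-style irq-.../edge-... extras, and it can search labels and count how many numbers in each chip's range never appear. That last figure matters for the BOOT_CONFIG question: gpiolib prints a line only for GPIOs that some driver has requested, so the absence of anything named BOOT_CONFIG in the dump above means no kernel driver claimed those pins, not that they do not exist. The samples are excerpts of the two dumps on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Chip header, e.g. "GPIOs 152-195, platform/pm8xxx-gpio, pm-gpio, can sleep:"
CHIP_RE = re.compile(r"^\s*GPIOs (\d+)-(\d+), (.+?):$")
# Pin line, e.g. " gpio-50  (Vol Up              ) in  hi"
#            or "gpio-196 (--          ) sink       lo 0xa0"; labels may contain spaces.
PIN_RE = re.compile(r"^\s*gpio-(\d+)\s+\((.*?)\)\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Pin:
    number: int
    chip: str
    label: Optional[str]    # None when the kernel printed "--" (requested but unlabeled)
    direction: str          # in / out / off / sink / d_out / a_in / a_out ...
    level: str              # lo / hi
    regs: list = field(default_factory=list)    # trailing hex words (pm8xxx config registers)
    extras: list = field(default_factory=list)  # e.g. irq-537, edge-falling


def parse_gpio_debugfs(text):
    """Parse a /sys/kernel/debug/gpio dump into (chips, pins).

    chips: list of (name, first, last); pins: list of Pin, in file order.
    Only lines the kernel printed come back: a number missing from a chip's
    range was never requested by a driver, which is not the same as absent.
    """
    chips, pins, chip = [], [], None
    for line in text.splitlines():
        m = CHIP_RE.match(line)
        if m:
            chip = m.group(3)
            chips.append((chip, int(m.group(1)), int(m.group(2))))
            continue
        m = PIN_RE.match(line)
        if not m or chip is None:
            continue
        label = m.group(2).strip()
        rest = m.group(5).split()
        pins.append(Pin(
            number=int(m.group(1)), chip=chip,
            label=None if label in ("", "--") else label,
            direction=m.group(3), level=m.group(4),
            regs=[int(t, 16) for t in rest if t.startswith("0x")],
            extras=[t for t in rest if not t.startswith("0x")],
        ))
    return chips, pins


def find_pins(pins, pattern):
    """Pins whose label matches a regex (case-insensitive), e.g. r'boot|config'."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in pins if p.label and rx.search(p.label)]


def unrequested_counts(chips, pins):
    """Per chip: how many numbers in its range did NOT appear in the dump."""
    listed = {}
    for p in pins:
        listed.setdefault(p.chip, set()).add(p.number)
    return {name: (last - first + 1) - len(listed.get(name, set()))
            for name, first, last in chips}


def direction_summary(pins):
    """Per chip: count of listed pins by direction word."""
    out = {}
    for p in pins:
        out.setdefault(p.chip, {})
        out[p.chip][p.direction] = out[p.chip].get(p.direction, 0) + 1
    return out


# Excerpt of the I535 dump posted above (post #316), a few lines per chip.
SAMPLE_I535 = """\
GPIOs 0-151, msmgpio:
 gpio-1   (mhl_rst             ) in  lo
 gpio-49  (Home                ) in  hi
 gpio-50  (Vol Up              ) in  hi
 gpio-82  (bcm4334_bten_gpio   ) out hi

GPIOs 152-195, platform/pm8xxx-gpio, pm-gpio, can sleep:
gpio-152 (--          ) in         hi 0x05 0x10 0x24 0x30 0x40 0x58
gpio-154 (EAR_MICBIAS ) out        lo 0x05 0x18 0x2a 0x34 0x40 0x58
gpio-161 (--          ) off        lo 0x01 0x1c 0x20 0x30 0x40 0x58

GPIOs 196-207, platform/pm8xxx-mpp.0, pm8xxx-mpp, can sleep:
gpio-196 (--          ) sink       lo 0xa0
gpio-202 (ext_5v_en   ) sink       lo 0xa0
"""

# Excerpt of the SGS2 (stock GB) form shown in post #315, with irq extras.
SAMPLE_SGS2 = """\
GPIOs 168-175, GPL0:
 gpio-171 (TSP_LDO_ON          ) out lo
 gpio-173 (_3_GPIO_TOUCH_INT   ) in  lo irq-537 edge-falling
"""

if __name__ == "__main__":
    chips, pins = parse_gpio_debugfs(SAMPLE_I535)
    print("BOOT_CONFIG-like labels:", [p.number for p in find_pins(pins, r"boot|config")])
    print("unrequested per chip:", unrequested_counts(chips, pins))
    print("directions:", direction_summary(pins))
```

On a device, feed it the real file (`adb shell cat /sys/kernel/debug/gpio`, mounting debugfs first if the post's caveat applies) and grep the labels; an empty `find_pins` result for BOOT_CONFIG plus a large unrequested count on msmgpio is the expected picture when no driver touches the boot-strap pins.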
16th August 2012, 01:40 AM   |  #317
AdamOutler (OP)
Verizon GS3 is now Bootloader UNLOCKED.
We now have access to an unsecure bootloader. This was leaked by an African-Canadian Sock Monkey.

Let me make this clear. If Samsung updates your device's bootloaders, using this tool could potentially brick your device. Once you apply this, never accept a factory update without first flashing the Odin Packages in the Original Post of this thread. As a general rule, you want to be the last guy to apply any Samsung update. Run custom.

As of the date of this posting, this works great on Linux and it should work wonderfully on Mac too. NOTE: this may work on Windows, but please, Windows users... learn to use your computer before you ask questions on XDA-Developers. This is one-click on Linux and Mac every darn time. If you're using Windows, I recommend downloading the Windows Ubuntu Installer (Wubi) to install Ubuntu from within Windows.

Download
http://d-h.st/ypJ


Instructions:
1. Open this file
2. Select Root with DebugFSRoot and Do It
3. Select Flash Unsecure Aboot and Do It
4. Use Odin or CWM to flash kernels to your device


To flash from device without the above tool:
  • root your device
  • Download this link to your /sdcard/Downloads/ folder: http://d-h.st/Piq
  • Type this in the terminal emulator
    Code:
    su -c dd if=/sdcard/Downloads/aboot.img of=/dev/block/mmcblk0p5

This was tested with a Sprint kernel flashed via Odin. Although the Sprint kernel caused the device to have a blank screen due to hardware incompatibility, it's more than enough for a proof-of-concept. Stock bootloaders will not let you flash improper kernels with Odin and will cause the device not to boot. This corrects the problem. I'll leave implementation to other developers. If you feel uncomfortable flashing this on your own, wait for your favorite kernel developer to release something.

Note to developers: This CASUAL package contains everything you need. A jar can be opened as a zip file. CASUAL format sticks all scripts in the /SCRIPTS/ folder. You can obtain all files needed from within this package, then repackage them into CWM format. In order to avoid a mass brick fest, please apply an assert to your CWM scripts to verify ro.build.version.incremental and do not allow updates past what has been tested. As of the time of this writing I535VRALG7B is safe.

With the unlock of the GS3, this thread is locked. There will be no victory dancing in here. Move along to General or something. This thread will lie dormant until it is needed again in the future. Ralekdev will be releasing another exploit in the future as soon as this one stops working. Feel free to review what was learned until then.

P.S. Sorry to those who I have offended by having posts removed. I'm also sorry to those who had their intelligence insulted before I had both of our posts removed. I hope you understand that in 6 months from now when everyone forgets about this thread but needs to catch back up, the information will still be right here in condensed format.
Last edited by AdamOutler; 9th October 2012 at 03:34 AM.
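An added example, not part of AdamOutler's post or of the CASUAL package: the checks a packager would want around the dd step above and the updater-script assert the post asks for. It refuses to proceed when ro.build.version.incremental is not in the tested set (I535VRALG7B at the time of the post), when the image is empty or larger than the target partition, or when its SHA-256 differs from a known-good value; it verifies the partition read-back after the write; and it emits the edify assert line. The image bytes, the partition size and the untested build string are constructed stand-ins, and the real aboot.img's hash is not on this page, so it is passed in rather than hard-coded.

```python
import hashlib

# The only build the post reports as tested with this aboot image at the time.
TESTED_BUILDS = {"I535VRALG7B"}
PROP = "ro.build.version.incremental"


def preflight(image, partition_size, build_incremental, expected_sha256=None,
              tested=TESTED_BUILDS):
    """Decide whether it is safe to dd `image` over the aboot partition.

    Returns (ok, reasons, sha256hex). Each failed check adds a reason; any
    reason blocks the flash. `partition_size` is the target's size in bytes.
    """
    reasons = []
    digest = hashlib.sha256(image).hexdigest()
    if build_incremental not in tested:
        reasons.append(f"{PROP}={build_incremental} is not in the tested set {sorted(tested)}")
    if not image:
        reasons.append("image is empty")
    elif len(image) > partition_size:
        reasons.append(f"image ({len(image)} B) exceeds partition ({partition_size} B)")
    if expected_sha256 and digest != expected_sha256.lower():
        reasons.append("sha256 mismatch: this file differs from the one that was tested")
    return (not reasons, reasons, digest)


def verify_writeback(readback, image):
    """After dd, the first len(image) bytes read back from the partition must
    equal the image; bytes beyond it are old contents and are not compared."""
    return len(readback) >= len(image) and readback[:len(image)] == image


def edify_assert(allowed, prop=PROP):
    """The updater-script assert the post asks CWM packagers to add."""
    conds = " || ".join(f'getprop("{prop}") == "{v}"' for v in sorted(allowed))
    return f'assert({conds} || abort("untested build, refusing to flash"));'


# CONSTRUCTED stand-in for aboot.img (4 KiB of a byte ramp), not the real image.
IMAGE = bytes(range(256)) * 16
# CONSTRUCTED partition size; on the device read it with blockdev --getsize64.
PARTITION_SIZE = 1024 * 1024

if __name__ == "__main__":
    ok, reasons, digest = preflight(IMAGE, PARTITION_SIZE, "I535VRALG7B")
    print("ok:", ok, "sha256:", digest, "reasons:", reasons)
    print(edify_assert(TESTED_BUILDS))
```

To gather the real inputs on the phone: `getprop ro.build.version.incremental` for the build, `blockdev --getsize64 /dev/block/mmcblk0p5` for the partition size (assumes a busybox with blockdev), and before writing, the reverse of the post's dd (`dd if=/dev/block/mmcblk0p5 of=/sdcard/Download/aboot.bak`) so `verify_writeback` has something to compare against and a restore path exists if the write goes wrong.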
16th August 2012, 01:41 AM   |  #318  
E:V:A (Recognized Developer)
Quote:
Originally Posted by kennyglass123

Thread cleaned
Please remember to only post comments that will directly help move forward of this goal
Thanks
FNM

Thanks, but please don't be too trigger happy. I actually needed to refer to this post... (Or perhaps it wasn't you who removed it?)
9th October 2012, 02:17 AM   |  #319
AdamOutler (OP)
I've reopened this thread upon a report that the CASUAL Jar provided above, which was working two months ago, is now causing bricks. Do not flash on recently updated devices.

Can anyone confirm or deny that the new update kills the CASUAL method above?

I do not have a Verizon Galaxy S3 anymore... However, I have a feeling that because of work in the past by a guy who will surely post below me, a new exploit will not take much time.

False alarm. User was operating a Sprint phone. Game is still on. Thread locked.
Last edited by AdamOutler; 9th October 2012 at 02:25 AM.

Tags: d2vzw, locked bootloader