If we are serious about unlocking the bootloader

Search This thread
By:
Advanced…
T

TMcGrath50

Member
Sep 22, 2013
15
31
I don't know much about QPST, but I've become more familiar lately with eMMc functionality lately. I think it's a long shot, but it's a good idea none the less. I'm trying to correlate base addresses and binaries, and it's a mess.

My question to you Surge: have you ever heard of an OTA introducing a security loophole that didn't exist on older versions? I don't think Sammy has made any deep firmware modifications with the updates, so it's probably a waste of a thought. At least, none deep enough to affect the bootloader level binaries (probably, with the exception of closing the Loki loophole).

Sent from my SCH-I545 using xda app-developers app

---------- Post added at 06:25 AM ---------- Previous post was at 06:19 AM ----------

Do you think there's still anything to be learned from Dan Rosenberg's old S4 exploit?



http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html?m=1


Sent from my SCH-I545 using xda app-developers app
 
  • Like
Reactions: Bait-Fish and Surge1223
Surge1223

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
Alright, I had not seen this part of this thread. Apparently their idea was/is similar to what we are trying to do (when I say we I mean I but hey to each his own lol). Apparently they were going down the same road as me (albeit, they had more knowledge and man power) but stopped pursuing that avenue once Adam posted about the leaked aboot. So currently im waiting/trying to get qpst to give me a signed 8960_msimage.mbn, but even without it I have been able to to get qdload.pl to give me:

Code: 
Sending MAGIC...
Got magic response: 03 00 03
Requesting SoftwareVersion...
sent 0c
received something
Version: PBL_DloadVER2.0
Requesting Bootloader..........
Response: 03 00 06
Requesting Param...
requestParam send ok
Param: 08 08 01 06 00 90 00 00
Sent 0x16
got back something
Uploding file...
I feel like I might be able to get a device unbricked if I can create the signed version, though thats not my main goal. if you click the link above and actually understand what they are talking about then you can probably see what im trying to do..maybe ill try to dump the pbl next see what we can find out.
 
  • Like
Reactions: Bait-Fish
Surge1223

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
TMcGrath50 said:
I don't know much about QPST, but I've become more familiar lately with eMMc functionality lately. I think it's a long shot, but it's a good idea none the less. I'm trying to correlate base addresses and binaries, and it's a mess.

My question to you Surge: have you ever heard of an OTA introducing a security loophole that didn't exist on older versions? I don't think Sammy has made any deep firmware modifications with the updates, so it's probably a waste of a thought. At least, none deep enough to affect the bootloader level binaries (probably, with the exception of closing the Loki loophole).

Sent from my SCH-I545 using xda app-developers app

---------- Post added at 06:25 AM ---------- Previous post was at 06:19 AM ----------

Do you think there's still anything to be learned from Dan Rosenberg's old S4 exploit?



http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html?m=1


Sent from my SCH-I545 using xda app-developers app
Click to expand...
Click to collapse

I'll agree with you on the base addresses and binaries, its a big mess and hard to learn to do. Kudos for joining the effort! As far as security loopholes, I don't know there's alot of firmware updates to go through. Well I posted the link to djrbliss' post in the OP, I think a lot can be learned. Especially by studying the aboot.c file of Little Kernel project. According to Dan they are similar and you can see they are similar from some relevant sections I posted below. The second quote is what djrbliss found out phone's aboot says

Code: 
  kernel_actual  = ROUND_TO_PAGE(hdr->kernel_size,  page_mask);
  ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
  second_actual  = ROUND_TO_PAGE(hdr->second_size,  page_mask);

  dprintf(INFO, "Loading boot image (%d): start\n",
                                kernel_actual + ramdisk_actual);
  bs_set_timestamp(BS_KERNEL_LOAD_START);

  offset = page_size;

  /* Load kernel */
  if (mmc_read(ptn + offset, (void *)hdr->kernel_addr, kernel_actual)) {
                        dprintf(CRITICAL, "ERROR: Cannot read kernel image\n");
                                        return -1;
  }
  offset += kernel_actual;

  /* Load ramdisk */
  if(ramdisk_actual != 0)
  {
  if (mmc_read(ptn + offset, (void *)hdr->ramdisk_addr, ramdisk_actual)) {
  dprintf(CRITICAL, "ERROR: Cannot read ramdisk image\n");
  return -1;
  }
  }
  offset += ramdisk_actual;

  dprintf(INFO, "Loading boot image (%d): done\n",
                                kernel_actual + ramdisk_actual);
  bs_set_timestamp(BS_KERNEL_LOAD_DONE);

  if(hdr->second_size != 0) {
  offset += second_actual;
  /* Second image loading not implemented. */
  ASSERT(0);
  }
Code: 
hdr = (struct boot_img_hdr *)buf;

  image_addr = target_get_scratch_address();
  kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
  ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask) + 0x200;
  imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
 
  memcpy(image_addr, hdr, page_size);
 
  offset = page_size;

  /* Load kernel */
  if (mmc_read(ptn + offset, (void *)hdr->kernel_addr, kernel_actual)) {
    dprintf(CRITICAL, "ERROR: Cannot read kernel image\n");
    return -1;
  }

  memcpy(image_addr + offset, hdr->kernel_addr, kernel_actual);

  offset += kernel_actual;

  /* Load ramdisk */
  if (mmc_read(ptn + offset, (void *)hdr->ramdisk_addr, ramdisk_actual)) {
    dprintf(CRITICAL, "ERROR: Cannot read ramdisk image\n");
    return -1;
  }

  memcpy(image_addr + offset, hdr->ramdisk_addr, ramdisk_actual);

  offset += ramdisk_actual;
 
Gator Brah

Gator Brah

Senior Member
Sep 24, 2013
156
28
Surge1223 said:
I know the bootloader will probably never be unlocked unless we get a leak. In my mind I don't see it as "we did get the LOKI workaround.." We didn't do anything, djrbliss gifted it to us. In the mean time ill continue to seek all avenues available to find an exploit. It already took me months to figure out how to use ida correctly, then figure out how and what base addressess correspond to which binaries and thats still a gigantic WIP. Along the way I learned what where and how the bootloaders worked, and now im just trying to get more ideas to try. I've collected Qualcomm pdfs, some of which I don't even think E:V:A has, and read through them. I realize how the emmc might be able to help us and I think its worth exploring. I know not many people know how to use QPST, or whatever but I'm only posting what I'm doing here so that if people find a fault in what im doing they can help me correct it or recommend alternatives. Also I didn't take the OTA. I have an MDK phone, but having an MDK phone doesn't mean we should just give up.
Click to expand...
Click to collapse

I HAD an mdk phone...froze the update apk's and all...had everything i dreamed of on that baby. Then the screen cracked..then the screen cracked again...then it got dropped into a pool. Im on my 4th S4 and not one of them has been on MDK since the first one. Its heartbreaking. I'm extremely grateful to have SS at the least but for me, aosp roms are where its at.

I appreciate all the hard work hashcode has put in (donated for SS) and would gladly donate to you fellas on this endeavor.
 
T

TMcGrath50

Member
Sep 22, 2013
15
31
Ah, I really need to brush up on my programming. Shouldn't be too bad. I'm going to see what I can dig up in the next few days from LKP. I'll be slow though, I'm swamped with school work right now.

Sent from my SCH-I545 using xda app-developers app
 
  • Like
Reactions: Froryrory
F

Froryrory

Senior Member
Oct 31, 2013
67
70
TMcGrath50 said:
Ah, I really need to brush up on my programming. Shouldn't be too bad. I'm going to see what I can dig up in the next few days from LKP. I'll be slow though, I'm swamped with school work right now.

Sent from my SCH-I545 using xda app-developers app
Click to expand...
Click to collapse

What school work? Maybe I can lighten the load with the math and/or engineering portion. LMK...
 
T

TMcGrath50

Member
Sep 22, 2013
15
31
On h311sdr0id's method

I've been meaning to comment on this for a long time. h311sdr0id suggested using the GS4 JTAG. JTAG is a dark, evil place. You will brick your phone. Or at least, I've bricked a phone trying to implement JTAG.

Essentially, this is what it does: JTAG is a hardware implementation that allows a manufacturer to hard reset a device and install its stock firmware back on the device. It puts the phone in software "no man's land," waiting for you to push an image to it. In short answer, probably, it would probably be possible to exploit the JTAG to reset the device and push MDK from QDL. BUT I've never seen anyone try to implement a JTAG exploit around a qfuse. That qfuse would complicate things exponentially... without an unbrick.img and a modified MDK tar, I have no clue how to implement it. Surge, can you get the signed 8960_msimage.mbn? If we could unbrick with the signed version, it might be possible.

My story: I use to have a Droid Charge, and a little bit of knowledge in electrical engineering. JTAG is a hardware piece, which requires hooking up a circuit to reset the phone. I had my circuit, it exploited, and then got stuck in QDL. I didn't have any unbrick method at the time, and the bootloader was still uncracked. Since then, the bootloader has become unlocked, so I could probably find a way to push an old firmware to the phone to get it up and running, but then I got a GS4 and gave up.

Now that being said, h311sdr0id claims to have pushed it into JTAG mode and brought it back into MDK. I suppose he didn't trip qfuse. No one's heard from him in a long time though. But I'm not sure how he implemented it--did he use a reset circuit to bring it to JTAG, like they did here: http://xdaforums.com/showthread.php?t=1000175 Or did he use a soft circuit parallel? There's no telling. But either way, JTAG is no place that the lay programmer should be. Even if we used his method and could successfully push MDK, I'd imagine there might be 11 people with this phone who could take advantage of it.

---------- Post added at 01:39 AM ---------- Previous post was at 01:34 AM ----------

Everyone please see the link I put in that post. It shows the JTAG process for the Captivate. My Charge had a similar method--you had to use a hard (physical) circuit to exploit JTAG.

Surge, everything I said in the above post was assuming the JTAG process was similar; that you needed a hard circuit and EE skills. But that being said, there are some devices where JTAG can be reset with a soft (programming) circuit. All devices have JTAGs. My PS3, for example, has a soft circuit. If the bootloader on it were unlocked, you could stick that thing in JTAG mode from your computer. My TV's JTAG, however, requires a hard circuit. If this phone would only require a soft circuit, one skilled programmer could make a tool that would exploit it and push MDK in Odin....

But my old Charge required a hard circuit, just like the captivate. It would seem Samsung likes hard JTAGs. And if that's the case, I wouldn't focus efforts too much on that approach, it's just not universal enough.
 
  • Like
Reactions: th3bl3d and Bait-Fish
Surge1223

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
TMcGrath50 said:
I've been meaning to comment on this for a long time. h311sdr0id suggested using the GS4 JTAG. JTAG is a dark, evil place. You will brick your phone. Or at least, I've bricked a phone trying to implement JTAG.

Essentially, this is what it does: JTAG is a hardware implementation that allows a manufacturer to hard reset a device and install its stock firmware back on the device. It puts the phone in software "no man's land," waiting for you to push an image to it. In short answer, probably, it would probably be possible to exploit the JTAG to reset the device and push MDK from QDL. BUT I've never seen anyone try to implement a JTAG exploit around a qfuse. That qfuse would complicate things exponentially... without an unbrick.img and a modified MDK tar, I have no clue how to implement it. Surge, can you get the signed 8960_msimage.mbn? If we could unbrick with the signed version, it might be possible.

My story: I use to have a Droid Charge, and a little bit of knowledge in electrical engineering. JTAG is a hardware piece, which requires hooking up a circuit to reset the phone. I had my circuit, it exploited, and then got stuck in QDL. I didn't have any unbrick method at the time, and the bootloader was still uncracked. Since then, the bootloader has become unlocked, so I could probably find a way to push an old firmware to the phone to get it up and running, but then I got a GS4 and gave up.

Now that being said, h311sdr0id claims to have pushed it into JTAG mode and brought it back into MDK. I suppose he didn't trip qfuse. No one's heard from him in a long time though. But I'm not sure how he implemented it--did he use a reset circuit to bring it to JTAG, like they did here: http://xdaforums.com/showthread.php?t=1000175 Or did he use a soft circuit parallel? There's no telling. But either way, JTAG is no place that the lay programmer should be. Even if we used his method and could successfully push MDK, I'd imagine there might be 11 people with this phone who could take advantage of it.

---------- Post added at 01:39 AM ---------- Previous post was at 01:34 AM ----------

Everyone please see the link I put in that post. It shows the JTAG process for the Captivate. My Charge had a similar method--you had to use a hard (physical) circuit to exploit JTAG.

Surge, everything I said in the above post was assuming the JTAG process was similar; that you needed a hard circuit and EE skills. But that being said, there are some devices where JTAG can be reset with a soft (programming) circuit. All devices have JTAGs. My PS3, for example, has a soft circuit. If the bootloader on it were unlocked, you could stick that thing in JTAG mode from your computer. My TV's JTAG, however, requires a hard circuit. If this phone would only require a soft circuit, one skilled programmer could make a tool that would exploit it and push MDK in Odin....

But my old Charge required a hard circuit, just like the captivate. It would seem Samsung likes hard JTAGs. And if that's the case, I wouldn't focus efforts too much on that approach, it's just not universal enough.
Click to expand...
Click to collapse

Im working on getting the 8960_msimage.bin. Problem is you need the right version of qpst and the right xml files that i mentioned/attached earlier. From what ive read, qpst should be able to communicate with the phone in qdl and rewrite partitions. Im pretty sure that a soft circuit software implementation exists for the i9505 see here ( http://forum.legija.net/showthread....-galaxy-S4-(i9505-and-similar)-via-USB-Cable?) otherwise how would that be possible?

With that being said, I believe you bring up a good point. We need to test debrick.imgs before we can test anything. Maybe I should start a WIP thread on the side to create Debrick.imgs while we continue to do the hard research here.

Sent from my DROID RAZR using XDA Premium 4 mobile app
 
  • Like
Reactions: Bait-Fish and Froryrory
T

TMcGrath50

Member
Sep 22, 2013
15
31
Surge1223 said:
Im working on getting the 8960_msimage.bin. Problem is you need the right version of qpst and the right xml files that i mentioned/attached earlier. From what ive read, qpst should be able to communicate with the phone in qdl and rewrite partitions. Im pretty sure that a soft circuit software implementation exists for the i9505 see here ( http://forum.legija.net/showthread....-galaxy-S4-(i9505-and-similar)-via-USB-Cable?) otherwise how would that be possible?

With that being said, I believe you bring up a good point. We need to test debrick.imgs before we can test anything. Maybe I should start a WIP thread on the side to create Debrick.imgs while we continue to do the hard research here.

Sent from my DROID RAZR using XDA Premium 4 mobile app
Click to expand...
Click to collapse

Wow, that thread was really interesting. Did you notice that it was for i9505, and h311sdr0id comment on the forum and asked if it would work for I545? That thread must have been his inspiration for trying to apply that same method to I545.

That being said, you're right. It looks like you can use a soft method to put the phone into JTAG mode. That's phenomenal news, if someone knew how to do it. It looked like h311sdr0id was really close if he didn't actually succeed. But if we could get the phone into JTAG mode, we could probably get the phone into QDL mode and push commands via E:V:A or some other method to install a modified MDK.

But yes, we would absolutely need the debrick.imgs before we could really count on that idea. I'm not sure what JTAG mode is like on the GS4, but on my old phone, JTAG'ing the phone put it into a hard brick mode, and you HAD to have the debrick.imgs to restore it. JTAG mode literally bricked the phone. But once we had those imgs, we could get it into QDL mode and flash a bootloader from there. (I never did that, like I said in my old post). JTAG'ing I545 might put it into a hard brick that requires a debrick.img, though h311sdr0id seemed to get it out and back to MDK.

So we have two options: 1) Get a hold of h311sdr0id, and ask him how he implemented JTAG, or 2) start a WIP thread on the side for getting the debrick.imgs and wing it ourselves.
 
Surge1223

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
TMcGrath50 said:
Wow, that thread was really interesting. Did you notice that it was for i9505, and h311sdr0id comment on the forum and asked if it would work for I545? That thread must have been his inspiration for trying to apply that same method to I545.

That being said, you're right. It looks like you can use a soft method to put the phone into JTAG mode. That's phenomenal news, if someone knew how to do it. It looked like h311sdr0id was really close if he didn't actually succeed. But if we could get the phone into JTAG mode, we could probably get the phone into QDL mode and push commands via E:V:A or some other method to install a modified MDK.

But yes, we would absolutely need the debrick.imgs before we could really count on that idea. I'm not sure what JTAG mode is like on the GS4, but on my old phone, JTAG'ing the phone put it into a hard brick mode, and you HAD to have the debrick.imgs to restore it. JTAG mode literally bricked the phone. But once we had those imgs, we could get it into QDL mode and flash a bootloader from there. (I never did that, like I said in my old post). JTAG'ing I545 might put it into a hard brick that requires a debrick.img, though h311sdr0id seemed to get it out and back to MDK.

So we have two options: 1) Get a hold of h311sdr0id, and ask him how he implemented JTAG, or 2) start a WIP thread on the side for getting the debrick.imgs and wing it ourselves.
Click to expand...
Click to collapse

Yeah, the first time I read that I came to the same conclusion and was suprised when I saw his name. Since h311sdr0id is locked up I guess we'll have to start option 2. Ill start a thread tonight or tomorrow.

P.S. - I took a "deeper" look into that i9505 debrick .exe and noticed it uses a MPRG8064.hex and 8064_msimage.bin when its executing. I thought the international version had similar specs to ours? IDK but maybe I should be trying to use a 8064_msimage.bin instead of 8960_msimage.bin..

Sent from my SCH-I535 using XDA Premium 4 mobile app
 
T

TMcGrath50

Member
Sep 22, 2013
15
31
Good point. I'm not really sure. I would think that the i9505 would be identical. Where did you get the impression that you should use the 8960 images?

Sent from my SCH-I545 using xda app-developers app
 
Surge1223

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
TMcGrath50 said:
Good point. I'm not really sure. I would think that the i9505 would be identical. Where did you get the impression that you should use the 8960 images?

Sent from my SCH-I545 using xda app-developers app
Click to expand...
Click to collapse

A lot of reasons, one being our board is msm8960. But ive gotten confirmation its 8064 from some reliable info.

Sent from my SCH-I535 using XDA Premium 4 mobile app
 
Last edited:
  • Like
Reactions: scryan
Fu5ion

Fu5ion

Senior Member
Nov 10, 2012
222
82
Boston, MA
I wish the other one hadn't gotten locked up. Imagine how big it'd be by now.

Sent from my SCH-I545 using Tapatalk
 
T

TMcGrath50

Member
Sep 22, 2013
15
31
Surge, I've been looking into a JTAG exploit, and this might be a lot more promising than I thought. It absolutely depends on the debrick.imgs, though. And whipping out a modified MDK image to push. Maybe using E:V:A. (I know nothing about that, but it's a method you brought up to pursue.) I've gotta figure out how he got around the qfuse, though. It seems like the method would trip it every time...

But I've confirmed that there *could be* a soft circuit JTAG on all GS4 models. That's great news, but it means that if we can find an exploit, we'd have to build an executable, using ODIN, to flash this stuff. It would, most likely, end up being far too long and risky of a process to leave to simple directions.

More news will come as my investigation deepens.

Sent from my SCH-I545 using xda app-developers app
 
Last edited:
  • Like
Reactions: warrenstimpy, Mightycaptain, Bait-Fish and 5 others
Surge1223

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
TMcGrath50 said:
Surge, I've been looking into a JTAG exploit, and this might be a lot more promising than I thought. It absolutely depends on the debrick.imgs, though. And whipping out a modified MDK image to push. Maybe using E:V:A. (I know nothing about that, but it's a method you brought up to pursue.) I've gotta figure out how he got around the qfuse, though. It seems like the method would trip it every time...

But I've confirmed that it's a soft circuit JTAG on all GS4 models. That's great news, but it means that if we can find an exploit, we'd have to build an executable, using ODIN, to flash this stuff. It would, most likely, end up being far too long and risky of a process to leave to simple directions.

More news will come as my investigation deepens.

Sent from my SCH-I545 using xda app-developers app
Click to expand...
Click to collapse

Im glad you said that because i was just going to post that i needed help building an .exe file. ill update this post in a little bit

Update:

Okay I think I have the files we need for building the executable, this executable at this point needs to prove it can debrick a phone before we can even think exploits. My MDK is in QDL mode, I intentionally put it there and have the means to JTAG it later if needed (plus I don't use it on a daily basis I use my razr and S3 more often). Now I'm going to have to ask someone for a debrick image because:

1. I don't trust my usb ports
2. My attempt at using my own debrick image didn't work

What this means:

  • We need someone who is more knowledgeable at reverse engineering/ can help build an .exe file that will execute files in a certain order or way (this might not be necessary as I can probably learn how to do it tonight after doing some research but if someone is good at both reverse engineering and building .exe's it'd be helpful.)
  • I need someone on MDK with an MDK non-hlos and modem (doesnt matter if its a custom rom or not though) to build a debrick image and they will have to have a linux machine (or live cd) and I can give them instructions, ive asked people for this before but this time its going to be a larger file just to make sure (probably 500MB). Note: You will be giving me some personal information if we use this method, but I'll remove it and use my own efs I have backed up so no worries and I promise I wont repost/look into your info (ill delete it immediately).
If you fit the profile of either of the above PM me.
 
Last edited:
  • Like
Reactions: JavaManRules-GS4, Mightycaptain, Bait-Fish and 4 others
You must log in or register to reply here.

Similar threads

open1your1eyes0
  • Locked
[BOUNTY] New Root Method Exploit or Full Bootloader Unlock ***Updated Daily***
Replies
2K
Views
452K
KennyG123
KennyG123
invisiblek
[ROM][Official][4.3] CyanogenMod 10.2 for the Verizon Galaxy S4
Replies
3K
Views
542K
Ibuprophen
Ibuprophen
invisiblek
[ROM][Official][4.4.4] CyanogenMod 11.0 Nightlies for the Verizon Galaxy S4 (jflte)
Replies
4K
Views
399K
D
Deleted member 11818907
V
[HOWTO] Enable Hidden Menus for Verizon Galaxy S4
Replies
122
Views
413K
ryanallaire
ryanallaire
open1your1eyes0
[GUIDE] Root for Verizon Galaxy S4 ***VRUAME7 Build Only!***
Replies
650
Views
364K
P
pagerj

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 64
    Surge1223
    Surge1223
    Scroll down for recent updates;

    Has anyone ever heard more from h311sdr0id about his post (see here) to get more info about this "state" that allows you to flash MDK over ME7 in Odin? I'm curious to see if we can use that state, maybe in QDL mode to somehow either push an image to the phone or communicate with it using some methods/commands that E:V:A refers to on this page and a few pages after and before. It's also possible that we then might be able to use a modified unbrick.img (see here) to restore an MDK bootloader. So far those are the two ideas that I think have the best chance.

    Also in this thread I started with the intention of compiling the entire stock firmware for the Dev edition (OYUAMDK), I mentioned at the bottom that when flashing the stock MDK restore Odin tar on an ME7 phone users usually get a "SW REV. CHECK FAIL: FUSED: 3, Binary: 1" message meaning that your current fuse counter in aboot is set to 3 but the binary your attempting to flash is set to 1 so the flashing attempt will fail and I'm willing to bet if you're on VRUDMI1 and you attempt to flash the MDK restore you will get a similar message but the FUSED: value will be set to 4, you can see the counter upped in this post from jeboo here. However, with flashing the dev OYUAMDK aboot file on S4's with a ME7 bootloader users will receive a "SECURE CHECK FAIL: aboot" message instead, I don't know if we might be able to use dev OYUAMDK aboot file and bypass the fused counter entirely, since the dev edition has an unlocked bootloader and the fuse is an efuse, so software enforced, not a hardware enforced qfuse. If anyone wants to go into more detail, or wants to expand on these ideas we I can expand on this info or we can collaborate ideas in the Dev discussion thread.

    Other points to consider:

    • If you know how to use IDA pro, and can help with the base address of the binaries, that is probably our best bet to find a vulnerability in aboot, you can see jeboo and djrbliss discuss this a bit (here) and you can see Ralekdev show his findings here, also this gives the explanation of why you see the "custom unlock" boot screen that people constantly post about in the Q&A thread. Both of these threads along with djrbliss' blog discussing the S4 aboot vulnerability that lead to Loki (here), and exploiting the TrustZone (tz.mbn) on Moto's bootloaders (here) are good starting points in trying to find a new vulnerability.
    • If you know how to hexedit, then hexedit aboot.mbn from MDK, ME7, OYUAMDK, and MI1. You can see ME7 and MI1 are similar in both size and content, while MDK and OYUAMDK are more similar to each other in size and content. Obviously OYUAMDK differs from the others in the way it checks the recovery and boot partitions, (in djrbliss' blog on the S4 exploit he says "This bootloader differs between "locked" and "unlocked" variants of the Galaxy S4 in its enforcement of signature checks on the boot and recovery partitions.") but we are able to flash all bootloader partitions from the OYUAMDK firmware restore Odin file I made except aboot, so if you have any ideas on how we might be able to exploit any of that, please feel free to share.
    • If you do hexedit a dd'ed partition (if you copy mmcblk0p6 from your phone to your pc) you will see that its padded with zeroes at the end. You have to cut the padded zeros from the dd'ed image in order for the partition to be registered as a signed partition in Odin, etc. To do this, use Linux, open a terminal and type
      Code: 
      sudo apt-get install hexedit
      then enter your password and hit enter. Then go to the folder that contains the partitions you want to hexedit (for instance type cd /home/Your user name folder/Desktop/S4partitionbackups/" where "your user name folder" is whatever your username is and "S4partitionbackups" is a folder you create on your desktop containing a backup of your partitions) If you don't have a back up of your partitions you can create them using something like the command below, substituting mmcblk0p6 and aboot.mbn with the partition(s) you are interested in.
    Code: 
    adb shell su -c 'dd if=/dev/block/mmcblk0p6 of=/sdcard/backup/aboot.mbn'
    then
    Code: 
    adb pull /sdcard/backup/aboot.mbn /home/Your user name folder/Desktop/S4partitionbackups/
    then
    Code: 
    cd /home/Your user name folder/Desktop/S4partitionbackups/
    Code: 
    hexedit aboot.mbn
    Quick guide on Hexedit controls/keys

    • shift+> will take you to the end of the hex file
    • shift+< will take you to the beginning
    • page up/page down it will take you up a page and down a page respectively
    • ctrl+c you will exit the hex file without saving any changes
    • esc+t you will truncate the file at the current location
    • ctrl+x you will save the file with all changes you have done.
    This is an example of a padded aboot.mbn, before hexediting, and prior to truncating the file a at the first "0" in the string "00 01" found between the end of the actual file and the padded zero's and repeating F's
    View attachment 2353922
    This is an example of a properly signed aboot.mbn after hexediting
    View attachment 2353923

    How to find start addresses

    First you have to open the selected bootloader with a hex file editor and look at the header, converting for little endian you can find the start addresses and offsets

    Code: 
    [B]sbl1.mbn = 0x2a000000[/B]
00000000   D1 DC 4B 84  34 10 D7 73  15 00 00 00  FF FF FF FF  ..K.4..s........
00000010   FF FF FF FF  50 00 00 00  [COLOR=Red]00 00 00 2A[/COLOR]  40 72 01 00  ....P......*@r..
00000020   40 41 01 00  40 41 01 2A  00 01 00 00  40 42 01 2A  @A..@A.*....@B.*
00000030   00 30 00 00  01 00 00 00  04 00 00 00  FF FF FF FF  .0..............

[B] sbl2.mbn = 0x2e000000[/B]
00000000   16 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 00 2E[/COLOR]  ................
00000010   40 51 02 00  40 20 02 00  40 20 02 2E  00 01 00 00  @Q..@ ..@ ......
00000020   40 21 02 2E  00 30 00 00  12 00 00 EA  5F 00 00 EA  @!...0......_...
00000030   62 00 00 EA  65 00 00 EA  68 00 00 EA  6B 00 00 EA  b...e...h...k...

[B] sbl3.mbn = 0x8ff00000[/B]
00000000   18 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 F0 8F[/COLOR]  ................
00000010   20 20 04 00  20 EF 03 00  20 EF F3 8F  00 01 00 00    .. ... .......
00000020   20 F0 F3 8F  00 30 00 00  D3 F0 21 E3  D3 F0 21 E3   ....0....!...!.
00000030   00 70 A0 E1  09 02 A0 E3  00 D0 A0 E1  DB F0 21 E3  .p............!.

[B] aboot.mbn = 0x88e00000 offset = 0x285[/B]
00000000   05 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 E0 88 [/COLOR] ................
00000010   10 56 14 00  10 25 14 00  10 25 F4 88  00 01 00 00  .V...%...%......
00000020   10 26 F4 88  00 30 00 00  06 00 00 EA  F0 38 00 EA  .&...0.......8..
00000030   F6 38 00 EA  FC 38 00 EA  02 39 00 EA  08 39 00 EA  .8...8...9...9..

[B] tz.mbn = 0x2a000000[/B]
00000000   19 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 00 2A[/COLOR]  ...............*
00000010   C4 3A 03 00  C4 09 03 00  C4 09 03 2A  00 01 00 00  .:.........*....
00000020   C4 0A 03 2A  00 30 00 00  09 00 00 EA  90 F2 9F E5  ...*.0..........
00000030   90 F2 9F E5  90 F2 9F E5  90 F2 9F E5  84 F2 9F E5  ................

[B] rpm.mbn = 0x00020000[/B]
00000000   17 00 00 00  03 00 00 00  00 00 00 00 [COLOR=Red] 00 00 02 00[/COLOR]  ................
00000010   38 57 02 00  38 26 02 00  38 26 04 00  00 01 00 00  8W..8&..8&......
00000020   38 27 04 00  00 30 00 00  06 00 00 EA  1E 00 00 EA  8'...0..........
00000030   2C 00 00 EA  39 00 00 EA  46 00 00 EA  53 00 00 EA  ,...9...F...S...
    EDIT: 2/01/2014 - Updated OP to include where we're at

    2/01/2014

    1. Figuring out what Hellsdroid's method was - Unfortunately this seems unlikely as of now (figuring out what he did that is) On the other hand, @TMcGrath50 and I discussed a method we thought to be similar to his starting around here and then I learned how to use ida better as time went on and recently disassembled that I9505 S4 USB repair tool. I have not done a thorough analysis of the pseudocode yet though. But even so, this method has never been done before (as far as I know) and 
in addition to assuming the information in the pic below is true, and we can in fact reset the emmc on our devices with Secure Boot 3.0 (would this be a way of getting around having to reset the Secure Boot bit in the pbl to "0"?) I still think this idea needs to be refined a bit before its worth exploring because some questions remain in regards to if it would even work in the first place. For example, when a JTAG solution was tested previously, the VRUAMDK aboot.mbn didn't flash on a device with VRUAME7 after all the partitions were wrote over with VRUAMDK partitions via JTAG, why? @jeboo may be able to help answer that.

    Also, it was previously questioned whether or not the flash programmer (8064 hex) would need to be signed or not. As I have two S4's one thats working and one in QDL QHSUSB dload mode, in doing some recent testing through usb (S4 to S4) I was able to get some info back about my bricked S4, namely that I had sent it the wrong hex file ( see the last line here) because the dmesg and last_kmsg logs say something to the effect of "the the cpu clocks cannot start because its configured for the wrong device" and the last line from the my pastebin post says "8660" among other things as well.

    Status - Unknown - More Research Required


    pCgmFhal.png


    2. Using a Developer edition S4 to unlock a retail S4 - So here's what we know, the dev kernel (boot.img) is flashable and will work with retail S4's, but the recovery.img and aboot will not. Flashing the dev recovery.img will succeed in Odin/Heimdall, but if you try to boot into recovery it will inform you that your device is "tampered" and and will void your warranty by setting the Knox warranty bit to 0x1. Before I discuss why aboot.mbn wont flash consider this; neither the Developer edition of the GS4 nor the Developer edition of the Note 3 has every received an OTA or a factory Odin tar. This is not by random chance. Every Developer edition owner has a unique MD5 for their aboot. If you couple this with the fact that Dev edition devices have retail stickers under their dev stickers, you will probably come to the conclusion that Samsung/Verizon/AT&T haven't released updates to dev devices because they would have to do it on a 'per device' basis, that or risk handing us a method to convert retail devices into developer edition devices. If the method by which Samsung uses device specific info to sign developer edition aboot partitions were discovered this may work, or if their method to determine if a device is a developer edition or consumer retail edition is similar to what Dan R (djrbliss) took advantage of then this could be a possibility.
    3,4,5,6, coming up....updating...this will be a long post...advance warning.

    Status - Possibly - More Research Required
    View
    47
    Surge1223
    Surge1223
    Happy one year anniversary. I can't believe I wrote the OP one year ago today, I've learned so much since then, in fact im embarrassed to read the OP because reading it now I realize I didnt know much back when this thread started however ive learned a lot since then and thats mostly due to the contributions made in this thread and the people I have met here, so I just wanted to take a moment and say Thanks. :)

    #stillfightin
    View
    37
    Surge1223
    Surge1223
    RuggedHunter said:
    Any answer would just be a guess. My guess is ryanbg is feeling lonely on this project now...my hunch is that surge has moved on but the unsolved problem will bug him until it's solved, so his foot's in the door still... just a guess, I don't know either one personally. I think either one of them or any other dev is likely working on newer bootloaders... so maybe there's more effort on nc5 right now than on <mk2. Then again maybe a vulnerability is discovered for one of the older bootloaders and was patched in the newer ones.

    I'm sticking on mk2. My favorite ROM works best with the version for that bootloader, and if an unlock for a newer bootloader is ever available, I'll just upgrade at that point.
    Click to expand...
    Click to collapse

    Not moved on... just been busy and didn't have anything useful to contribute..until today anyways.

    I finally was able to re-patch the live kernel to allow insecure modules again. Meaning kexec and trustzone vulnerabilities are back on the table.

    The method I used to evoke the patch to the kernel is somewhat involved so I'll release it as a small apk or binary soon. For the time being this only effects vzw users, since I didn't check the att kernel.
    View
    36
    Surge1223
    Surge1223
    Cripes, we used to self-police well enough in here, lately thats not the case. Lets get our crap together before we lose this thread. Everyone here is smart enough to know if their post is useful or not, grow up people. We're giving this all the we've got, be patient. Other devs and I are in constant communication, not by pm but mostly through other means. Listen I know some of you may be frustrated with my lack of posting new info but just know that there are watching eyes on this thread that we don't want. Take the OYUAMDK thread I posted in original development, Samsung knows about that thread and I know that for a fact. I went to Best Buy and asked a Samsung rep (in the Samsung dept/area) how dev edition devices could get updates and the guy had no idea who I was but I started talking to him and he casually got more friendly and told me "Hey listen, I know theres no official dev stock images but check the XDA threads" then told me exactly where to check and said Samsung doesn't officially give dev device updates but knows they can be made/extracted, he said "someone already extracted it for the S4" so he essentially directed me to my own thread without knowing who I was. So theres a reason some stuff isn't posted here, please understand that. Also some of you are worried since there are no updates on kexec, I can confirm its being worked on.


    TLDR - Hold your horses

    Edit: Also we're working on some stuff today, I'll post an update tonight.
    View
    36
    Surge1223
    Surge1223
    Ok that's it. Its become apparent to me that far too many people are under the impression that the "bootloader" is a single entity, and that it is just too complex to understand. This is unacceptable to me. I had no idea what a bootloader was before I got this S4. Im going to detail the process first with a general overview, then again in more detail. Plus I dont see the current threads on this topic that include all we know, like the hexagon modem/kernel and the function of the tz and sbl2 are way over generalized. And discussion of the device cookie is completely missing. Ill post it in a new thread thread and link it here when im done.

    Sent from my SCH-I545 using XDA Premium 4 mobile app
    View

New posts