R&D - Potential Stock Bootloader Unlocking Functionality

OP eschelon

1st February 2013, 06:32 AM   |  #1  
OP Recognized Developer

Team Synergy, namely TrevE and myself, have discovered a potential stock bootloader unlocking mechanism that may be useful in unlocking the bootloader in the Verizon Galaxy S3, as well as numerous other devices, including but not limited to, the Note 2 and the Galaxy Stellar. This is currently an R&D thread, and its purpose is to investigate the potential of the mod.

First and foremost, if this mod truly is successful in unlocking the bootloader on one or more devices, ALL credit MUST be directed to Team Synergy for the unlock, as it was first posted here by our team: http://forum.xda-developers.com/show...ostcount=16666. Do not kang or try to pass off our work as your own.

Be advised that we have not fully tested this mechanism and have no idea what repercussions may result. As such, Team Synergy will not be liable for any consequences whatsoever.

But those who wish to give this a try on this device or others need to try the following:



Type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE

Then enable the hidden menu on the device when it pops up.

Then type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL



This should throw up a popup like the image shown above. In theory, accepting this should run a hash check against your device keys, then continue to unlock the bootloader.

This code does not exist on all carriers, but it is definitely present in Verizon stock ROMs. Those who are brave enough to try, please post your results in the thread.

TrevE has more details in the post below.
Last edited by eschelon; 1st February 2013 at 06:43 AM.
The Following 23 Users Say Thank You to eschelon For This Useful Post: [ View ]
1st February 2013, 06:33 AM   |  #2  
Retired Recognized Developer
Few quick facts about what is known about this stock bootloader unlock mode-
  • APK that controls this is hiddenmenu.apk
  • uses libuck for something
  • SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
  • Key might be hashed with deviceID and checked using Luhn (https://en.wikipedia.org/wiki/Luhn_algorithm)

Other hidden menu commands we stumbled upon unrelated to unlock that might be useful
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://GlobalHmenu -- Global Hidden Menu
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://STEALTHMODE -- The fk? Some LTE test mode
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PORTMAP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MEID -- MEID info
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TLAUNCHER -- Tool Launcher Enable
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MSL_Checker
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PROGRAM -- Sysscope status
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TESTMODE
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TTY
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PUTIL
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://diag_msl
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setMTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDIS
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRMNETDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TEST
Last edited by TrevE; 1st February 2013 at 07:14 AM.
The Following 14 Users Say Thank You to TrevE For This Useful Post: [ View ]
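
Added example (not part of the thread and not Team Synergy's or Samsung's code): a short audit that lists which `android_secret_code://` hosts an app's receivers listen for and whether any sender permission guards them, which is what determines whether the `am broadcast` commands above work from an unprivileged shell. It assumes the manifest has already been decoded to text XML (for instance with `apktool d`); the manifest below is constructed, and its receiver and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SECRET_ACTION = "android.provider.Telephony.SECRET_CODE"

# Constructed sample manifest; receiver and permission names are hypothetical.
# Only the code names (hosts) are taken from the commands quoted in the thread.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".MenuReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="HIDDENMENUENABLE"/>
        <data android:scheme="android_secret_code" android:host="UNLOCKKERNEL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:permission="com.example.SERVICE_MENU">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="TESTMODE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_secret_codes(manifest_xml):
    """Return (receiver, code, unguarded) for every secret code a receiver accepts."""
    findings = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        # Before Android 12, a receiver with an intent-filter is exported unless
        # android:exported="false"; android:permission restricts who may send to it.
        unguarded = (rcv.get(ANDROID + "exported") != "false"
                     and rcv.get(ANDROID + "permission") is None)
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            datas = list(flt.iter("data"))
            schemes = {d.get(ANDROID + "scheme") for d in datas}
            if SECRET_ACTION not in actions or "android_secret_code" not in schemes:
                continue
            # Any declared scheme pairs with any declared host; no host means all codes.
            hosts = ({d.get(ANDROID + "host") for d in datas} - {None}) or {"*"}
            for host in sorted(hosts):
                findings.append((rcv.get(ANDROID + "name"), host, unguarded))
    return findings

if __name__ == "__main__":
    for name, code, unguarded in audit_secret_codes(SAMPLE_MANIFEST):
        print(f"{name:18} {code:18} {'NO PERMISSION' if unguarded else 'guarded'}")
```
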
1st February 2013, 06:37 AM   |  #3  
nosympathy
Senior Member
Re: R&D - Potential Stock Bootloader Unlocking Functionality
Nice find, guys! Would love to see Adam's face right now!

Sent from my SCH-I535 using xda app-developers app
1st February 2013, 06:47 AM   |  #4  
Senior Member
Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.
1st February 2013, 07:00 AM   |  #5  
nosympathy
Senior Member
Re: R&D - Potential Stock Bootloader Unlocking Functionality
Quote:
Originally Posted by LLStarks

Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.

I would imagine it should be no different regardless of the ROM running as long as the files required for this process are untouched if they are built into the ROM itself. If you are locked and looking to use this you would have to be running a stock kernel.

What could be the consequence of it not working correctly if one of the required files is broken? As in what exactly does this do? I assume it is just telling the boot loader to allow insecure kernels and nothing else? If that is the case your chance of anything going wrong should be very low?

Sent from my SCH-I535 using xda app-developers app
1st February 2013, 07:14 AM   |  #6  
alquimista
Senior Member
Re: R&D - Potential Stock Bootloader Unlocking Functionality
This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone.


Sent from my SCH-I535 using xda app-developers app
Attached image: uploadfromtaptalk1359702614408.jpg
1st February 2013, 07:21 AM   |  #7  
eschelon
OP Recognized Developer
Quote:
Originally Posted by alquimista

This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone.


Sent from my SCH-I535 using xda app-developers app

Awesome. We may be able to reverse engineer that...

Just for fun, try that sboot key:

oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo
Last edited by eschelon; 1st February 2013 at 07:28 AM.
1st February 2013, 07:25 AM   |  #8  
when the app fc's...

Code:
E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null
(this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)
The Following 3 Users Say Thank You to invisiblek For This Useful Post: [ View ]
1st February 2013, 07:30 AM   |  #9  
eschelon
OP Recognized Developer
Quote:
Originally Posted by invisiblek

when the app fc's...

Code:
E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null
(this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)

Time to hunt down that lib...
1st February 2013, 07:42 AM   |  #10  
Senior Member
I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

I think invisiblek still has the former.
Last edited by LLStarks; 1st February 2013 at 07:45 AM.
