
R&D - Potential Stock Bootloader Unlocking Functionality

 
eschelon
(Last edited by eschelon; 1st February 2013 at 06:43 AM.)
#1  



Team Synergy, namely TrevE and myself, have discovered a potential stock bootloader unlocking mechanism that may be useful in unlocking the bootloader in the Verizon Galaxy S3, as well as numerous other devices, including but not limited to, the Note 2 and the Galaxy Stellar. This is currently an R&D thread, and its purpose is to investigate the potential of the mod.

First and foremost, if this mod truly is successful in unlocking the bootloader on one or more devices, ALL credit MUST be directed to Team Synergy for the unlock, as it was first posted here by our team: http://forum.xda-developers.com/show...ostcount=16666. Do not kang or try to pass off our work as your own.

Be advised that we have not fully tested this mechanism and have no idea what repercussions may result. As such, Team Synergy will not be liable for any consequences whatsoever.

But those who wish to give this a try on this device or others need to try the following:



Type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE

Then enable the hidden menu on the device when it pops up.

Then type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL



This should throw up a popup like the image shown above. In theory, accepting this should run a hash check against your device keys, then continue to unlock the bootloader.

This code does not exist on all carriers, but it is definitely present in Verizon stock ROMs. Those who are brave enough to try, please post your results in the thread.

TrevE has more details in the post below.
 
TrevE
(Last edited by TrevE; 1st February 2013 at 07:14 AM.)
#2  
Few quick facts about what is known about this stock bootloader unlock mode-
  • APK that controls this is hiddenmenu.apk
  • uses libuck for something
  • SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
  • Key might be hashed with deviceID and checked using Luhn (https://en.wikipedia.org/wiki/Luhn_algorithm)

Other hidden menu commands we stumbled upon unrelated to unlock that might be useful
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://GlobalHmenu -- Global Hidden Menu
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://STEALTHMODE -- The fk? Some LTE test mode
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PORTMAP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MEID -- MEID info
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TLAUNCHER - Tool Launcher Enable
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MSL_Checker
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PROGRAM -- Sysscope status
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TESTMODE
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TTY
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PUTIL
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://diag_msl
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setMTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDIS
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRMNETDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TEST
DONATE TO THE EFF Let them know XDA-Developers sent you or you support the cause (https://www.eff.org/deeplinks/2011/1...s-legal-threat)
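Added example (not part of the posts above and not code from hiddenmenu.apk): a small audit that lists every android_secret_code:// host an APK's receivers register for android.provider.Telephony.SECRET_CODE and flags receivers that declare neither android:permission nor exported="false", i.e. ones that do not themselves restrict who may send the broadcast. It assumes the manifest has already been decoded to text XML (for instance with apktool); the sample manifest, its class and permission names, and which hosts are guarded are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SECRET_ACTION = "android.provider.Telephony.SECRET_CODE"
SECRET_SCHEME = "android_secret_code"

# Constructed manifest: package, class and permission names are hypothetical,
# and which hosts sit behind a permission is invented for the demo.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hiddenmenu">
  <application>
    <receiver android:name=".OpenReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="HIDDENMENUENABLE"/>
        <data android:scheme="android_secret_code" android:host="UNLOCKKERNEL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver"
              android:permission="com.example.permission.SERVICE_MENU">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="TESTMODE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_secret_codes(manifest_xml):
    """Return (receiver, host, guarded) for every secret-code filter entry.
    guarded: sender needs a permission, or the receiver is not exported."""
    findings = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        guarded = bool(rcv.get(NS + "permission")) or rcv.get(NS + "exported") == "false"
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            if SECRET_ACTION not in actions:
                continue
            for data in flt.findall("data"):
                if data.get(NS + "scheme") == SECRET_SCHEME:
                    host = data.get(NS + "host", "*")  # "*" = no host filter
                    findings.append((rcv.get(NS + "name"), host, guarded))
    return findings

def unguarded_hosts(manifest_xml):
    return sorted(h for _, h, g in audit_secret_codes(manifest_xml) if not g)

if __name__ == "__main__":
    for name, host, guarded in audit_secret_codes(SAMPLE_MANIFEST):
        print("ok     " if guarded else "EXPOSED", name, f"{SECRET_SCHEME}://{host}")
```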
 
nosympathy
#3  

Nice find guys! Would love to see Adam's face right now!

Sent from my SCH-I535 using xda app-developers app
[Phone] Samsung Galaxy Note II
[Root] Jailbroken
[Recovery] TWRP 2.4.1.0
[Rom] Beans #7
[Kernel] Saber Kernel
 
LLStarks
#4  
Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.
#verizons3 on Freenode ~ home for all d2 and step brothers
https://kiwiirc.com/client/irc.freenode.net/verizons3
 
nosympathy
#5  

Quote:
Originally Posted by LLStarks
Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.
I would imagine it should be no different regardless of the ROM running as long as the files required for this process are untouched if they are built into the ROM itself. If you are locked and looking to use this you would have to be running a stock kernel.

What could be the consequence of it not working correctly if one of the required files is broken? As in what exactly does this do? I assume it is just telling the boot loader to allow insecure kernels and nothing else? If that is the case your chance of anything going wrong should be very low?

Sent from my SCH-I535 using xda app-developers app
[Phone] Samsung Galaxy Note II
[Root] Jailbroken
[Recovery] TWRP 2.4.1.0
[Rom] Beans #7
[Kernel] Saber Kernel
 
alquimista
#6  

This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone.


Sent from my SCH-I535 using xda app-developers app
[Attached image: uploadfromtaptalk1359702614408.jpg]
PLEASE HIT THE THANKS BUTTON!!
I like to know when I've been a bit of help
 
eschelon
(Last edited by eschelon; 1st February 2013 at 07:28 AM.)
#7  
Quote:
Originally Posted by alquimista
This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone.


Sent from my SCH-I535 using xda app-developers app
Awesome. We may be able to reverse engineer that...

Just for fun, try that sboot key:

oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo
 
invisiblek
#8  
when the app fc's...

Code:
E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null
(this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)


#verizons3 | #sgs4 | #cm-htc @ freenode

READ THIS


 
eschelon
#9  
Quote:
Originally Posted by invisiblek
when the app fc's...

Code:
E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null
(this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)
Time to hunt down that lib...
 
LLStarks
(Last edited by LLStarks; 1st February 2013 at 07:45 AM.)
#10  
I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

I think invisiblek still has the former.
#verizons3 on Freenode ~ home for all d2 and step brothers
https://kiwiirc.com/client/irc.freenode.net/verizons3
