I just released Loki, a set of tools for developers and users to flash custom kernels and recoveries on the AT&T and Verizon branded Samsung Galaxy S4.
The tool is available at:
The technical details on how the exploit works are described at:
This is a support thread that I will check regularly until I decide to hand over support to the community. Feel free to ask any questions, and I may add the answers to this post. As a guideline, if it's a question that's already been answered in this thread or in the README for Loki, I will ignore it.
Does this make any permanent changes to the device?
No permanent changes are made to your device when using loki_flash. The bootloader itself is untouched. By restoring the original system, boot, and recovery images (via Odin or otherwise), the device will be in a stock state.
Can this be patched?
Absolutely. Any update that includes a new aboot will almost definitely cause your custom kernel or recovery to fail to boot without running it through loki_patch again, and if the update contains a fix for the vulnerability Loki exploits, it may permanently prevent using the tool. It's possible for Samsung to ship an update that prevents downgrading aboot to a vulnerable version, so I recommend avoiding installing any OTA updates without confirmation that it's safe.
What about the bounty?
As usual, I encourage anyone looking to donate (as part of the bounty or otherwise) to give their money to a reputable charity organization instead. If you insist on donating to me, I'm sure you can find my Paypal account somehow.
This all seems complicated. What about a step-by-step guide?
These tools are primarily intended for developers, who will be able to use them and provide ordinary users with easy ways to flash custom ROMs. Be patient, I'm sure your favorite ROM developer will come up with something for you.
I've installed a Loki-patched recovery. Can I just install regular custom ROMs now?
Any ROMs that include a replacement boot.img must be modified to include a Loki-patched boot.lok file instead. Otherwise, your phone will fail to boot until you restore a Samsung-signed boot.img or a custom boot.lok image via your custom recovery, or flash a stock image via Odin.
So this is just like kexec?
This is similar to kexec in that it works around a locked bootloader, but this approach is much more flexible and robust. Kernel and recovery developers can build their projects just as they would for an unlocked device, run the final result through Loki, and then it's ready to be flashed. No hackery and brokenness required.