[GUIDE][I337UCUAMF3][STOCK][NEUTERED] MF3 OTA Update - Keep Recovery and Root! [7-12]
Notice (4/16/14): I'm no longer here. I've said "goodbye" to AT&T and their locked bootloader schemes. I'm voting with my wallet - I've sold my I337 and switched to T-Mobile. My apologies to the community, but you're now on your own here.
NOTICE: These instructions are pretty much obsolete. If you'd like to run a pure stock MF3 rom based on this exact method of neutering the MF3 OTA update, then read this thread. This thread shall remain for informational purposes only.
A quick THANKS to djbliss (motochopper root exploit), TeamWin (TWRP recovery), Chainfire (SuperSU), and all of the Guinea pigs that tested some of this stuff out for me in this thread.
What is this? This is not technically a ROM, but by the time you are done, you will be running the stock, (albeit rooted) I337UCUAMF3 ROM provided by AT&T. Unlike the original MF3 OTA patch, if you perform the steps outlined in this thread, you will not lose your custom recovery, and your bootloader (including aboot) will remain untouched.
Here's what the neutered version does:
It will flash a new boot.img, which primarily includes the MF3 Kernel.
It will flash the RPM partition, which as far as I can tell is strictly for power management. I kept it in the package because it seems harmless.
It will update many files in your /system partition, bringing you up to the latest MF3 build (the whole point).
It will flash the new MF3 modem/Baseband, along with its counterpart, the NON-HLOS partition as well. The NON-HLOS partition will cause some problems with your sound (keep reading), but I've added a patch here that will solve this problem while creating another (WiFi breaks). I've kept this included in the original neutered patch, just in case someone is able to find a very easy fix for the sound and/or WiFi.
Can I go back?
From my experience, if you do not update the bootloaders, it is fully possible to return to the I337UCUAMDB or I337UCUAMDL stock versions. I used Odin, personally, but you could simply restore nandroid backups or flash a new rom. Your modem/Baseband will stay at I337UCUAMF3, along with your RPM partition - unless you use Odin or otherwise flash older versions manually. Personally, I found ZERO side-effects of performing these steps and then restoring my MDL-based nandroid backup.
At this time, you will have to choose between either having sound, or having WiFi. Can't have both. This is completely related to the NON-HLOS modem that's included and expected in the MF3 build. As mentioned above, the new NON-HLOS modem will kill your sound capabilities without having the new bootloaders, etc. I have no idea why, so I've provided a "fix" for this - a flashable .zip that will restore your NON-HLOS modem back to the MDL version. If you revert to this MDL NON-HLOS modem, you will lose WiFi capabilities. If someone finds a more proper fix for this, please let everyone know. Otherwise, you're welcome to keep switching back and forth as you please. See the section in this post about flashing just the modems.
In addition to all this, I've provided a modified, deodexed SecSettings.apk that will not scan for SysScope and will not mark your system as "Custom". This add-on package also removes SysScope entirely from the OS. This add-on is optional, and you can choose not to flash this part if you wish. This package is based on my previous mod, located here (some minor changes in Status.smali to match the new MF3 build, but otherwise the same steps were performed to create this new SecSettings.apk). Basically, if you perform all of the steps outlined in this method, you will find yourself with an "official" status, and will have the original "Galaxy S4" boot logo (not the custom/padlock logo), regardless of the root or custom recovery.
Warnings and Caveats:
I have not extensively tested the I337UCUAMF3 operating system, and I WILL NOT be providing tech support for this operating system. Take it AS-IS, and ask your questions about the OS in the Q&A forum. This thread will be only for the process of getting you to I337UCUAMF3.
NOTICE: This is only intended for the I337 - a.k.a. the AT&T Galaxy S4. I have only tried this on my 16Gb, original device. You may try it on other devices, but there is of course a very high risk of bricking your non-i337 device. You've been warned.
WARNING: I am not responsible if you brick your device. Follow the instructions very, very closely, and you will be fine.
ANOTHER WARNING: There are mixed reports about certain things being broken with the MF3 update, such as the "free unlock with hidden menu" and tethering, etc. If these are important to you, you might want to make a full backup of your EFS just in case. Most custom recoveries (including the provided TWRP recovery) can help you do this. The EFS partition does not appear to be touched during the update, but just in case the new kernel or new modem does something to it on-the-fly, it would be a good idea to have a backup.
Okay, great. So what do we do?
Click the "Click to show content" button below to begin.
Download all these prerequisites. Get the downloads started now, and just read-ahead so you are familiar with the next steps.
Put each and every one of these downloads onto the root of your internal SDCard (/sdcard/).
Make a full Nandroid backup of your device - include system, data, and everything.
Make a backup of everything that is on your internal SDCard - it's possible to accidentally wipe it.
Wipe data. Be careful not to wipe your SDCard!
Odin to stock, unrooted MDB package. Instructions here.
Allow the device to reboot fully into the clean, stock MDB. This will clear your "Custom" status, by the way.
When returning to MDB, some apps will likely force-close when they start. This is due to data problems with these apps. You could wipe data again to remove these, but there is risk of wiping your SDcard if you do it wrong. Otherwise, just click OK and get through them all before continuing.
Run Motochopper - Use custom version that I've provided, OR you can download the original version here http://forum.xda-developers.com/show....php?t=2252248
NOTE: If you use the original version, be sure not to allow it to restart your device! At the end when it prompts you to "Press Enter to reboot..." - DO NOT REBOOT.
Install a custom recovery using your ADB shell. Do NOT mistype the partition number at the end, or you can easily hard-brick your device.
Note: You should be able to use your own recovery. You will need to install it using the method above, however. Programs like GooManager will not work at this stage.
Allow the device to reboot directly into recovery. Do not leave recovery until instructed to do so.
NOTE: This is the original AT&T I337UCUAMDL update, but with the "ro.secure" check removed, and the recovery removed. Otherwise it is the same thing.
NOTE: This package will also clear your dalvik cache, just in case.
Flash modem-fix.zip. NOTE/BUG: If you skip this, you will lose all audio. If you flash this modem-fix, you will lose WiFi. Currently working on investigating this!
Reboot the device into system.
Click the "Thanks" button if this has helped you.
But I only want to flash the new modem (Baseband). Do I have to do all that crazy stuff?
Certainly not! You can flash just the modem itself, very easily. You need to be rooted, or have a custom recovery first.
The Manual Method - requires root (advanced users, but technically easier and quicker!):
Download the .zip I created of all the modems I've ever had here.
Make a nandroid backup for safekeeping. Note that a nandroid backup will not typically backup your current modem - this is just a precaution in case you mess things up and have to use Odin to restore your modems or something. Better safe than sorry!
Unzip contents to your sdcard.
Fire up your ADB shell.
Type the following very carefully. DO NOT GET THE PARTITION NUMBER WRONG or you could easily brick your device. Badly.
dd if=/sdcard/modem-MF3.bin of=/dev/block/mmcblk0p2
Start testing it out!
NOTE: The included NON-HLOS.bin is intended for mmcblk0p1. If you are on an MDL-based ROM and/or Kernel, don't flash this file yet, unless you're being experimental. Here's why:
If you have an MDL-based ROM/Kernel...
If you have an MDB NON-HLOS.bin and an MF3 modem.bin, Wi-Fi will break.
If you have an MF3 NON-HLOS.bin and an MF3 modem.bin, sound will break.
If you have an MDL NON-HLOS.bin and an MF3 modem.bin, .... Nothing seems broken. Sound and Wi-Fi are working.
The Automatic Method - requires custom recovery (recommended for flashaholics): CPA Poke has offered a flashable version of the modem as an option here.
I just want the original, unaltered I337UCUAMDF patch. Where can I find it?
You can download it here. This was taken straight from \cache\fota\2400258.cfg. You can rename it as a .zip if you'd like to mess with it. Please note that this file may not be flashable on your device if you have customized your /system partition or have made other modifications to your device. This patch performs a series of integrity checks, and will not install if it fails any of them. If it fails, you should be safe, as the patch sequence aborts before making changes if it fails the checks.
BE FOREWARNED: Flashing this file directly will cause you to lose root, lose your custom recovery, and lose the ability to obtain root in the future (as far as we know). In other words, DO NOT install this unaltered, original update if you EVER want to have root again, flash custom ROMs, or have the ability to make/restore nandroid backups. You've been warned.
How can I make my own neutered version of the OTA patch?
Check out post #2 in this thread for all the details on how to customize your OTA patch file, including the warnings and potential ways you can hard brick your device.
What was changed in this patch?
If you were to flash the original patch without neutering it first, you'll be stuck with a stock MF3 build (or higher). As far as we can tell, this patch does blow some e-fuses in the device, incrementing a number such that it is impossible to return back to an older build (MDB or MDL). There is currently no known cure for this condition if this is the case, especially considering we have locked bootloaders on the I337 at this time.
For a complete list of all the files that this patch touches on your system, you can check out my previous post here.
Can I use this in my own ROM?
Certainly! In fact I encourage it. I'd like to see some cool ROMs be built using the MF3 base. It's got some nice improvements on the MDL base, so any stock-based ROMs should benefit. You have my full permission to use this complete process or any parts/pieces/packages/methods herein. I would like to see my name mentioned in your "thanks" list if you have one, but this is of course completely optional.
Where can I download a full system and kernel dump of the work you did? (ADDED 7-12-13)
You can download it right here. Apart from the SysScope mod mentioned above and injecting root, this is the full, stock image. This is NOT directly flashable, so don't even try. This will only be useful for ROM developers and advanced users. The modems and bootloaders have nothing to do with these packages, but these might be required for everything to work correctly (i.e. sound and WiFi).
This was created from my device after performing all the steps above, using these commands while the device was in recovery, from a root ADB shell:
Do you have this available as a ROM I can flash? (ADDED 8-6-13)
Indeed! If you want to install this as a ROM, check out my newer thread here.
Anything I can do to help here?
If this information and tutorial helped you out, just simply hit the "THANKS" button. It's great to know the work was appreciated. Another way that you can help is to provide feedback in this thread about how it worked for you, and if there's any improvements that can be made. Lastly, if you're interested in helping financially to help recover the costs of the JTAG box I now need to recover my S4, you're certainly welcome to assist by using the donate link on the left. Keep in mind that I'm not technically a Dev here - I'm just another forum member that's providing information to other members. It's what this whole community is about.
How can I make my own neutered version of the OTA patch?
With lots of careful snipping. But first, you need a copy of the original OTA patch. You can download this from my post above, or you can download one yourself straight from AT&T.
To download your own copy, the process is not terribly complicated - just risky. Here's the steps I performed to obtain the original update file from AT&T:
Make sure you have root before continuing. If you screw this up and allow the update to install, you're pretty much SOL.
If you are running the stock MDL rom, you can simply launch the updater in Settings -> More... -> About device -> Software update and let it download. Just don't reboot your phone until you've then frozen the AT&T update applications (all 3 of them) from performing the update. Keep in mind that your device will eventually reboot on its own, thanks to AT&T and their way of forcing updates.
Pull the update file from /cache/fota/2400258.cfg, and put it somewhere on your computer that you can work with it. It's just a .zip file in disguise, so you can simply rename it appropriately.
Delete the original .cfg from the device.
As mentioned, freeze or disable the updater applications.
You now have your own copy of the OTA update.
Great - you've got the file. Time to grab the scissors and perhaps something to steady the hands and numb the pain. A keyboard works too in this case. Here's what to do:
Save a backup copy of your update file. One copy for safekeeping (in case you want to start over) and another to work on. Do it now.
Open the update file using basically any .zip editor. I used 7zip because it performed quickly, whilst Win7's zip capabilities were VERY SLOW dealing with this file.
From the root directory of the file, delete:
The entire "recovery" directory.
Within the file, browse to META-INF\com\google\android and pull a copy of the updater-script. This file does all the magic.
Edit the updater-script using a text editor, preferably something like Notepad++ (great program! I recommend it). Make the following changes:
Remove the following line:
Edit the following line from:
Remove the following line (it's right after the last one you edited):
Save it, and put the modified updater-script back inside the update file where you found it, replacing the old one.
Upload it to your SDCard and flash. See all the warnings here in this post and in the original post about what to do with this thing.
NOTES and WARNINGS:
A careful reader will be able to easily tell what each part of the updater-script does, and you can choose whether or not to keep it, modify it, or delete it.
Keep in mind that the update will fail if it does not pass all of those integrity checks. You can technically remove all of the integrity checks, and the update will still process, patching files left-and-right. However, depending on how heavily you have modified your system, you will probably run into extreme problems (soft brick most likely).
CRITICAL WARNING ABOUT BOOTLOADERS: At this time, do NOT allow the update package to only partially update your bootloader! Failure to update the entire bootloader will result in a hard brick. For example, if you were to include the parts that update sbl2 and sbl3, but not include tz and aboot... your chain of trust will be violated, and the device will refuse to boot normally (a.k.a. QDL Mode or Emergency Boot). The only theoretically known way out of this is JTAG. You don't want to go there. So, simply put: regarding bootloaders, it's all or nothing. The bootloader updates included in this package are: sbl2.mbn sbl3.mbn aboot.mbn tz.mbn. It's like any good D&D campaign - if you separate these party members, the campaign is toast.
REMINDER: At this time, it appears that flashing the new bootloader will trip an e-fuse. This is a hardware device that is only capable of incrementing a number. If the number on the e-fuse is higher than the bootloader you are trying to flash (with Odin, for example), the device will refuse to take the update. In other words, if you flash the MF3 bootloader, there is no known way to return to the MDB or MDL bootloaders at this time.
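An added example (not from the original post or its author): a Python lint for an edited OTA zip that flags the failure modes warned about above, namely a partial bootloader set, a script that references a file deleted from the archive, and a leftover recovery directory. It assumes images are written with edify's `package_extract_file`; the sample packages and the destination path are constructed placeholders.

```python
import io
import re
import zipfile

# Bootloader images the post lists as an all-or-nothing set.
BOOTLOADER_SET = {"sbl2.mbn", "sbl3.mbn", "aboot.mbn", "tz.mbn"}
SCRIPT_PATH = "META-INF/com/google/android/updater-script"
# Assumption: images are written via edify's package_extract_file("name", ...).
EXTRACT_RE = re.compile(r'package_extract_file\(\s*"([^"]+)"')


def lint_ota(zip_bytes):
    """Return a list of problems found in an edited OTA package."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if SCRIPT_PATH not in names:
            return ["updater-script missing"]
        script = zf.read(SCRIPT_PATH).decode("utf-8", "replace")
    referenced = set(EXTRACT_RE.findall(script))
    # Partial bootloader update: some, but not all, of the set is flashed.
    flashed = BOOTLOADER_SET & referenced
    if flashed and flashed != BOOTLOADER_SET:
        missing = sorted(BOOTLOADER_SET - flashed)
        problems.append("partial bootloader update, script skips: " + ", ".join(missing))
    # The script extracts a file that was deleted from the archive.
    for name in sorted(referenced - names):
        problems.append("script extracts missing file: " + name)
    # recovery/ payload left in a package meant to keep the custom recovery.
    if any(n.startswith("recovery/") for n in names):
        problems.append("recovery/ directory still present")
    return problems


def build_sample(files, script):
    """Build a constructed in-memory package for the demo (not a real OTA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in files:
            zf.writestr(name, b"constructed")
        zf.writestr(SCRIPT_PATH, script)
    return buf.getvalue()


def flash_lines(names):
    """Constructed script lines; the destination is a placeholder, not a real partition."""
    return "\n".join('package_extract_file("%s", "/dev/block/PLACEHOLDER");' % n for n in names)


if __name__ == "__main__":
    partial = build_sample(["sbl2.mbn", "sbl3.mbn", "boot.img"],
                           flash_lines(["sbl2.mbn", "sbl3.mbn", "boot.img"]))
    print(lint_ota(partial))
```

An empty result only means none of these three checks fired; it says nothing about the integrity checks the updater-script itself performs.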
You did a great job, but think there may be an easier way to update if you are interested.
Food for thought.
This will only work with yours since you are updated.
dd if system and boot to the sdcard as system.img and boot.img.
Use kitchen to extract system and build update zip from that. This would create less flashes as it would have root and everything else built in.
Just a thought. If it sounds like a good idea. Great! If not it's ok.
Again. Great job.
Sent from my SAMSUNG-SGH-I337 using xda premium
I haven't actually built a ROM yet, but this might be a good time to try!
Originally Posted by jetlitheone
Just wondering what's up with sound. So weird modem would mess with that
Sent from my SAMSUNG-SGH-I337 using Tapatalk 2
iknorite? Perhaps a more experienced Dev could shed some light on what's going on with this. If a solution is found, I would love to incorporate it into this project.
Also, an update: I added instructions in post #2 on how you can obtain and neuter your own OTA update file. I have no intentions of hiding any of my work.
Current device: T-Mobile Samsung Galaxy S5 (SM-G900T)
Current ROM: Stock, rooted
If my advice has helped you, please let me know by hitting the "THANKS" button! I also accept donations of beer or pizza.