If we are serious about unlocking the bootloader


cicuye

Member
May 15, 2016
41
3
Pinehurst, Texas
Keep Looking

Does anyone know if the Samsung Galaxy i545 Verizon phone is able to have an unlocked bootloader? I've been looking for ages and haven't found anything.
The original Galaxy S4 made by Samsung for Verizon had an unlocked bootloader with a build number ending in MDK. When they started upgrading these phones, those upgrades locked the bootloader. Hence the big stink that's been raised over that issue. The original operating system was unlocked. You can still find them from time to time on Swappa and other used phone websites, but you really have to watch constantly.
 

xdaahmedaiwy

Member
Jun 23, 2015
8
2
This script unlocked the Note 4, S5, and more. The developer says if you want to use it on other Samsung devices, read below...

[pasted ARM ELF binary (interpreter /system/bin/linker); the machine code does not survive as text. Only the embedded strings are legible and are kept here, one per line, in the order they appear:]

/sys/devices/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid
/sys/devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid
/sys/class/mmc_host/mmc0/mmc0:0001/cid
[+] CID at boot time is/was: %02x
/dev/block/mmcblk0
/dev/block/mmcblk1
/dev/block/platform/msm_sdcc.1/by-name/aboot
[-] couldn't stat aboot partition
[-] out of memory, wtf?
[-] couldn't open aboot
[-] can't read aboot
[-] fseek
[-] really bad time to fail. Don't reboot, try again
[+] programming new CID
[-] wtf
[-] cid_backdoor failed %d
[-] program_cid failed %d
[-] wtf, can't get 4k???
/proc/cmdline
[+] backing up loaders, this will take a few minutes
[-] you MUST have a 1GB or greater sd card inserted
[-] 4GB or greater is recommended
[-] do NOT patch this out of code!
[-] something went wrong backing up loaders
[-] figure it out
[+] loaders successfully backed up
[-] dev sig fail, error %d
(Yes/No)
Type "Yes" or "No"

============================== samdunk unlock 0.0.1 ==============================

this application comes with NO WARRANTY (express or implied)
this binary may not be rehosted, repackaged, one-clicked, etc.
there is no support provided for this application
this application has been tested on the Verizon Galaxy S5 only
it may work on the AT&T Galaxy S5, and possibly other similar Galaxy devices
there are no compatibility checks, do your research first
if run on an incompatible phone, it will likely permanently ruin the device
we STRONGLY advise against running any binary not obtained from the official source
official source is available at http://github.com/beaups/SamsungCID
SD card is required, all data on the SD card will be destroyed
changing to this developer CID may have other implications
the psn derived from the CID may be used for critical services
changing this psn may cause unexpected behavior or loss of services
continue at your own risk, you've been warned

aboot dev signature research credit to ryanbg
http://xdaforums.com/member.php?u=766721

eMMC vulnerability, exploit, and the code you are running by beaups (sean beaupre)
http://xdaforums.com/member.php?u=711482

Do you understand the implications of these warnings?
[-] you must be root to use this
[-] sorry you can't agree to the terms :(
[-] this is for (some) Samsung devices only
[-] it WILL kill other devices. go back to google
[-] can't get current CID, find it and fix the code
[-] don't try this on non-samsung eMMC, seriously.
[+] device not yet dev CID, now changing to dev CID
[+] success! powering off device, power back on and verify CID
[+] then run this binary again to finish the process
[-] fail
[+] dev CID matching, proceding to unlock
[+] success! powering off device, hopefully its not bricked!

[build information and symbol names recovered from the binary's debug and symbol sections: source file unlock_n4.c in /home/ryan/Downloads/SamsungCID, compiled with GNU C 4.9 20140827 (prerelease) from the Android NDK (android-21, arm-linux-androideabi) with -mbionic -march=armv5te -mfloat-abi=soft -mfpu=vfp -g -O2 -fPIE, linked with GNU gold 1.11. Functions: main, mmc_movi_vendor_cmd, cid_backdoor, get_cid, program_cid, is_samsung_emmc, show_cid, ioc_blockdev_size, backup_loaders, find_signature_offset, write_dev_signature, program_dev_cid, nearly_useless_compat_check, do_dev_loaders, query_user, prompt_user. Data objects: dev_sig, dev_cid.]
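The binary pasted above reads the eMMC CID from one of three sysfs paths, refuses to run on non-Samsung eMMC, and warns that the PSN derived from the CID may feed other services. As an added illustration (my code, not part of this post or of the SamsungCID project), the Python below parses that 32-hex-digit CID into its JEDEC-defined fields, applies a Samsung manufacturer-ID gate of the kind the binary's is_samsung_emmc symbol suggests, and diffs two CIDs so you can see which fields a CID rewrite actually touches. Assumptions: the CID layout follows the eMMC spec, Samsung parts report manufacturer ID 0x15, and both sample CIDs are constructed, not captured from a device.

```python
"""Parse and compare eMMC CID registers as Linux exposes them in sysfs."""
import re

# JEDEC manufacturer ID reported by Samsung eMMC parts (assumption, not from the thread).
MID_SAMSUNG = 0x15

# The same three candidate sysfs files whose strings appear in the binary above.
CID_SYSFS_PATHS = (
    "/sys/devices/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid",
    "/sys/devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid",
    "/sys/class/mmc_host/mmc0/mmc0:0001/cid",
)

# eMMC CID register layout: 128 bits, bit 127 is the first hex digit sysfs prints.
CID_FIELDS = {
    "mid": (127, 120),  # manufacturer ID
    "cbx": (113, 112),  # device/BGA type (bits 119:114 are reserved)
    "oid": (111, 104),  # OEM / application ID
    "pnm": (103, 56),   # product name, six ASCII characters
    "prv": (55, 48),    # product revision
    "psn": (47, 16),    # product serial number
    "mdt": (15, 8),     # manufacturing date
    "crc": (7, 1),      # CRC7 over the preceding 120 bits (bit 0 is always 1)
}


def parse_cid(cid_hex: str) -> dict:
    """Split a 32-hex-digit CID into its named fields."""
    digits = re.sub(r"\s+", "", cid_hex).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError("CID must be exactly 32 hex digits (128 bits)")
    value = int(digits, 16)
    fields = {}
    for name, (hi, lo) in CID_FIELDS.items():
        fields[name] = (value >> lo) & ((1 << (hi - lo + 1)) - 1)
    fields["pnm"] = fields["pnm"].to_bytes(6, "big").decode("ascii", "replace")
    return fields


def is_samsung_emmc(cid_hex: str) -> bool:
    """Gate on the manufacturer ID, the check the binary's symbol name implies."""
    return parse_cid(cid_hex)["mid"] == MID_SAMSUNG


def cid_diff(old_hex: str, new_hex: str) -> list:
    """Names of the fields that differ between two CIDs, in register order."""
    old, new = parse_cid(old_hex), parse_cid(new_hex)
    return [name for name in CID_FIELDS if old[name] != new[name]]


def describe_cid(cid_hex: str) -> str:
    """One-line human-readable summary of the fields that identify the part."""
    f = parse_cid(cid_hex)
    return (f"MID=0x{f['mid']:02x} OID=0x{f['oid']:02x} PNM={f['pnm']!r} "
            f"PRV=0x{f['prv']:02x} PSN=0x{f['psn']:08x} MDT=0x{f['mdt']:02x}")


def read_cid(paths=CID_SYSFS_PATHS):
    """Return the CID string from the first readable sysfs path, or None off-device."""
    for path in paths:
        try:
            with open(path) as fh:
                return fh.read().strip()
        except OSError:
            continue
    return None


# Constructed sample values (not a real device's CID): Samsung MID, PNM "MAG2GA",
# PSN 0x12345678, and a "dev" variant that differs only in PSN (and therefore CRC).
SAMPLE_CID = "1501004d41473247410512345678354f"
SAMPLE_DEV_CID = "1501004d414732474105deadbeef3521"

if __name__ == "__main__":
    live = read_cid()
    print("live CID:", live or "(no sysfs CID on this machine, using constructed samples)")
    for label, cid in (("boot", SAMPLE_CID), ("dev", SAMPLE_DEV_CID)):
        print(f"{label}: {describe_cid(cid)} samsung={is_samsung_emmc(cid)}")
    print("fields changed by the dev CID:", cid_diff(SAMPLE_CID, SAMPLE_DEV_CID))
```

Run it on a rooted device with `python3 cid.py` and `read_cid()` picks up the live register; elsewhere it falls back to the constructed samples. The diff is the point: a "dev CID" swap that only edits PSN still changes two fields (PSN and the CRC7 covering it), and anything keyed on the serial number, which the banner above warns about, sees a different device afterwards.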
 

19lmyers

Senior Member
Mar 26, 2015
54
2
This script unlocked the Note 4, S5, and more. The developer says if you want to use it on other Samsung devices, read below...

[quoted binary paste omitted; identical to the post above]
Um... Is this a spam post??
 

Paleskin

Senior Member
Apr 15, 2010
774
51
I got a Haier A16C3H with a locked bootloader. Dirty COW works temporarily, but still no write access on the system folder. Any ideas?
 

capt_planit

Senior Member
Apr 6, 2016
63
17

If you are trying to use Surge1223's kexec-tools (and many other versions above version 2.0.6) with a Samsung S4 monolithic kernel (no initrd) you may find that you get an error about overlapping memory segments or not enough memory to load the new kernel. Change #define BOOT_PARAMS_SIZE from 1536 to 1024 (kexec-zImage-arm.c) to free up a little memory. I guess an even smaller value is possible, but for me this did the trick.
 

Evil-Maiden666

Senior Member
Sep 19, 2016
56
5
Xda ad-free

Petitions just turn into complaint threads. I wanted to give this a last shot, so I posted a lot of info and plenty of references with the intent that even less experienced S4 users could learn and eventually contribute to helping unlock this bootloader. I also offered some ideas as a starting point. I've never joined IRCs or Google Talk sessions with others in trying to solve things; I mostly read and learned on my own, and I'm by no means a dev. But I don't think we can unlock this unless we stop complaining and one-upping each other and start working together. I wish that people would stop asking if devs are still trying to unlock this, or being pessimistic about it, and start being part of the solution by reading a little and then helping contribute to a solution. All suggestions are welcome. But if you don't know what comprises the "bootloader", learning the flashing order of the partitions at least up till tz.mbn would benefit you greatly.

P.S.
Just because you're not a dev doesn't mean you can't help; most devs are knowledgeable about their devices, but some don't know much beyond how to use Android Kitchen.

Sent from my XT912 using xda app-developers app

I am going to buy you xda ad free
 

StoneyJSG

Senior Member
Jul 28, 2014
1,197
194
Does anyone know if the Samsung Galaxy i545 Verizon phone is able to have an unlocked bootloader? I've been looking for ages and haven't found anything.
The original Galaxy S4 made by Samsung for Verizon had an unlocked bootloader with a build number ending in MDK. When they started upgrading these phones, those upgrades locked the bootloader. Hence the big stink that's been raised over that issue. The original operating system was unlocked. You can still find them from time to time on Swappa and other used phone websites, but you really have to watch constantly.

The bootloader was never unlocked. The MDK firmware had a flaw in it that allowed Loki Doki to bypass the lock, which was patched in the next update by Samsung / Verizon.
 

darkensx

Senior Member
Feb 18, 2011
337
1
40
Dalton NH
ASUS ROG Phone 3
What I want to know is why the FCC allowed Verizon to refuse to unlock bootloaders. I mean, if you pass a federal law and then allow companies to optionally abide by said law, then it's not really a law. Every carrier should have been forced to comply with that law.
Also, the big V claims "our devices are locked by the manufacturer". Who, Samsung? Strange, because Samsung tells us different (the carrier locked them), so... who made these phones, Verizon? If the Pixel bootloader has been unlocked, my question is how hard is it to break the lock on our bootloader now?
 

xs11e

Senior Member
Oct 5, 2010
752
126
Phoenix
I think you're confusing "unlock" with "unlock"! <G>

The FCC requires companies unlock their phones to use a different carrier but does NOT require the bootloader be unlocked.

"Carrier unlock" is very different from "bootloader unlock."
 

sokrboot

Senior Member
Aug 17, 2010
226
200
www.oldtimersclan.com
I've been off and on following this (totally not using my S4 any longer) and saw this paper posted recently (http://ww2.cs.fsu.edu/~ychen/paper/downgradeTZ.pdf) does this help us at all? It says it's good for the S7 but I'm not familiar enough with the differences to know.
This is not significant in any way that we don't already know about. The vulns they discuss are from like 2015. Not to mention the S4 and S7 are on different chipsets and processors.
 

bobturismo

Senior Member
Mar 20, 2009
142
20
I'm probably stupid for posting this without doing more research....

I had read that people were using verizon s4 roms on sprint phones, so I would assume the reverse is possible?

Could we use odin to completely flash everything? I have no idea and I'm talking out my ass.

*cowers and blocks face from incoming objects
 

NateDogg1232

Member
Nov 29, 2014
46
5
23
Fresno
I'm probably stupid for posting this without doing more research....

I had read that people were using verizon s4 roms on sprint phones, so I would assume the reverse is possible?

Could we use odin to completely flash everything? I have no idea and I'm talking out my ass.

*cowers and blocks face from incoming objects
This happens with ATT phones too but only with TouchWiz ROMs.

The main issue is the locked bootloader won't allow anything but TouchWiz ROMs.
 

Top Liked Posts

  • 64
    Scroll down for recent updates;

    Has anyone ever heard more from h311sdr0id about his post (see here) to get more info about this "state" that allows you to flash MDK over ME7 in Odin? I'm curious to see if we can use that state, maybe in QDL mode to somehow either push an image to the phone or communicate with it using some methods/commands that E:V:A refers to on this page and a few pages after and before. It's also possible that we then might be able to use a modified unbrick.img (see here) to restore an MDK bootloader. So far those are the two ideas that I think have the best chance.

    Also in this thread I started with the intention of compiling the entire stock firmware for the Dev edition (OYUAMDK), I mentioned at the bottom that when flashing the stock MDK restore Odin tar on an ME7 phone users usually get a "SW REV. CHECK FAIL: FUSED: 3, Binary: 1" message, meaning that your current fuse counter in aboot is set to 3 but the binary you're attempting to flash is set to 1, so the flashing attempt will fail. I'm willing to bet that if you're on VRUDMI1 and you attempt to flash the MDK restore you will get a similar message but the FUSED: value will be set to 4; you can see the counter upped in this post from jeboo here. However, when flashing the dev OYUAMDK aboot file on S4s with an ME7 bootloader, users will receive a "SECURE CHECK FAIL: aboot" message instead. I don't know if we might be able to use the dev OYUAMDK aboot file and bypass the fused counter entirely, since the dev edition has an unlocked bootloader and the fuse is an efuse, so software enforced, not a hardware enforced qfuse. If anyone wants to go into more detail, or wants to expand on these ideas, I can expand on this info or we can collaborate in the Dev discussion thread.

    Other points to consider:

    • If you know how to use IDA Pro, and can help with the base address of the binaries, that is probably our best bet to find a vulnerability in aboot. You can see jeboo and djrbliss discuss this a bit (here) and you can see Ralekdev show his findings here; this also gives the explanation of why you see the "custom unlock" boot screen that people constantly post about in the Q&A thread. Both of these threads, along with djrbliss' blog discussing the S4 aboot vulnerability that led to Loki (here), and exploiting the TrustZone (tz.mbn) on Moto's bootloaders (here), are good starting points in trying to find a new vulnerability.
    • If you know how to hexedit, then hexedit aboot.mbn from MDK, ME7, OYUAMDK, and MI1. You can see ME7 and MI1 are similar in both size and content, while MDK and OYUAMDK are more similar to each other in size and content. Obviously OYUAMDK differs from the others in the way it checks the recovery and boot partitions, (in djrbliss' blog on the S4 exploit he says "This bootloader differs between "locked" and "unlocked" variants of the Galaxy S4 in its enforcement of signature checks on the boot and recovery partitions.") but we are able to flash all bootloader partitions from the OYUAMDK firmware restore Odin file I made except aboot, so if you have any ideas on how we might be able to exploit any of that, please feel free to share.
    • If you do hexedit a dd'ed partition (if you copy mmcblk0p6 from your phone to your pc) you will see that it's padded with zeroes at the end. You have to cut the padded zeros from the dd'ed image in order for the partition to be registered as a signed partition in Odin, etc. To do this, use Linux, open a terminal and type
      Code:
      sudo apt-get install hexedit
      then enter your password and hit enter. Then go to the folder that contains the partitions you want to hexedit (for instance type "cd /home/Your user name folder/Desktop/S4partitionbackups/" where "your user name folder" is whatever your username is and "S4partitionbackups" is a folder you create on your desktop containing a backup of your partitions). If you don't have a backup of your partitions you can create them using something like the command below, substituting mmcblk0p6 and aboot.mbn with the partition(s) you are interested in.
    Code:
    adb shell su -c 'dd if=/dev/block/mmcblk0p6 of=/sdcard/backup/aboot.mbn'
    then
    Code:
    adb pull /sdcard/backup/aboot.mbn /home/Your user name folder/Desktop/S4partitionbackups/
    then
    Code:
    cd /home/Your user name folder/Desktop/S4partitionbackups/
    Code:
    hexedit aboot.mbn
    Quick guide on Hexedit controls/keys

    • shift+> will take you to the end of the hex file
    • shift+< will take you to the beginning
    • page up/page down it will take you up a page and down a page respectively
    • ctrl+c you will exit the hex file without saving any changes
    • esc+t you will truncate the file at the current location
    • ctrl+x you will save the file with all changes you have done.
    This is an example of a padded aboot.mbn, before hexediting, and prior to truncating the file at the first "0" in the string "00 01" found between the end of the actual file and the padded zeros and repeating F's
    View attachment 2353922
    This is an example of a properly signed aboot.mbn after hexediting
    View attachment 2353923

    How to find start addresses

    First you have to open the selected bootloader with a hex file editor and look at the header; converting from little endian you can find the start addresses and offsets

    Code:
    [B]sbl1.mbn = 0x2a000000[/B]
    00000000   D1 DC 4B 84  34 10 D7 73  15 00 00 00  FF FF FF FF  ..K.4..s........
    00000010   FF FF FF FF  50 00 00 00  [COLOR=Red]00 00 00 2A[/COLOR]  40 72 01 00  ....P......*@r..
    00000020   40 41 01 00  40 41 01 2A  00 01 00 00  40 42 01 2A  @A..@A.*....@B.*
    00000030   00 30 00 00  01 00 00 00  04 00 00 00  FF FF FF FF  .0..............
    
    [B] sbl2.mbn = 0x2e000000[/B]
    00000000   16 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 00 2E[/COLOR]  ................
    00000010   40 51 02 00  40 20 02 00  40 20 02 2E  00 01 00 00  @Q..@ ..@ ......
    00000020   40 21 02 2E  00 30 00 00  12 00 00 EA  5F 00 00 EA  @!...0......_...
    00000030   62 00 00 EA  65 00 00 EA  68 00 00 EA  6B 00 00 EA  b...e...h...k...
    
    [B] sbl3.mbn = 0x8ff00000[/B]
    00000000   18 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 F0 8F[/COLOR]  ................
    00000010   20 20 04 00  20 EF 03 00  20 EF F3 8F  00 01 00 00    .. ... .......
    00000020   20 F0 F3 8F  00 30 00 00  D3 F0 21 E3  D3 F0 21 E3   ....0....!...!.
    00000030   00 70 A0 E1  09 02 A0 E3  00 D0 A0 E1  DB F0 21 E3  .p............!.
    
    [B] aboot.mbn = 0x88e00000 offset = 0x285[/B]
    00000000   05 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 E0 88 [/COLOR] ................
    00000010   10 56 14 00  10 25 14 00  10 25 F4 88  00 01 00 00  .V...%...%......
    00000020   10 26 F4 88  00 30 00 00  06 00 00 EA  F0 38 00 EA  .&...0.......8..
    00000030   F6 38 00 EA  FC 38 00 EA  02 39 00 EA  08 39 00 EA  .8...8...9...9..
    
    [B] tz.mbn = 0x2a000000[/B]
    00000000   19 00 00 00  03 00 00 00  00 00 00 00  [COLOR=Red]00 00 00 2A[/COLOR]  ...............*
    00000010   C4 3A 03 00  C4 09 03 00  C4 09 03 2A  00 01 00 00  .:.........*....
    00000020   C4 0A 03 2A  00 30 00 00  09 00 00 EA  90 F2 9F E5  ...*.0..........
    00000030   90 F2 9F E5  90 F2 9F E5  90 F2 9F E5  84 F2 9F E5  ................
    
    [B] rpm.mbn = 0x00020000[/B]
    00000000   17 00 00 00  03 00 00 00  00 00 00 00 [COLOR=Red] 00 00 02 00[/COLOR]  ................
    00000010   38 57 02 00  38 26 02 00  38 26 04 00  00 01 00 00  8W..8&..8&......
    00000020   38 27 04 00  00 30 00 00  06 00 00 EA  1E 00 00 EA  8'...0..........
    00000030   2C 00 00 EA  39 00 00 EA  46 00 00 EA  53 00 00 EA  ,...9...F...S...
    EDIT: 2/01/2014 - Updated OP to include where we're at

    2/01/2014

    1. Figuring out what Hellsdroid's method was - Unfortunately this seems unlikely as of now (figuring out what he did that is). On the other hand, @TMcGrath50 and I discussed a method we thought to be similar to his starting around here and then I learned how to use IDA better as time went on and recently disassembled that I9505 S4 USB repair tool. I have not done a thorough analysis of the pseudocode yet though. But even so, this method has never been done before (as far as I know) and in addition to assuming the information in the pic below is true, and we can in fact reset the emmc on our devices with Secure Boot 3.0 (would this be a way of getting around having to reset the Secure Boot bit in the pbl to "0"?) I still think this idea needs to be refined a bit before it's worth exploring because some questions remain in regards to if it would even work in the first place. For example, when a JTAG solution was tested previously, the VRUAMDK aboot.mbn didn't flash on a device with VRUAME7 after all the partitions were written over with VRUAMDK partitions via JTAG, why? @jeboo may be able to help answer that.

    Also, it was previously questioned whether or not the flash programmer (8064 hex) would need to be signed or not. As I have two S4's, one that's working and one in QDL QHSUSB dload mode, in doing some recent testing through usb (S4 to S4) I was able to get some info back about my bricked S4, namely that I had sent it the wrong hex file (see the last line here) because the dmesg and last_kmsg logs say something to the effect of "the cpu clocks cannot start because it's configured for the wrong device" and the last line from my pastebin post says "8660" among other things as well.

    Status - Unknown - More Research Required


    [attached image: pCgmFhal.png]


    2. Using a Developer edition S4 to unlock a retail S4 - So here's what we know, the dev kernel (boot.img) is flashable and will work with retail S4's, but the recovery.img and aboot will not. Flashing the dev recovery.img will succeed in Odin/Heimdall, but if you try to boot into recovery it will inform you that your device is "tampered" and will void your warranty by setting the Knox warranty bit to 0x1. Before I discuss why aboot.mbn won't flash consider this: neither the Developer edition of the GS4 nor the Developer edition of the Note 3 has ever received an OTA or a factory Odin tar. This is not by random chance. Every Developer edition owner has a unique MD5 for their aboot. If you couple this with the fact that Dev edition devices have retail stickers under their dev stickers, you will probably come to the conclusion that Samsung/Verizon/AT&T haven't released updates to dev devices because they would have to do it on a 'per device' basis, that or risk handing us a method to convert retail devices into developer edition devices. If the method by which Samsung uses device specific info to sign developer edition aboot partitions were discovered this may work, or if their method to determine if a device is a developer edition or consumer retail edition is similar to what Dan R (djrbliss) took advantage of then this could be a possibility.
    3,4,5,6, coming up....updating...this will be a long post...advance warning.

    Status - Possibly - More Research Required
    47
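A way to read those bootloader headers programmatically instead of by eye, added here as an example and not code from this thread or its members: it decodes the ten-word MBN header shown in the dumps above (and sbl1's longer variant), cross-checks the size and pointer fields against each other, and uses them to compute where the signed image ends, which is the truncation point the hexedit step locates by hand. The header layout is the standard Qualcomm MBN one; the rule that the image starts at image_src, or right after the header when image_src is zero, is my assumption.

```python
import struct

# Added example, not code from the thread. sbl2/sbl3/aboot/tz/rpm open with ten
# little-endian uint32s; sbl1 has a longer header that starts with a fixed
# codeword/magic pair and carries the same fields from word 5 on.
STD_HDR, SBL1_HDR = struct.Struct("<10I"), struct.Struct("<13I")
SBL1_CODEWORD, SBL1_MAGIC = 0x844BDCD1, 0x73D71034
FIELDS = ("image_src", "image_dest", "image_size", "code_size",
          "sig_ptr", "sig_size", "cert_ptr", "cert_size")

def parse_mbn_header(blob):
    """Decode the header of a dd'ed bootloader partition (image_dest is the
    load address the post reads off the dump by hand)."""
    if struct.unpack_from("<2I", blob) == (SBL1_CODEWORD, SBL1_MAGIC):
        words = SBL1_HDR.unpack_from(blob)
        hdr = dict(zip(FIELDS, words[5:13]), image_id=words[2], header_len=80)
    else:
        words = STD_HDR.unpack_from(blob)
        hdr = dict(zip(FIELDS, words[2:10]), image_id=words[0], header_len=40)
    # Sanity checks: signed image = code + signature + cert chain, and the
    # signature/cert pointers are load addresses that chain from image_dest.
    hdr["consistent"] = (
        hdr["image_size"] == hdr["code_size"] + hdr["sig_size"] + hdr["cert_size"]
        and hdr["sig_ptr"] == hdr["image_dest"] + hdr["code_size"]
        and hdr["cert_ptr"] == hdr["sig_ptr"] + hdr["sig_size"])
    return hdr

def signed_length(blob):
    """Header plus signed image; bytes beyond it are dd/eMMC padding. Assumption
    (mine): the image starts at image_src when non-zero (sbl1), else after the header."""
    hdr = parse_mbn_header(blob)
    return (hdr["image_src"] or hdr["header_len"]) + hdr["image_size"]

def strip_padding(blob):
    """Cut the tail; also report whether that tail was really all 00/FF bytes."""
    n = signed_length(blob)
    return blob[:n], all(b in (0x00, 0xFF) for b in blob[n:])

# Sample 1: the first 40 bytes of the aboot.mbn dump quoted in the post.
ABOOT_HDR = bytes.fromhex("05000000 03000000 00000000 0000E088 10561400"
                          "10251400 1025F488 00010000 1026F488 00300000")

def constructed_padded_image():
    """Sample 2 (constructed): a tiny consistent image followed by the 00/FF
    padding a dd of the whole partition leaves behind."""
    dest, code, sig, cert = 0x88E00000, 0x40, 0x100, 0x20
    hdr = STD_HDR.pack(5, 3, 0, dest, code + sig + cert, code,
                       dest + code, sig, dest + code + sig, cert)
    return hdr + bytes([0xAB]) * (code + sig + cert) + b"\x00" * 0x200 + b"\xff" * 0x100
```

If the "consistent" flag comes back False on a real dump, the header was not read correctly (wrong offset or a different image type), so do not trust the computed cut point.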
    Happy one year anniversary. I can't believe I wrote the OP one year ago today, I've learned so much since then, in fact I'm embarrassed to read the OP because reading it now I realize I didn't know much back when this thread started, however I've learned a lot since then and that's mostly due to the contributions made in this thread and the people I have met here, so I just wanted to take a moment and say Thanks. :)

    #stillfightin
    37
    Any answer would just be a guess. My guess is ryanbg is feeling lonely on this project now...my hunch is that surge has moved on but the unsolved problem will bug him until it's solved, so his foot's in the door still... just a guess, I don't know either one personally. I think either one of them or any other dev is likely working on newer bootloaders... so maybe there's more effort on nc5 right now than on <mk2. Then again maybe a vulnerability is discovered for one of the older bootloaders and was patched in the newer ones.

    I'm sticking on mk2. My favorite ROM works best with the version for that bootloader, and if an unlock for a newer bootloader is ever available, I'll just upgrade at that point.

    Not moved on... just been busy and didn't have anything useful to contribute..until today anyways.

    I finally was able to re-patch the live kernel to allow insecure modules again. Meaning kexec and trustzone vulnerabilities are back on the table.

    The method I used to evoke the patch to the kernel is somewhat involved so I'll release it as a small apk or binary soon. For the time being this only affects vzw users, since I didn't check the att kernel.
    36
    Cripes, we used to self-police well enough in here, lately that's not the case. Let's get our crap together before we lose this thread. Everyone here is smart enough to know if their post is useful or not, grow up people. We're giving this all we've got, be patient. Other devs and I are in constant communication, not by pm but mostly through other means. Listen I know some of you may be frustrated with my lack of posting new info but just know that there are watching eyes on this thread that we don't want. Take the OYUAMDK thread I posted in original development, Samsung knows about that thread and I know that for a fact. I went to Best Buy and asked a Samsung rep (in the Samsung dept/area) how dev edition devices could get updates and the guy had no idea who I was but I started talking to him and he casually got more friendly and told me "Hey listen, I know there's no official dev stock images but check the XDA threads" then told me exactly where to check and said Samsung doesn't officially give dev device updates but knows they can be made/extracted, he said "someone already extracted it for the S4" so he essentially directed me to my own thread without knowing who I was. So there's a reason some stuff isn't posted here, please understand that. Also some of you are worried since there are no updates on kexec, I can confirm it's being worked on.


    TLDR - Hold your horses

    Edit: Also we're working on some stuff today, I'll post an update tonight.
    36
    Ok that's it. It's become apparent to me that far too many people are under the impression that the "bootloader" is a single entity, and that it is just too complex to understand. This is unacceptable to me. I had no idea what a bootloader was before I got this S4. I'm going to detail the process first with a general overview, then again in more detail. Plus I don't see the current threads on this topic that include all we know, like the hexagon modem/kernel and the function of the tz and sbl2 are way over generalized. And discussion of the device cookie is completely missing. I'll post it in a new thread and link it here when I'm done.

    Sent from my SCH-I545 using XDA Premium 4 mobile app