
[EXPERIMENTAL][i9505] Possibility to Downgrade to an old Bootloader!

OP Kaito95

23rd November 2013, 06:03 PM   |  #1  
Before you read -> please use at your own risk!! I am not responsible for any damage!! Use it only if you have a JTAG or a RiffBox.

Hello dear developers,

I offer you modified files which may make it possible to downgrade to an old bootloader. Every file has the new Samsung certificate from the Android 4.3 bootloader (XXUEMK8).
This bootloader is based on the Android 4.2.2 firmware (XXUBMGA).

My presumption is that the new bootloader has something to do with the new Samsung certificate inside the new Knox-enabled bootloader.
If we flash a newer firmware it will fail because the KNOX bootloader checks the certificate while we flash an older/newer bootloader.
We know that it is not possible to downgrade to an old bootloader if it does not have the same certificate.


aboot.mbn -> https://www.dropbox.com/s/isb22plz7kvnve8/aboot.mbn
rpm.mbn -> https://www.dropbox.com/s/sng6w4lyc6p8w22/rpm.mbn
sbl2.mbn -> https://www.dropbox.com/s/x8hh3livuqh6xku/sbl2.mbn
sbl3.mbn -> https://www.dropbox.com/s/inzx4396x4zdcj1/sbl3.mbn
tz.mbn -> https://www.dropbox.com/s/973ue0rdp80qgbn/tz.mbn

I'll attach five modified files (aboot.mbn, tz.mbn, sbl2.mbn, sbl3.mbn and rpm.mbn). They are from the XXUBMGA files and carry the new certificates from XXUEMK8.

I edited the old bootloader and replaced the old certificate with the new one from the Android 4.3 bootloader. There are a few differences between the two certificates.

That means:
Updating from MJX to a newer version -> possible
Downgrading from 4.3 to 4.2.2 -> not possible -> certificates don't match the new one or the current one
Updating to the same firmware (e.g. 4.3 XXUEMK8 -> XXUEMK8) -> also possible

Older firmware like XXUEMJ5 (older than XXUEMK8) is not possible unless we include the modified files in an Odin flashable firmware. If we get newer firmwares with a new bootloader (certificates) we will not be able to flash my modified bootloader.



UPDATE:
Now with an Odin flashable tar.md5 file. Big thanks to @mike_galaxy_s
Download
FLASH IT AT YOUR OWN RISK!


Some useful information concerning the mount points of the GT-i9505 on Android 4.3 XXUEMKE
root@jflte:/ # ls -al /dev/block/platform/msm_sdcc.1/by-name/
lrwxrwxrwx root root aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root root apnhlos -> /dev/block/mmcblk0p1
lrwxrwxrwx root root backup -> /dev/block/mmcblk0p23
lrwxrwxrwx root root boot -> /dev/block/mmcblk0p20
lrwxrwxrwx root root cache -> /dev/block/mmcblk0p18
lrwxrwxrwx root root carrier -> /dev/block/mmcblk0p28
lrwxrwxrwx root root efs -> /dev/block/mmcblk0p10
lrwxrwxrwx root root fota -> /dev/block/mmcblk0p22
lrwxrwxrwx root root fsg -> /dev/block/mmcblk0p24
lrwxrwxrwx root root hidden -> /dev/block/mmcblk0p27
lrwxrwxrwx root root m9kefs1 -> /dev/block/mmcblk0p13
lrwxrwxrwx root root m9kefs2 -> /dev/block/mmcblk0p14
lrwxrwxrwx root root m9kefs3 -> /dev/block/mmcblk0p15
lrwxrwxrwx root root mdm -> /dev/block/mmcblk0p2
lrwxrwxrwx root root modemst1 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root modemst2 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root pad -> /dev/block/mmcblk0p9
lrwxrwxrwx root root param -> /dev/block/mmcblk0p19
lrwxrwxrwx root root persdata -> /dev/block/mmcblk0p26
lrwxrwxrwx root root persist -> /dev/block/mmcblk0p17
lrwxrwxrwx root root recovery -> /dev/block/mmcblk0p21
lrwxrwxrwx root root rpm -> /dev/block/mmcblk0p7
lrwxrwxrwx root root sbl1 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root sbl2 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root sbl3 -> /dev/block/mmcblk0p5
lrwxrwxrwx root root ssd -> /dev/block/mmcblk0p25
lrwxrwxrwx root root system -> /dev/block/mmcblk0p16
lrwxrwxrwx root root tz -> /dev/block/mmcblk0p8
lrwxrwxrwx root root userdata -> /dev/block/mmcblk0p29

root@jflte:/ # cat /proc/mounts
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/secure tmpfs rw,seclabel,relatime,mode=700 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/block/dm-0 /mnt/asec/com.picsart.studio-2 ext4 ro,dirsync,seclabel,nosuid,nodev,noatime,errors=continue 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,journal_checksum,journal_async_commit,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,journal_checksum,journal_async_commit,noauto_da_alloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/apnhlos /firmware vfat ro,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/platform/msm_sdcc.1/by-name/mdm /firmware-mdm vfat ro,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/platform/msm_sdcc.1/by-name/efs /efs ext4 rw,seclabel,nosuid,nodev,noatime,discard,journal_checksum,journal_async_commit,noauto_da_alloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persdata /persdata/absolute ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/data/container /mnt/shell/container sdcardfs rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/data/media /mnt/shell/emulated sdcardfs rw,nosuid,nodev,relatime,uid=1023,gid=1023 0 0
tmpfs /storage/emulated tmpfs rw,seclabel,nosuid,nodev,relatime,mode=050,gid=1028 0 0
/dev/block/vold/179:33 /storage/extSdCard exfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=utf8,namecase=0,errors=remount-ro 0 0
tmpfs /storage/extSdCard/.android_secure tmpfs ro,seclabel,relatime,size=0k,mode=000 0 0
/data/media /storage/emulated/0 sdcardfs rw,nosuid,nodev,relatime,uid=1023,gid=1023 0 0
/data/media /storage/emulated/0/Android/obb sdcardfs rw,nosuid,nodev,relatime,uid=1023,gid=1023 0 0
/data/media /storage/emulated/legacy sdcardfs rw,nosuid,nodev,relatime,uid=1023,gid=1023 0 0
/data/media /storage/emulated/legacy/Android/obb sdcardfs rw,nosuid,nodev,relatime,uid=1023,gid=1023 0 0

root@jflte:/ # cat /proc/partitions
major minor #blocks name

7 0 17703 loop0
253 0 512000 zram0
179 0 15388672 mmcblk0
179 1 12772 mmcblk0p1
179 2 52764 mmcblk0p2
179 3 128 mmcblk0p3
179 4 256 mmcblk0p4
179 5 512 mmcblk0p5
179 6 2048 mmcblk0p6
179 7 512 mmcblk0p7
179 8 512 mmcblk0p8
179 9 16896 mmcblk0p9
179 10 13952 mmcblk0p10
179 11 3072 mmcblk0p11
179 12 3072 mmcblk0p12
179 13 780 mmcblk0p13
179 14 780 mmcblk0p14
179 15 780 mmcblk0p15
179 16 2826240 mmcblk0p16
179 17 8192 mmcblk0p17
179 18 2119680 mmcblk0p18
179 19 6144 mmcblk0p19
179 20 10240 mmcblk0p20
179 21 10240 mmcblk0p21
179 22 10240 mmcblk0p22
179 23 6144 mmcblk0p23
179 24 3072 mmcblk0p24
179 25 8 mmcblk0p25
179 26 9216 mmcblk0p26
179 27 512000 mmcblk0p27
179 28 20480 mmcblk0p28
179 29 9728000 mmcblk0p29
179 32 30657536 mmcblk1
179 33 30656512 mmcblk1p1
254 0 17703 dm-0


best regards,
Kaito95
Last edited by Kaito95; 9th December 2013 at 03:27 PM.
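As an added helper (not part of the post or of any Samsung tooling), a small parser that joins the two listings above into a label -> (device, size) table and checks whether an image would fit its target partition. The embedded sample lines are excerpted from the post's own output; the function names are my own.

```python
import re

# Excerpts of the two listings in the post above (GT-I9505, XXUEMKE);
# only the bootloader-chain partitions plus boot are kept here.
BY_NAME = """\
lrwxrwxrwx root root aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root root boot -> /dev/block/mmcblk0p20
lrwxrwxrwx root root rpm -> /dev/block/mmcblk0p7
lrwxrwxrwx root root sbl1 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root sbl2 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root sbl3 -> /dev/block/mmcblk0p5
lrwxrwxrwx root root tz -> /dev/block/mmcblk0p8
"""
PROC_PARTITIONS = """\
major minor #blocks name

179 3 128 mmcblk0p3
179 4 256 mmcblk0p4
179 5 512 mmcblk0p5
179 6 2048 mmcblk0p6
179 7 512 mmcblk0p7
179 8 512 mmcblk0p8
179 20 10240 mmcblk0p20
"""
LINK_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(\S+)\s+->\s+/dev/block/(\S+)\s*$")
BOOT_CHAIN = ("sbl1", "sbl2", "sbl3", "rpm", "tz", "aboot")  # the .mbn names in the post

def parse_by_name(text):
    """Map partition label -> block device, from the by-name symlink listing."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = m.group(2)
    return links

def parse_proc_partitions(text):
    """Map block device -> size in 1 KiB blocks, from /proc/partitions."""
    sizes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].isdigit():   # skips the header and blank line
            sizes[f[3]] = int(f[2])
    return sizes

def partition_table(by_name_text=BY_NAME, parts_text=PROC_PARTITIONS):
    """Join the two listings: label -> (device, size in KiB)."""
    links, sizes = parse_by_name(by_name_text), parse_proc_partitions(parts_text)
    return {label: (dev, sizes.get(dev)) for label, dev in links.items()}

def image_fits(label, image_len, table=None):
    """Sanity check before writing an image: it must fit its target partition."""
    dev, kib = (table or partition_table())[label]
    return kib is not None and image_len <= kib * 1024
```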
24th November 2013, 08:36 AM   |  #2  
What about devices with a locked bootloader, e.g. Verizon and AT&T Galaxy S4? Would it be possible to flash the modified bootloader on those phones?
This probably won't work in general because you completely forgot to take Qfuses into consideration. You can't downgrade after one of the Qfuses is blown, period. Certificates/downgrading would only work if that didn't exist.
Last edited by Easton999GS; 24th November 2013 at 08:50 AM.
24th November 2013, 12:51 PM   |  #3  
Quote:
Originally Posted by Easton999GS

What about devices with a locked bootloader, e.g. Verizon and AT&T Galaxy S4? Would it be possible to flash the modified bootloader on those phones?
This probably won't work in general because you completely forgot to take Qfuses into consideration. You can't downgrade after one of the Qfuses is blown, period. Certificates/downgrading would only work if that didn't exist.

Sorry, I don't know about devices with a locked bootloader :/

It's only my presumption. I think there are more things that I need to look at for a successful flash. I must find the location of the files which matter while flashing an old bootloader.


If someone finds more information, you can post it here. I'll look into it. I would be glad if someone made an Odin flashable tar file.


Sent from my GT-I9505 using Tapatalk 2
mike_galaxy_s
24th November 2013, 01:54 PM   |  #4  
I could make a .tar.md5 file with Cygwin.

Sent from my GT-I9505 using Tapatalk 2

---------- Post added at 02:54 PM ---------- Previous post was at 02:22 PM ----------

Here is the download link for the Odin flashable .tar.md5 file: https://www.dropbox.com/s/icb12kpbib...NGRADE.tar.md5

Flash it at your own risk!

Sent from my GT-I9505 using Tapatalk 2
24th November 2013, 04:12 PM   |  #5  
joiN85
This is sbl1.mbn from the OLD MGA bootloader,
please change the certificate from the sbl1 MK8 bootloader!
Attached file: sbl1.rar (38.6 KB)
24th November 2013, 04:31 PM   |  #6  
Are you sure of what you have done? To sign a file you need the private key... if you copied the signature from another file it shouldn't be valid.

Sent from my GT-I9505 using Tapatalk
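An added illustration (not the OP's files, not Samsung code) of the point dpeddi raises here and that the OP's certificate swap above relies on: in a toy model of a signed image (body, an appended "certificate" carrying the public key, and a signature over both), grafting the newer certificate onto the older image, with or without the newer signature, never yields an image that verifies under the newer key. The toy RSA key sizes, the trailer layout and the image bodies are all constructed for the demonstration.

```python
import hashlib
import struct

E = 65537

def keygen(p, q):
    """Toy RSA key from two primes (constructed; real signing keys are 2048-bit)."""
    n = p * q
    return n, E, pow(E, -1, (p - 1) * (q - 1))

# Constructed stand-ins for the 4.2.2 (XXUBMGA) and 4.3 (XXUEMK8) signing keys.
OLD_N, OLD_E, OLD_D = keygen(999979, 999983)
NEW_N, NEW_E, NEW_D = keygen(1000003, 1000033)
CERT_LEN, SIG_LEN = 16, 8   # constructed fixed-width trailer: cert || sig

def make_cert(n, e):
    return struct.pack(">QQ", n, e)      # "certificate" = the public key

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_image(body, n, e, d):
    """Constructed layout: body || cert || sig, where sig covers body+cert."""
    cert = make_cert(n, e)
    return body + cert + struct.pack(">Q", pow(digest(body + cert, n), d, n))

def split_image(image):
    t = CERT_LEN + SIG_LEN
    return image[:-t], image[-t:-SIG_LEN], image[-SIG_LEN:]

def verify_image(image, trusted_n, trusted_e):
    """The boot-stage check: cert must be the pinned key AND sig must verify."""
    body, cert, sig = split_image(image)
    n, e = struct.unpack(">QQ", cert)
    if (n, e) != (trusted_n, trusted_e):
        return False                      # unknown or older key: rejected
    return pow(int.from_bytes(sig, "big"), e, n) == digest(body + cert, n)

def transplant(old_image, new_image, copy_sig=False):
    """Graft the newer image's cert (and optionally its sig) onto the old body."""
    old_body, _, old_sig = split_image(old_image)
    _, new_cert, new_sig = split_image(new_image)
    return old_body + new_cert + (new_sig if copy_sig else old_sig)

OLD_IMAGE = sign_image(b"aboot built from XXUBMGA (constructed)", OLD_N, OLD_E, OLD_D)
NEW_IMAGE = sign_image(b"aboot built from XXUEMK8 (constructed)", NEW_N, NEW_E, NEW_D)

def results():
    """What a bootloader pinned to the NEW key accepts; only the genuine image passes."""
    return {
        "genuine_new": verify_image(NEW_IMAGE, NEW_N, NEW_E),
        "genuine_old": verify_image(OLD_IMAGE, NEW_N, NEW_E),
        "old_body_new_cert": verify_image(transplant(OLD_IMAGE, NEW_IMAGE), NEW_N, NEW_E),
        "old_body_new_cert_sig": verify_image(transplant(OLD_IMAGE, NEW_IMAGE, True), NEW_N, NEW_E),
    }
```

The two transplant cases fail for different reasons: the first carries a signature made with the old private key, the second carries a signature that covers a different body.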
24th November 2013, 04:39 PM   |  #7  
Quote:
Originally Posted by dpeddi

Are you sure of what you have done? To sign a file you need the private key... if you copied the signature from another file it shouldn't be valid.

Sent from my GT-I9505 using Tapatalk

Yes, I'm very sure the certificates of the old bootloader and the new bootloader are different, and at least they have the same bytes at the end. I'll post screenshots later so you can see how many differences there are. I don't change anything in the bootloader except the certificates.

If you find anything which is useful for me, please let me know.


Sent from my GT-I9505 using Tapatalk 2
24th November 2013, 04:43 PM   |  #8  
Quote:
Originally Posted by joiN85

This is sbl1.mbn from the OLD MGA bootloader,
please change the certificate from the sbl1 MK8 bootloader!

I'm on the XXUEMJ5 firmware currently. If someone has the newest firmware and is rooted, please post it here.
-> the location is /firmware-mdm


Sent from my GT-I9505 using Tapatalk 2
24th November 2013, 04:50 PM   |  #9  
sachs
Kaito95:

Phone:
Samsung Galaxy S4 GT-i9505
ROM:Stock Firmware XXUEMJ5 Germany DBT
Kernel:Stock Kernel
Recovery:PhilZ Touch v5.18.9
System Status: Official
Binary Status: Samsung Official


How'd you do that? With PhilZ recovery, didn't you stay at 0x1? Does mirroring work? Do you have root?


24th November 2013, 05:00 PM   |  #10  
Quote:
Originally Posted by sachs

Kaito95:

Phone:
Samsung Galaxy S4 GT-i9505
ROM:Stock Firmware XXUEMJ5 Germany DBT
Kernel:Stock Kernel
Recovery:PhilZ Touch v5.18.9
System Status: Official
Binary Status: Samsung Official


How'd you do that? With PhilZ recovery, didn't you stay at 0x1? Does mirroring work? Do you have root?


I have the new bootloader unfortunately and the Knox flag stays at 0x1, but I could make the binary and system status official with Mobile Odin and Wanam Xposed. On the old bootloader it stays on custom if I flash a recovery through Mobile Odin, however. I can't test the screen mirroring functionality yet.



Sent from my GT-I9505 using Tapatalk 2
