Successful verizon bootloader downgrade from locked firmware

By LupineDream, Senior Member on 27th December 2015, 07:33 AM
READ ON!

I HAVE SUCCESSFULLY BYPASSED VERIZON/ATT OF4 SECURITY ON THE OF4 BUILD for the SM-S975L and have succeeded in downgrading the bootloader by hex editing. I reach the Samsung Galaxy S4 logo. This is quite the accomplishment for me.
However, I need help with unpacking the system image and reworking it to an ATT-based ROM. Knox flat out tells me "No Verizon." when I try the flash. Because you know, aboot knox and all...

Merely hex edit the version number inside your custom boot image to match the system currently installed as you flash to stock. Search for any build number strings inside mbm files and edit accordingly. My documentation is below. Screw you verizon! I just saved myself $200.

Files to keep in Odin tar with matching build number name to pass check:

Changed
S975LUDUANB1_S975LTFNANB1_S975LUDUANB1_HOME.tar.md5
to
S975LUDUAOF4_S975LTFNAOF4_S975LUDUAOF4_HOME.tar

Hex edited version numbers into:

aboot.mpm
rpm.mbm
sbl1.mbm
sbl2.mbm
tz.mbm
boot.img

Guide update: Bootloader error "No Verizon." I suppose that's the CSC?

deleted other files from that archive.

Made new archive name of:

S975LUDUANB1_S975LTFNANB1_S975LUDUANB1_HOME.tar

Placed system files in it. Rebooted and flashed. WORKED!

It will flash in Odin 3.07. Then reboot into download mode and flash the other ones with the same, you'll be downgraded and bypass the security check since you have the downgraded bootloader.

Give me credit and donate. I just saved the Verizon users' butts. As well as the tracfone ones.

If I can figure out how to unlock the straight talk bootloader I shall do. And make a flashable Odin image.



WORKING! -> SM-S975L Straight Talk on locked down firmware. http://forum.xda-developers.com/galaxy-s4/unified-development/root-sm-s975l-straight-talk-variant-of4-t3279890/post64511525

Documentation

I need a reliable way to edit mbm files I've extracted from the stock NB1 image. OF4 bootloader won't let old versions flash, so I'm going through a hex editor after removing the md5 check to see what I can do as far as hex editing the version number to be newer than OF4 in the binaries. We get a fail on aboot.mbm. We are compatible, however Knox says we cannot downgrade.

Documentation on Odin flashable .tars and correct Samsung official mpm formats?
Help unpacking/repacking mpm files and root injection?
Documentation on Qualcomm Snapdragon machine code.

Update: aboot.mpm, modem, and system.img.ext4 version numbers changed. There is some kind of pattern; I see in system.img.ext4: NB1 scattered throughout the code pages. I'm wondering if this is safe to change. It looks like part of the code, so I'd assume no. I am seeing their routines for checksum as well there too, near there. So to the requests goes documentation on ARM assembler, machine code. I hope this helps people like, for example, loki_tool. Would be nice if we had one to patch Samsung images. I can make one that searches for the strings in the code in C for all the phone models; it sure would help bypass Verizon's crap. I'm so mad at them, rant rant rant onwards... Towelroot apk is going to need to be modified to support this build number (OF4; it is rootable since it's NB1, but towelroot just checks the build number).

UPDATE 2: Flashed. Successful Nand write start. aboot is write protected even at Download mode level. Will try documented successes on Odin 3.07 for bootloader aboot flashes. Flashing it fails with a security lockup. Odin 3.09 sits there, but Odin 3.07 might work.

Update 3: Hacking the version number to current out of the Samsung Verizon images produces successful NAND write start. Developers, please note this when unlocking boot loaders. I have discovered a compromise which will allow flashing of unofficial aboot and system data. Provided the flashed bootloader does not contain checksum code.
27th December 2015, 08:07 AM |#2  
OP Senior Member
Version number segment

Found in codepages of aboot.mpm Don't know if changing this plain text string is enough to make it match, I have a feeling CSC is going to fail which is going to require another hack. Plus half the code pages of aboot are SA1 encrypted. Going to search through mpm packages to make them all match.
Attached image: 2015-12-27.jpg
27th December 2015, 08:14 AM |#3  
OP Senior Member
In system.img.ext4 NB1 is scattered throughout the codepages. I found it several times but I'm not going to change it until I know if it will cause a system boot failure.

Build number hex edited to OF4 to bypass CSC check. Original post updated.
27th December 2015, 12:58 PM |#4  
OP Senior Member
Bump. OP updated with link and working results.
27th December 2015, 08:13 PM |#5  
Senior Member
I apologize for my ignorance since I don't fully understand the OP, so allow me to ask: does this work on USA AT&T GS4?

If it does work, and even if it doesn't, I think you should re-make the OP because I think the majority of people won't be able to understand what you did. Just a piece of advice, I think it would be great!

Good job btw, you are giving us a little bit of hope!
28th December 2015, 01:53 AM |#6  
Senior Member
Could this be reworked to downgrade firmware on the GS4 VZW (SCH-I545) ?
28th December 2015, 05:24 AM |#7  
Senior Member
You can't downgrade bootloaders if the qfuse is blown.
Period, end of discussion.
You tamper with the bootloader by hex editing, it's a one-way ticket to brick town on qfuse-blown VZW devices.
28th December 2015, 06:04 AM |#8  
OP Senior Member
Quote:
Originally Posted by Legitsu

You can't downgrade bootloaders if the qfuse is blown.
Period, end of discussion.
You tamper with the bootloader by hex editing, it's a one-way ticket to brick town on qfuse-blown VZW devices.

Unless of course, you have no idea what you're doing.
Does this or my guide look like I know what I'm doing? I'm root, now with disabled knox. So please don't insult me. You can flash modified loki'd aboot no issues. As long as signature matches you're gold. No qfuse. You insult someone who spends hours in a hex editor with this kind of thing, sir. I'm not technically downgrading. I'm tricking it into passing the code the downgraded kernel provides.

Bootloader screen

Verification Check: OK
0x0 KNOX Kernel Lock: Off
0x0 Verification Lock: Off
Warranty bit: 0x1 (Void)

Kernel lock and verification lock were on last night, then some more tinkering got them off.
This stuff is to help people. So please, mediocre responses like that are not necessary. It makes me not want to share my work sometimes.
28th December 2015, 06:22 AM |#9  
OP Senior Member
Quote:
Originally Posted by rena14

I apologize for my ignorance since I don't fully understand the OP, so allow me to ask: does this work on USA AT&T GS4?

If it does work, and even if it doesn't, I think you should re-make the OP because I think the majority of people won't be able to understand what you did. Just a piece of advice, I think it would be great!

Good job btw, you are giving us a little bit of hope!

Thank you. I appreciate it. It works on the new Straight Talk / ATT GS4 with the corrected JB 4.3 and locked kernel. But as stated the flash will blow qfuse. But I'm not sure on that one, because I blew qfuse when I tried to flash TWRP, not during my tinkering.

Current issue is that Wi-Fi freezes in the OF4 firmware because the NB1 kernel does boot the OS, but OF4 is for JB 4.3 and NB1 is for JB 4.2. I have not encountered any FCs thus far. Recovery can't be flashed yet, but modified aboot with matching build number hex hacked into it OF4 does not throw a security check fail. I got nand write start, and pass.

Best I can say is try this hack method for your device. Find a sacrificial lamb you were going to throw away with a cracked screen. Ebay works, as long as the device is fully functional. All of my dev phones are old phones I'm getting rid of, so I never wreck a daily driver, and a replacement is so cheap because of a damaged model that I might only pay $50-100 for a device with a cracked screen.

Samsung's root certificates are in plain code in system.img.ext4. So sign your builds with the root certs, Sha256 pack, hex hack build number, gold.

The best explanation I can offer:

You are passing downgraded code. But Knox thinks you're just re flashing the current build.
28th December 2015, 08:12 AM |#10  
Senior Member
Quote:
Originally Posted by LupineDream

Thank you. I appreciate it. It works on the new Straight Talk / ATT GS4 with the corrected JB 4.3 and locked kernel. But as stated the flash will blow qfuse. But I'm not sure on that one, because I blew qfuse when I tried to flash TWRP, not during my tinkering.

Current issue is that Wi-Fi freezes in the OF4 firmware because the NB1 kernel does boot the OS, but OF4 is for JB 4.3 and NB1 is for JB 4.2. I have not encountered any FCs thus far. Recovery can't be flashed yet, but modified aboot with matching build number hex hacked into it OF4 does not throw a security check fail. I got nand write start, and pass.

Best I can say is try this hack method for your device. Find a sacrificial lamb you were going to throw away with a cracked screen. Ebay works, as long as the device is fully functional. All of my dev phones are old phones I'm getting rid of, so I never wreck a daily driver, and a replacement is so cheap because of a damaged model that I might only pay $50-100 for a device with a cracked screen.

Samsung's root certificates are in plain code in system.img.ext4. So sign your builds with the root certs, Sha256 pack, hex hack build number, gold.

The best explanation I can offer:

You are passing downgraded code. But Knox thinks you're just re flashing the current build.

Thank you for taking the time to answer my question, I really appreciate the time and effort you are spending on this.

Since you are still working on this, I'll just wait until you finally get all the things together and fully unlock the bootloader. My GS4 is also my daily driver so, following your advice, I'd better not attempt to do anything until I can fully understand the whole thing.

Wish you the best of luck on this project, and thanks again for your work, dude!

Regards.
28th December 2015, 03:52 PM |#11  
Senior Member
Quote:
Originally Posted by LupineDream

Unless of course, you have no idea what you're doing.
Does this or my guide look like I know what I'm doing? I'm root, now with disabled knox. So please don't insult me. You can flash modified loki'd aboot no issues. As long as signature matches you're gold. No qfuse. You insult someone who spends hours in a hex editor with this kind of thing, sir. I'm not technically downgrading. I'm tricking it into passing the code the downgraded kernel provides.

Bootloader screen

Verification Check: OK
0x0 KNOX Kernel Lock: Off
0x0 Verification Lock: Off
Warranty bit: 0x1 (Void)

Kernel lock and verification lock were on last night, then some more tinkering got them off.
This stuff is to help people. So please, mediocre responses like that are not necessary. It makes me not want to share my work sometimes.

This sounds very promising. Thank you