Successful verizon bootloader downgrade from locked firmware

By LupineDream, Senior Member on 27th December 2015, 07:33 AM
28th December 2015, 03:52 PM |#11
Quote:
Originally Posted by LupineDream

Unless of course, you have no idea what you're doing.
Does this or my guide look like I know what I'm doing? I'm root, now with disabled knox. So please don't insult me. You can flash modified loki'd aboot no issues. As long as signature matches you're gold. No qfuse. You insult someone who spends hours in a hex editor with this kind of thing, sir. I'm not technically downgrading. I'm tricking it into passing the code the downgraded kernel provides.

Bootloader screen

Verification Check: OK
0x0 KNOX Kernel Lock: Off
0x0 Verification Lock: Off
Warranty bit: 0x1 (Void)

Kernel lock and verification lock were on last night, then some more tinkering got them off.
This stuff is to help people. So please, mediocre responses like that are not necessary. Makes me not want to share my work sometimes.

This sounds very promising. Thank you
 
 
29th December 2015, 02:31 AM |#12 AngryManMLS
This is absolutely huge news to read. I am assuming once recovery is working (i.e. TWRP), perhaps AOSP ROMs like CM13 could be usable on all Verizon S4s once the downgrade is done? I'll be keeping track of the progress on this for sure.
29th December 2015, 06:41 AM |#13 Legitsu
yes you can spoof 'minor' version numbers (pretty sure somebody already did this a while back) but it's never going to boot (unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks) it most certainly will never get you back to VRUMDK or to a loki-exploitable base, which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knox's bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and it's an automatic no-boot because it's cryptographically signed and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast than all the other variants
@npjohnson ?
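The post above describes two separate defences that a bootloader downgrade runs into: the aboot image is signed as a whole, and a fused (one-time-programmable) rollback counter refuses any validly signed image whose version is below the fuse. The following toy model is an added illustration, not code from the thread, from Samsung or from Qualcomm: the `MAGIC`/`OEM_KEY` values, the `Fuses` class, the header layout and the use of HMAC in place of the OEM's real asymmetric signature are all constructed simplifications.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed image format (not the real aboot layout):
#   header = MAGIC || major (u16) || minor (u16), then the body,
#   then a 32-byte tag over header+body. HMAC stands in for the
#   OEM's asymmetric signature; the verifier holds only a public key.
MAGIC = b"ABOT"
OEM_KEY = b"constructed-oem-signing-key"  # hypothetical, for the demo only


def sign_image(major: int, minor: int, body: bytes, key: bytes = OEM_KEY) -> bytes:
    """Produce a signed image; in reality only the OEM can do this step."""
    payload = MAGIC + struct.pack("<HH", major, minor) + body
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class Fuses:
    """Model of a one-time-programmable rollback counter: it only increases."""
    min_major: int


def verify_and_boot(image: bytes, fuses: Fuses, key: bytes = OEM_KEY) -> str:
    """Return what the (simplified) boot ROM decides about the image."""
    if len(image) < 8 + 32:
        return "reject: truncated"
    payload, tag = image[:-32], image[-32:]
    if payload[:4] != MAGIC:
        return "reject: bad magic"
    # The signature covers the header, so editing the version bytes breaks it.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "reject: signature mismatch"
    major, minor = struct.unpack("<HH", payload[4:8])
    # Anti-rollback: the version inside the signed header is compared
    # against the fuse, so a genuinely signed older image is still refused.
    if major < fuses.min_major:
        return "reject: rollback (image %d < fuse %d)" % (major, fuses.min_major)
    # A newer image may burn the counter forward; it never goes back.
    fuses.min_major = max(fuses.min_major, major)
    return "boot: v%d.%d" % (major, minor)


def tamper_minor_field(image: bytes, new_minor: int) -> bytes:
    """Test case: rewrite the minor field in place without re-signing."""
    return image[:6] + struct.pack("<H", new_minor) + image[8:]
```

Running the check against a hex-edited header and against a correctly signed older image shows the two failure paths the post refers to: the first fails the signature, the second fails the fuse comparison.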
29th December 2015, 01:07 PM |#14 LupineDream (OP)
Quote:
Originally Posted by Legitsu

yes you can spoof 'minor' version numbers (pretty sure somebody already did this a while back) but it's never going to boot (unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks) it most certainly will never get you back to VRUMDK or to a loki-exploitable base, which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knox's bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and it's an automatic no-boot because it's cryptographically signed and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast than all the other variants
@npjohnson ?

Said documentation on CPU integrity checks?
In that case, I'll most likely need more hardware than I currently have... Like a JTAG debugger. At least something that can get me low level enough to reverse engineer and find out what the CPU is trying to verify. And match an aboot to it.
29th December 2015, 01:10 PM |#15 LupineDream (OP)
Quote:
Originally Posted by Legitsu

yes you can spoof 'minor' version numbers (pretty sure somebody already did this a while back) but it's never going to boot (unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks) it most certainly will never get you back to VRUMDK or to a loki-exploitable base, which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knox's bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and it's an automatic no-boot because it's cryptographically signed and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast than all the other variants
@npjohnson ?

Right now I have a few tools that are proving useful, the IDA decompiler being one of them. But I need the documentation on the instruction sets of the CPU and the hardware spec.

Going to do some digging. I'm an IT student, though not enrolled at Penn State. There's a campus local. I'm going to do some asking around (quite cautiously) to find any equipment needed. I need this functional model to work with. I am getting a new DD next month.

Shout out to any Penn State students. This is a project that's worth the bounty. Because if a JTAG won't give me access on POST, yeah, that's a disassembly and a chip mount. And that's not something I have the funds for. At all. Even though the most backwater of websites will take an Autodesk file and 3D print me a mount for pennies on the dollar.

I'm realizing where there is a bounty on this unlock.... Again. Got to do some digging. If I become neglectful of this thread I am sorry. It's because quite honestly I'm probing for assistance.
29th December 2015, 04:02 PM |#16
Quote:
Originally Posted by Legitsu

yes you can spoof 'minor' version numbers (pretty sure somebody already did this a while back) but it's never going to boot (unless the op has discovered something new and magical that lets you remove the checksum/qfuse + chain of trust checks) it most certainly will never get you back to VRUMDK or to a loki-exploitable base, which is what we need to run real custom roms and kernels
when the op demonstrates a working method to get a loki-able aboot flashed and working then I will be impressed until then status-quo remains because this looks extremely dubious from what we know of qualcomm's qfuses and knox's bootloader shenanigans ...the status-quo has always been you so much as `touch` the aboot and it's an automatic no-boot because it's cryptographically signed and there are hard-wired integrity checks in the cpu
the i545 is a completely different beast than all the other variants
@npjohnson ?

I feel like an idiot but this might help: I was on OF1 (the latest Lollipop build) and I Odin'ed OC1 (the first Lollipop build). Here's the part that is interesting: I got a soft brick and could fix it through Odin. Sorry if you guys already knew this, just wanted to help.
30th December 2015, 05:31 AM |#17 Legitsu
Quote:
Originally Posted by LupineDream

Right now I have a few tools that are proving useful, the IDA decompiler being one of them. But I need the documentation on the instruction sets of the CPU and the hardware spec.

Going to do some digging. I'm an IT student, though not enrolled at Penn State. There's a campus local. I'm going to do some asking around (quite cautiously) to find any equipment needed. I need this functional model to work with. I am getting a new DD next month.

Shout out to any Penn State students. This is a project that's worth the bounty. Because if a JTAG won't give me access on POST, yeah, that's a disassembly and a chip mount. And that's not something I have the funds for. At all. Even though the most backwater of websites will take an Autodesk file and 3D print me a mount for pennies on the dollar.

I'm realizing where there is a bounty on this unlock.... Again. Got to do some digging. If I become neglectful of this thread I am sorry. It's because quite honestly I'm probing for assistance.

everything you wanna know is in this thread http://forum.xda-developers.com/show....php?t=2500826
pay close attention to the bits at the bottom and the posts about TZ aka TrustZone
there has been a pretty massive effort at this for some time with only sporadic progress
basically focus shifted from unlocking to getting kexec working, which is just as good
3rd January 2016, 03:37 AM |#18 Legitsu
for the record please nobody attempt this on a vzw device you will blow a qfuse or cause a hard brick
24th January 2016, 10:11 AM |#19 Awesomeslayerg
Quote:
Originally Posted by Legitsu

for the record please nobody attempt this on a vzw device you will blow a qfuse or cause a hard brick

I was about to. Anyone tried it anyways though?
24th January 2016, 02:06 PM |#20 Matthew M.
Quote:
Originally Posted by Awesomeslayerg

I was about to. Anyone tried it anyways though?

.... why would anyone try it when it's a 100% guarantee to hard brick on vzw

Sent from my SM-G903F using Tapatalk
24th January 2016, 04:34 PM |#21 Awesomeslayerg
Quote:
Originally Posted by Matthew M.

.... why would anyone try it when it's a 100% guarantee to hard brick on vzw

Sent from my SM-G903F using Tapatalk

The reason I ask is because why would it work like with the other phone but not this one?