
Successful verizon bootloader downgrade from locked firmware

154 posts
Thanks Meter: 98
 
By LupineDream, Senior Member on 27th December 2015, 07:33 AM
16th May 2016, 04:06 PM |#61  
Senior Member
Checotah, OK
Thanks Meter: 192
 
Quote:
Originally Posted by LupineDream

READ ON!

I HAVE SUCCESSFULLY BYPASSED VERIZON/ATT OF4 SECURITY ON THE OF4 BUILD for the SM-S975L and have succeeded in downgrading the bootloader by hex editing. I reach the Samsung Galaxy S4 logo. This is quite the accomplishment for me.
However, I need help with unpacking the system image and reworking it to an ATT-based ROM. Knox flat out tells me "No Verizon." when I try the flash. Because you know, aboot knox and all...

Merely hex edit the version number inside your custom boot image to match the system currently installed as you flash to stock. Search for any build number strings inside mbm files and edit accordingly. My documentation is below. Screw you Verizon! I just saved myself $200.

Files to keep in Odin tar with matching build number name to pass check:

Changed
S975LUDUANB1_S975LTFNANB1_S975LUDUANB1_HOME.tar.md5
to
S975LUDUAOF4_S975LTFNAOF4_S975LUDUAOF4_HOME.tar

Hex edited version numbers into:

aboot.mpm
rpm.mbm
sbl1.mbm
sbl2.mbm
tz.mbm
boot.img

Guide update: Bootloader error "No Verizon. I suppose that's the CSC?"

Deleted other files from that archive.

Made new archive name of:

S975LUDUANB1_S975LTFNANB1_S975LUDUANB1_HOME.tar

Placed system files in it. Rebooted and flashed. WORKED!

It will flash in Odin 3.07. Then reboot into download mode and flash the other ones with the same, you'll be downgraded and bypass the security check since you have the downgraded bootloader.

Give me credit and donate. I just saved the Verizon users' butts. As well as the tracfone ones.

If I can figure out how to unlock the straight talk bootloader I shall do. And make a flashable Odin image.



WORKING! -> SM-S975L Straight Talk on locked down firmware. http://forum.xda-developers.com/galaxy-s4/unified-development/root-sm-s975l-straight-talk-variant-of4-t3279890/post64511525

Documentation

I need a reliable way to edit mbm files I've extracted from the stock NB1 image. OF4 bootloader won't let old versions flash, so I'm going through a hex editor after removing md5 check to see what I can do as far as hex editing the version number to be newer than OF4 from the binaries. We get a fail on aboot.mbm. We are compatible, however Knox says we cannot downgrade.

Documentation on Odin flashable .tars and correct Samsung official mpm formats?
Help unpacking/repacking mpm files and root injection?
Documentation on Qualcomm Snapdragon machine code.

Update: aboot.mpm, modem, and system.img.ext4 version numbers changed, there is some kind of pattern, I see in system.img.ext: NB1 scattered throughout the code pages. I'm wondering if this is safe to change. It looks part of the code, so I'd assume no. I am seeing their routines for checksum as well there too, near there. So to the requests goes documentation on ARM assembler, machine code. I hope this helps people like for example loki_tool. Would be nice if we had one to patch Samsung images. I can make one that searches for the strings in the code in C for all the phone models, it sure would help bypass Verizon's crap. I'm so mad at them, rant rant rant onwards... Towelroot apk is going to need modified to support this build number (OF4, it is rootable since it's NB1, but towelroot just checks the build number)

UPDATE 2: Flashed. Successful Nand write start. aboot is write protected even at Download mode level. Will try documented successes on Odin 3.07 for bootloader aboot flashes. Flashing it fails with a security lockup. Odin 3.09 sits there, but Odin 3.07 might work.

Update 3: Hacking the version number to current out of the Samsung Verizon images produces successful NAND write start. Developers, please note this when unlocking boot loaders. I have discovered a compromise which will allow flashing of unofficial aboot and system data. Provided the flashed bootloader does not contain checksum code.

Do any of y'all realize there is a completely unlocked version of the i545 that is not a developer edition? It's called the i545L. If I were y'all I would be trying to flash these files. Just do a firmware search online. These are the stock i545L firmwares I have aside from having the device. It's identical to the Verizon model in every way except it's unlocked.

I545LWWUGOF2_I545LLRAGOF2_LRA.tar.md5
I545LWWUGOH1_I545LLRAGOH1_I545LWWUGOH1_HOME.tar

Would anyone want the aboot from these files?
The Following User Says Thank You to deskjet390 For This Useful Post
 
 
16th May 2016, 04:19 PM |#62  
Senior Member
Thanks Meter: 35
 
Quote:
Originally Posted by deskjet390

Do any of y'all realize there is a completely unlocked version of the i545 that is not a developer edition? It's called the i545L. If I were y'all I would be trying to flash these files. Just do a firmware search online. These are the stock i545L firmwares I have aside from having the device. It's identical to the Verizon model in every way except it's unlocked.

I545LWWUGOF2_I545LLRAGOF2_LRA.tar.md5
I545LWWUGOH1_I545LLRAGOH1_I545LWWUGOH1_HOME.tar

Would anyone want the aboot from these files?

I'm neither a developer nor a researcher, but you might as well host them and post a link so anyone in the future can see the files if they need to.
The Following User Says Thank You to Matthew M. For This Useful Post
16th May 2016, 04:34 PM |#63  
Senior Member
Checotah, OK
Thanks Meter: 192
 
Okay,

I don't know where to host these massive firmware files publicly. Any ideas?
16th May 2016, 06:11 PM |#64  
Senior Member
Checotah, OK
Thanks Meter: 192
 
I have more firmwares for this device if needed. I work for the carrier that distributed this phone. We use Verizon's network for all of our devices.
Here is the link to the folder on my google drive that has two different firmwares.

I545L Firmwares
The Following 2 Users Say Thank You to deskjet390 For This Useful Post
1st February 2018, 08:58 PM |#65  
Junior Member
Thanks Meter: 1
 
Hi
Can we edit the modem.bin binary version with a hex editor?
For example, for the a320f the new binary is u3 and I want to write a u2 modem.bin to repair the IMEI.
I await your answer.
Thanks.
13th February 2018, 07:58 AM |#66  
Senior Member
St. Augustine, FL
Thanks Meter: 1,841
 
Quote:
Originally Posted by deskjet390

I have more firmwares for this device if needed. I work for the carrier that distributed this phone. We use Verizon's network for all of our devices.
Here is the link to the folder on my google drive that has two different firmwares.

I545L Firmwares

Sorry, won't work on the i545. Already tried it years ago.

Quote:
Originally Posted by metalgold2301

Hi
Can we edit the modem.bin binary version with a hex editor?
For example, for the a320f the new binary is u3 and I want to write a u2 modem.bin to repair the IMEI.
I await your answer.
Thanks.

Nope. Would fail signature checks.
The Following 2 Users Say Thank You to npjohnson For This Useful Post
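
An added illustration of the reply above (not code from the thread or from Samsung): when the revision field lies inside the signed region, changing that one byte invalidates the signature before the rollback comparison is reached. The image layout, key and function names are constructed for the example, and HMAC-SHA256 stands in for the vendor's asymmetric signature.

```python
import hashlib
import hmac

# Constructed layout (hypothetical, not Samsung's real format):
#   magic "IMG1" | 1-byte rollback revision | payload | 32-byte tag
MAGIC = b"IMG1"
TAG_LEN = 32
# Stand-in for the vendor signing key; real devices verify an asymmetric
# signature against a public key anchored in hardware.
VENDOR_KEY = b"constructed-demo-key"


def build_image(revision: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: authenticate header (incl. revision) and payload together."""
    body = MAGIC + bytes([revision]) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(blob: bytes, device_min_revision: int,
                 key: bytes = VENDOR_KEY) -> str:
    """Device side: authenticate first, then apply the rollback rule."""
    if len(blob) < len(MAGIC) + 1 + TAG_LEN or not blob.startswith(MAGIC):
        return "malformed"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"
    # The revision is read only from bytes that were just authenticated,
    # never from a file name or an unsigned string.
    revision = body[len(MAGIC)]
    if revision < device_min_revision:
        return "rollback-rejected"
    return "ok"


def hex_edit_revision(blob: bytes, new_revision: int) -> bytes:
    """Model of the edit asked about: change only the revision byte."""
    edited = bytearray(blob)
    edited[len(MAGIC)] = new_revision
    return bytes(edited)


if __name__ == "__main__":
    old = build_image(2, b"modem code (constructed)")
    print(verify_image(old, 3))                         # rollback-rejected
    print(verify_image(hex_edit_revision(old, 3), 3))   # bad-signature
    print(verify_image(build_image(3, b"newer"), 3))    # ok
```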
6th March 2018, 02:56 AM |#67  
klabit87
Senior Member
Thanks Meter: 1,769
 
@LupineDream do you still have the OF4 firmware? I have recently acquired this version of S4 and was hoping you had the full firmware version.

If not, no big deal. I will make my own. Just hoping to save some time.

Thanks.

EDIT: Never mind, I found it. Thanks.