[DISCUSSION][S7-SNAPDRAGON]Unlock Bootloader - R&D


Splitz101

New member
Sep 5, 2017
3
1
Possible Bootloader Unlock with G930U Firmware

Since we now have access to the G930U firmware, can we find the key in the .md5 files that we use to flash it since it is rootable using the ap file?
 

YMNDLZ

Guest
Since we now have access to the G930U firmware, can we find the key in the .md5 files that we use to flash it since it is rootable using the ap file?
We've had access to the SM-G930U firmware for over a year now. That changes nothing with our bootloader unlock chances.
 

MyKeyC

Member
Oct 31, 2013
27
3
Plead my ignorance, but might the new forthcoming Android (8.x) Oreo be a means to sidestep some of the issues?

Oreo is an entirely new implementation of Android, where the SoC manufacturers create the underlying hardware interface, and the device OEM creates the UX front end. This might side-step the need to unlock a device to add custom features. So whilst this isn't a means to directly access/unlock the bootloader, the need might become a redundant step. With Oreo, the UX essentially becomes a "plugin". So, for a given SoC, even AOSP will - at the hardware interface level - be identical to any other brand/flavour of Android. How that is implemented is, of course, still up to Samsung (in our case).

Check out ARS Technica's extensive article on Oreo, and you'll see where they head with the argument:
https://arstechnica.com/gadgets/2017/09/android-8-0-oreo-thoroughly-reviewed/

Admittedly, this won't be until Android 8 appears on the S7 (around April next year).

Referring to my original post, the specific feature coming correlated to Oreo is Project Treble. This link gives a more precise rundown of what Project Treble means in practice (and, once you have Oreo, determining if your device supports Treble).

https://www.xda-developers.com/project-treble-android-oreo/

This article makes reference both to new (forthcoming) devices such as the S9 - which will be Project Treble compliant at the outset - and top-line existing models that will likely receive support (manufacturer dependent). So whilst I imagine the S8 may well receive a Project Treble spot-prize, I get the feeling that the S7 might just miss out.
 
I have a G930U with Marshmallow 6.0.1, flashed with the engineering root and of course the bootloader is locked. It uses SuperSU 2.76 (I have had a lot of trouble even getting it to update to SuperSU 2.79. The latest version doesn't work on this device). I have been using FlashFire for a while now; flashed three debloat scripts and Xposed. I also own an Amazon Fire 7 and an HD 8. The 7 is rooted, uses SuperSU (the latest), has a custom ROM, but the bootloader is locked. The ROM can be flashed with FlashFire (there are two for it, both are maintained currently). My question is: What is stopping a custom ROM from being flashed to this G930U using FlashFire?
 

Craz Basics

Senior Member
Jul 2, 2015
1,546
617
I have a G930U with Marshmallow 6.0.1, flashed with the engineering root and of course the bootloader is locked. It uses SuperSU 2.76 (I have had a lot of trouble even getting it to update to SuperSU 2.79. The latest version doesn't work on this device). I have been using FlashFire for a while now; flashed three debloat scripts and Xposed. I also own an Amazon Fire 7 and an HD 8. The 7 is rooted, uses SuperSU (the latest), has a custom ROM, but the bootloader is locked. The ROM can be flashed with FlashFire (there are two for it, both are maintained currently). My question is: What is stopping a custom ROM from being flashed to this G930U using FlashFire?
Nothing, there are a couple available.
 

Omegeddon

Member
Sep 30, 2015
18
1
As someone who came to the S7 from the S5 it was only last year the community was able to unlock the Verizon S5 bootloader. Is there any chance a similar method could be applied to the S7? Has anyone tried following their process or contacting any of them for insight?
 

Dycast

Member
Nov 5, 2016
8
1
Developers/Programmers start your engines! - We can fully customize the phones, and don't even NEED to root. How's that sound? Well, a few "tricks" still, one being this is not supposed to be for "consumer" use, but I'm sure someone will be able to get these and hopefully 'crack' them so they don't need to be re-purchased .. ok ok,

GO CHECK THIS OUT: https://seap.samsung.com/content/why-root-your-phone-when-you-can-customize-it-instead/

*POOF* Mind-blower! That's a direct Samsung link even! (Think they wanted us to find it?)

Developer Tools Overview: https://seap.samsung.com/sdk

Here's all the goodies, listed out, now we just need some good Devs to obtain the keys. They still won't allow direct "root" access, but use an 'attestation' MDM (in the cloud) to authorize the call you're making to the API with the correct 'key' -- (from what I understand). It appears that the Customization Key is the primary one to be interested in; may need the SSO key in order to load an actually non-rooted, non-warranty-voiding, truly legit version of TWRP?? There is even a guy mentioning he had a G930F, rooted, and he screwed something up and had TWRP, and how could he fix his device? Their response was "it is not made to be used in the manner of overriding Knox" .. My take from that is not that they are saying don't do it!! They are simply saying write it correctly so that it is allowed by KNOX. I think their primary goal (aside from making more $$ off selling the keys) is to have 'customization' of the phones allowed in a manner that holds security and promotes good practice, because using these methods everything we want is obtainable, but without getting into/disabling KNOX and therefore not tampering (they hope) with the premium apps like Samsung Pay that could cause more potential problems and/or malware that could affect unsuspecting people..

Anyways, that's my take on it.. Hopefully a few good Devs see this post and go take a look. I think using their written-out, fully supported methods a good Dev could make even more unique firmware than we have ever seen before on these devices! Especially with DeX being fully implemented in the newest model phones!

All I ask, keep me in mind when you make something great! I so miss the customized bootloaders and TWRP.. but I do use Samsung Pay quite often, and have not had any issues with my phone being affected by crap software..

-Dycast
 

YMNDLZ

Guest
Off topic @Dycast
Please don't post here unless you've actually found something which will help us unlock the bootloader, which your post doesn't help us with. No matter how powerful these tools are, they don't give you the full power and flexibility of being rooted. Also your post suggests that we need a crack to avoid paying for a license, which is against XDA rules...
 

Craz Basics

Senior Member
Jul 2, 2015
1,546
617
So, been reading up a little bit. About T-Flash mode and stuff. Check this out:

It's saying that we can bypass signatures in Odin (is that what Odin Prince Comsy does?). It also has a bunch of other good information.
 

Attachment: SSTIC2017-Article-attacking_samsung_secure_boot-basse.pdf

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
no, comsey just ignores the sha/md5 on the file.. it still needs to be signed to successfully flash even in comsey odin.. comsey mainly for flashing U firmware on carrier devices and vice versa.. like on S8 lineup, comsey is needed to flash U1 firmware onto my U device..

either way the OP should pm me and we can chat on hangouts or telegram.. i have some theories.. although i have an s8+, we can help each other out.

oh and crom apk will not work.. looked into it back on s6 days but now on s8+ we have a steady partition.. unfortunately the bootloader on the chinese/HK variants has a "CROM" lock on it that the apk removes to unlock the BL when KIWIBIRD is written to steady.. since usa variants dont have a "crom" lock to start, it ignores the KIWIBIRD flag altogether lol so even if u had a steady partition it most likely would not work


to add, i am one of the devs that rooted S8, S8+ and was there for Note 8 SamPWND and SamFAIL roots and have been looking for a BL unlock since.. so someone start up a telegram group and shoot me an invite lol.. i dont like back n forth in a forum, need something more real time
 

Craz Basics

Senior Member
Jul 2, 2015
1,546
617
no, comsey just ignores the sha/md5 on the file.. it still needs to be signed to successfully flash even in comsey odin.. comsey mainly for flashing U firmware on carrier devices and vice versa.. like on S8 lineup, comsey is needed to flash U1 firmware onto my U device..

either way the OP should pm me and we can chat on hangouts or telegram.. i have some theories.. although i have an s8+, we can help each other out.

oh and crom apk will not work.. looked into it back on s6 days but now on s8+ we have a steady partition.. unfortunately the bootloader on the chinese/HK variants has a "CROM" lock on it that the apk removes to unlock the BL when KIWIBIRD is written to steady.. since usa variants dont have a "crom" lock to start, it ignores the KIWIBIRD flag altogether lol so even if u had a steady partition it most likely would not work


to add, i am one of the devs that rooted S8, S8+ and was there for Note 8 SamPWND and SamFAIL roots and have been looking for a BL unlock since.. so someone start up a telegram group and shoot me an invite lol.. i dont like back n forth in a forum, need something more real time
Interesting. I started one if you didn't care who made it. https://t.me/joinchat/F7tVQwwAiSWDcHGDwx-GSg
 


KillerClaw321

Senior Member
Jan 4, 2015
364
69
yea man, hopefully other serious ppl from here and elsewhere will join that have Sammy devices.. i think if 1 figures it out it will be same or similar to s7 and s8 and note 8 etc.. s8/note 8 are on same chipset tho, i think S7 is SD 820??

Yeah S7 is a snapdragon 820.


What happened to the chat?
 

Vell123

Senior Member
Nov 3, 2012
113
21
Well, I've been reading the BL.md5 file, and how I've done it: if you delete the md5 extension and extract it as a tar file you'll get three files with encryption; some of it is readable. I'm studying the code and looking for loopholes. However, I have tried flashing the G935F BL file on my G935V and it gives me a device ID not supported error, so if we can somehow implant the US model's device ID into the G935F BL file we should have an unlocked bootloader. It's just a theory, but I believe this would be a great start for US models of the S7 Edge.

I believe Z3X box bypasses the device ID error, because I've rooted my US model Note 8, and whereas Odin would give me that error, Z3X box would not.
 

NOOR111

Member
Dec 26, 2017
7
0
S7 Edge

Hi,
I don't know too much, but what if we flash stock firmware of the SM-G935W8 (Exynos) or SM-G935F (also Exynos) using Prince Comsy's Odin or via FlashFire? I saw someone do it on YouTube via FlashFire.
 

Top Liked Posts

  • 25
    Models: SM-G930_, SM-G935_ (Flat & Edge, all Snapdragon variants, NOT Exynos)
    Developer thread only!
    Work in Progress!
    DON'T flash anything on your phone unless you either a) Don't care about the result or b) Know what you're doing! I will take NO RESPONSIBILITY for you breaking your phone! Know the risks!

    Research & Development Thread for Unlocking S7 bootloader

    What is this thread?
    This is a thread with all information (research) I can find regarding the locked bootloader for the S7 Snapdragon (Exynos has been unlocked so this thread will NOT cover that.) There are a lot of great seasoned Devs out there, but it seems all have given up, or remained in the dark. Flagships like the S7 we all bought because they're amazing phones, but it appears the future is locked bootloaders; if you're here then you're interested in custom ROMs. If we give up and can't 'crack this', then I'm afraid amazing phones like this will never get custom ROMs, ie, that will be a thing of the past.

    In other words, there doesn't appear to be any development anymore on trying to unlock the bootloader. Hope is lost... or is it? Therefore, we need new talent. We need a new generation of developers walking into the game knowing that what they're trying to do is almost impossible. I'm hoping this thread will quickly bring any developer up to speed so we can get some "unlocking Dev rookies". We are recruiting! Come here and ask questions regarding this so hopefully you can figure this out!

    I'm going to update the first few posts from time to time with critical info, links to info, etc. My goal with this thread is to put all of the great information from the community in one place. I don't want people to have to search this entire thread, rather get the info quick so they can begin developing quick, so we can get an unlocked bootloader, QUICK!

    Remember, there were previous locked bootloaders, but many of them have been cracked so let's take away the 'impossibility factor'!

    Who is this thread for?
    • Anyone that wants to quickly be brought up to speed on the S7 locked bootloader status, all the hurdles, etc
    • Developers that want to be part of the future of locked bootloaders and something great!

    Who can post and what posts are allowed?
    • Anyone with PRODUCTIVE comments towards unlocking the bootloader or efforts already completed (regardless of failure or success)
    • Developers working on this initiative
    • Developers with questions for other developers regarding this
    • Wanna-be developers with questions (There is no shame, and you never know if YOU just might be the rookie dev we're looking for to unlock this! If you're willing to try something to potentially brick your device, then you can play here :) Or maybe you might throw out an idea that might spark an idea with someone else that leads to an unlock.)
    • Links to things that have been attempted
    • Information you think people should know regarding this, that's not already listed. Or information you think should be in the original post so people can easily see it. (I don't want great info hidden deep in the thread, rather on the first page)
    • Keep me honest! If I post nonsense or inaccurate information, WE NEED you to correct me! Last thing I want to do is steer anyone in the wrong direction!

    What NOT to post:
    • "+1"
    • "Thanks"
    • Petitions
    • Bounties
    • ANYTHING NEGATIVE! Negative Nancy, PLEASE go away!!
    • Etc. In other words, DON'T waste thread space with nonsense. (Don't let that comment confuse you, however, with the 'very welcoming' questions from developers; this SHOULD be a collaborative thread. Productive input is certainly welcome.) The idea is to QUICKLY allow someone to read this and get ALL the info to start trying to crack this. Going through pages and pages of irrelevant or useless comments will only make the goal more difficult, or prevent our new rookies from coming up to speed and trying to unlock this bootloader.

    Who am I and what am I trying to get out of this?
    I'm an application engineer and developer that bought an S7 from T-Mobile and found out the hard way it had no way to get a custom ROM, despite T-Mobile's past of typically allowing this. I'm frustrated like you all & want my phone unlocked, pure and simple! Besides, this is a community, and what better agenda than to try and conquer what others have said is "impossible"!

    Other Notes:
    • MANY, many thanks to all the contributors out there!!! I got most of this information from other forums on XDA!
    • Following few posts will have resources and additional links. This thread is new so I'll find a good organization method in time.
    • PLEASE subscribe if you are (or want to be) a contributing developer, or have anything to add - or if you can answer others' questions. I think a lot of this knowledge will expand to other devices, and not just Samsung, but future devices as well.
    • Please let me know of anything to fix with this thread, like tags, thread description, etc.
    • Make sure to send the link to this thread to people you think might be interested (but don't spam them!) Or post a link to this thread in other seemingly dead threads on unlocking this bootloader. Alone it just may be impossible to do this...but as a community, sharing all of our knowledge...we can do this!
    • Still not motivated to do this? Try this: https://www.google.com/webhp?source...=1&espv=2&ie=UTF-8#q=s7+bootloader+bounties&*
    • If you found this thread useful hit "Thanks"!
    6
    Information

    Quick facts

    Locked bootloader
    • Easy way to tell your bootloader locked status(?)
    • What is the bootloader? Part of the Android boot process. See all about it here: http://newandroidbook.com/
    • Why can't we currently unlock the bootloader? There is something called the chain of trust, whereby 'everything' from when the phone first turns on, through each 'piece' it verifies the contents of the flash is legit and from a listed trusted source (either Samsung or carrier). What controls this is the current, existing software/FW on your phone. So if we took what's there and removed these checks, we currently don't have a way to write this to your phone, since "we" aren't from the list of trusted sources. How do they enforce this? The images need to be digitally signed.
    • What does it mean to digitally sign a file (or image, FW in our case)? There is a private key and public key. Samsung and/or Carrier have the private key, your phone has the public key. Author writes a new SW package, then uses a tool to get a checksum. The checksum gets encrypted with the private key. The encrypted checksum gets appended to the SW package. Using OTA (over the air deployment) or ODIN, we push the package to the phone. The phone decrypts the appended encrypted checksum using its public key, does a checksum on the remaining package, and makes sure they both match. Now you can see why we can't fake this! Only way would be to find an exploit or get the private key so we can sign these ourselves!
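The hash-then-sign check described above, as an added illustration that is not from the thread or from Samsung's actual image format: a vendor key signs the digest of a firmware image, the device side re-hashes and checks the signature with its embedded public key, and both a tampered image and one re-signed with a different key fail. Function names, the sample image bytes and the signature trailer layout are assumptions; the .md5 checksum on a stock tar is integrity only and anyone can recompute it, which is why only the signature matters here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignPackage hashes the image, signs the digest with the vendor's private key
// (RSA PKCS#1 v1.5 here; the real chain of trust uses Samsung's own format),
// and appends the signature plus a 4-byte length trailer so a verifier can find it.
func SignPackage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, image...)
	out = append(out, sig...)
	var trailer [4]byte
	binary.BigEndian.PutUint32(trailer[:], uint32(len(sig)))
	return append(out, trailer[:]...), nil
}

// VerifyPackage is the bootloader-side step: split off the signature, re-hash
// the image, and check the signature with the public key baked into the device.
// It returns the image and whether it is trusted (false is the SECURE CHECK FAIL case).
func VerifyPackage(pub *rsa.PublicKey, pkg []byte) ([]byte, bool) {
	if len(pkg) < 4 {
		return nil, false
	}
	sigLen := int(binary.BigEndian.Uint32(pkg[len(pkg)-4:]))
	if sigLen <= 0 || sigLen > len(pkg)-4 {
		return nil, false
	}
	body := pkg[:len(pkg)-4]
	image, sig := body[:len(body)-sigLen], body[len(body)-sigLen:]
	digest := sha256.Sum256(image)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return image, false
	}
	return image, true
}

// TamperedCopy flips one byte of the image inside a signed package while
// leaving the appended signature intact; the verifier must reject it.
func TamperedCopy(pkg []byte) []byte {
	out := append([]byte{}, pkg...)
	out[0] ^= 0x01
	return out
}

func main() {
	vendorKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the OEM signing key
	image := []byte("constructed sample boot image bytes") // constructed, not a real image
	pkg, _ := SignPackage(vendorKey, image)
	_, ok := VerifyPackage(&vendorKey.PublicKey, pkg)
	_, okTampered := VerifyPackage(&vendorKey.PublicKey, TamperedCopy(pkg))
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the device does not trust
	forged, _ := SignPackage(attackerKey, image)
	_, okForged := VerifyPackage(&vendorKey.PublicKey, forged)
	fmt.Println(ok, okTampered, okForged) // true false false
}
```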
    5
    Links (relevant threads)

    Resources
    4
    Tools

    Phone Apps

    Other
    4
    Flashing

    Info https://code.tutsplus.com/articles/an-introduction-to-android-firmware--cms-26791
    • Firmware (Android ROM) is stored in a writable form of memory called NAND flash memory, the same type of memory that is used in storage devices, such as USB sticks and SD cards
    • Bootloader more info

    Ways to Flash

    Flash Errors & What they mean:
    • Failed aboot Fused 2> binary 1 - bootloader error: ?
    • SECURE CHECK FAIL: No Bueno! You're trying to flash something that's not digitally signed correctly

    Firmware/Files:
    • AP (Application Processor or PDA or Android Partition): Android. System partition with recovery, etc. Recovery, kernel and ROM will be in this file. This is the only FW that is open source.
      Typical contents of update.zip:
      • android-info.txt: Text file specifying the prerequisites of the build, such as the version numbers of the bootloader and the radio firmware that the build needs
      • boot.img: Binary file that contains both a Linux kernel and a ramdisk in the form of a GZIP archive. The kernel is a boot executable zImage that can be used by the bootloader. The ramdisk, on the other hand, is a read-only filesystem that is mounted by the kernel during the boot process. It contains the well known init process, the first process started by any Linux-based operating system. It also contains various daemons such as adbd and healthd, which are started by the init process. More info
      • recovery.img: Very similar to boot.img. It has a boot executable kernel file the bootloader can use and a ramdisk. Consequently, the recovery image too can be used to start an Android device. When it is used, instead of Android, a very limited operating system is started that allows the user to perform administrative operations, such as resetting the device's user data, installing new firmware, and creating backups.
      • system.img: Partition image that's mounted on the empty system directory from boot.img. Contains the Android OS binaries as well as system apps, fonts, framework JAR files, libraries, media codecs, bloatware, etc. (Most used for flashing a custom ROM)
      • userdata.img: Partition image that will be mounted on the empty data directory from boot.img. Custom ROMs typically come with this image as blank so that it resets the contents of the data directory.
    • BL (Bootloader): Proprietary code that is responsible for starting the Android operating system when an Android device is powered on. Typically, it checks if the operating system it is starting is authentic as well. (Checks if the boot partition has been signed using a unique OEM key, which belongs to the device manufacturer, & is private.) Ie, Locked bootloader. Fastboot, IF allowed on a device, disables this check.
    • CP (Core Processor): Modem. This proprietary Radio firmware is another operating system on an independent processor called a baseband processor, independent of Android. This adds the cellular radio capabilities of the device like 3g & LTE. Qualcomm, etc develop this FW.
    • CSC (Consumer Software Customization): It is specific to geographical region and carriers. It contains the software packages specific to that region, carrier branding and APN setting. Eg Wi-Fi Calling. Flashing will lose your data (factory reset). Variations of CSC may retain data.
    • PIT files (Partition Information Tables) (Danger! Don't flash these unless you know what you're doing!)
      Different variants of the S7 have different partition sizes; the same phone on the same carrier with a different storage size has a different PIT. One issue people were having flashing images for other variants is that the partition would fill up. A workaround would be to reformat with a correct PIT file and check "repartition" in ODIN. More info via @[Ramad] https://xdaforums.com/sho...d.php?t=999097
      "Get PIT for mapping" error while flashing (indicates you need a PIT file to flash what you're trying to flash)
      -Extract current PIT file from phone: http://www.**********.com/how-to-ext...alaxy-devices/ (need root)