Current ROOT Progress for G950U/G955U Snapdragon

Posted by Acoustichayes (OP, Senior Member)
***if using XDA labs app, please stop, select the 3 dot menu button in the top right, and view this thread from browser because of formatting issues with the labs app. This is to help make the OP easier to follow along with. ***

**Please Read First**
This will be the main, and ONLY thread we will keep updated for the progress of root on the Snapdragon variants of these phones from here on out.

As the other few threads are multi topic and confusing for people anticipating root, as well as for us working on it trying to sift through comments to keep each other updated. Those will be cleaned up to avoid confusion as well. This will make it easier for everyone to check back to see any new progress as I will be updating the OP whenever we make movement.

**First, and foremost, I would like to recognize and thank @STF_TimelessGoD for his work on the initial post R&D Carrier Switch/Root Snapdragon. Without his time and effort putting that thread together and maintaining it, there would still be a lot of unanswered questions and we probably would not be as far as we are**

That thread will still continue for the Carrier Switching and a full guide is available at this link
[HOW TO] Carrier Switch For S8 Snapdragon


---------------------------------------------------




Current Root Progress
We are currently working on 2 main possible methods for this. Refer to each method in RED below the Key Notes.
Please, if you do not know what terms are, or what files are, Google search them to avoid filling the thread with easily answered questions

*UPDATE* 1 - 6-19_2:34pm CST
We are looking for relevant files to properly flash from EDL Mode. IF anyone can get their hands on these 3 files, specific for our chipset, PLEASE let us know.
The first 2 are the main needed, as the provisioning can possibly be made from provisioning info already on the phone.
- prog_ufs_firehose_8998_ddr.elf
- prog_ufs_firehose_8998_lite.elf
- provision_samsung.xml


*UPDATE* 2 - 6-19_9:00pm CST
We have acquired the necessary Elf files from above. Now doing more research on proper ways to use them as they are Qualcomm/device specific.

*UPDATE* 3 - 6-22_1:34am CST
Much much time spent combing through code of these files and tools that are able to handle them, as well as the verification process Android uses in conjunction with Qualcomm between all 3 bootloaders. Learned a lot tonight.
We learned enough to be able to begin some new tests tomorrow that is not the same as either of the methods below. However I cannot at this time divulge the method being used and for that I am sorry!

*UPDATE* 4 - 6-28_4:35pm CST
We studied up a lot on our SELinux and the way that Nougat 7.0 has changed how security works and are currently working on adb permissive with *a debuggable user* kernel. Refer to Update 4 in Key Notes for more info.
-METHODS UPDATED WITH METHOD 3


Key Notes
In general order of them happening/being found out.
  1. - Pre Release Combo Firmware is only known Firm to contain Allow OEM Unlock and have SELinux set to permissive by default. However, @elliwigy went through this thoroughly and found that permissive did literally nothing to help elevate privileges as it should have, and that the OEM unlock check box didn't seem to have any effect on secureboot.

  2. - Received multiple ENG Boot files, none of them contained system write capabilities as they should have. So they were no help. Someone (leaving names out) said they had ENG Boot with full root access that he would share, but stopped all involvement in the thread and we never heard back from him. Generally, just about always, an ENG Boot has system write capabilities, as that's the point of an Engineering Kernel.

  3. - SELinux Permissive was achieved on Stock firmware by @STF_TimelessGoD but it caused the phone to not charge past 80%. Trying to get into su shell from adb says it is started as root, but doesn't actually enter root shell. @elliwigy tested this out as well with the same results. Otherwise same problems as above.

  4. - @elliwigy got ahold of an actual ENG Boot, however, trying to flash from Odin the phone returned "This is ENG binary. Please use USER binary! (boot.img)". Meaning 2 things. 1, it is a true ENG Boot with system access, and 2, Samsung really stepped up their security.

  5. - Chainfire Auto root does NOT work on our devices. To be clear, Chainfire's website has a bot that auto-compiles for all new devices regardless of it being capable or not. He did take a look at our device, but decided he wasn't going to spend the mass amount of time on it that is needed, like we currently are!

  6. - Next we looked at multiple security vulnerabilities that would allow escalated privileges (access to the system). Ended up deciding against this as we do not have a dev on the project with exploit building knowledge.

  7. - I brought up EDL mode as a possibility. Which is not supposed to be supported on Samsung as it needs fastboot, normally. Without fastboot, you are supposed to use a proprietary EDL cable (easily made) to force your phone into it. Which still was thought to be inaccessible on Samsung. After a lot of research on how it SHOULD be done, we had mixed results. Until @BotsOne by chance found you could get into EDL from adb command line with the phone on. So this is part of one of our methods below.

  8. - I'm looking at modifying a serial flash tool to know the partition table of our devices, to make EDL mode properly work for us. This is so we can flash individual partitions and not the whole system.

  9. *UPDATE* 2 - No need to modify a serial flash tool, as using the Elf files from earlier takes care of that work. Working with them now to fully understand and operate with them.

  10. *UPDATE* 4 - With the help of a fellow dev, @akiraO1, that has much more SELinux experience than us, we were able to get a foot in on changing things and making our SELinux fully permissive. There is a prop setting that made it kind of tight, but changing persist.security.ams.enforcing *AND security.perf_harden* to 0 fixed most of this. But there is still much more as the fstab inside the boot.img has system set to ro. We are working on this, but things are looking up.



METHOD 1
Flashing Modified Bootloader Via EDL Mode
  1. Modify a current serial flashing tool (such as the Mi flash tool) to include our partition table and options to flash to certain partitions individually
  2. Modifying the bootloader source code to be unlocked, then flashing unlocked bootloader via EDL
  3. At that point we could Odin Twrp and then flash whatever we wanted


METHOD 2
Flashing True ENG Boot Via EDL Mode
  1. - As the first method, would need to modify a serial flashing tool for this.
  2. - First check would be to flash the True ENG Boot to the device via EDL.
  3. - Then check if it boots because you can't Odin the Eng Boot without it failing as stated in key notes above. Because EDL has elevated privileges, it will flash to the device, but we have to see upon starting, if it will still binary check and stop from booting.
  4. - If it boots, we should then be able to access su shell, and run a batch to obtain system root as usual.


METHOD 3 - Update 4
Modifying Boot Parameters with SELinux
  1. - Using the permissive boot for which we figured out proper capabilities
  2. - Gain access to proper partitions to make the phone load a custom selinux profile that allows rw to system
  3. - Mount system r/w and install su binaries via adb
  4. - Modify remaining parameters needed within boot.img and create a runnable script for everyone!


^^EVERYTHING ABOVE WILL BE UPDATED AS PROGRESS IS MADE, WITH EDIT DATES. JUST LOOK FOR THE WORD *UPDATE* NEAR RELEVANT AREAS.^^


All Relevant Files, Hosted Courtesy Of @Maltego
- CLICK HERE -


------------------------------------------------------------------------------------------


Current Contributors
@elliwigy
@Maltego
@STF_TimelessGoD
@BotsOne
@mweinbach
+ @akira01
+ @Harry44

**If you would like to help or contribute in any way, please message me.**
It may take a bit to get back to you, and for that I apologize.

---------------------------------------------------------------------------------------------

**Please be patient with us as this is not a simple task and it is not a standard root method that has ever been used on Samsung as EDL was not previously available**

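One way to audit a device for the weakened state the OP's Update 4 and Method 3 describe (SELinux not enforcing, the two props set to 0, /system remounted rw), written as an added example that is not part of the thread or the team's tooling. The getprop, mount and getenforce output below is constructed; the ro.boot.verifiedbootstate and ro.debuggable checks are assumed extras the thread does not mention.

```python
import re

# Constructed sample of `adb shell getprop` output for a device in the
# state Update 4 describes (values are made up for this example).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.boot.verifiedbootstate]: [orange]
[persist.security.ams.enforcing]: [0]
[security.perf_harden]: [0]
[ro.debuggable]: [1]
"""

# Constructed sample of `adb shell mount` output with /system remounted rw.
SAMPLE_MOUNT = """\
/dev/block/bootdevice/by-name/SYSTEM on /system type ext4 (rw,seclabel,relatime,discard)
/dev/block/bootdevice/by-name/USERDATA on /data type ext4 (rw,seclabel,nosuid,nodev,noatime)
"""

SAMPLE_GETENFORCE = "Permissive"  # constructed `adb shell getenforce` output

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def mount_flags(text, mountpoint):
    """Return the option set for `mountpoint` from `mount` output, or None."""
    for line in text.splitlines():
        parts = line.split()
        # Line shape: <dev> on <mountpoint> type <fstype> (<opt,opt,...>)
        if len(parts) >= 6 and parts[1] == "on" and parts[2] == mountpoint:
            return set(parts[5].strip("()").split(","))
    return None


def audit(getprop_text, mount_text, getenforce_text):
    """Collect findings that indicate a weakened boot/SELinux posture."""
    props = parse_getprop(getprop_text)
    findings = []
    if getenforce_text.strip().lower() != "enforcing":
        findings.append("selinux_not_enforcing")
    for key in ("persist.security.ams.enforcing", "security.perf_harden"):
        if props.get(key) == "0":          # the two props the thread sets to 0
            findings.append(key + "=0")
    state = props.get("ro.boot.verifiedbootstate", "green")
    if state != "green":                   # assumed check: verified boot state
        findings.append("verifiedboot_" + state)
    if props.get("ro.debuggable") == "1":  # assumed check: debuggable build
        findings.append("debuggable_build")
    flags = mount_flags(mount_text, "/system")
    if flags is not None and "rw" in flags:
        findings.append("system_mounted_rw")
    return findings
```

A clean stock device yields an empty findings list; anything returned is a fact worth explaining before trusting the phone with sensitive data.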
 
 
18th June 2017, 06:21 AM |#2 Acoustichayes (OP, Senior Member)
**reserved**

IF YOU ARE LOOKING AT THIS FROM THE XDA LABS APP, YOU WILL OF COURSE NOTICE THE LACK OF COLORS AND SLIGHTLY AWKWARD FORMATTING.
-This is an issue with the apps ability to parse bb code format. And I cannot fix that. So just try to look for the update tags or use web browser. Sorry for the inconvenience
18th June 2017, 06:26 AM |#3 mweinbach (Portal Writer)
We will keep working on root guys. Do not worry. We are as close as you will get to professionals.
18th June 2017, 12:29 PM |#4 razrlover (Senior Member)
Nice job clarifying where we are and separating the 2 threads, I think this was greatly needed.
18th June 2017, 08:14 PM |#5 Interceptor777 (Senior Member)
Nicely constructed thread showing our progress, good job!

Also this came to my mind, what about flashing those ENG files @elliwigy got through EDL mode?
18th June 2017, 08:16 PM |#6 mweinbach (Portal Writer)
Quote:
Originally Posted by Interceptor777

Nicely constructed thread showing our progress, good job!

Also this came to my mind, what about flashing those ENG files @elliwigy got through EDL mode?

We thought of that. We are missing 3 files we need.
18th June 2017, 09:09 PM |#7 Interceptor777 (Senior Member)
Quote:
Originally Posted by mweinbach

We thought of that. We are missing 3 files we need.

Ah, I'm assuming those are EDL programmer files?
18th June 2017, 09:10 PM |#8 Senior Member (Greenville)
Quote:
Originally Posted by Interceptor777

Ah, I'm assuming those are EDL programmer files?

Correct!
18th June 2017, 09:14 PM |#9 mweinbach (Portal Writer)
Quote:
Originally Posted by Interceptor777

Ah, I'm assuming those are EDL programmer files?

Yep. We need $3500 to get into Samsung GSPN. So we are working on alternative methods.
18th June 2017, 09:44 PM |#10 TimelessPWN (Senior Member, Greenville)
Quote:
Originally Posted by mweinbach

Yep. We need $3500 to get into Samsung GSPN. So we are working on alternative methods.

Not necessarily, that was just that one person. I got a reply from another last night, waiting to see the price.
18th June 2017, 09:59 PM |#11 mweinbach (Portal Writer)
Quote:
Originally Posted by STF_TimelessGoD

Not necessarily, that was just that one person. I got a reply from another last night, waiting to see the price.

Well, for now, that's what we need.