[G975U] DISCUSSION on Root/BL Unlock

Hello!

I just picked up a SM-G975U to play with.

Before you get your hopes up, root and BL unlock are NOT POSSIBLE on USA variants at this time!

I created this discussion so those willing and able can brainstorm with me in the hope of achieving root or unlock.

Now, I wouldn't be creating this thread if I didn't think it was possible, or without some form of teaser.

Don't ask me how, but flashing combo is possible. I cannot and will not share the method/files, as they are not mine to share.

I noticed on combo this time around that if you toggle OEM unlock, there is a tag that says "OEM Unlocked" when you enter download mode. When you long-press Vol Up it also takes you to the unlock screen. After pressing Vol Up to accept, it reboots and wipes data.

I am not sure of the steps after this, but so far I haven't been successful in flashing modified firmware. It is possible this is just visual, but I feel this is closer than any past devices I've owned. Anyone with know-how on where the flash lock bit is stored would be of great help.

I should be able to flash some partitions after modifying them, such as vbmeta or dtbo etc., to hopefully unlock the BL, if I only knew what to modify.

This is not a how-to or dev thread, so don't expect me to share any files. It is merely to discuss how the BL is unlocked on SD S10 devices, to hopefully lead to an unlock down the road.

To my understanding, toggling OEM unlock sets a bit that tells the system that OEM unlocking is allowed, as well as disabling security such as FRP. This persists across reboots, firmware flashes, etc.

After that, in DL mode there is a tag that also says the device is OEM unlocked. At this point you need to actually hold Vol Up to OEM unlock the device.

After this I am unclear. We should be able to flash custom firmware, at which point the verified boot state will be orange and the flash lock bit is 0. In my case, verified state is still green and flash lock is still 1, and flashes fail unless officially signed.

I know the dtbo is related to verity and vbmeta to verified boot, Vaultkeeper to RLC. Then you have metadata, a few "keys" related partitions, etc.

What is everyones take on this? Any ideas/suggestions are greatly appreciated in advance!
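The vbmeta / verified-boot relationship the OP touches on, as an added example that is not from the thread, from Samsung, or from any leaked file: a Python parser for the 256-byte AVB vbmeta image header (field layout and flag values as in the public libavb AvbVBMetaImageHeader definition), a builder for a constructed unsigned header of the shape avbtool's make_vbmeta_image --flags produces, and a small model of the bootloader's lock-state policy. Function names and the release string are my own assumptions, not anything found on a G975U. The practical point it demonstrates matches what the OP observes on a locked device: an unsigned (algorithm NONE) vbmeta or the "verification disabled" flag is only honoured once the device is unlocked; on a locked device the bootloader rejects it, and because the flags sit inside the signed header, flipping them in a signed image simply breaks the signature.

```python
"""Parse and reason about an AVB vbmeta image header.

Added example, not code from the thread.  Layout, constants and flag
bits follow the public libavb AvbVBMetaImageHeader definition; the
policy model in bootloader_verdict() is a simplification of libavb's
avb_slot_verify() behaviour.
"""
import struct

AVB_MAGIC = b"AVB0"
# AvbVBMetaImageHeader: big-endian, 256 bytes in total.
HEADER_FMT = ("!4s2L"   # magic, required libavb major/minor version
              "2Q"      # authentication / auxiliary data block sizes
              "L"       # algorithm type (0 = NONE, i.e. unsigned)
              "2Q"      # hash offset, size
              "2Q"      # signature offset, size
              "2Q"      # public key offset, size
              "2Q"      # public key metadata offset, size
              "2Q"      # descriptors offset, size
              "Q"       # rollback index
              "L"       # flags
              "L"       # rollback index location
              "47sx"    # release string, NUL terminated
              "80x")    # reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 256

FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity hashtree not enforced
FLAG_VERIFICATION_DISABLED = 1 << 1  # whole vbmeta chain not enforced

ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}


def parse_vbmeta_header(blob):
    """Return the security-relevant header fields of a vbmeta image."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("vbmeta image shorter than the 256-byte header")
    f = struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])
    if f[0] != AVB_MAGIC:
        raise ValueError("bad magic, not an AVB vbmeta image")
    flags = f[17]
    return {
        "libavb_version": (f[1], f[2]),
        "auth_block_size": f[3],
        "aux_block_size": f[4],
        "algorithm": ALGORITHMS.get(f[5], "UNKNOWN(%d)" % f[5]),
        "signature_size": f[9],
        "public_key_size": f[11],
        "rollback_index": f[16],
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "release_string": f[19].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def make_unsigned_vbmeta(flags=0, release=b"added-example"):
    """Build a minimal unsigned (algorithm NONE) vbmeta header, the shape
    `avbtool make_vbmeta_image --flags N` emits when given no key.
    Constructed test data, not a dump from any device."""
    return struct.pack(HEADER_FMT, AVB_MAGIC, 1, 0,
                       0, 0,                    # no auth / aux blocks
                       0,                       # algorithm NONE
                       0, 0, 0, 0, 0, 0, 0, 0,  # hash, sig, pubkey, pk metadata
                       0, 0,                    # no descriptors
                       0,                       # rollback index
                       flags, 0,                # flags, rollback index location
                       release)


def bootloader_verdict(hdr, device_unlocked):
    """Simplified libavb policy: only an unlocked device may continue past
    a verification error (and then boots in the orange state); a locked
    device requires a vbmeta signed with its trusted key and the flags,
    being inside the signed header, cannot be changed without breaking
    that signature."""
    if hdr["algorithm"] == "NONE" or hdr["verification_disabled"]:
        if device_unlocked:
            return "boot without verification (verified boot state: orange)"
        return "refuse to boot: locked device, vbmeta unsigned or verification disabled"
    return ("verify %s signature with the trusted key; flags are inside the signed region"
            % hdr["algorithm"])


if __name__ == "__main__":
    img = make_unsigned_vbmeta(FLAG_VERIFICATION_DISABLED | FLAG_HASHTREE_DISABLED)
    hdr = parse_vbmeta_header(img)
    for k, v in hdr.items():
        print("%-22s %r" % (k, v))
    for unlocked in (False, True):
        print("unlocked=%-5s -> %s" % (unlocked, bootloader_verdict(hdr, unlocked)))
```

To look at a real image, read the vbmeta partition dump (or the vbmeta.img from a firmware package) and pass the bytes to parse_vbmeta_header; a stock Samsung image should show a non-NONE algorithm, a non-zero signature size and flags 0, which is exactly why editing it on a locked device gets the "flashes fail unless officially signed" result the OP describes.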
12th May 2019, 12:16 AM |#2
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
some screens
Attached thumbnails: IMG_20190510_192607.jpg, IMG_20190510_191753.jpg, IMG_20190510_191727.jpg
12th May 2019, 01:06 AM |#3
galaxys (Senior Member)
Welcome aboard! Appreciate all your work from the Note9! Kudos
13th May 2019, 06:01 AM |#4
krazy_smokezalot (account currently disabled)
Hey OP, I know you from somewhere... Epic Touch 4G forums? 🤔 I can't remember what device you had, but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we've got SD, which is different, but maybe a shot 🤷‍♂️
19th May 2019, 01:17 AM |#5
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
Quote:
Originally Posted by krazy_smokezalot

Hey OP, I know you from somewhere... Epic Touch 4G forums? 🤔 I can't remember what device you had, but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we've got SD, which is different, but maybe a shot 🤷‍♂️

Haha, I did own an Epic 4G Touch back in the day.. I was more lurking way back then, but who knows lol.

For an update, no luck yet lol. Been messing with combo on G975U but no easy way in yet. I have managed to change some stuff on efs and other partitions.

The binary checks Sammy implemented starting in the S9 devices suck.

I am still looking though.
20th May 2019, 03:04 AM |#6
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
I now have uid 1000 access. With how SELinux contexts and ownership are in Pie, though, I can only access stuff that is mounted rw and is system user/group, which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.

Dev block-wise, I can access the persistent and steady partitions. Other than that, I can write to the ones that are already mounted.

uid 1000 is a step in the right direction, though... beats the shell 2000 uid.
20th May 2019, 03:05 AM |#7
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
Not to mention the method for uid 1000 should be there on any Sammy device with combo firmware lol.
21st May 2019, 12:13 AM |#8
Chibisuke1219 (Junior Member)
Hi, is there anything I can do to help at all? If so, I am willing. I have found some stuff online as well and posted it in a different post, but I can share it here if you are interested.
24th May 2019, 02:54 AM |#9
Member, Corpus Christi TX
I am definitely interested in learning more and being a part of this convo, fellas! I have been in the business for at least 8 years now and want to learn the next step, which is how to navigate around the S10/S10+ security features. Anyone mind showing me a few ropes, please?
24th May 2019, 09:11 PM |#10
Senior Member
Quote:
Originally Posted by elliwigy

Not to mention the method for uid 1000 should be there on any Sammy device with combo firmware lol.

This is similar to the techniques used to write IMEI on CPID phones. Can you share the scripts you use for temp root?
26th May 2019, 12:13 AM |#11
elliwigy (OP, Recognized Developer / Retired Forum Moderator)
Quote:
Originally Posted by Chibisuke1219

Hi, is there anything I can do to help at all? If so, I am willing. I have found some stuff online as well and posted it in a different post, but I can share it here if you are interested.

Any good reads are welcome!