[G975U] DISCUSSION on Root/BL Unlock


elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Hello!

I just picked up a SM-G975U to play with.

Before you get your hopes up, Root and BL Unlock is NOT POSSIBLE on USA variants at this time!

I created this discussion so those willing and able can brainstorm with me with hopes of achieving root or unlock.

Now I wouldn't be creating this thread if I didn't think it was possible, or without some form of teasers.

Don't ask me how, but flashing combo is possible. I cannot and will not share the method/files as they are not mine to do so.

I noticed on combo this time around if you toggle oem unlock there is a tag that says "OEM Unlocked" when you enter download mode. When you long press vol up it also takes you to the unlock screen. After pressing vol up to accept it reboots and wipes data.

I am not sure of the steps after this but so far haven't been successful in flashing modified firmware. It is possible this is just a visual but I feel this is closer than any past devices I've owned. Anyone with know-how on where the flash lock bit is stored would be of great help.

I should be able to flash some partitions after modifying them such as vbmeta or dtbo etc. to hopefully unlock the BL if I only knew what to modify.

This is not a how-to or dev thread so don't expect me to share any files. It is merely to discuss how the BL is unlocked on SD S10 devices to hopefully lead to an unlock down the road.

To my understanding, toggling the oem unlock sets a bit that tells the system that oem unlocking is allowed as well as disables security such as frp. This persists across reboots and firmware flashes etc.

After that, in DL mode there is a tag that also says device is oem unlocked. At this point you need to actually hold vol up to actually oem unlock the device.

After this I am unclear. We should be able to flash custom firmware at which verified boot state will be orange and the flash lock bit is 0. In my case, verified state is still green and flash lock is still 1 and flashes fail unless officially signed.

I know the dtbo is related to verity and vbmeta to verified boot. Vaultkeeper to rlc. Then you have metadata, a few "keys" related partitions etc etc.

What is everyones take on this? Any ideas/suggestions are greatly appreciated in advance!
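Since the OP mentions vbmeta as the partition tied to verified boot, here is an added example (not from the thread or from Samsung) that parses the 256-byte Android Verified Boot vbmeta header as laid out in AOSP's libavb (`AvbVBMetaImageHeader`, all integers big-endian), reports the signing algorithm, rollback index and the two image flags, and then shows what a header with `VERIFICATION_DISABLED` set looks like. The sample header bytes are constructed here for demonstration; the authentication and auxiliary blocks (hash, signature, public key, descriptors) are not included. The caveat a practitioner should keep in mind is visible in the code: the hash in the authentication block covers the header, so flipping the flags on a locked device only produces a signature failure, which matches the "flashes fail unless officially signed" behaviour described above.

```python
"""Parse the AVB vbmeta image header (added example, not code from the thread).

Layout follows AOSP libavb's AvbVBMetaImageHeader: 256 bytes, big-endian.
The sample header below is constructed; it carries no real hash/signature.
"""
import struct

AVB_MAGIC = b"AVB0"
# magic, ver_major, ver_minor, auth_size, aux_size, algorithm,
# 11 x uint64 (offsets/sizes + rollback_index), flags, rollback_index_location,
# release_string[48], reserved[80]
HEADER_FMT = ">4sIIQQI" + "Q" * 11 + "II48s80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 256

ALGORITHMS = {
    0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
    4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192",
}
FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity hashtrees not enforced
FLAG_VERIFICATION_DISABLED = 1 << 1  # vbmeta verification skipped

FIELDS = (
    "magic", "version_major", "version_minor",
    "auth_block_size", "aux_block_size", "algorithm_type",
    "hash_offset", "hash_size", "signature_offset", "signature_size",
    "public_key_offset", "public_key_size",
    "public_key_metadata_offset", "public_key_metadata_size",
    "descriptors_offset", "descriptors_size",
    "rollback_index", "flags", "rollback_index_location", "release_string",
)
FLAGS_OFFSET = 120  # byte offset of the uint32 flags field within the header


def parse_vbmeta_header(blob: bytes) -> dict:
    """Return the header fields plus a few decoded conveniences."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("short vbmeta image: %d bytes" % len(blob))
    hdr = dict(zip(FIELDS, struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])))
    if hdr["magic"] != AVB_MAGIC:
        raise ValueError("bad magic %r" % hdr["magic"])
    hdr["algorithm"] = ALGORITHMS.get(hdr["algorithm_type"], "UNKNOWN")
    hdr["release_string"] = hdr["release_string"].rstrip(b"\0").decode("ascii", "replace")
    hdr["hashtree_disabled"] = bool(hdr["flags"] & FLAG_HASHTREE_DISABLED)
    hdr["verification_disabled"] = bool(hdr["flags"] & FLAG_VERIFICATION_DISABLED)
    hdr["signed"] = hdr["algorithm_type"] != 0 and hdr["signature_size"] > 0
    return hdr


def build_sample_header(rollback_index: int = 3, flags: int = 0) -> bytes:
    """Constructed SHA256_RSA2048 header (sizes as avbtool would lay them out)."""
    return struct.pack(
        HEADER_FMT, AVB_MAGIC, 1, 0,
        320,    # auth block: 32-byte hash + 256-byte sig, padded to 64
        1024,   # aux block: descriptors + 520-byte public key, padded (constructed)
        1,      # SHA256_RSA2048
        0, 32, 32, 256,   # hash offset/size, signature offset/size
        0, 520, 0, 0,     # public key offset/size, key metadata offset/size
        520, 200,         # descriptors offset/size
        rollback_index, flags, 0, b"avbtool 1.1.0 (constructed)",
    )


def with_flags(blob: bytes, flags: int) -> bytes:
    """Rewrite the flags field. NOTE: the auth-block hash covers the whole
    header, so this invalidates the signature; a locked bootloader rejects it."""
    return blob[:FLAGS_OFFSET] + struct.pack(">I", flags) + blob[FLAGS_OFFSET + 4:]


SAMPLE_VBMETA = build_sample_header()

if __name__ == "__main__":
    for label, blob in (("stock", SAMPLE_VBMETA),
                        ("flags patched", with_flags(SAMPLE_VBMETA, FLAG_VERIFICATION_DISABLED))):
        h = parse_vbmeta_header(blob)
        print("%s: %s rollback=%d flags=0x%x verification_disabled=%s hashtree_disabled=%s"
              % (label, h["algorithm"], h["rollback_index"], h["flags"],
                 h["verification_disabled"], h["hashtree_disabled"]))
```

To look at a real image, read the first 256 bytes of a vbmeta dump into `parse_vbmeta_header`; the rollback index is the value the bootloader compares against its stored anti-rollback counter, which is why an older but validly signed vbmeta can still be refused.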
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
some screens
 

Attachments: three screenshots (IMG_20190510_192607.jpg, IMG_20190510_191753.jpg, IMG_20190510_191727.jpg)

krazy_smokezalot

Senior Member
Sep 24, 2010
2,569
1,206
Washington DC
Hey OP, I know you from somewhere... Epic Touch 4G forums? I can't remember what device you had but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we got SD which is different but maybe a shot?
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Hey OP, I know you from somewhere... Epic Touch 4G forums? I can't remember what device you had but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we got SD which is different but maybe a shot?

haha I did own an Epic 4G Touch back in the day.. was more lurking way back then but who knows lol

for an update, no luck yet lol. been messing with combo on g975u but no easy way in yet. I have managed to change some stuff on efs and other partitions.

the binary checks sammy implemented starting in the s9 devices suck.

I am still looking though.
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
I now have uid 1000 access.. with how selinux contexts and ownership are in pie tho I can only access stuff that is mounted rw and system user/group which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.

dev block wise I can access persistent and steady partitions.. other than that I can write to the ones that are already mounted.

uid 1000 is a step in the right direction tho... beats shell 2000 uid
 

dave357

Senior Member
Oct 16, 2012
68
22
Corpus Christi TX
I am definitely interested in learning more and being a part of this convo fellas! I have been in the Bus for at least 8 years now and want to learn the next step which is how to navigate around the S10 S10+ Security Features. Anyone mind showing me a few ropes please?
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
This is similar to the techniques used to write imei on cpid phones. Can you share the scripts you use for temp root?

There are no scripts lol. I can't share the method or files to get to combo.

An update however, I noticed with system privs you can access the efs folder.

I found a way to pass kernel cmdline to the bootloader to set ro props.

I am still messing with it and need an RMA as I messed up my efs and can't get cell service now lol
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Is S10+ Snapdragon going to get root / magisk anytime soon?

Who knows lol. Similar to N9 seems like I'm the only one working on it lol

Currently stuck in a boot loop as I found an exploit for kernel cmdline injection and set ro.secure=0 which it didn't like. I didn't read the info sammy posted on new securities on the s10 lineup around additional security around RKP and Knox Verified Boot. It is not the same as say pixel devices as they added onto it
 

Chibisuke1219

Member
Apr 23, 2018
29
3
I was told in the other thread that what I had found was more than likely BS, but if you still want the link I can give it. I am also still willing to use my phone as some help if you need it.

Edit: switching phone, sorry guys, but keep working hard. I will keep looking for new S10+ finds even though I won't have it and I'll keep you updated with whatever I find.

Ph3n0x

Member
May 23, 2017
24
6
Try and flash G97500. I know on older devices it would boot if you used FlashFire; not sure if you can dd it or not. Odin probably won't like it but worth a try: just make a system tar and flash it, but you would also need that combo firmware.
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Try and flash G97500. I know on older devices it would boot if you used FlashFire; not sure if you can dd it or not. Odin probably won't like it but worth a try: just make a system tar and flash it, but you would also need that combo firmware.

won't work.. secure check fail since signed with dif keys
 

xRaZeR_FuZioNx

Senior Member
Aug 17, 2014
132
121
I now have uid 1000 access.. with how selinux contexts and ownership are in pie tho I can only access stuff that is mounted rw and system user/group which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.

dev block wise I can access persistent and steady partitions.. other than that I can write to the ones that are already mounted.

uid 1000 is a step in the right direction tho... beats shell 2000 uid
Since you have UID 1000 access, wouldn't you be able to dump the partitions off the phone?
If so, why not dump each of the writable partitions and then compare checksums/bits before and after doing the unlock?
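The before/after comparison suggested in the post above, as an added example (not code from the thread): take a dump of each accessible partition before toggling OEM unlock and again after, hash every dump, list the partitions whose hash changed, and print the 16-byte windows that differ so the modified bytes can be located. The dumps here are tiny constructed byte strings standing in for real `dd` output; the device paths in the comment are the usual Android `by-name` locations and are an assumption, and reading a block device still needs the ownership the OP describes (uid 1000 only reaches the partitions he lists).

```python
"""Compare partition dumps taken before and after an unlock attempt.

Added example, not from the thread. On the device the dumps would come from
something like (assumed paths; needs read access to the block device):
    dd if=/dev/block/bootdevice/by-name/steady of=/data/local/tmp/before/steady
then the same into an 'after' directory once the toggle/unlock has been done.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample dumps. Real partitions are MiB-sized; these are 64 bytes.
BEFORE: Dict[str, bytes] = {
    "persistent": bytes(64),
    "steady": bytes(64),
    "efs": b"nv-data-constructed".ljust(64, b"\0"),
}
_after_steady = bytearray(BEFORE["steady"])
_after_steady[23] = 0x01            # one flag byte flipped
_after_steady[40:44] = b"\xde\xad\xbe\xef"  # and a 4-byte field written
AFTER: Dict[str, bytes] = dict(BEFORE)
AFTER["steady"] = bytes(_after_steady)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(dumps: Dict[str, bytes]) -> Dict[str, str]:
    """Map partition name -> sha256 of its dump (the 'checksums' step)."""
    return {name: sha256_hex(data) for name, data in dumps.items()}


def changed_partitions(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Names whose hash differs, plus anything present on only one side."""
    names = set(before) | set(after)
    return sorted(n for n in names if before.get(n) != after.get(n))


def first_diff_offset(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, -1 if identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n


def diff_windows(a: bytes, b: bytes, window: int = 16, limit: int = 8
                 ) -> List[Tuple[int, str, str]]:
    """Differing window-sized chunks as (offset, before_hex, after_hex)."""
    out: List[Tuple[int, str, str]] = []
    for off in range(0, max(len(a), len(b)), window):
        wa, wb = a[off:off + window], b[off:off + window]
        if wa != wb:
            out.append((off, wa.hex(), wb.hex()))
            if len(out) >= limit:
                break
    return out


def report(before: Dict[str, bytes], after: Dict[str, bytes]
           ) -> Dict[str, List[Tuple[int, str, str]]]:
    """Changed partitions with the byte windows that moved."""
    changed = changed_partitions(snapshot(before), snapshot(after))
    return {n: diff_windows(before.get(n, b""), after.get(n, b"")) for n in changed}


if __name__ == "__main__":
    for name, windows in report(BEFORE, AFTER).items():
        print("%s changed, first diff at offset %d"
              % (name, first_diff_offset(BEFORE[name], AFTER[name])))
        for off, hex_before, hex_after in windows:
            print("  @0x%04x  %s -> %s" % (off, hex_before, hex_after))
```

For real dumps, replace the dicts with files read from the two directories; hashing first keeps the byte-level compare limited to the few partitions that actually moved, and a partition that changes on every boot (logs, counters) will show up each run and can be ruled out by taking two "before" snapshots.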
 

Top Liked Posts

    7
    Wow what a read! I have an AT&T S10+ so I am going to join in here even though I don't understand some things that are being talked of.

    Would it be possible to attach a dongle via the USB-C port on the phone that sends a pulse to the CPU or bootloader making it temporarily crash long enough to run unsigned code? I know Samsung injected something called Vaultkeeper which was like an extra layer of security or something. I am just speculating here.

    vaultkeeper is there but not really applicable from what I've seen so far.. with my exploits you can set flash lock to 0 which will grey out the oem lock in settings and say bl is unlocked as well as it'll say oem unlocked in dl mode..

    however despite all this I'm only able to temporarily oem unlock.. what I mean is that I can oem unlock in dl mode.. reboot straight back into dl mode.. flash a modified img which fails... hard reset and get the red warning saying there's a custom firmware installed but from here it goes to factory reset and after the wipe the red warning is gone and device is not unlocked..

    I know it is unlocked for a brief moment in this process because of the warning as well as the logs indicate "IsUnlocked:1" and indicate it's oem unlocked before it then reads "IsUnlocked:0" again..

    I am going through logs and tests trying to pinpoint exactly when it's "unlocked".. I have hope.. this is probably the closest any locked usa variants have been since good ole s4 s5 note 4 days to a bl unlock :)

    I am also testing methods to write firmware such as modded system..

    this stuff is new to me on samsung so it's slow moving as I'm learning as I go.. with pie and beyond there's multiple security measures in place that weren't there before such as vbmeta, metadata, hashes, footers, SAR, etc etc.. when I figure one thing out something else pops up to stop me lol but this is what makes it fun :)
    6
    So, is it possible to unlock the bootloader on SD S10 plus???
    I am thinking of buying one.
    Thanks

    I am actually inching closer and closer.. been working it all day today lol
    5
    Just wanted to let you know I appreciate everyone's hard work. Even if we never get a rootable AT&T samsung device ever again, it's heartening to know there are still people dedicated to the cause out there, lol.