R&D - Potential Stock Bootloader Unlocking Functionality

eschelon · Feb 1, 2013

Team Synergy, namely TrevE and myself, have discovered a potential stock bootloader unlocking mechanism that may be useful in unlocking the bootloader in the Verizon Galaxy S3, as well as numerous other devices, including but not limited to, the Note 2 and the Galaxy Stellar. This is currently an R&D thread, and its purpose is to investigate the potential of the mod.

First and foremost, if this mod truly is successful in unlocking the bootloader on one or more devices, ALL credit MUST be directed to Team Synergy for the unlock, as it was first posted here by our team: http://xdaforums.com/showpost.php?p=37446000&postcount=16666. Do not kang or try to pass off our work as your own.

Be advised that we have not fully tested this mechanism and have no idea what repercussions may result. As such, Team Synergy will not be liable for any consequences whatsoever.

But those who wish to give this a try on this device or others need to try the following:

Type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE

Then enable the hidden menu on the device when it pops up.

Then type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL

This should throw up a popup like the image shown above. In theory, accepting this should run a hash check against your device keys, then continue to unlock the bootloader.

This code does not exist on all carriers, but it is definitely present in Verizon stock ROMs. Those who are brave enough to try, please post your results in the thread

TrevE has more details in the post below

TrevE · Feb 1, 2013

Few quick facts about what is known about this stock bootloader unlock mode-

APK that controls this is hiddenmenu.apk
uses libuck for something
SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
Key might hashed with deviceID and checked using Luhn (https://en.wikipedia.org/wiki/Luhn_algorithm)

Other hidden menu commands we stumbled upon unrelated to unlock that might be useful
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://GlobalHmenu -- Global Hidden Menu
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://STEALTHMODE -- The fk? Some LTE test mode
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PORTMAP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MEID -- MEID info
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TLAUNCHER - Tool Launcher Enable
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MSL_Checker
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PROGRAM -- Sysscope status
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TESTMODE
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TTY
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PUTIL
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://diag_msl
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setMTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDIS
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRMNETDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TEST

nosympathy · Feb 1, 2013

Nice find guys! Would love to see Adams face right now!

Sent from my SCH-I535 using xda app-developers app

LLStarks · Feb 1, 2013

Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.

nosympathy · Feb 1, 2013

LLStarks said:
Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.

I would imagine it should be no different regardless of the ROM running as long as the files required for this process are untouched if they are built into the ROM itself. If you are locked and looking to use this you would have to be running a stock kernel.

What could be the consequence of it not working correctly if one of the required files is broken? As in what exactly does this do? I assume it is just telling the boot loader to allow insecure kernels and nothing else? If that is the case your chance of anything going wrong should be very low?

Sent from my SCH-I535 using xda app-developers app

alquimista · Feb 1, 2013

This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone.

Sent from my SCH-I535 using xda app-developers app

eschelon · Feb 1, 2013

alquimista said:
This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone.

Sent from my SCH-I535 using xda app-developers app

Awesome. We may be able to reverse engineer that...

Just for fun, try that sboot key:

oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo

invisiblek · Feb 1, 2013

when the app fc's...

Code:

E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null

(this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)

eschelon · Feb 1, 2013

invisiblek said:
when the app fc's...

Code:

E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null

(this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)

Time to hunt down that lib...

LLStarks · Feb 1, 2013

I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

I think invisiblek still has the former.

eschelon · Feb 1, 2013

LLStarks said:
I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

I think invisiblek still has the former.

Perhaps. We've actually got several ideas on how to exploit this.

atc3030 · Feb 1, 2013

Will this affect in any way the way that we (kernel devs) need to compile or configure the kernel?

Sent from my SCH-I535 using Tapatalk 2

invisiblek · Feb 1, 2013

atc3030 said:
Will this affect in any way the way that we (kernel devs) need to compile or configure the kernel?

Sent from my SCH-I535 using Tapatalk 2

Nope

I'm finding nothing related to uck in VRALEC. (although I didn't look at HiddenMenu yet from this rom)

I've got many of the stock roms up on my goo.im if anyone wants to look through them:
http://goo.im/devs/invisiblek/i535

You can also get them here:
http://samsung-updates.com/device/?id=SCH-I535

EDIT: No SecureBootMenu in VRALEC's HiddenMenu...
=/

Odds are we won't find this lib in any of the roms, if it does happen to be in one, chances are it was left by mistake.

LLStarks · Feb 1, 2013

Could the Java be edited to ignore the library or is it proprietary TouchWiz stuff?

invisiblek · Feb 1, 2013

LLStarks said:
Could the Java be edited to ignore the library or is it proprietary TouchWiz stuff?

I'm sure the lib is needed to actually perform the operation.

luv2increase · Feb 1, 2013

What advantage does this give us Verizon gs3 users who already have an unlocked bootloader?

Sent from my SCH-I535 using Tapatalk 2

Div033 · Feb 1, 2013

luv2increase said:
What advantage does this give us Verizon gs3 users who already have an unlocked bootloader?

Sent from my SCH-I535 using Tapatalk 2

For the most part, if you're already unlocked this doesn't mean much to you. It's in case Verizon re-locks the phone and commands Samsung to release a new bootloader with an OTA. If this happened, our current unlock method would no longer work and we'd be back at square one.

Verizon has already done this with the Note 2 but the clever Adam Outler and ralekdev (the people who were working on our unlock before we got the leaked bootloader) found another way around Verizon's BS to re-unlock the device.

What is going on here is preemptive dev work on unlocking the bootloader should Verizon strike again.

While this won't affect most of us who are already unlocked, I've seen several threads on the Note 2 forum of upset users who somehow ended up on the new OTA with no way to root.

I wonder though, is this hidden menu only in the d2vzw firmware? What about d2spr or d2att? Maybe Samsung is setting the ground work for a manufacturer unlock tool?

Sent from my SCH-I535 using Tapatalk 2

alquimista · Feb 2, 2013

Interesting Warning

Just so its out there here is the most interesting bit from the "Secure Boot" Warning window:

Code:

4. You agree that your attempt to unauthorized kernel download from the default setting or without the authorization key will lead to blocking of the device, which may permanently disable the device. Samsung will not be responsible for [blah blah]. For downloading of custom kernel, you need to follow through a special installation process as set forth in the device manual.

QUESTIONS:
A. The whole thing reads like the writer wasn't quite fluent in English. So does that mean maybe this warning could appear in other SGS3 variants? Like the intl version?
B. "Blocking of the device", what does this mean? Did they mean bricking the device or will the device phone home and explode or something?
C. "Downloading" of custom kernel? Is this process supposed to download a kernel? From where?
D. "Device manual", What device manual? I have alot of different manuals but I don't remember any of them mentioning a custom kernel download process.
E. Since this intent comes from android.provider.Telephony, is it tied in with the RIL or the modem at all, maybe even the sim card?

I did a cursory search for libuck in /system/lib and didn't find an ".so" that even came close.

Oh, I'm running Vengeance V3 with LeanKernel (v1.8). I haven't tried entering any sboot keys and I probably won't anytime soon. I just don't have enough time to do this proper (flash back to stock, monitor logs via adb and or eclipse, etc etc). At least not right now.

Ta,
ALQI

BeansTown106 · Feb 2, 2013

this is a nice find and very interesting for sure.. but with the device arleady unlocked and with imho no chance of them relocking it( if they could have they arleady would have, look at vzw note2) the only thing i see this doing is maybe helping future devices not needing exploits or leaked bootloaders. but then again the newer samsung devices have sboot's not aboot's and from what i know the security in those is definetly higher. take anything i just said with a grain of salt but i would like to see adam and/or ralekdevs opinions on this. i could be completely wrong but i dont think they would leave something this easy open.. if anyting this could have been what samsung originally wanted todo before vzw became nazi's and had them lock it up completely

---------- Post added 2nd February 2013 at 12:04 AM ---------- Previous post was 1st February 2013 at 11:53 PM ----------

invisiblek said:
Nope

I'm finding nothing related to uck in VRALEC. (although I didn't look at HiddenMenu yet from this rom)

I've got many of the stock roms up on my goo.im if anyone wants to look through them:
http://goo.im/devs/invisiblek/i535

You can also get them here:
http://samsung-updates.com/device/?id=SCH-I535

EDIT: No SecureBootMenu in VRALEC's HiddenMenu...
=/

Odds are we won't find this lib in any of the roms, if it does happen to be in one, chances are it was left by mistake.

this is why i think it was something that they were thinking about doing but verizon shot it down and just waned a plain old full lock

LLStarks · Feb 17, 2013

I wonder if a certain sockpuppet could get libuck for us...

R&D - Potential Stock Bootloader Unlocking Functionality

Retired Recognized Developer

Retired Recognized Developer

Senior Member

Senior Member

Senior Member

Senior Member

Attachments

Retired Recognized Developer

Recognized Developer

Retired Recognized Developer

Senior Member

Retired Recognized Developer

Senior Member

Recognized Developer

Senior Member

Recognized Developer

Senior Member

Senior Member

Senior Member

Inactive Recognized Developer

Senior Member

Similar threads

Top Liked Posts