Oh - I got it to skip the sig check by using two computers; you need two microusb cords. Works consistently on Windows, not tested on Linux.
The device has to have already been introduced to both before starting, and should be in fastboot mode with all the right, unedited partitions from the 1.55.531.3 PG59IMG.zip file. It should be locked.
I had tacoroot installed on it, not sure if this matters?
Get the device into fastboot mode.
Plug it into one of the computers.
On the other one, have CWM 5.0.2.7 in your folder with fastboot, and rename it to recovery.img.
Now, on that second computer that you are not plugged into with the doubleshot, open up the command window to the fastboot folder, and type this command:
Code:
fastboot oem boot recovery.img
...and hit enter.
It will hang on "waiting for device". I let this run for 1 minute and 30 seconds.
Then I very quickly swap the microusb on the phone from being plugged into the computer sitting there doing nothing to the one that has the command hanging there. Gotta be quick.
It then pushes the hanging command faster than the sig check can keep up, or something, and leads to the output two posts ago.
This tactic consistently produced the same results, but it failed because it overloaded with too many arguments - but it skips the sig check and tries to go ahead and just load up.
Once it fails it just moves on to the normal boot sequence and into the stock ROM, but with either a customized version of CWM or with a modified boot.img (try the same thing with fastboot oem boot boot.img - does that get us anywhere?) maybe we can use this technique to skip the sig check on an S-ON LOCKED device?
Given that it wasn't just a one-off random event we might be able to leverage it to launch an attack on the device or TZ more directly, but not with our current custom recovery - and we need to see what happens trying to fastboot oem boot a boot.img with a modified ramdisk to maybe work within the overflow limitation of this:
Code:
FAILED (status read failed (Too many links))