[BOOTLOADER] Locked bootloader research and news [Updated: 7/16/2012]

Search This thread
By:
Advanced…
rothnic

rothnic

Senior Member
Aug 18, 2010
811
278
antp121 said:
Yes but moto is hardware encrypted. Sammy is software :)

Sent from my ADR6425LVW using Tapatalk 2
Click to expand...
Click to collapse

I'm not sure where you are getting this information. The Qualcomm SecureBoot functionality allows the PBL (need hardware access to, to modify), to verify the signature of the SBL (sbl, aboot, etc). The chipset has hardware functionality where you can select one of 32 public keys to use for verification. This allows the manufacturer to have 32 different product lines signed with different private keys to maintain product separation. It is very much possible that the development bootloaders won't work on the standard verizon phone.

mattydangerfox said:
That's true, but I was just commenting on the logic of using the dev phone to develop for all others. I seriously could see Samsung doing this (as opposed to Moto) , but I just wanted to play devil's advocate.

Sent from my DROIDX using Tapatalk 2
Click to expand...
Click to collapse

This is a very possible outcome, but it is worth testing out. However, from my reading of the chipset functionality, I definitely would not volunteer to test it on mine. I'd suggest AdamOutler testing it out with his phone he'll have the ability to bring back from a brick.
 
Last edited:
OldManJames

OldManJames

Senior Member
Feb 8, 2010
270
181
You guys might want to slow down on how high your hopes are getting. I'd bet against the dev phones bootloader being our saving grace

Sent from my SCH-I535
 
LLStarks

LLStarks

Senior Member
Jun 1, 2012
2,264
1,690
It'll be useful for research if Adam doesn't figure out the locked one first.

I suspect that once we get the dev phone, it won't be as simple as copying and pasting partitions. Certain devs want to try this, but without a debricking setup, is very dangerous.
 
  • Like
Reactions: Senryo
N

NegativeOne

Senior Member
Jul 21, 2010
997
159
Most of the last two pages has been wild and uninformed speculation bridging on pure imagination.

"Dev" phones are just unlocked for hackers. It's a marketing thing. You know the modding community will continue to develop stuff like CM9 just for the DEV GSIII... Trying to divine the nature of the device based on possible reasons is just going to start rumors.
 
mattydangerfox

mattydangerfox

Senior Member
May 1, 2012
87
23
Chicago
I heard the dev GSIII was going to paint my apartment. :)

I was just trying to point out that the existence of developer phones doesn't always mean anything for the carrier models.

Sent from my DROIDX using Tapatalk 2
 
T

tonu42

Senior Member
Nov 14, 2010
1,145
439
LLStarks said:
It'll be useful for research if Adam doesn't figure out the locked one first.

I suspect that once we get the dev phone, it won't be as simple as copying and pasting partitions. Certain devs want to try this, but without a debricking setup, is very dangerous.
Click to expand...
Click to collapse

Someone that makes sense? He must be from rootzwiki, cause those are a dying breed on xda. But I agree with you 100%.

Sent from my SCH-I535 using xda app-developers app
 
L

Loglud

Senior Member
Jul 29, 2011
235
449
Google Pixel 7 Pro
piiman said:
hmmmmm kind of like your post was right?
Click to expand...
Click to collapse

And your post also.

On a good note while i was digging around last night through the source code I did notice something really nice about the SGSIII that should make you all very happy. As the guys at epic have noted, the kexec flag is marked, meaning that kexec can crash the existing kernel with one of its own. Now what does that mean you may ask. I'm glad you asked.

For those of you that do not know there are 5 primary partitions that are contained on most phones and android devices:
  1. X-Loader
    This partition is usually the partition with the most basic hardware inits such as base gpio (buttons) and power toggles​
  2. bootloader
    This is the partition that contains what most of us as dev's hate the most, the dreaded boot signature, and boot instructions. When a bootloader is locked down it can be because of either a hardware lock, see OMAP4 processors Sec_On Pin, or a software lock, HTC's S-Off. When a bootloader is said to be locked, it can have two reasons for this, a signed header or an encryption algorithm on the entire partition.​
  3. recovery
    This partition is the one every one loves to see Clockwork Mod on. When not signed the partition can be flashed and used. ONE THING TO NOTE HERE IS THAT WHEN YOU USE THIS THREAD, YOU ARE SHOWING THAT THIS IS NOT SIGNED, Or the signature is not checked!!! This is intersting because it its self may show a security hole. The recovery might be what checks the CWM recovery flash images signature.​
  4. boot
    Perhaps one of the most interesting partitions on android devices. The boot partitions contains the binary for the kernel, and the inframs for the initilization of the os. This partition in this case has said to be signed, with a signature check in the bootloader that checks the validity of a boot partition, meaning there is no changing this.​
  5. system
    Contains most of the information on the OS. At this point all the framework and android settings get loaded. This partition is not signed, meaning we can modify to our will​
  6. userdata
    Contains the userdata, such as games and such​

Now one thing to note is that there are two initialzation points, the first of which occurs in the boot parition and the second of which is in the system's /etc/init files. One thing that i would be interested in seeing is if you were to use this place to load in a new partition or an SD OS. for example:
system1 partition init:
Code: 
kexec -l /sdcard/kernel --reuse-cmdline --ramdisk=/sdcard/ramdisk
system2 partition can then have an init that mounts a block partition from the sdcard onto the system partition.
Code: 
mount /dev/block/mmc1... /system

Now what does it all mean? This current method means that we can reload a compleatly new os onto a devices kernel and all. AKA Jelly Bean.

For those dev which hope to find a way to make it work i point you to the following posts:

2nd-init can be used for a second init after the first one to allow for kexec to be run (might not need this)

kexec for ARM I might have to modify some kernel memory allocation issues but it should work none the less with the flag.
 
  • Like
Reactions: fp99, rise4310, ptaros and 21 others
S

Senryo

Member
May 24, 2012
31
5
Omaha, NE
piiman said:
hmmmmm kind of like your post was right?
Click to expand...
Click to collapse

No, his was a reminder to stay on topic. Which I will reinforce.

Stay on topic guys. A mod has already cleaned this thread twice and warned of infractions the 2nd time around.

As for what the dev phone may do to help us... here's my thought on that option. I'm not sure it'll make much difference. I think the dev phone will open up more things, so that we can see the calls that are used during boot, see what the checks are specifically, and see if there's something we can do about it from the software side. I don't think we'll get far by just flashing the device with the dev phone boot images because we tried that with Sprint's, and it resulted in a brick. Sifting through the software and reading all the hardware checks via JTAG will eventually come to similar conclusions, just by different methods. If Adam has a phone in hand, I think that will lead to an answer sooner. The dev phone would only serve to clean up the code in the ROM, but that's assuming the devs, for some reason, write worse code than Samsung.

Correct me if I'm wrong =) and I hope that thought isn't off-topic.
 
  • Like
Reactions: skennelly
N

newuser134

Senior Member
Dec 18, 2009
286
92
rothnic said:
This is a very possible outcome, but it is worth testing out. However, from my reading of the chipset functionality, I definitely would not volunteer to test it on mine. I'd suggest AdamOutler testing it out with his phone he'll have the ability to bring back from a brick.
Click to expand...
Click to collapse




How do we get to and modify the PBL? Can it be done with jtag equipment? I have already learned how to disassemble my phone, and if it requires me to take it apart and learn how to use jtag, I am willing to do it. When I had an EVO 4G with Sprint, I rooted it to remove and add apps, but I never installed any custom ROMs or kernels. I probably will not install ROMs or custom kernels on this phone either, all I need is NAND backup capability and removal of bloatware, and we have already achieved that, but to show Verizon that they will never force us to do what they want, I am willing to take my phone apart, research and learn how to use jtag, and unlock my bootloader just to prove to Verizon that they will not keep me out of my own phone even if they try, because they don't have the right to. Anyway, my question is can the PBL be modified permanently if hardware access is gained, and how do you do that?
 
  • Like
Reactions: alquimista
E

ExodusC

Senior Member
Mar 29, 2010
298
57
Loglud said:
*snip*
Click to expand...
Click to collapse
Thanks for all that, Loglud. I'm familiar with this type of exploit for loading custom ROMs on previous devices I've owned, as they were Motorola devices.

It's just painful to know we won't see official CyanogenMod 9 support, because they won't acknowledge devices that don't have unlocked bootloaders, even if a method such is this would theoretically allow us to have 100% compatibility with, for example, the developer edition.

Still, I'm glad to know we have proof-of-concepts of this type of method working. My main hope is that all the awesome developers here will continue to support our device in the long run.
 
rothnic

rothnic

Senior Member
Aug 18, 2010
811
278
Loglud said:
Now what does it all mean? This current method means that we can reload a compleatly new os onto a devices kernel and all. AKA Jelly Bean.

For those dev which hope to find a way to make it work i point you to the following posts:

2nd-init can be used for a second init after the first one to allow for kexec to be run (might not need this)

kexec for ARM I might have to modify some kernel memory allocation issues but it should work none the less with the flag.
Click to expand...
Click to collapse

I understand everything you are saying, but not really what you are getting at. How is what you are saying different from this: http://xdaforums.com/showthread.php?t=1760678

I don't think we will have any issues getting some form of AOSP on the phone with kexec, but the main thing slowing us down is that the device configs in CM for the S3 were private until yesterday. The vzw one is still private, but the sprint one should give us a good starting point.
 
  • Like
Reactions: flamus
N

newuser134

Senior Member
Dec 18, 2009
286
92
rothnic said:
I don't think we will have any issues getting some form of AOSP on the phone with kexec, but the main thing slowing us down is that the device configs in CM for the S3 were private until yesterday. The vzw one is still private, but the sprint one should give us a good starting point.
Click to expand...
Click to collapse



Sorry for asking this, but assuming you're not referring to Cyanogen Mod, what is CM in your post quoted above?
 
Stam2000

Stam2000

Senior Member
May 7, 2010
513
72
Coram, NY
Forgive my stupidity but could it be possible to do what was done with HTC phones using an XTC clip? That's how we had originally gotten S-Off on the Incredible 2

Sent from my HTC Incredible 2 using Tapatalk 2
 
L

Loglud

Senior Member
Jul 29, 2011
235
449
Google Pixel 7 Pro
rothnic said:
I understand everything you are saying, but not really what you are getting at. How is what you are saying different from this: http://xdaforums.com/showthread.php?t=1760678

I don't think we will have any issues getting some form of AOSP on the phone with kexec, but the main thing slowing us down is that the device configs in CM for the S3 were private until yesterday. The vzw one is still private, but the sprint one should give us a good starting point.
Click to expand...
Click to collapse

Actually there is a release of the i535 Kernel and System out there on samsungs open source site. We have known about the kexec exploit for some time now, but the problem is that we do not have a way of flashing over current partitions without signing them.

Adam and I have been talking the last couple of days about this, and he thinks he might have a solution, though I'm sure time will tell. The big thing is that for people whom are developers of roms, but not of the exploits, can develop roms, while another exploit is found. And yes rothnic it is the same, I thought I would put it in lame-mans terms though.
 
  • Like
Reactions: Marcismo55, mmsnyder and PGleo86
rothnic

rothnic

Senior Member
Aug 18, 2010
811
278
newuser134 said:
Sorry for asking this, but assuming you're not referring to Cyanogen Mod, what is CM in your post quoted above?
Click to expand...
Click to collapse

Yes I'm referring to CyanogenMod. The reason you see nightlies pop up today for the other US variants is the CM developers were working out bugs internally before starting to support officially.

---------- Post added at 04:32 PM ---------- Previous post was at 04:27 PM ----------
Loglud said:
Actually there is a release of the i535 Kernel and System out there on samsungs open source site. We have known about the kexec exploit for some time now, but the problem is that we do not have a way of flashing over current partitions without signing them.

Adam and I have been talking the last couple of days about this, and he thinks he might have a solution, though I'm sure time will tell. The big thing is that for people whom are developers of roms, but not of the exploits, can develop roms, while another exploit is found. And yes rothnic it is the same, I thought I would put it in lame-mans terms though.
Click to expand...
Click to collapse

Right, though we can kexec a kernel sitting on the sdcard with the recovery with a kexec enabled kernel since we can flash unsigned images to the recovery partition. Though we have to boot into recovery to do so. A more streamlined way to go through that process would be a great interim solution compared to the unlocked bootloader.
 
S

sydewayz

Member
Aug 5, 2010
22
3
c4v3man said:
Yes, however in the time it took you to write this post, you could have filed a complaint with the FCC. If enough people bang on their drums who knows? It's one thing to claim exemption due to securing your network. It's another to allow the exact same device without the same restrictions onto your network, thereby ignoring your previous claims that it was needed to maintain network integrity.

EDIT: And yes, I agree that the odds are stacked against us. However, much like voting and choosing between a few political candidates that don't care about you, it's still your responsibility to do so.
Click to expand...
Click to collapse

Thanks for that link.

I filed my complaint.

Locked bootloader or not, this phone rocks. I'm keeping it.
 
  • Like
Reactions: ckochinsky125
You must log in or register to reply here.

Similar threads

invisiblek
[FIRMWARE] <I535VRUCML1> (MODEM/RPM/TZ/SBL) Verizon SGS3 (SCH-I535)
Replies
1K
Views
564K
Ibuprophen
Ibuprophen
eschelon
☆ ★ | ROM | SynergyROM VZW S3 | JB 4.1.2 | Floating Multiwindows! | Apr 20 r484 |★ ☆
Replies
24K
Views
4M
GeTex
GeTex
Scott
  • Locked
[ROM][6/7/14] - CleanROM 8.2 -★| Clean! | Smooth! | Stable! | No Gimmicks! |★-
Replies
15K
Views
2M
Scott
Scott
AdamLange
[Official] Latest STOCK ROMS for VERIZON SGS3 (SCH-I535) - [Latest: I535VRBMF1]
Replies
164
Views
331K
J
jerryspring
AdamOutler
  • Locked
[R&D] Unlock Bootloaders
Replies
318
Views
368K
AdamOutler
AdamOutler

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 67
    invisiblek
    invisiblek
    tonu42 said:
    Invisiblek succesfully booted to android using "adb reboot recovery" with his modified recovery.img.

    Basically we made it look as if going to recovery, but actually continuing onto boot.img.
    Click to expand...
    Click to collapse

    thats not 100% accurate

    i flashed a modified boot.img to our recovery partition (/dev/block/mmcblk0p18)
    then rebooted into recovery
    it booted up into android using this modified boot.img

    i don't plan for this to be of any real use to us though. proof of concept really

    we need our access to /dev/block/mmcblk0p7 (where our stock boot.img actually resided)

    thing is, we can flash to mmcblk0p7 just fine, but it wont boot (wont do anything actually other than let you get back into odin mode, where you can re-flash the stock boot image, or it gives you this when you try to boot android or recovery: http://i.imgur.com/Ci0gY.png )

    rest assured. this is being worked on...
    View
    39
    B
    biff6789
    Since this is a news thread...

    It was reported in IRC within the past hour or so that supposedly BOTH kexec is likely working and noobnl (whom many of you may know from his work with AOSP ROMs) has stated that the RIL has been cracked :D

    To those who don't know what that means, kexec chainloads kernels (in simplest terms, the custom kernel loads on top of the stock kernel AFTER the bootloader checks to make sure the stock kernel has been unmodified). This was necessary if one wanted to run a non-Touchwiz ROM (such as CM, AOKP, etc) or if they just wanted to run an overclocked, undervolted kernel.

    The RIL is essentially the radio. It was also needed to run a non-Touchwiz ROM and now opens the door to Jelly Bean ROMs.

    There is still working/testing to be done, and there are no ETAs, so don't bug the devs. They're actively working on it so let them do their thing.

    What a roller coaster of a weekend :)
    View
    36
    AdamLange
    AdamLange
    Since locked Verizon SGS3 is now the main problem, i'v decided to split my kernel thread to separate one that focus directly on unlocking bootloader and progress in that matter.

    Summary of the problem

    Verizon model is protected from flashing unsigned/modified boot.img and recovery.img. Which means there is no known root method as for now for SCH-I535.
    And that is where our adventure starts ....


    Rooted stock boot.img issue:
    <ID:0/008> Firmware update start..
    <ID:0/008> boot.img
    <ID:0/008> NAND Write Start!!
    <ID:0/008> FAIL! (Auth)
    Click to expand...
    Click to collapse

    CWM Recovery.img flash issue:
    <ID:0/003> Firmware update start..
    <ID:0/003> recovery.img
    <ID:0/003> NAND Write Start!!
    <ID:0/003>
    <ID:0/003> Complete(Write) operation failed.
    Click to expand...
    Click to collapse

    Research status: 50%
    + 20% - Some devs stated that RIL is hacked and there is also sucessfull Kexec implentation in works - http://xdaforums.com/showpost.php?p=28484191&postcount=262 Stay tuned for more news. Kexec proof-of-concept thread: http://xdaforums.com/showthread.php?t=1760678
    + 20% - phone can boot from unsigned boot.img flashed to recovery partition, this will leave you without recovery and requires to boot-trough-recovery every time u rebooting phone! (thanx invisiblek)
    Links: http://xdaforums.com/showpost.php?p=28420589&postcount=47 , http://pastebin.com/eARk7r48

    + 10% - phone rooted trough system.img tricks -> http://xdaforums.com/showthread.php?t=1756885 (by invisiblek)


    ROM analysys:
    boot.img -> signed
    recovery.img -> signed
    system.img -> not signed
    cache.img -> not signed

    Update [7/7/2012]
    News about locked Verizon model is spreading over the websites and main tech-related portals. Hopefully we will get some detailed info soon.

    Update [7/7/2012]
    It looks like it has been rooted by using system.img trick (system.img is not signed)
    http://xdaforums.com/showthread.php?t=1756885
    Enjoy! and thanx to invisiblek :) good job!

    Update [07/15/2012] VZN insider confirmed this is not a true info
    One of thread members chatted with verizon reps over mail & chat and got info that there may be possible unlocker released for bootloader at vzn locked phones. Here's the screenshots of chat: http://i.imgur.com/0lX3o.png , http://i.imgur.com/ULA4X.png
    At this is not confirmed yet officialy, it may be interesting finding.

    Update [07/15/2012]
    Adam Outler posted he's own research info in separated thread, read it. It may help a bit -> http://xdaforums.com/showthread.php?t=1769411

    Update [07/16/2012]
    Galaxy S III Verizon Developer edition shows up on Samsung Website! -> http://www.samsung.com/us/mobile/cell-phones/SCH-I535MBCVZW


    Thanks!
    View
    29
    stiltzkin
    stiltzkin
    Developing right now:

    JackpotClavin and Invisiblek have successfully loaded a custom kernel using a modified recovery ramdisk. It's still very early but this is excellent news for us. As it stands, this method wipes ClockworkMod and requires the recovery key combination on every boot, but those issues can probably both be overcome with custom scripts.

    Stay tuned guys...and mash those two guys' Thanks buttons!
    View
    24
    L
    Loglud
    piiman said:
    hmmmmm kind of like your post was right?
    Click to expand...
    Click to collapse

    And your post also.

    On a good note while i was digging around last night through the source code I did notice something really nice about the SGSIII that should make you all very happy. As the guys at epic have noted, the kexec flag is marked, meaning that kexec can crash the existing kernel with one of its own. Now what does that mean you may ask. I'm glad you asked.

    For those of you that do not know there are 5 primary partitions that are contained on most phones and android devices:
    1. X-Loader
      This partition is usually the partition with the most basic hardware inits such as base gpio (buttons) and power toggles​
    2. bootloader
      This is the partition that contains what most of us as dev's hate the most, the dreaded boot signature, and boot instructions. When a bootloader is locked down it can be because of either a hardware lock, see OMAP4 processors Sec_On Pin, or a software lock, HTC's S-Off. When a bootloader is said to be locked, it can have two reasons for this, a signed header or an encryption algorithm on the entire partition.​
    3. recovery
      This partition is the one every one loves to see Clockwork Mod on. When not signed the partition can be flashed and used. ONE THING TO NOTE HERE IS THAT WHEN YOU USE THIS THREAD, YOU ARE SHOWING THAT THIS IS NOT SIGNED, Or the signature is not checked!!! This is intersting because it its self may show a security hole. The recovery might be what checks the CWM recovery flash images signature.​
    4. boot
      Perhaps one of the most interesting partitions on android devices. The boot partitions contains the binary for the kernel, and the inframs for the initilization of the os. This partition in this case has said to be signed, with a signature check in the bootloader that checks the validity of a boot partition, meaning there is no changing this.​
    5. system
      Contains most of the information on the OS. At this point all the framework and android settings get loaded. This partition is not signed, meaning we can modify to our will​
    6. userdata
      Contains the userdata, such as games and such​

    Now one thing to note is that there are two initialzation points, the first of which occurs in the boot parition and the second of which is in the system's /etc/init files. One thing that i would be interested in seeing is if you were to use this place to load in a new partition or an SD OS. for example:
    system1 partition init:
    Code: 
    kexec -l /sdcard/kernel --reuse-cmdline --ramdisk=/sdcard/ramdisk
    system2 partition can then have an init that mounts a block partition from the sdcard onto the system partition.
    Code: 
    mount /dev/block/mmc1... /system

    Now what does it all mean? This current method means that we can reload a compleatly new os onto a devices kernel and all. AKA Jelly Bean.

    For those dev which hope to find a way to make it work i point you to the following posts:

    2nd-init can be used for a second init after the first one to allow for kexec to be run (might not need this)

    kexec for ARM I might have to modify some kernel memory allocation issues but it should work none the less with the flag.
    View

New posts