[BOOTLOADER] Locked bootloader research and news [Updated: 7/16/2012]
- Thread starter AdamLange
- Start date
Every one of the US versions, Sprint, ATT, TMobile, Verizon all have different hardware radio inside. So a Sprint phone works on Sprint only, Verizon on Verizon only, TMobile on TMobile only, ATT on ATT only. We shop by service first, hardware second. That's mainly because none of the networks work with each other. LTE on ATT is not the same as LTE on Verizon. 4G on TMobile is not the same as 4G on Sprint. Even though they sometimes use similar frequencies, they use different hardware on the towers and in the devices.
Stupidest system ever. Kill the carrier subsidy model.
I have no problem with it because all the other carriers have crap service compared to Verizon. I would not want a bunch of customers from Sprint bogging down the Verizon network because Sprint has not invested in their network.
Service comes first. Hardware second. As it should be. It does me no good to get a wonderful handset like the HTC EVO 4G if the network is garbage.
The carrier-subsidy model is anti-competitive because it forces consumers into long-term contracts. In places without the carrier-subsidy model prices are lower, networks tend to be higher quality, and consumers can truly vote with their dollars. You'd see better networks in the US in general if we got rid of this nonsense.
I don't see the problem. I have been renewing my Verizon contract, every two years, for 10 years or so now. In exchange for that they have built the largest and fastest LTE network around. I get crazy stupid speeds everywhere I go and because I have been with them all along I got to keep my unlimited data. I get better reception than all the other carriers everywhere I go. I get a 24% discount from my employer as well. They also have one of the best device selections. The Razr Maxx and GSIII to name two which I own. If the only thing I have to give up is a locked bootloader on the GSIII, I'm fine with that.
We are now off topic a bit much so lets get back to locked bootloader discussion.
Last edited:
I don't see the problem. I have been renewing my Verizon contract, every two years, for 10 years or so now. In exchange for that they have built the largest and fastest LTE network around. I get crazy stupid speeds everywhere I go and because I have been with them all along I got to keep my unlimited data. I get better reception than all the other carriers everywhere I go. I get a 24% discount from my employer as well. They also have one of the best device selections. The Razr Maxx and GSIII to name two which I own. If the only thing I have to give up is a locked bootloader on the GSIII, I'm fine with that.
We are now off topic a bit much so lets get back to locked bootloader discussion.
Heh, this isn't off-topic--the carrier subsidy model is what allows them to lock bootloaders.
OK, so as far as the specs data are accurate the SPRINT's version of SGS3 covers THE SAME network ranges/types as VZN ones.
Cellular_Networks: CDMA800 (BC0), CDMA1900 (BC14)
Cellular-Data+Links: cdmaOne, CDMA2000 1xRTT, CDMA2000 1xEV-DO Rel. 0, CDMA2000 1xEV-DO Rev A
So unlocked sprint's version (without simlock) + the VZN card should do the job
u will get the unlocked bootloader
Verizon uses the 700mHz band for their gsm lte.. 800mhz for cdma voice.. and 1900mhz cdma 3g
Sent from my SCH-I535 using xda premium
could be a good chance we can use our old trusty "bootmenu" from the droid x and modify it in a way that we modify hijack to pull the bootmenu and then bootmenu would have options for reboot to cwm reboot to normal kernel and reboot to modified kernel.. if stock it would just continue boot if cwm or custom kernel it would flash that selection to recovery partition and reboot to recovery partition making u either boot to cwm or to ur custom kernel.. also it would have a default setting option for u to choose wether it be custom or normal kernel so u dont always have to use it while booting.. this is just me and wizard0f0s brainstorming but to me it makes perfect sense.. now i just need my phone to come in so i can play guinny pig on this whole thing
basically between this and the possibility of kexec working too we have options and im pretty much sure at this point we will be flashing custom kernels.. slim slim chance we wont be but imho way higher of a chance of a workaround
basically between this and the possibility of kexec working too we have options and im pretty much sure at this point we will be flashing custom kernels.. slim slim chance we wont be but imho way higher of a chance of a workaround
Last edited:
Because of? they are incompatible with anything?
so you cant just buy a phone from a shop and use VZN simcard in it? thats weird. And they still got clients?
@jamesnmandy: i got a weird feeling that youre somehow connected to VZN ...
No ****, I got the same feeling.. Sounds like your in bed with Verizon
Is this of any help? (On further review, it's the MSM8660, not the MSM8960 we have.) I'll keep looking....
From: http://www.anyclub.org/2012/05/how-to-enabledisable-secure-boot.html
And perhaps:
http://www.anyclub.org/2012/05/qpst-emergency-download-support.html
Maybe someone over there, that knows the SOC better (or has the SOC documentation) might be able to collaborate to understand how to work around our issues, or at least point out the most efficient attack vector.
From: http://www.anyclub.org/2012/05/how-to-enabledisable-secure-boot.html
And perhaps:
http://www.anyclub.org/2012/05/qpst-emergency-download-support.html
Maybe someone over there, that knows the SOC better (or has the SOC documentation) might be able to collaborate to understand how to work around our issues, or at least point out the most efficient attack vector.
Last edited:
sorry, just very happy with my service......and have been using a Charge forever that never got any CM/AOSP love either, so I have seen what is possible as long as you have root, debloat and custom Touchwiz based roms...and it is good. Not as good as CM/AOSP granted like on the Fascainte, but still not a deal breaker all things considered.
if thats the snapdragon s4 then i'd assume so.. we might just have 3 options now.. granted this would be the best as it would just be like having an unlocked phone
This.
Fewer providers and proprietary networks means they easily lock us into whatever they decide to charge and provide. Plus, we get the added limitation (for LTE) that phones are only "investments" within the same provider network - again, we're locked into their proprietary scheme. Sounds like Apple products.
It used to be that we rented phones from Ma Bell. Times have changed for landlines, but we're doing much of it all over x100 for wireless networks, IMHO.
- ooofest
Hells yes! Beans and wizard are now on the bandwagon! In case you guys don't know they've worked magic with MIUI and more on the DX. I'm so glad you guys are jumping ship with me. Can't wait for Fedex tomorrow!
Sent from wizards MIUI on DX.
Let me just preface this post with I am not a rom developer, so some of the assumptions listed below might not be correct. It is just based on my understanding of what I have researched so far. Also, this information is based off of the secure boot feature in the MSM7XXX chipset, but I don't think the procedures/sequences should differ too much. If someone has a way to analyze which qfuses are blown, I think it might help greatly in finding a way to get around the signed boot loader.
Qualcomm secure booting sequence on an MSM7XXX phone
An explanation of what qfuses are
How to blow the qfuses
Qualcomms secure boot configuration which is enabled our phones
The debug qfuse
So from my understanding of this, unless someone can analyze and is willing to blow the qfuses on their phone to see what will work, we might have to wait on a signed engineering bootloader leak. Of course, that is all based on the assumption that the secure boot in MSM8960 is still similar/identical to the secure boot feature in the MSM7XXX chipsets. Like I said though this is all based on my understanding of it, so someone with more experience could see a different solution from the information above.
Sources for the info in quotes:
http://www.scribd.com/doc/51789612/80-V9038-15-APPLICATION-NOTE-MSM7XXX-QFUSES-AND-SECURITY
Qualcomm secure booting sequence on an MSM7XXX phone
An explanation of what qfuses are
How to blow the qfuses
Qualcomms secure boot configuration which is enabled our phones
The debug qfuse
So from my understanding of this, unless someone can analyze and is willing to blow the qfuses on their phone to see what will work, we might have to wait on a signed engineering bootloader leak. Of course, that is all based on the assumption that the secure boot in MSM8960 is still similar/identical to the secure boot feature in the MSM7XXX chipsets. Like I said though this is all based on my understanding of it, so someone with more experience could see a different solution from the information above.
Sources for the info in quotes:
http://www.scribd.com/doc/51789612/80-V9038-15-APPLICATION-NOTE-MSM7XXX-QFUSES-AND-SECURITY
i spent many years traveling the country with phones from every major carrier, that's how I know it's the best, that and years of watching people on other networks complain about how their service sucks.....it's not hard to see
This is an important thread. Let's all stay on topic pleas.
Sent from my DROIDX using xda app-developers app
Similar threads
- Locked
Top Liked Posts
-
There are no posts matching your filters.
-
67
thats not 100% accurate
i flashed a modified boot.img to our recovery partition (/dev/block/mmcblk0p18)
then rebooted into recovery
it booted up into android using this modified boot.img
i don't plan for this to be of any real use to us though. proof of concept really
we need our access to /dev/block/mmcblk0p7 (where our stock boot.img actually resided)
thing is, we can flash to mmcblk0p7 just fine, but it wont boot (wont do anything actually other than let you get back into odin mode, where you can re-flash the stock boot image, or it gives you this when you try to boot android or recovery: http://i.imgur.com/Ci0gY.png )
rest assured. this is being worked on...39Since this is a news thread...
It was reported in IRC within the past hour or so that supposedly BOTH kexec is likely working and noobnl (whom many of you may know from his work with AOSP ROMs) has stated that the RIL has been cracked
To those who don't know what that means, kexec chainloads kernels (in simplest terms, the custom kernel loads on top of the stock kernel AFTER the bootloader checks to make sure the stock kernel has been unmodified). This was necessary if one wanted to run a non-Touchwiz ROM (such as CM, AOKP, etc) or if they just wanted to run an overclocked, undervolted kernel.
The RIL is essentially the radio. It was also needed to run a non-Touchwiz ROM and now opens the door to Jelly Bean ROMs.
There is still working/testing to be done, and there are no ETAs, so don't bug the devs. They're actively working on it so let them do their thing.
What a roller coaster of a weekend36Since locked Verizon SGS3 is now the main problem, i'v decided to split my kernel thread to separate one that focus directly on unlocking bootloader and progress in that matter.
Summary of the problem
Verizon model is protected from flashing unsigned/modified boot.img and recovery.img. Which means there is no known root method as for now for SCH-I535.
And that is where our adventure starts ....
Rooted stock boot.img issue:
CWM Recovery.img flash issue:
Research status: 50%
+ 20% - Some devs stated that RIL is hacked and there is also sucessfull Kexec implentation in works - http://xdaforums.com/showpost.php?p=28484191&postcount=262 Stay tuned for more news. Kexec proof-of-concept thread: http://xdaforums.com/showthread.php?t=1760678
+ 20% - phone can boot from unsigned boot.img flashed to recovery partition, this will leave you without recovery and requires to boot-trough-recovery every time u rebooting phone! (thanx invisiblek)
Links: http://xdaforums.com/showpost.php?p=28420589&postcount=47 , http://pastebin.com/eARk7r48
+ 10% - phone rooted trough system.img tricks -> http://xdaforums.com/showthread.php?t=1756885 (by invisiblek)
ROM analysys:
boot.img -> signed
recovery.img -> signed
system.img -> not signed
cache.img -> not signed
Update [7/7/2012]
News about locked Verizon model is spreading over the websites and main tech-related portals. Hopefully we will get some detailed info soon.
Update [7/7/2012]
It looks like it has been rooted by using system.img trick (system.img is not signed)
http://xdaforums.com/showthread.php?t=1756885
Enjoy! and thanx to invisiblek good job!
Update [07/15/2012] VZN insider confirmed this is not a true info
One of thread members chatted with verizon reps over mail & chat and got info that there may be possible unlocker released for bootloader at vzn locked phones. Here's the screenshots of chat: http://i.imgur.com/0lX3o.png , http://i.imgur.com/ULA4X.png
At this is not confirmed yet officialy, it may be interesting finding.
Update [07/15/2012]
Adam Outler posted he's own research info in separated thread, read it. It may help a bit -> http://xdaforums.com/showthread.php?t=1769411
Update [07/16/2012]
Galaxy S III Verizon Developer edition shows up on Samsung Website! -> http://www.samsung.com/us/mobile/cell-phones/SCH-I535MBCVZW
Thanks!29Developing right now:
JackpotClavin and Invisiblek have successfully loaded a custom kernel using a modified recovery ramdisk. It's still very early but this is excellent news for us. As it stands, this method wipes ClockworkMod and requires the recovery key combination on every boot, but those issues can probably both be overcome with custom scripts.
Stay tuned guys...and mash those two guys' Thanks buttons!24
And your post also.
On a good note while i was digging around last night through the source code I did notice something really nice about the SGSIII that should make you all very happy. As the guys at epic have noted, the kexec flag is marked, meaning that kexec can crash the existing kernel with one of its own. Now what does that mean you may ask. I'm glad you asked.
For those of you that do not know there are 5 primary partitions that are contained on most phones and android devices:
- X-Loader
This partition is usually the partition with the most basic hardware inits such as base gpio (buttons) and power toggles - bootloader
This is the partition that contains what most of us as dev's hate the most, the dreaded boot signature, and boot instructions. When a bootloader is locked down it can be because of either a hardware lock, see OMAP4 processors Sec_On Pin, or a software lock, HTC's S-Off. When a bootloader is said to be locked, it can have two reasons for this, a signed header or an encryption algorithm on the entire partition. - recovery
This partition is the one every one loves to see Clockwork Mod on. When not signed the partition can be flashed and used. ONE THING TO NOTE HERE IS THAT WHEN YOU USE THIS THREAD, YOU ARE SHOWING THAT THIS IS NOT SIGNED, Or the signature is not checked!!! This is intersting because it its self may show a security hole. The recovery might be what checks the CWM recovery flash images signature. - boot
Perhaps one of the most interesting partitions on android devices. The boot partitions contains the binary for the kernel, and the inframs for the initilization of the os. This partition in this case has said to be signed, with a signature check in the bootloader that checks the validity of a boot partition, meaning there is no changing this. - system
Contains most of the information on the OS. At this point all the framework and android settings get loaded. This partition is not signed, meaning we can modify to our will - userdata
Contains the userdata, such as games and such
Now one thing to note is that there are two initialzation points, the first of which occurs in the boot parition and the second of which is in the system's /etc/init files. One thing that i would be interested in seeing is if you were to use this place to load in a new partition or an SD OS. for example:
system1 partition init:
system2 partition can then have an init that mounts a block partition from the sdcard onto the system partition.Code:kexec -l /sdcard/kernel --reuse-cmdline --ramdisk=/sdcard/ramdisk
Code:mount /dev/block/mmc1... /system
Now what does it all mean? This current method means that we can reload a compleatly new os onto a devices kernel and all. AKA Jelly Bean.
For those dev which hope to find a way to make it work i point you to the following posts:
2nd-init can be used for a second init after the first one to allow for kexec to be run (might not need this)
kexec for ARM I might have to modify some kernel memory allocation issues but it should work none the less with the flag. - X-Loader
New posts
-
-
How can I overlay multiple transparrent pngs on the fly?- Latest: Lucathepcnerd
