[BOOTLOADER] Locked bootloader research and news [Updated: 7/16/2012]


invisiblek

Recognized Developer
Feb 24, 2010
1,580
5,833
Minnesota
www.invisiblek.org


Really appreciate you trying anyway dude. Huge fan of your work on the Inc, especially on kernels.

So essentially we can overwrite the boot.img, but it's still getting checksummed/verified somewhere by the system, right? Where is that check taking place, and is it feasible to modify/overwrite that portion of the system as well? Just throwing ideas out there, even though this seems like a very long shot.

Thanks again invisiblek.

That's what I'm looking into next.
 

tekhna

Senior Member
Dec 31, 2007
1,214
331
Well, I've got here:

9EGNt.png


Ci0gY.png


That's from flashing a custom boot.img using dd.
I got the same thing yesterday flashing a kernel using CWM, but I didn't get the unlock icon by doing that.

The unlock icon sticks after reverting to the stock kernel using Odin.

Wow, that "Software not authorized by Verizon Wireless" notification is just insidious.
 

NightxFall

Senior Member
Apr 23, 2012
252
29
I think we've got a really good dev community going on here, and the fact that it's not a Moto bootloader means we'll get this figured out in no time. We already have root, and I'm sure Samsung left us a loophole or didn't lock it down as heavily as Motorola's phones are.

Good luck to all you devs! I'm getting my phone Monday; will be glad to help with any testing then.

Sent from my Ally using XDA
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
815
1,543
Minnesota
Well, I've got here:

9EGNt.png


Ci0gY.png


That's from flashing a custom boot.img using dd.
I got the same thing yesterday flashing a kernel using CWM, but I didn't get the unlock icon by doing that.

The unlock icon sticks after reverting to the stock kernel using Odin.
Have you tried flashing the original unlocked VZW kernel people had issues with at first? How about a kernel from another device (ex. Sprint model?), because isn't the bootloader in the boot.img file? Granted, flashing the files is kind of risky.
 

majmuni

Senior Member
Jan 10, 2011
207
20
Please forgive me, but I have a question about this phone. Will the phone have a place for a SIM card so that we can use it internationally? Thanks, guys.

Sent from my SPH-D710 using xda premium
 

dchurch85

Senior Member
Jan 23, 2009
206
50
Please forgive me, but I have a question about this phone. Will the phone have a place for a SIM card so that we can use it internationally? Thanks, guys.

Sent from my SPH-D710 using xda premium

Yes, it has a micro SIM card slot. It is currently not open for use on international networks, but that feature should be unlocked in a future software update.
 

satadru

Senior Member
Oct 31, 2008
102
11
Wow, that "Software not authorized by Verizon Wireless" notification is just insidious.

OK, here's an idea:

We can boot a customized recovery, so...

boot.img -> recovery partition and boot to recovery.

if normal boot then

modified boot.img -> recovery partition

if this boots then

modify boot.img to call something else on system partition (init2?) and -> recovery partition

move init to init2 on system partition

change init on system partition such that it tells system to boot to recovery.

now normal boot -> recovery boot -> modified kernel booted.
recovery boot -> modified kernel booted

sure you lose recovery partition here, but you can always either reflash system or modify the boot partition on the recovery to have a backup mode that starts a normal recovery.


(Discussed with JackpotClavin on IRC)
 

NegativeOne

Senior Member
Jul 21, 2010
997
159
It can't boot custom kernels because the bootloader is encrypted, like the VZW SGIII. It's the same situation.
 

JackpotClavin

Inactive Recognized Developer
Feb 27, 2011
1,024
3,814
New York
Well, that's what we're looking into now. The fact that you might be able to use your recovery partition as a boot partition means booting with the recovery key combination pressed will boot you up normally. All the recovery really happens to be is a ramdisk. We've already proven that modifying the ramdisk of the recovery.img will allow the phone to boot (the ramdisk being 1/2 of the recovery.img, and the other half being the kernel). If the kernel of the recovery partition *isn't* signed (just like the ramdisk) (this is likely) (good news), you should be able to have a custom kernel stored on the recovery partition, which means you can boot into Android using the key combination for recovery. The only downside is A: as of right now, you'll lose ClockworkMod recovery (but you can easily get it back), and B: not pressing the recovery key combination will boot up the stock kernel, not the custom one.
 

NightxFall

Senior Member
Apr 23, 2012
252
29
Who said the S3 bootloader was encrypted? I must have missed that post.

Sent from my Transformer Prime TF201 using Tapatalk 2

Someone who apparently had a conversation with a Samsung rep. Even if it is encrypted, it's still not locked down as much as Moto's bootloaders are, as we have already found out.

Sent from my Ally using XDA
 

ylexot

Senior Member
Dec 8, 2010
656
220
Someone who apparently had a conversation with a Samsung rep. Even if it is encrypted, it's still not locked down as much as Moto's bootloaders are, as we have already found out.

Sent from my Ally using XDA

Oh, and reps have never been wrong... You'd have better odds going with the opposite of what reps say.

Sent from my Transformer Prime TF201 using Tapatalk 2
 

ckochinsky125

Senior Member
Sep 7, 2010
572
10
Someone who apparently had a conversation with a Samsung rep. Even if it is encrypted, it's still not locked down as much as Moto's bootloaders are, as we have already found out.

Sent from my Ally using XDA

And we all know how the reps are always right... :D But anyway, it is nowhere near the level of Moto lockdown, so hopefully that is a good sign and the great devs can figure out how to crack it.
 

Top Liked Posts

  • 67
    Invisiblek successfully booted to Android using "adb reboot recovery" with his modified recovery.img.

    Basically we made it look as if going to recovery, but actually continuing onto boot.img.

    That's not 100% accurate.

    I flashed a modified boot.img to our recovery partition (/dev/block/mmcblk0p18),
    then rebooted into recovery.
    It booted up into Android using this modified boot.img.

    I don't plan for this to be of any real use to us though. Proof of concept, really.

    We need access to /dev/block/mmcblk0p7 (where our stock boot.img actually resides).

    Thing is, we can flash to mmcblk0p7 just fine, but it won't boot (won't do anything, actually, other than let you get back into Odin mode, where you can re-flash the stock boot image, or it gives you this when you try to boot Android or recovery: http://i.imgur.com/Ci0gY.png ).

    Rest assured, this is being worked on...
    39
    Since this is a news thread...

    It was reported in IRC within the past hour or so that supposedly BOTH kexec is likely working and noobnl (whom many of you may know from his work with AOSP ROMs) has stated that the RIL has been cracked :D

    To those who don't know what that means, kexec chainloads kernels (in simplest terms, the custom kernel loads on top of the stock kernel AFTER the bootloader checks to make sure the stock kernel has been unmodified). This was necessary if one wanted to run a non-Touchwiz ROM (such as CM, AOKP, etc) or if they just wanted to run an overclocked, undervolted kernel.

    The RIL is essentially the radio. It was also needed to run a non-Touchwiz ROM and now opens the door to Jelly Bean ROMs.

    There is still working/testing to be done, and there are no ETAs, so don't bug the devs. They're actively working on it so let them do their thing.

    What a roller coaster of a weekend :)
    36
    Since the locked Verizon SGS3 is now the main problem, I've decided to split my kernel thread into a separate one that focuses directly on unlocking the bootloader and progress in that matter.

    Summary of the problem

    The Verizon model is protected from flashing unsigned/modified boot.img and recovery.img. Which means there is no known root method as of now for the SCH-I535.
    And that is where our adventure starts ....


    Rooted stock boot.img issue:
    <ID:0/008> Firmware update start..
    <ID:0/008> boot.img
    <ID:0/008> NAND Write Start!!
    <ID:0/008> FAIL! (Auth)

    CWM Recovery.img flash issue:
    <ID:0/003> Firmware update start..
    <ID:0/003> recovery.img
    <ID:0/003> NAND Write Start!!
    <ID:0/003>
    <ID:0/003> Complete(Write) operation failed.

    Research status: 50%
    + 20% - Some devs stated that the RIL is hacked and there is also a successful kexec implementation in the works - http://xdaforums.com/showpost.php?p=28484191&postcount=262 Stay tuned for more news. Kexec proof-of-concept thread: http://xdaforums.com/showthread.php?t=1760678
    + 20% - The phone can boot from an unsigned boot.img flashed to the recovery partition; this will leave you without recovery and requires booting through recovery every time you reboot the phone! (thanks invisiblek)
    Links: http://xdaforums.com/showpost.php?p=28420589&postcount=47 , http://pastebin.com/eARk7r48

    + 10% - The phone is rooted through system.img tricks -> http://xdaforums.com/showthread.php?t=1756885 (by invisiblek)


    ROM analysis:
    boot.img -> signed
    recovery.img -> signed
    system.img -> not signed
    cache.img -> not signed

    Update [7/7/2012]
    News about locked Verizon model is spreading over the websites and main tech-related portals. Hopefully we will get some detailed info soon.

    Update [7/7/2012]
    It looks like it has been rooted by using the system.img trick (system.img is not signed)
    http://xdaforums.com/showthread.php?t=1756885
    Enjoy! And thanks to invisiblek :) good job!

    Update [07/15/2012] VZN insider confirmed this is not true
    One of the thread members chatted with Verizon reps over mail & chat and got info that there may be an unlocker released for the bootloader on VZN-locked phones. Here are the screenshots of the chat: http://i.imgur.com/0lX3o.png , http://i.imgur.com/ULA4X.png
    As this is not confirmed officially yet, it may be an interesting finding.

    Update [07/15/2012]
    Adam Outler posted his own research info in a separate thread; read it. It may help a bit -> http://xdaforums.com/showthread.php?t=1769411

    Update [07/16/2012]
    Galaxy S III Verizon Developer edition shows up on Samsung Website! -> http://www.samsung.com/us/mobile/cell-phones/SCH-I535MBCVZW


    Thanks!
    29
    Developing right now:

    JackpotClavin and Invisiblek have successfully loaded a custom kernel using a modified recovery ramdisk. It's still very early but this is excellent news for us. As it stands, this method wipes ClockworkMod and requires the recovery key combination on every boot, but those issues can probably both be overcome with custom scripts.

    Stay tuned guys...and mash those two guys' Thanks buttons!
    24
    hmmmmm kind of like your post was right?

    And your post also.

    On a good note while i was digging around last night through the source code I did notice something really nice about the SGSIII that should make you all very happy. As the guys at epic have noted, the kexec flag is marked, meaning that kexec can crash the existing kernel with one of its own. Now what does that mean you may ask. I'm glad you asked.

    For those of you that do not know there are 5 primary partitions that are contained on most phones and android devices:
    1. X-Loader
      This partition is usually the partition with the most basic hardware inits such as base GPIO (buttons) and power toggles.
    2. bootloader
      This is the partition that contains what most of us devs hate the most: the dreaded boot signature, and boot instructions. When a bootloader is locked down it can be because of either a hardware lock, see the OMAP4 processors' Sec_On pin, or a software lock, HTC's S-Off. When a bootloader is said to be locked, it can have two reasons for this: a signed header or an encryption algorithm on the entire partition.
    3. recovery
      This partition is the one everyone loves to see ClockworkMod on. When not signed, the partition can be flashed and used. ONE THING TO NOTE HERE IS THAT WHEN YOU USE THIS THREAD, YOU ARE SHOWING THAT THIS IS NOT SIGNED, or the signature is not checked!!! This is interesting because it itself may show a security hole. The recovery might be what checks the CWM recovery flash image's signature.
    4. boot
      Perhaps one of the most interesting partitions on Android devices. The boot partition contains the binary for the kernel, and the initramfs for the initialization of the OS. This partition in this case is said to be signed, with a signature check in the bootloader that checks the validity of a boot partition, meaning there is no changing this.
    5. system
      Contains most of the information on the OS. At this point all the framework and Android settings get loaded. This partition is not signed, meaning we can modify it at will.
    6. userdata
      Contains the user data, such as games and such.

    Now one thing to note is that there are two initialization points, the first of which occurs in the boot partition and the second of which is in the system's /etc/init files. One thing that I would be interested in seeing is if you were to use this place to load in a new partition or an SD OS. For example:
    system1 partition init:
    Code:
    kexec -l /sdcard/kernel --reuse-cmdline --ramdisk=/sdcard/ramdisk
    system2 partition can then have an init that mounts a block partition from the sdcard onto the system partition.
    Code:
    mount /dev/block/mmc1... /system

    Now what does it all mean? This current method means that we can reload a completely new OS onto a device, kernel and all. AKA Jelly Bean.

    For those dev which hope to find a way to make it work i point you to the following posts:

    2nd-init can be used for a second init after the first one to allow for kexec to be run (might not need this)

    kexec for ARM I might have to modify some kernel memory allocation issues but it should work none the less with the flag.
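Added example, not code from the thread or from any of the posters. JackpotClavin's post describes the recovery.img as one half kernel and one half ramdisk, and the kexec post above ends with `kexec -l kernel --ramdisk=...`. Both rely on the same thing: the Android boot image format, which is a one-page header (`ANDROID!` magic, sizes, load addresses, page size, kernel cmdline) followed by page-aligned kernel, ramdisk and optional second-stage sections. The Python below parses that header (version 0 layout), cuts the sections out, rebuilds the image with a replacement ramdisk (the recovery-ramdisk trick), and derives the kexec-tools arguments, taking the cmdline from the header so the chainloaded kernel sees what the stock one saw. The sample image is constructed inline (the load addresses and cmdline are placeholders, not SCH-I535 values), and whatever the Verizon bootloader actually checks when Odin reports "FAIL! (Auth)" is not part of this format and is not modelled here.

```python
"""Split and rebuild an Android boot.img (boot_img_hdr version 0 layout).

Added example, not from the thread. Runs on a constructed image so it works
offline; parse_boot_image() also accepts a dd dump of a boot/recovery partition.
"""
import struct
from dataclasses import dataclass

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr: magic, kernel_size/addr, ramdisk_size/addr, second_size/addr,
# tags_addr, page_size, two unused words, 16-byte name, 512-byte cmdline, id[8]
HDR_FMT = "<8s10I16s512s8I"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 608 bytes


def _pad_to_page(n: int, page_size: int) -> int:
    """Round n up to a multiple of page_size; every section is page-aligned."""
    return (n + page_size - 1) // page_size * page_size


@dataclass
class BootImage:
    kernel: bytes
    ramdisk: bytes
    second: bytes
    kernel_addr: int
    ramdisk_addr: int
    second_addr: int
    tags_addr: int
    page_size: int
    name: bytes
    cmdline: bytes


def parse_boot_image(blob: bytes) -> BootImage:
    """Validate the header and cut the page-aligned sections out of the image."""
    if len(blob) < HDR_SIZE:
        raise ValueError("image shorter than a boot_img_hdr")
    fields = struct.unpack_from(HDR_FMT, blob, 0)
    magic, ksz, kaddr, rsz, raddr, ssz, saddr, taddr, psz = fields[:9]
    name, cmdline = fields[11], fields[12]
    if magic != BOOT_MAGIC:
        raise ValueError("bad magic: not an Android boot image")
    if psz < HDR_SIZE or psz & (psz - 1):
        raise ValueError(f"implausible page_size {psz}")
    # Header occupies page 0; kernel, ramdisk and second stage follow in order,
    # each padded out to a page boundary. Check the sizes before slicing so a
    # corrupt header cannot silently yield truncated sections.
    koff = psz
    roff = koff + _pad_to_page(ksz, psz)
    soff = roff + _pad_to_page(rsz, psz)
    if soff + _pad_to_page(ssz, psz) > len(blob):
        raise ValueError("section sizes in header run past end of image")
    return BootImage(
        kernel=blob[koff:koff + ksz], ramdisk=blob[roff:roff + rsz],
        second=blob[soff:soff + ssz], kernel_addr=kaddr, ramdisk_addr=raddr,
        second_addr=saddr, tags_addr=taddr, page_size=psz,
        name=name.rstrip(b"\0"), cmdline=cmdline.rstrip(b"\0"),
    )


def build_boot_image(img: BootImage) -> bytes:
    """Reassemble a BootImage in the layout mkbootimg produces.

    id[8] is left zero: mkbootimg fills it with a SHA-1 over the sections, but
    it is an identifier, not an integrity check enforced at boot.
    """
    if len(img.cmdline) > 512 or len(img.name) > 16:
        raise ValueError("cmdline/name exceed header field sizes")
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(img.kernel), img.kernel_addr,
                      len(img.ramdisk), img.ramdisk_addr, len(img.second),
                      img.second_addr, img.tags_addr, img.page_size, 0, 0,
                      img.name, img.cmdline, *([0] * 8))
    out = bytearray(hdr.ljust(img.page_size, b"\0"))
    for section in (img.kernel, img.ramdisk, img.second):
        out += section.ljust(_pad_to_page(len(section), img.page_size), b"\0")
    return bytes(out)


def swap_ramdisk(blob: bytes, new_ramdisk: bytes) -> bytes:
    """The recovery-ramdisk trick: keep the kernel, replace only the ramdisk."""
    img = parse_boot_image(blob)
    img.ramdisk = new_ramdisk
    return build_boot_image(img)


def kexec_argv(img: BootImage, kernel_path: str, ramdisk_path: str) -> list:
    """kexec-tools arguments (--initrd and --command-line are real options)
    once the kernel and ramdisk have been written to kernel_path/ramdisk_path."""
    return ["kexec", "-l", kernel_path, f"--initrd={ramdisk_path}",
            "--command-line=" + img.cmdline.decode()]


def make_sample_image() -> bytes:
    """Constructed stand-in for a partition dump; addresses/cmdline are placeholders."""
    return build_boot_image(BootImage(
        kernel=b"KERNEL" * 100, ramdisk=b"RAMDISK" * 300, second=b"",
        kernel_addr=0x80208000, ramdisk_addr=0x82200000, second_addr=0x81100000,
        tags_addr=0x80200100, page_size=2048, name=b"constructed",
        cmdline=b"console=ttyHSL0,115200,n8 androidboot.hardware=qcom"))


if __name__ == "__main__":
    img = parse_boot_image(make_sample_image())
    print(f"kernel {len(img.kernel)} B, ramdisk {len(img.ramdisk)} B, "
          f"page {img.page_size}, cmdline {img.cmdline!r}")
    print(" ".join(kexec_argv(img, "/sdcard/kernel", "/sdcard/ramdisk")))
```

Run against a real dump (`dd if=/dev/block/mmcblk0pNN of=recovery.bin` on a rooted device) the parser tells you where the kernel ends and the ramdisk begins, which is exactly the boundary the posts above are modifying; the `--command-line` value is the part people most often forget when chainloading, since a kernel booted by kexec without the stock cmdline may not find its console, partitions or hardware parameters.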