[GUIDE] Unlocking the Galaxy S5 Bootloader using DEV Bootloader [KK-MM]

GeTex

The S5 Bootloader Unlock is here! Huge thanks to @beaups for the research and source code and tool, @ryanbg for researching this method in the first place, @autonomousperson for compiling the source to an app for us all, @haggertk for his CID and aboot! @jrkruse for innovating methods, one click apps, and MM methods, @magic_man185 for recompiling the binary to disable SD requirements for MM, and everyone else for being patient with me being slow! Also thank you all for being a great supportive community!



I Have Updated the OP :) Hoping this is less messy and hopefully neater to deal with

DO NOT ASK ABOUT ROMS, KERNELS, OR OTHER THINGS. THIS IS ONLY FOR UNLOCKING THE BOOTLOADER. WE WILL LAUGH AT YOU IF YOU ASK ANYWAYS!!!
EMMC 15 Unlocking Bootloader


EMMC 15 Updating Unlocked Bootloaders Or Downgrading


For Rooting EMMC 11 Phones


All the methods below are only preserved for historical purposes!!! Please use the new methods above!


Warnings
READ THE ENTIRE OP AND THE POST BELOW BY @jrkruse BEFORE DOING ANYTHING AT ALL!!!!!!!!!!
THIS IS ONLY FOR THE VERIZON S5. DOES NOT WORK FOR AT&T!!!!!

This is for users with 15 Samsung eMMCs, not users with 11 Toshiba eMMCs. You can check this by reading the file
/sys/block/mmcblk0/device/cid
Just the first 2 :) 15xxxxxxxxxxxxxxxxxxxxxx or 11xxxxxxxxxxxxxxxxxxxxxxx (my number of x's is random, just read the first 2)
We are still unsure if changing the CID causes app store, verification, activation, provision, or other issues; everything you do is at your own risk! (Pretty sure it's safe)


REACTIVATION LOCK MUST BE TURNED OFF. YOU'VE BEEN WARNED



Starting notes

*REQUIRES ROOT*
If you don't have root, please go to @jrkruse's thread here
https://xdaforums.com/verizon-galax...ot-method-t3561529/post71202995#post71202995/

For Method 4
You must first of all make sure you have authorized your computer in developer options and that USB debugging is on. You could also, using adb tools, use adb wireless if your device is configured for this!
You must also grant ADB root access on screen, please make sure of this!



Make sure you have a blank sd card, EVERYTHING on it WILL BE WIPED as a backup for the bootloader!

*If you have no root access OR SAFESTRAP you must proceed to the rooting thread, nothing below works without root*


Methods


Method 1: Primary Method (Old thanks @jrkruse) For PB1, PD1, PF4, PG2, PJ2, PL1, QA1 (MARSHMALLOW)*REQUIRES SAFESTRAP
Download these files
Bootloader_Unlock_Safestrap.apk
VZW_BPB1_ODEX_DEODEX_V9.zip
G900V_Firmware_PB1.tar.md5
S5_KLTE_USA_VZW.pit
Download and install VZW_BPB1_ODEX_DEODEX_V9.zip
Reboot to Download Mode
In Odin, under the AP slot, load G900V_Firmware_PB1.tar.md5
Now in Odin, under PIT, load S5_KLTE_USA_VZW.pit. If you have a 32gb phone instead of a 16gb phone, skip this step
Click Start
After the phone reboots, pull the battery, reboot to download mode (pwr+voldwn+home) and make sure current binary status is Official. If not, in Odin under the AP slot load G900V_Firmware_PB1.tar.md5 and under PIT load S5_KLTE_USA_VZW.pit. If you have a 32gb phone instead of a 16gb phone, skip this step
Click Start
If current binary is Official, reboot the phone and enter Rom Setup. There is no need to set up any accounts unless you plan on running this rom
Download and install Bootloader_Unlock_Safestrap.apk
Open the Safestrap app and install the Safestrap recovery to the system
Open the Safestrap app and click the Reboot To Recovery button
Flash: (Choose 1. Whatever one you choose is the firmware and bootloader version you will be on)
SafeStrap_PB1_Bootloader_Unlock_AIO.zip
SafeStrap_PD1_Bootloader_Unlock_AIO.zip
SafeStrap_PF4_Bootloader_Unlock_AIO.zip
SafeStrap_PG2_Bootloader_Unlock_AIO.zip
SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
SafeStrap_PL1_Bootloader_Unlock_AIO.zip
SafeStrap_QA1_Bootloader_Unlock_AIO.zip
Phone will Power Off.
Pull the battery, enter TWRP Recovery (volup+pwr+home), wipe Data and System, and flash a rom that matches the firmware. For example, PB1 would be a 5.0 rom; PD1 or PF4 would be a 6.0.1 rom



Method 2: Unlocker via Safestrap (Old thanks @jrkruse) For OE1, OK3, PB1 (LOLLIPOP)
1. Flash this Samsung_Bootloader_Unlocker.zip in Safestrap or FlashFire
2. Reboot the phone and click on the SamsungUnlocker app
3. Wait and make sure to grant SuperSU access. This may take a few seconds to come up
4. Type yes in the terminal screen when it asks you (Yes/No) and hit enter on the keyboard
5. Wait for the phone to power off
6. Reboot to bootloader and verify it says MODE: Developer
7. Flash TWRP recovery using Odin
8. You're done!



Method 3: ADB For 4.4-5.0 (OLD, OUTDATED)
This Method is old and outdated, Do not use unless the new method isn't working!!!

1. Download https://github.com/beaups/SamsungCID/blob/master/samsung_unlock
2. Download adb.7z
3. Extract adb to /adb
4. Extract samsung_unlock
5. Put samsung_unlock inside the adb folder
6. Launch adb tools
7. Select push file
8. Source is samsung_unlock
9. Destination is /data/local/tmp/
10. Select the option for Pull
11. Source is /sys/block/mmcblk0/device/cid
12. Destination is cid.txt
13. Select the option for adb shell
14. Continue after the warning
15. Type the following
Code:
su
cd /data/local/tmp/
chown root.root samsung_unlock
chmod 777 samsung_unlock
./samsung_unlock

Device will shut down; manually reboot
16. Once it reboots, in adb tools connect to the shell again
17. Enter the following commands
Code:
su
cd /data/local/tmp/
./samsung_unlock

18. Once this is done, you can type exit twice to return to the menu of adb tools
19. Select reboot
20. Reboot to bootloader
21. Verify you now have a dev edition :)


Method 4: On Device For 4.4-5.0 (OLD, OUTDATED)
This Method is old and outdated, Do not use unless the new method isn't working!!!

1. On your device download https://github.com/beaups/SamsungCID/blob/master/samsung_unlock
2. Move it to the root directory of your internal storage (if you can't figure out where that is, you shouldn't be doing this)
3. Using a root file explorer, go to /sys/block/mmcblk0/device
4. Copy the file cid to your internal storage (this is a backup of your old cid; if it fails to copy, just open it as text and copy-paste the text)
5. Open a terminal emulator app
6. Type the following
Code:
su
cd /storage/emulated/0/
chown root.root samsung_unlock
chmod 777 samsung_unlock
./samsung_unlock

7. Device will power off, forcefully power on
8. Enter the terminal again and enter the following commands
Code:
su
cd /storage/emulated/0/
./samsung_unlock

9. Once completed reboot to bootloader using your favorite way
10. Verify you are a Developer edition phone now :)

Photo of what your Bootloader should say
IMG_20160408_085419.jpg


Working TWRP and International Rom Patch


TWRP 3.0.0 Flashable recovery zip. Can be flashed in safestrap or flashfire if you have not installed it yet
TWRP_3.0.0-0-klte-klte.zip

International Rom Patch For Data And MMS. Flash right after you flash the rom.
VZW_5.0_International_Rom_Patch_No_Boot.zip
VZW_5.0_International_Rom_Patch_VZW_BOOT.zip



Directions To Update Or Downgrade Bootloaders




If you have already Unlocked your bootloader and are running TouchWiz Rom(Stock kernel)



Download these files
PB1_Firmware_Only_NK2_Kernel.tar.md5
TWRP_Prepare.zip
SafeStrap_PB1_Bootloader_Unlock_AIO.zip
SafeStrap_PD1_Bootloader_Unlock_AIO.zip
SafeStrap_PF4_Bootloader_Unlock_AIO.zip
SafeStrap_PG2_Bootloader_Unlock_AIO.zip
SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
SafeStrap_PL1_Bootloader_Unlock_AIO.zip
SafeStrap_QA1_Bootloader_Unlock_AIO.zip
S5_KLTE_USA_VZW.pit

In TWRP, flash TWRP_Prepare.zip
Reboot to Download Mode
In Odin, under the AP slot, load PB1_Firmware_Only_NK2_Kernel.tar.md5
Now in Odin, under PIT, load S5_KLTE_USA_VZW.pit. If you have a 32gb phone instead of a 16gb phone, skip this step
Click Start
When finished, on reboot watch for the Safestrap splash screen and enter Safestrap
Now go to Power Menu/Reboot Menu and reboot to Download Mode
Make sure in download mode the current binary is Official. If it is not, reflash: in Odin, under the AP slot, load PB1_Firmware_Only_NK2_Kernel.tar.md5
Now in Odin, under PIT, load S5_KLTE_USA_VZW.pit
Click Start. On reboot, enter Safestrap, reboot back to download mode and make sure binary status is Official
If Binary Status is Official, pull the battery, restart and enter Safestrap
Flash: (Choose 1 Whatever One You Choose Is The Firmware And Bootloader Version You Will Be On)
SafeStrap_PB1_Bootloader_Unlock_AIO.zip
SafeStrap_PD1_Bootloader_Unlock_AIO.zip
SafeStrap_PF4_Bootloader_Unlock_AIO.zip
SafeStrap_PG2_Bootloader_Unlock_AIO.zip
SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
SafeStrap_PL1_Bootloader_Unlock_AIO.zip
SafeStrap_QA1_Bootloader_Unlock_AIO.zip
Phone will Power Off.
Pull the battery, enter TWRP recovery, wipe Data and System, and flash a rom that matches the firmware. For example, PB1 would be a 5.0 rom; PD1 or PF4 would be a 6.0.1 rom




[FIX] MM Users. Wifi not working? Hardkeys not working???


View attachment 3772847

Unzip recover.zip and place it on internal storage. In TWRP, choose install image, then choose recovery.img and flash to recovery
Power off the device
Reboot to bootloader and reflash PD1_Firmware_Modem_HLOS_No_Aboot.tar.md5 in Odin with auto reboot unchecked. When done, pull the battery, reboot back to recovery, wipe data, cache and system, and reinstall the rom.





Notes:


If You Bricked Your Device somehow someway



1. Download the following image https://www.androidfilehost.com/?fid=24562946973631519
2. Download https://sourceforge.net/projects/win32diskimager/
3. Attach a micro SD card (min 16GB class 10, others may work but unsure) to your PC via a reader
4. Backup all data on the micro sdcard, EVERYTHING WILL BE ERASED
5. Extract the image from the zip
6. Select write option, select the img file, select SDcard
7. Now write
8. Pop the SD card into the phone, and try to power it up
9. When you do, open download mode
10. Go to Odin and flash a FULL STOCK TAR
11. Start from scratch

To reuse the card it will need to be formatted using fdisk, diskpart, or android



If you have issues flashing modems, firmware, or anything

jrkruse said:
Ok here is the solution
The Stock Boot.img and Stock Recover.img that match your firmware must be flashed before any firmware can be updated on your phone. What I mean by firmware is the things other than images that are flashed in Odin, like the modem.bin. If you're just wanting to flash a custom boot or recovery image then you can just flash them and you don't need to do any of this.
So after the Stock and Recovery images are flashed the phone needs to return to a power off state. Then a reboot to stock recovery and wipe the cache. Then reboot the phone and then go to bootloader mode from there.
After doing this the phone will allow firmwares to be flashed through Odin.

Instructions
Flash the Kernel_Recovery Only package, either the Odin package or the zip package in custom recovery
If using Odin, uncheck reboot now, then flash the Kernel_Recovery package, pull the battery, reboot to recovery (Pwr+Hme+VolUp), wipe cache, reboot the phone, then reboot back to bootloader and flash whatever you're wanting to upgrade.
Reboot the phone and make sure your changes applied, then you can flash your custom recovery again
If flashing in recovery, flash the zip, then reboot to recovery, which will now be stock recovery, and wipe cache and then power off. Do not reboot, the phone must go to a power off state
Reboot the phone, then reboot to bootloader and use Odin to update whatever you're needing to do
Reboot the phone and make sure your changes took. Then reboot back to Odin and flash custom recovery, or use FlashFire or Safestrap to flash the custom recovery zip.
If for some reason the bootloader becomes locked again, simply do the unlock procedure again

https://www.androidfilehost.com/?w=files&flid=53300

To make the SD card usable again, format using android!
Or keep it as a backup

IF YOU FLASH STOCK BACK TO THE PHONE, IT WILL RELOCK THE BOOTLOADER, requiring you to run the script ONCE and it will be unlocked again

Source Located @ https://github.com/beaups/SamsungCID


beaups said:
its done

If any bounties applicable, please donate to "make a wish foundation" or @ryanbg (he's getting married)

--beaups


Sourcecode
https://github.com/beaups/SamsungCID


eMMC 11 is non-exploitable

http://xdaforums.com/verizon-galaxy-s5/development/toshiba-11-series-bootloader-unlock-t3349346
 
Last edited:
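
The eMMC check from the Warnings section of the first post, as an added example (not part of the original post or of the SamsungCID project): a read-only shell decoder for the 32-hex-digit CID string. The 15/11 vendor mapping is the one given in the thread, the field offsets follow the JEDEC eMMC CID register layout, and the sample CID and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the eMMC CID string exposed by the kernel at
# /sys/block/mmcblk0/device/cid. Read-only; nothing is written to the device.
# Layout (hex digits, 1-based): 1-2 manufacturer ID, 3-4 reserved/CBX,
# 5-6 OEM ID, 7-18 product name, 19-20 revision, 21-28 serial, 29-30 date.

# Constructed sample value, not taken from a real device.
SAMPLE_CID="15010053414d504c4512012345675a00"

# cid_field CID START END -> hex digits START..END of the CID
cid_field() {
    printf '%s' "$1" | cut -c "$2-$3"
}

# cid_valid CID -> status 0 only for exactly 32 hex digits
cid_valid() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# cid_vendor CID -> vendor name for the two manufacturer IDs named in the thread
cid_vendor() {
    case "$(cid_field "$1" 1 2)" in
        15) echo "Samsung" ;;
        11) echo "Toshiba" ;;
        *)  echo "unknown" ;;
    esac
}

# cid_product CID -> six-byte product name as ASCII ('?' for non-printables)
cid_product() {
    hex=$(cid_field "$1" 7 18)
    out=""
    while [ -n "$hex" ]; do
        byte=$(printf '%s' "$hex" | cut -c 1-2)
        hex=$(printf '%s' "$hex" | cut -c 3-)
        code=$((0x$byte))
        if [ "$code" -ge 32 ] && [ "$code" -le 126 ]; then
            # %b with \0ooo is the portable way to emit one byte by value
            out="$out$(printf '%b' "\\0$(printf '%03o' "$code")")"
        else
            out="$out?"
        fi
    done
    printf '%s\n' "$out"
}

# cid_revision CID -> product revision as major.minor (one nibble each)
cid_revision() {
    major=$((0x$(cid_field "$1" 19 19)))
    minor=$((0x$(cid_field "$1" 20 20)))
    echo "$major.$minor"
}

# cid_report CID -> human-readable summary, status 1 on malformed input
cid_report() {
    if ! cid_valid "$1"; then
        echo "not a 32-hex-digit CID: $1" >&2
        return 1
    fi
    echo "manufacturer ID : $(cid_field "$1" 1 2) ($(cid_vendor "$1"))"
    echo "OEM ID          : $(cid_field "$1" 5 6)"
    echo "product name    : $(cid_product "$1")"
    echo "revision        : $(cid_revision "$1")"
    echo "serial number   : $(cid_field "$1" 21 28)"
}

# Use the real sysfs node when present (e.g. in an adb shell), else the sample.
CID_PATH="${CID_PATH:-/sys/block/mmcblk0/device/cid}"
if [ -r "$CID_PATH" ]; then
    cid=$(cat "$CID_PATH")
else
    cid=$SAMPLE_CID
fi
cid_report "$cid" || true
```

Keeping the full decoded output alongside the raw cid.txt backup makes it easy to confirm later which value the device originally shipped with.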

jrkruse


Hariiiii

It doesn't work. Dev bootloaders are specific to the phone; they don't work on other phones, even other dev phones.
I read in another forum somewhere about someone editing a hex value in a kernel to allow it to be loaded by odin (I think by changing some kind of version or product number). I expect if a VZW dev edition bootloader is specific to the phone, it incorporates some kind of IMEI or ESN check. Maybe it's possible to change that in the bootloader? Or perhaps it would work by spoofing the IMEI of the phone?
 

GeTex

Going to take a peek then, I need a bootloader dump please? Anyone got a Dev Edition GS5?

Knowing Verizon, it's probably got a boot signature key with Secureboot. Damn

If that's the case, another dead end?
 

Hariiiii


Unfortunately, no. That only includes the kernel and ROM itself. What we need is an img of a vzw dev edition aboot.mbn. This can be acquired using the dd command.

I was looking at some of the many long threads regarding attempts at unlocking the galaxy s4 as well as beaups' galaxy s5 developer edition hack, and I've come to think that what beaups did is to edit some unprotected small flag or string somewhere which is accessed by a developer ed. bootloader to check whether the phone matches the bootloader. He ran his program FIRST, then flashed what I suspect to be a signed dev edition bootloader which booted. If we can pick through the dev edition aboot.mbn with IDA pro and see where in memory the bootloader is checking to verify the phone, maybe we can copy his exploit.

If beaups had some kind of other exploit (to bypass security or other checks), there would be no reason for him to flash a new aboot.mbn, or even if so, he would have to edit some kind of string anyways to get the dev edition bl to work.

does anyone have any thoughts or feedback (or dev edition bootloaders)?
 

Surge1223

Hariiiii said:
Unfortunately, no. That only includes the kernel and ROM itself. What we need is an img of a vzw dev edition aboot.mbn. This can be acquired using the dd command.

I was looking at some of the many long threads regarding attempts at unlocking the galaxy s4 as well as beaups' galaxy s5 developer edition hack, and I've come to think that what beaups did is to edit some unprotected small flag or string somewhere which is accessed by a developer ed. bootloader to check whether the phone matches the bootloader. He ran his program FIRST, then flashed what I suspect to be a signed dev edition bootloader which booted. If we can pick through the dev edition aboot.mbn with IDA pro and see where in memory the bootloader is checking to verify the phone, maybe we can copy his exploit.

If beaups had some kind of other exploit (to bypass security or other checks), there would be no reason for him to flash a new aboot.mbn, or even if so, he would have to edit some kind of string anyways to get the dev edition bl to work.

does anyone have any thoughts or feedback (or dev edition bootloaders)?

When the mmc card is initialized in aboot, it loads /populates ddi_data and ddi_priv data. These contain info about the product generated from the Cid. It checks a value in qfprom and if a certain value makes it so sw_id or sw_revision isn't checked and/or is ignored. This also happens to correspond with a value of cc_type and determines if the device is a developer edition or not. I'm guessing @beaups has an exploit that writes over the mmc card Cid so the value returns from qfprom in such a way as to register as a developer edition device and this also allows the flashing of a dev edition boot chain. I'm guessing he had to flash the dev edition boot chain because the Cid hack probably wasn't going to remain permanently to whatever he wrote to it.

Maybe he'll chime in and tell me if I'm thinking on the right path/track. I'm not sure, I didn't study the function for very long, it was just something I noticed when I was going through the note 4 aboot.
 

beaups

Surge1223 said:
When the mmc card is initialized in aboot, it loads /populates ddi_data and ddi_priv data. These contain info about the product generated from the Cid. It checks a value in qfprom and if a certain value makes it so sw_id or sw_revision isn't checked and/or is ignored. This also happens to correspond with a value of cc_type and determines if the device is a developer edition or not. I'm guessing @beaups has an exploit that writes over the mmc card Cid so the value returns from qfprom in such a way as to register as a developer edition device and this also allows the flashing of a dev edition boot chain. I'm guessing he had to flash the dev edition boot chain because the Cid hack probably wasn't going to remain permanently to whatever he wrote to it.

Maybe he'll chime in and tell me if I'm thinking on the right path/track. I'm not sure, I didn't study the function for very long, it was just something I noticed when I was going through the note 4 aboot.

I'll reply for a change. I didn't do any research on aboot or the lock mechanism, @ryanbg did. There may be other "features", but his research indicated the eMMC cid was hashed, signed, and stored in the dev edition aboot for the device it was targeted for. So in order to flash (and more importantly boot) someone's "borrowed" dev-edition aboot, you need a cid that matches the signed hash. So, yes, I just changed the CID to match that. Then the flash is easy.

--beaups
 

GeTex

beaups said:
I'll reply for a change. I didn't do any research on aboot or the lock mechanism, @ryanbg did. There may be other "features", but his research indicated the eMMC cid was hashed, signed, and stored in the dev edition aboot for the device it was targeted for. So in order to flash (and more importantly boot) someone's "borrowed" dev-edition aboot, you need a cid that matches the signed hash. So, yes, I just changed the CID to match that. Then the flash is easy.

--beaups

So... This would in theory be possible then? If so, I have more digging to do. THANK YOU for the response. I'm getting a grip on this
 

Hariiiii

Holy **** I was right kind of. We need a dev edition aboot with its corresponding Cid NOW
 

beaups

And therein lies the rub

:D

Indeed :p I plan to release details soon, I've been working on and off with documenting it. It won't be a "double click here to unlock", but the details will be sufficient for someone with coding/technical knowledge to turn it into a functioning tool (you seem to fit that description).

--beaups
 

Surge1223

Hariiiii said:
Holy **** I was right kind of. We need a dev edition aboot with its corresponding Cid NOW

GeTex said:
So... This would in theory be possible then? If so, I have more digging to do. THANK YOU for the response. I'm getting a grip on this


I would suggest researching how/what the CID does to affect these values though, fwiw, getting a dev edition aboot would be the least of your problems imho.
 

Hariiiii

@beaups
Yes....I quickly began to realize that this was the issue. I actually have no idea where the CID is on the galaxy s5, but based on reading some of ryanbg's posts, I'm going to guess it's in the rpmb partition at mmcblk0rpmb. This post in particular seems to be the important one:
http://xdaforums.com/showpost.php?p=52454292&postcount=18

I suppose the plan would be then to mount the partition as read/write, then scan through it with a hex editor, find the location of the CID in memory, and then maybe write over it using dd like in the link below? Or maybe I'm just crazy.

http://unix.stackexchange.com/questions/214820/patching-a-binary-with-dd
 

beaups

Hariiiii said:
@beaups
Yes....I quickly began to realize that this was the issue. I actually have no idea where the CID is on the galaxy s5, but based on reading some of ryanbg's posts, I'm going to guess it's in the rpmb partition at mmcblk0rpmb. This post in particular seems to be the important one:
http://xdaforums.com/showpost.php?p=52454292&postcount=18

I suppose the plan would be then to mount the partition as read/write, then scan through it with a hex editor, find the location of the CID in memory, and then maybe write over it using dd like in the link below? Or maybe I'm just crazy.

http://unix.stackexchange.com/questions/214820/patching-a-binary-with-dd

No, CID is in the eMMC hardware.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 102
    The S5 Bootloader Unlock is here! Huge thanks to @beaups for the research and sourcecode and tool, @ryanbg for researching this method in the firstplace, @autonomousperson For compiling the source to a app for us all, @haggertk for his CID and aboot! @jrkruse for innovating methods, one click apps, and MM methods @magic_man185 for recompiling the binary to disable SD requirements for MM, and everyone else for being patient for me being slow! Also thank you all for being a great supportive community!



    I Have Updated the OP :) Hoping this is less messy and hopefully neater to deal with

    DO NOT ASK ABOUT ROMS, KERNELS, OR OTHER THINGS. THIS IS ONLY FOR UNLOCKING THE BOOTLOADER. WE WILL LAUGH AT YOU IF YOU ASK ANYWAYS!!!
    EMMC 15 Unlocking Bootloader


    EMMC 15 Updating Unlocked Bootloaders Or Downgrading


    For Rooting EMMC 11 Phones


    All the methods below are only preserved for historical purposes!!! Please use the new methods above!


    Warnings
    READ THE ENTIRE OP AND THE POST BELOW BY @jrkruse BEFORE DOING ANYTHING AT ALL!!!!!!!!!!
    THIS IS ONLY FOR THE VERIZON S5. DOES NOT WORK FOR AT&T!!!!!

    This is for users with 15' Sasmung eMMC's not users with 11 Toshiba eMMC's. You can check this by reading the file
    /sys/block/mmcblk0/device/cid
    Just the first 2 :) 15xxxxxxxxxxxxxxxxxxxxxx or 11xxxxxxxxxxxxxxxxxxxxxxx(my number of x's are random, just read the first 2)
    We still are unsure if changing the CID causes app store, verification, activation, provision, or other issues, everything you do is at your own risk!(Pretty sure it's safe)


    REACTIVATION LOCK MUST BE TURNED OFF. YOU'VE BEEN WARNED



    Starting notes

    *REQUIRES ROOT*
    If you don't have root, please goto @jrkruse thread here
    https://xdaforums.com/verizon-galax...ot-method-t3561529/post71202995#post71202995/

    For Method 4
    You must make sure first of all you have authorized your computer in developer options and that USB debugging is on, you could also using adb tools use adb wireless if your device is configured for this!
    You also on screen must grant ADB root access, please make sure of this!



    Make sure you have a blank sd card, EVERYTHING on it WILL BE WIPED as a backup for the bootloader!

    *If you have no root access OR SAFESTRAP you must proceed to the rooting thread, nothing below works without root*


    Methods


    Method 1: Primary Method (Old thanks @jrkruse) For PB1, PD1, PF4, PG2, PJ2, PL1, QA1 (MARSHMALLOW)*REQUIRES SAFESTRAP
    Download these files
    Bootloader_Unlock_Safestrap.apk
    VZW_BPB1_ODEX_DEODEX_V9.zip
    G900V_Firmware_PB1.tar.md5
    S5_KLTE_USA_VZW.pit
    Download and install VZW_BPB1_ODEX_DEODEX_V9.zip
    Reboot to Download Mode
    In Odin Under AP slot load G900V_Firmware_PB1.tar.md5
    Now in Odin Under PIT load S5_KLTE_USA_VZW.pit If you have a 32gb phone instead of 16gb phone skip this step
    Click Start
    After Phone reboots pull battery reboot to download mode (pwr+voldwn+home) and make sure current binary status is official If not In Odin Under AP slot load G900V_Firmware_PB1.tar.md5 and Odin Under PIT load S5_KLTE_USA_VZW.pit If you have a 32gb phone instead of 16gb phone skip this step
    Click Start
    If current binary is official reboot phone and enter Rom Setup. There is no need to setup any accounts unless you plan on running this rom
    Download and install Bootloader_Unlock_Safestrap.apk
    Open Safestrap app and install the safestrap recovery to the system
    Open safetrap app and click Reboot To Recovery Button
    Flash: (Choose 1 Whatever One You Choose Is The Firmware And Bootloader Version You Will Be On)
    SafeStrap_PB1_Bootloader_Unlock_AIO.zip
    SafeStrap_PD1_Bootloader_Unlock_AIO.zip
    SafeStrap_PF4_Bootloader_Unlock_AIO.zip
    SafeStrap_PG2_Bootloader_Unlock_AIO.zip
    SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
    SafeStrap_PL1_Bootloader_Unlock_AIO.zip
    SafeStrap_QA1_Bootloader_Unlock_AIO.zip
    Phone will Power Off.
    Pull Battery enter TWRP Recovery (volup+pwr+home) Wipe Data and System and Flash A Rom That matches Firmware For example PB1 would be a 5.0 rom PD1 Or PF4 would be 6.0.1 Rom



    Method 2: Unlocker via Safestrap (Old thanks @jrkruse) For OE1, OK3, PB1 (LOLLIPOP)
    1. Flash this Samsung_Bootloader_Unlocker.zip in safestrap or flashfire
    2. Reboot phone click on SamsungUnlocker app
    3. Wait and make sure to grant SuperSu access. This may take a few seconds to come up
    4. type yes in the terminal screen when it ask you (Yes/No) Hit enter on the keyboard
    5. wait for phone to power off
    6. reboot to bootloader and verify it says MODE: Developer
    7. Flash Twrp recovery using Odin
    8. Your done!



    Method 3: ADB For 4.4-5.0 (OLD, OUTDATED)
    This Method is old and outdated, Do not use unless the new method isn't working!!!

    1. Download https://github.com/beaups/SamsungCID/blob/master/samsung_unlock
    2. Download View attachment adb.7z
    3. Extract adb to /adb
    4. Extract samsung_unlock
    5. Put samsung_unlock inside the adb folder
    6. Launch adb tools
    7. Select push file
    8. Source is samsung_unlock
    9. Destination is /data/local/tmp/
    10. Select the option for Pull
    11. Source is /sys/block/mmcblk0/device/cid
    12. Destination is cid.txt
    13. Select the option for adb shell
    14. Continue after the warning
    15. type the following
    Code:
    su
    cd /data/local/tmp/
    chown root.root samsung_unlock
    chmod 777 samsung_unlock
    ./samsung_unlock

    Device will shut down, manually reboot
    16. once it reboots, in adb tools connect to the shell again
    17. Enter the following commands
    Code:
    su
    cd /data/local/tmp/
    ./samsung_unlock

    18. once this is done, you can type exit twice to return to the menu of adb tools
    19. Select reboot
    20. Reboot to bootloader
    21. Verify you now have a dev edition :)


    Method 4: On Device For 4.4-5.0 (OLD, OUTDATED)
    This Method is old and outdated, Do not use unless the new method isn't working!!!

    1. On your device download https://github.com/beaups/SamsungCID/blob/master/samsung_unlock
    2. Move to your root directory of your internal storage(if you can't figure out where that is, you shouldn't be doing this)
    3. Using a root file explorer goto /sys/block/mmcblk0/device
    4. Copy the file cid to your internal storage(this is a backup of your old cid, if it fails to copy, just open it as text and copy paste the text)
    5. open a terminal emulator app
    6. type the following
    Code:
    su
    cd /storage/emulated/0/
    chown root.root samsung_unlock
    chmod 777 samsung_unlock
    ./samsung_unlock

    7. Device will poweroff, focefully power on
    8. Enter the terminal again and enter the following commands
    Code:
    su
    cd /storage/emulated/0/
    ./samsung_unlock

    9. Once completed reboot to bootloader using your favorite way
    10. Verify you are a Developer edition phone now :)

    Photo of what your Bootloader should say
    IMG_20160408_085419.jpg


    Working TWRP and International Rom Patch


    TWRP 3.0.0 Flashable recovery zip. Can be flashed in safestrap or flashfire if you have not installed it yet
    TWRP_3.0.0-0-klte-klte.zip

    International Rom Patch For Data And MMS. Flash right after you flash the rom.
    VZW_5.0_International_Rom_Patch_No_Boot.zip
    VZW_5.0_International_Rom_Patch_VZW_BOOT.zip



    Directions To Update Or Downgrade Bootloaders




    If you have already Unlocked your bootloader and are running TouchWiz Rom(Stock kernel)



    Download this files
    PB1_Firmware_Only_NK2_Kernel.tar.md5
    TWRP_Prepare.zip
    SafeStrap_PB1_Bootloader_Unlock_AIO.zip
    SafeStrap_PD1_Bootloader_Unlock_AIO.zip
    SafeStrap_PF4_Bootloader_Unlock_AIO.zip
    SafeStrap_PG2_Bootloader_Unlock_AIO.zip
    SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
    SafeStrap_PL1_Bootloader_Unlock_AIO.zip
    SafeStrap_QA1_Bootloader_Unlock_AIO.zip
    S5_KLTE_USA_VZW.pit

    In TWRP Flash TWRP_Prepare.zip
    Reboot to Download Mode
    In Odin Under AP slot load PB1_Firmware_Only_NK2_Kernel.tar.md5
    Now in Odin Under PIT load S5_KLTE_USA_VZW.pit If you have a 32gb phone instead of 16gb phone skip this step
    Click Start
    When finished on reboot watch for Safestrap Splash Screen and enter Safestrap
    Now goto Power Menu/Reboot Menu and reboot to Download Mode
    Make sure in download mode the current binary is Official. If it is not reflash In Odin Under AP slot load PB1_Firmware_Only_NK2_Kernel.tar.md5
    Now in Odin Under PIT load S5_KLTE_USA_VZW.pit
    Click Start on reboot enter Safestrap reboot back to download mode and make sure binary status is Official
    If Binary Status is Official Pull battery restart and enter SafeStrap
    Flash: (Choose 1 Whatever One You Choose Is The Firmware And Bootloader Version You Will Be On)
    SafeStrap_PB1_Bootloader_Unlock_AIO.zip
    SafeStrap_PD1_Bootloader_Unlock_AIO.zip
    SafeStrap_PF4_Bootloader_Unlock_AIO.zip
    SafeStrap_PG2_Bootloader_Unlock_AIO.zip
    SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
    SafeStrap_PL1_Bootloader_Unlock_AIO.zip
    SafeStrap_QA1_Bootloader_Unlock_AIO.zip
    Phone will Power Off.
    Pull Battery enter TWRP recovery Wipe Data and System and Flash A Rom That matches Firmware For example PB1 would be a 5.0 rom PD1 Or PF4 would be 6.0.1 Rom




    [FIX] MM Users. Wifi not working? Hardkeys not working???


    View attachment 3772847

    Unzip recover.zip place on internal storage flash in TWRP choose install image then choose recovery.img and flash to recovery
    power off device
    reboot to bootloader and reflash PD1_Firmware_Modem_HLOS_No_Aboot.tar.md5 in odin uncheck auto reboot when done pull battery reboot back to recovery wipe data and cache and system reinstall rom.





    Notes:


    If You Bricked Your Device somehow someway



    1. Download the following image https://www.androidfilehost.com/?fid=24562946973631519
    2. Download https://sourceforge.net/projects/win32diskimager/
    3. Attach a micro sdcard(min 16GB class 10, others may work but unsure) to your PC via a reader
    4. Backup all data on the micro sdcard, EVERYTHING WILL BE ERASED
    5. Extract the image from the zip
    6. Select write option, select the img file, select SDcard
    7. Now write
    8. Pop the Sdcard into the phone, and try and power it up
    9. When you do, open download mode
    10. Go to Odin and flash a FULL STOCK TAR
    11. Start from scratch

    To reuse the card it will need to be formatted using fdisk, diskpart, or android



    If you have issues flashing modems, firmware, or anything

    jrkruse said:
    Ok here is the solution
    The Stock Boot.img and Stock Recover.img that match your firmware must be flashed before any firmware can be updated on your phone. What I mean by firmware is the things other than images that are flashed in Odin, like the modem.bin. If you're just wanting to flash a custom boot or recovery image then you can just flash them and you don't need to do any of this.
    So after the Stock and Recovery images are flashed the phone needs to return to a power off state. Then reboot to stock recovery and wipe the cache. Then reboot the phone and then go to bootloader mode from there.
    After doing this the phone will allow firmwares to be flashed through odin.

    Instructions
    Flash the Kernel_Recovery Only either odin package or zip package in custom recovery
    If using Odin, uncheck reboot now, then flash the Kernel_Recovery package, pull battery, reboot to recovery (Pwr+Hme+VolUp), wipe cache, reboot phone, then reboot back to bootloader and flash whatever you're wanting to upgrade.
    Reboot phone and make sure your changes applied, then you can flash your custom recovery again
    If flashing in recovery, flash the zip, then reboot to recovery, which will now be stock recovery, and wipe cache and then power off. Do not reboot, the phone must go to a power off state
    Reboot phone, then reboot to bootloader and use Odin to update whatever you're needing to do
    Reboot Phone make sure your changes took. Then reboot back to odin and flash custom recovery or use flashfire or safestrap to flash the custom recovery zip.
    If for some reason the bootloader becomes locked again simply do the unlock procedure again

    https://www.androidfilehost.com/?w=files&flid=53300

    To make the SD card usable again, format using android!
    Or keep it as a backup

    IF YOU FLASH STOCK BACK TO THE PHONE, IT WILL RELOCK THE BOOTLOADER, requiring you to run the script ONCE and it will be unlocked again

    Source Located @ https://github.com/beaups/SamsungCID


    beaups said:
    its done

    If any bounties applicable, please donate to "make a wish foundation" or @ryanbg (he's getting married)

    --beaups


    Sourcecode
    https://github.com/beaups/SamsungCID


    eMMC 11 is non-exploitable

    http://xdaforums.com/verizon-galaxy-s5/development/toshiba-11-series-bootloader-unlock-t3349346
    43
    Updated 04-08-23!!

    EMMC_11 S5 phones now have an exploit that allows flashing custom boot and recovery images, giving the ability to run custom AOSP based roms such as Lineage and root with Magisk root on android 6.0 bootloaders. It is not a bootloader unlock, so no custom images can be flashed with Odin
    19
    Here is a tool for unlocking the bootloader that only requires you to answer yes to unlock your bootloader.
    It will also automatically back up your original cid to the sdcard and internal storage. If you have already unlocked and are running this tool again, make sure to back up your original cid.txt files, as this will overwrite it with your current cid, which will be different than your original. If you haven't unlocked yet then the cid.txt file will be your original

    1. Flash this Samsung_Bootloader_Unlocker.zip in safestrap or flashfire
    2. Reboot phone click on SamsungUnlocker app
    3. Wait and make sure to grant SuperSu access. This may take a few seconds to come up
    4. Type yes in the terminal screen when it asks you (Yes/No). Hit enter on the keyboard
    5. wait for phone to power off
    6. reboot to bootloader and verify it says MODE: Developer
    7. Flash Twrp recovery using Odin
    8. You're done!
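
Added example, not part of the post above or of the unlocker tool: a POSIX shell sketch of the precaution the post describes, saving the CID read from /sys/block/mmcblk0/device/cid without ever overwriting the first (original) copy on a later run. The function names and the cid.orig.txt / cid.current.txt file names are assumptions made for this example; the tool itself writes cid.txt.

```shell
#!/bin/sh
# Hypothetical helpers (names are assumptions, not from the unlocker tool).

# First byte of the CID is the manufacturer ID: the "15" / "11" the thread checks.
cid_mid() { cut -c1-2 < "$1"; }

# backup_cid CID_FILE BACKUP_DIR
# Prints the path the CID value was stored at.
backup_cid() {
    cid_file=$1
    backup_dir=$2

    [ -r "$cid_file" ] || { echo "cannot read $cid_file" >&2; return 1; }
    cid=$(tr -d ' \n\r' < "$cid_file")

    # The eMMC CID register is 128 bits, exposed in sysfs as 32 hex characters.
    case $cid in
        *[!0-9a-fA-F]*|"") echo "unexpected CID contents" >&2; return 1 ;;
    esac
    [ "${#cid}" -eq 32 ] || { echo "CID is not 32 hex characters" >&2; return 1; }

    mkdir -p "$backup_dir" || return 1
    orig="$backup_dir/cid.orig.txt"

    if [ ! -e "$orig" ]; then
        # First run: this is the original CID. Store it read-only.
        printf '%s\n' "$cid" > "$orig" && chmod 0400 "$orig"
        echo "$orig"
    elif [ "$(cat "$orig")" = "$cid" ]; then
        # Same value already saved: nothing to write.
        echo "$orig"
    else
        # CID no longer matches the saved original (device already unlocked):
        # keep the current value in a separate file, never over the original.
        cur="$backup_dir/cid.current.txt"
        printf '%s\n' "$cid" > "$cur"
        echo "$cur"
    fi
}
```

On a rooted device this would be called as `backup_cid /sys/block/mmcblk0/device/cid <backup directory>`, and the saved file should also be copied off the phone.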
    15
    I'm going to try and clear some things up.
    1. TWRP is a replacement for the stock recovery. It can do everything the stock recovery can do, plus it can flash zips, recoveries and boot images. It can also back up and restore system and data. It can also be entered from about any state of the phone, except it being bricked of course. There is no need to use safestrap or flashfire anymore. I recommend that you remove safestrap from the rom you are using as it will cause trouble. By removing I mean uninstall safestrap recovery from the system, don't just simply delete the apk. Flashfire can be left if you want as it won't affect anything.

    2. You can flash TW roms as well as CM and AOSP based roms. The roms don't have to state they are for DEV edition. You will want to avoid muniz_ri upgrade roms as they flash bootloaders. In most cases if trying to flash a rom with bootloaders they will not flash, but as a safety precaution avoid roms that say they flash bootloaders with the rom. Other variants' roms can be flashed on the Verizon S5, also known as the SM-G900V. The other variants will have different letters at the end, like SM-G900F which is an international variant or SM-G900T which is the Tmobile variant. SM-G900A is the ATT variant, SM-G900M the Canadian variant, SM-G900P the Sprint variant. There are many others. There are some you can't flash, like the SM-G900H, as this variant has a different chipset. There are a few Chinese and Korean ones as well, but you don't come across them much and they usually have some weird numbers. Now most of the other variants' roms will need a patch to get data and mms working. I have a patch that will work on most. Many of these roms come with their own custom TW kernels or their stock TW kernel. You can either use their kernel or you can use the Verizon TW kernel on their roms. Most CM and AOSP roms will come with a kernel. Now CM and AOSP roms need to have Google apps flashed in addition to the rom. These are commonly referred to as GApps

    3. You can flash a custom kernel, also known as a boot.img. AOSP, CM and Touchwiz all have different kernels and the proper kernel must be flashed for the type of rom. You can use other variants' kernels on the Verizon S5. Most work fine but some do not. There are a lot more custom kernels for CM and AOSP than Touchwiz. Just remember Touchwiz roms need Touchwiz kernels, whether it be a stock TW kernel or a modded TW kernel. And most AOSP and CM kernels are interchangeable, but you cannot use a TW kernel on those two

    4. With TWRP you can use and install roms that have aroma installers. These installers give you choices throughout the install of what you want.

    5. There are a couple of Marshmallow Touchwiz roms available for the international S5, the SM-G900F. As of now these roms cannot be used on our phones because they require a Marshmallow bootloader and modem. You cannot use other variants' firmware on the Verizon S5. By firmware I mean bootloaders, modems etc. There are also 5.1.1 roms available from ATT and Tmobile. It is possible to flash these roms as they will still run on the 5.0 lollipop bootloader. You may have to use their stock 5.1.1 kernel or a modded TW 5.1.1 kernel to get them to work

    6. Roms 5.1.1 and higher require a different root method. Stock kernels have checks in them to prevent root, so the kernel has to be modded to allow root. The newer SuperSU zips have a check for this, and if they detect the kernel has not been modded then they will install what's called systemless root and a modded kernel ram disk. I just wanted to make people aware that certain apps don't work with systemless root. If the kernel is properly modded then the old root method can be flashed

    7. If you flash a rom that is not rooted it is no big deal, since you have a custom recovery. Simply reboot to recovery and flash a SuperSU root zip or install a different rom

    8. I recommend everyone be on lollipop bootloaders and firmware. There is no need to stay on kitkat firmware since you can now unlock the bootloader. KitKat roms will run on lollipop bootloaders but lollipop roms will not run on kitkat bootloaders.

    9. Just because your bootloader is unlocked does not mean you cannot run a fully stock unrooted rom if you want to. A fully stock rom will run just fine with unlocked bootloader and custom recovery installed.

    10. When running custom kernels and recoveries it is normal during boot to have a message at the top of your phone telling you that you're basically running a custom recovery or boot.img
    14
    Well I guess I had better get to making some roms. No more safestrap, now can use aroma installers, my life got easier!