[BOUNTY] $$$ to unsign a signed bootloader!

Search This thread

rmanaudio

Senior Member
Aug 27, 2010
210
11
0
GTA
UPDATE: APP/Patch released here: http://forum.xda-developers.com/showthread.php?t=888071

I am starting a bounty for the coders to find a way to unsign/unlock a signed/locked bootloader!

We all know that new JMx firmwares will load a new bootloader and lock it up... if any coder can reverse it and unsign it so we can flash customize kernals and ROM...he or she should get paid!

I will start the bounty with $10.

rmanaudio: £10
alterbridge86: $10
iuzar: £10
deezid: $10
retroqwe: £10 = $15
lux209: $10
mauilion: $10
vartanov: $10
mniewiera: $10
diigibio: £10 = $15
colham: $10
bert269: $10
chameleon057: $20
Monrad: $20
lxxxxxr: $10
Coldplay666: £10 = $15
sidster262: $10
NGP: $10
hallohome: £10 = $15
kuehnch: $20
Flash1960: £10 = $15
kromosto: $10
Unimaginative: $15
Dark-Master: $10
faust86: $10
sprecker: $20
tushar.das: $10
crisvillani: $10
cacimbo: $15
bossarts: $10

Total so far: $380 USD

Donating to CF can be done directly through this link: http://jongma.org/dx.php , alternatively at can be done to [email protected].
 
Last edited:

bunny0007

Senior Member
Jun 14, 2006
202
45
48
Randers
Im not sure if i understand it wrong, but as i understand the sbl is doing all the flash work, and boot check the signature. correct me if im worng.

So patching the sbl would be a good idea, so it dont check the signature of patch it so it will always end up with pass signature.

It may not help people with all things signed, but most with sbl unsigned will be able to flash an unsigned boot and zimage.

Another way is to see if any og the G2 spl flash is possible on galaxy tab.
 

GOF007

Senior Member
May 4, 2007
322
34
0
Yeah ROTO's ROM is great!!

And yes, signed bootloader and sbl still able to flash those firmwares.
I have both signed BL and SBL and yet I go back and forth many firmwares with no problem.
So it is not so big deal to have signed BL and SBL now, as long as there is no really great kernel released yet.

We just cant flash new bootloader and kelnel = =

And yet I +1 for the idea of the Bounty ^^
Be able to get unsigned BL and SBL back will make me feel safer ^^
 
Last edited:

rmanaudio

Senior Member
Aug 27, 2010
210
11
0
GTA
Yeah ROTO's ROM is great!!

And yes, signed bootloader and sbl still able to flash those firmwares.
I have both signed BL and SBL and yet I go back and forth many firmwares with no problem.
So it is not so big deal to have signed BL and SBL now, as long as there is no really great kernel released yet.

We just cant flash new bootloader and kelnel = =

And yet I +1 for the idea of the Bounty ^^
Be able to get unsigned BL and SBL back will make me feel safer ^^

Yes...we can flash any JM* firmware that ROTO makes because those firmwares are signed firmwares and our bootloader will except them....so can someone without signed bootloaders as their bootloader doesnt care of it is signed or not.

BUT...lets say some new JK or JL or something else new comes out that is not signed...or lets say CM 6.1 or CM 7 gets ported soon to the tab....we will not be able to load those....or even a kernal with voodoo or OC.

Please state how much you want to add to the bounty...thanks.
 

rmanaudio

Senior Member
Aug 27, 2010
210
11
0
GTA
Thanks for all the support guys...keep them coming!

I think if we get enough money we will get the attention needed for the coders to look deep into fixing this issue.

We really need this fix for the future...as I have a feeling CM 6/7 mod or gingerbread port is coming soon for the tab.
 

rmanaudio

Senior Member
Aug 27, 2010
210
11
0
GTA
You need to think bigger, $10 milion and build an RSA-1024 cracker with $10M array of FPGAs. Then maybe after 1000 years you will get the key.

Thats not a very nice post!

Maybe if it cannot be removed, it can be disabled (the bootloader check) or maybe a way to sign customized kernals and ROMs!
 

LargePrime

Senior Member
May 18, 2009
381
42
0
You need to think bigger, $10 milion and build an RSA-1024 cracker with $10M array of FPGAs. Then maybe after 1000 years you will get the key.
what is the encryption exactly? it sure ain't 1KiB.

Has anyone talked to, or have contact with, the Koreans? If there is a cracking vector, to goes through South Korea.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 18
    GT-P1000 hacking

    This is for those interested in seeing my hacking setup designed to help me bypass the protected bootloaders.

    Normally, to use a JTAG interface on a Tab, you must disassemble the unit, remove the cpu board, solder wires to the board, flash new firmware, unsolder wires, reassemble and then test.

    Let me start by saying that its very time consuming to do all that especially with out breaking something. So I decided to bring the 7 JTAG test points out to a connector on the Tabs outer case. Rooting through my parts bin I found that a SATA hard drive connector has 7 pins. So I proceeded to remove a SATA connector from an old motherboard and find a suitable place to mount it inside the Tab.

    After many measurements and a lot of grinding with a Dremel tool, I managed to mount the connector inside the Tab, just below the volume buttons. Then I made a custom cable from a SATA cable and some 6" female jumpers.

    And guess what, the whole setup works. I'm starting by doing a complete dump of the internal ROM. You can see that operation in action in the attached photo.

    I'll post my progress here.

    View attachment 488688 View attachment 488695 View attachment 488700
    6
    how do we donate?

    I accept the donations of "Thanks" when you hit the Thanks button on my posts.
    6
    Roto....the Bounty of $110 so far will go to you...you are the person who worked hard in finding away. I understand chainfire has a hand in this and the wrapper app, he will get further donations im sure...but the Bounty is for you...if you wish to move some of the money to him, that is your choice.

    Please provide us with YOUR paypal account email.

    I appreciate the offer, but I also know a lot of folks unknowingly got screwed. The reward I get will be to see everyone back in the game. I take enough from everyone else, its my turn to give.
    5
    Roto...once you do release the procedure and files...can you also post your paypal email here for us to load up your account with the Bounty $$$...thanks.

    I left all the details/files with chainfire, he will write a fool proof wrapper app to ensure the recovery is performed properly. All donations and/or bounty can go to him.

    Since theres no immediate rush, please allow chainfire the time to make the app, and for me to test it. At this point only I can test. I do not want anyone to brick their tab doing this recovery.
    5
    good news

    I've successfully restored non-protected bootloaders twice using heimdall,redbend, bmlunlock and dd. The problem is I don't know the exact sequence that it needs to be done in yet. Any other sequence results in a full brick. And theres a lot of permutations of steps. I'll go at it again tomorrow, its way late now.

    FWIW, this is just one of many ideas I have, so Im pretty sure I can work this out.

    Without a JTAG box theres no way anyone could figure this out.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone