(dev+hack) note 3 bootloader unlock

Status
Not open for further replies.

MichaelMcC

Senior Member
Sep 11, 2011
372
45
0
Thank you for continuing to work on this and hopefully someone will step up and assist. This is my first locked phone.

Sent from my SM-N900V using XDA Premium 4 mobile app
 

TheLoonyRebel

Senior Member
Mar 20, 2010
2,303
1,230
193
I wonder perhaps if there is some kind of security check on at least MJ9 or even MJE retail that verifies the kernel in use which is causing the issue. Especially since it's seeing it's the dev edition kernel. Just guessing here. This is huge progress however and hopefully we'll be able to get it unlocked soon. Way to go hobbit19!
 
  • Like
Reactions: david515

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
> I wonder perhaps if there is some kind of security check on at least MJ9 or even MJE retail that verifies the kernel in use which is causing the issue. Especially since it's seeing it's the dev edition kernel. Just guessing here. This is huge progress however and hopefully we'll be able to get it unlocked soon. Way to go hobbit19!

Tomorrow I will try to flash the engineering firmware
http://forum.xda-developers.com/showthread.php?t=2567394
and try to apply Loki to it
http://forum.xda-developers.com/showthread.php?t=2292157
although it seems to me that the hole Loki uses is already fixed there.
 

streetracer8605

Senior Member
Sep 20, 2008
237
59
0
Cleveland
Hopefully another dev can help you out. This would be amazing progress and would finally allow us to have the phone we deserve, I really wish VZW would knock this crap off. Looks like I'll be holding out on upgrading and rerooting MJE. I'll just hang out on MI9 and see where this goes.
 
  • Like
Reactions: david515

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
I believe:
* For now, it is worth staying on older firmware versions for those who have them, because I could not flash dev bootloaders where the latest firmware was installed.
* It may then be possible for them to flash dev bootloaders from the 4.4 dev firmware, which we do not have.
 
  • Like
Reactions: david515

TechBSwift

Senior Member
Jul 14, 2010
2,495
1,386
0
> Hello everyone.
>
> I have long been engaged in an attempt to break the bootloader, and it seems to me I have found a way.
> Recently I got the retail version of the Note 3 with the old firmware MI9.
> And I was able to correctly flash it with testbit, then dev version bootloaders
> https://dl.dropboxusercontent.com/u/59757245/Step2_DevEdition_Bootchain.tar.md5
> https://dl.dropboxusercontent.com/u/59757245/Step1_TestBoot.tar.md5
> that I gave one a developer xda and at the end of firmware MJE for dev version
> (before, on recent firmware on another Note 3, it was not possible to flash the dev bootloader).
> At the same time I did not get any errors and the phone worked.
> But when trying to flash a custom recovery through Odin, it produces errors.
> I did root and installed Safestrap Recovery, they managed to flash recovery and modifying kernel and no errors. But after restarting, the phone won't work with them, pointing me to the kernel error.
> But I have no problem: I can roll back to the dev version of the firmware and the phone works. I believe that the retail version has some other protection than those in boot.
> And I would like to ask other developers for advice on what I can do now to try to break the other protection from boot and firmware.

You should reach out to Designgears, and Hashcode. Although Designgears no longer has a Note 3, he did a lot of work trying to break the bootloader, if anything he can point you to the right direction. Hashcode has a Note 3 (retail).

Everyone else please keep this thread clean, I know you have good intentions but it makes it very hard to read through 100's of posts.
 

TechSavvy2

Senior Member
Sep 26, 2011
957
542
0
> You should reach out to Designgears, and Hashcode. Although Designgears no longer has a Note 3, he did a lot of work trying to break the bootloader, if anything he can point you into the right direction. Hashcode has a Note 3 (retail).
>
> Everyone else please keep this thread clean, I know you have good intentions but it makes it very hard to read through 100's of threads.

Actually..... Hashcode sold his retail Note 3 on swappa, and now has a Dev Edition Note 3 :) :good:
 
  • Like
Reactions: david515

ryanbg

Inactive Recognized Developer
Jan 3, 2008
855
1,735
0
movr0.com
> You should reach out to Designgears, and Hashcode. Although Designgears no longer has a Note 3, he did a lot of work trying to break the bootloader, if anything he can point you into the right direction. Hashcode has a Note 3 (retail).
>
> Everyone else please keep this thread clean, I know you have good intentions but it makes it very hard to read through 100's of threads.

He was able to flash the leaked engineering firmware. It was only a debugging bootloader. Although if you are still on MI9 I have some ideas. The engineering aboot I believe did not have security checks, which means Loki may be possible. I'm going to try to patch the old aboot and see if it works. Even if it did, we have no way of getting back to MI9 at the moment.

Sent from my SM-N900V using Tapatalk
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
Hello @hobbit19,

I want to sort of walk through your process and clarify with questions:

> And I was able to correctly flash it with testbit

1. Using this file https://dl.dropboxusercontent.com/u/59757245/Step1_TestBoot.tar.md5 (which contains engineering versions of sbl1, aboot, tz, rpm and sdi partitions) you were able to set testbit? Can you go into download mode and print out the values shown there for me?

2. On step 2 here, you are flashing the dev ed. partitions which match up to the previous files + NON-HLOS.bin (for the firmware partition).

> I did root and installed Safestrap Recovery, they managed to flash recovery and modifying kernel and no errors. But after restarting, the phone won't work with them, pointing me to the kernel error.

And for this last bit: Which recovery file did you try? I believe there's nothing to stop you from actually flashing the partitions, but the signature checks will fail during the next boot (as you've seen). Did you try booting into recovery mode? (Like don't flash boot.img yet)
 

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
Yes, I can now flash testbit and the phone starts with it.
Do you want what the flashed boot writes?

Yes, I understand the structure of the firmware and understand how it works. I flashed MJE_insecure_Kernel.zip http://d-h.st/AR6

and http://goo.im/devs/philz_touch/CWM_Advanced_Edition/hltevzw/philz_touch_6.08.9-hltevzw.zip
After flashing, the phone won't start and I roll back to the full dev firmware.
Tomorrow I can try to re-flash and try to open recovery.

Also I have an idea: try to flash the old dev build that exists in the other thread and use the Loki exploit on it.
But I am afraid that flashing the dev build may brick the phone and require JTAG.
 

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
Now in boot mode I see

odin mode
Product Name SN-900V
Current binary Samsung Official
System status Official
KNOX Kernel Lock 0x0
knox warranty void 0x1
qualcomm secure boot Enable csb
RP swrev s1 , t1 ,r1, a1, p1
Write protection Enable



Do you have the dev version? Can you show what your bootloader says?
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
Dev Ed. Download Mode:

ODIN MODE
PRODUCT NAME: SM-N900V
CURRENT BINARY: Custom
SYSTEM STATUS: Custom
KNOX KERNEL LOCK: 0x0
KNOX WARRANTY VOID: 0x1
QUALCOMM SECUREBOOT: ENABLE (CSB)
RP SWREV: S1, T1, R1, A1, P1
WRITE PROTECTION: Enable
MODE: Developer

(NOTE: I'm currently testing / debugging CM11 which explains the "Custom" items)
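
A field-by-field comparison of the two download-mode screens posted above, as an added example that is not part of any post in the thread. The function names are hypothetical, the label list is taken from the two screens, and the sample text is retyped from the posts; values are normalized so hand-typed spacing, case and missing colons do not show up as differences.

```python
import re

# Field labels as they appear on the two download-mode screens in the thread.
LABELS = ["PRODUCT NAME", "CURRENT BINARY", "SYSTEM STATUS", "KNOX KERNEL LOCK",
          "KNOX WARRANTY VOID", "QUALCOMM SECUREBOOT", "RP SWREV",
          "WRITE PROTECTION", "MODE"]

def _squash(text):
    """Upper-case and keep only letters/digits: 'Enable csb' == 'ENABLE (CSB)'."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def _label_regex(label):
    # Any spacing inside the label, optional colon; anchored so 'ODIN MODE' != 'MODE'.
    chars = r"\s*".join(re.escape(c) for c in label.replace(" ", ""))
    return re.compile(r"^" + chars + r"\s*:?\s*(.*)$", re.IGNORECASE)

PATTERNS = {label: _label_regex(label) for label in LABELS}

def parse_screen(text):
    """Hypothetical helper: map each known label to its normalized value."""
    fields = {}
    for line in text.splitlines():
        hits = ((k, p.match(line.strip())) for k, p in PATTERNS.items())
        fields.update({k: _squash(m.group(1)) for k, m in hits if m})
    return fields

def diff_screens(a, b):
    """Return {label: (value_a, value_b)} for labels whose values differ."""
    return {k: (a.get(k), b.get(k)) for k in LABELS if a.get(k) != b.get(k)}

# Sample input retyped from the retail and Dev Ed. posts above.
RETAIL = """odin mode
Product Name SN-900V
Current binary Samsung Official
System status Official
KNOX Kernel Lock 0x0
knox warranty void 0x1
qualcomm secure boot Enable csb
RP swrev s1 , t1 ,r1, a1, p1
Write protection Enable"""
DEV = """ODIN MODE
PRODUCT NAME: SM-N900V
CURRENT BINARY: Custom
SYSTEM STATUS: Custom
KNOX KERNEL LOCK: 0x0
KNOX WARRANTY VOID: 0x1
QUALCOMM SECUREBOOT: ENABLE (CSB)
RP SWREV: S1, T1, R1, A1, P1
WRITE PROTECTION: Enable
MODE: Developer"""
print(diff_screens(parse_screen(RETAIL), parse_screen(DEV)))
```

The PRODUCT NAME entry differs only because the two posts spell the model differently. The other differences are the Official/Custom binary and status values and the MODE line, which appears only on the Dev Ed. screen.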
 