(dev+hack) note 3 bootloader unlock

Status
Not open for further replies.

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
Dev Ed. Download Mode:

ODIN MODE
PRODUCT NAME: SM-N900V
CURRENT BINARY: Custom
SYSTEM STATUS: Custom
KNOX KERNEL LOCK: 0x0
KNOX WARRANTY VOID: 0x1
QUALCOMM SECUREBOOT: ENABLE (CSB)
RP SWREV: S1, T1, R1, A1, P1
WRITE PROTECTION: Enable
MODE: Developer

(NOTE: I'm currently testing / debugging CM11 which explains the "Custom" items)
I don't have the line
MODE: Developer
Perhaps it is even necessary to flash the phone so that it becomes a dev one?
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
The phone contains 23 partitions.
except maybe the fact that I was able to flash
* Do you need any more parts of the firmware?
I checked the MJE aboot binary and the "MODE: Developer" string is there. So at the very least, the aboot.mbn file is usable on both devices. It just doesn't act the same due to efuse, etc.
 

Surge1223

Recognized Contributor
Nov 6, 2012
2,603
7,395
203
Florida
Based on information we learned yesterday, every developer edition device will have aboot.mbn files with different md5s. So even if you pull aboot using
Code:
dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/sdcard/aboot.mbn
and depad it I think they'll have different md5s.

Sent from my SCH-I545 using XDA Premium 4 mobile app
 
Last edited:

newuser134

Senior Member
Dec 18, 2009
286
92
0
Is one of the links above to the stock Dev edition bootloader?

Would you happen to have a stock MJ3 dev edition modem and system backup? Or could someone get it for you? Maybe if the MJ3 files are used, the retail version phone will boot up and work with the dev edition kernel? Let me know if you have or can get the stock dev edition backup files.
 

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
Based on information we learned yesterday, I'm pretty sure every developer edition device will have aboot.mbn files with different md5s. So even if you pull aboot using
Code:
dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/sdcard/aboot.mbn
and depad it I think they'll have different md5s. They use a different process to flash aboot to dev devices

Sent from my SCH-I545 using XDA Premium 4 mobile app
Why do you think so?
 

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
Is one of the links above to the stock Dev edition bootloader?

Would you happen to have a stock MJ3 dev edition modem and system backup? Or could someone get it for you? Maybe if the MJ3 files are used, the retail version phone will boot up and work with the dev edition kernel? Let me know if you have or can get the stock dev edition backup files.
No, I unfortunately do not have other files
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
Is there any idea how to check whether the protection is through efuse?
It's a lengthy process of disassembling aboot and seeing how the checks are made.

Also, I pulled the "param" partition on my dev edition as I remember reading on the S3's that there were several boot flags contained there:
It's mostly 0's with the following exceptions:
offset 0x00000c: 0x01
offset 0x000010: 0x01
offset 0x900000: "DLOW"+0x04
offset 0x90000c: 0x01
offset 0x900010: 0x01


Getting a retail unit param partition for comparison.
EDIT: contents of the retail unit param partition:
offset 0x000000: 0x03
offset 0x00000c: 0x01
offset 0x000010: 0x01
offset 0x900000: "DLOW"+0x04
offset 0x90000c: 0x01
offset 0x900010: 0x01

Not to get anyone too excited about that 0x03 value. Could be nothing.
 
Last edited:
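As an added illustration (not code from the thread), here is a small Python script that lists the non-zero bytes of a raw "param" dump in the same "offset: value" form used above, reports where a dev-edition dump differs from a retail one, and computes the depadded md5 mentioned earlier for aboot. The two sample images are constructed from the offsets quoted in the post; real dumps would come from dd.

```python
import hashlib
import re

def build_param(retail: bool) -> bytes:
    """Constructed stand-in for a dd dump of the 'param' partition, using only
    the offsets/values quoted in the post (a real dump is larger)."""
    img = bytearray(0x900020)
    if retail:
        img[0x000000] = 0x03
    img[0x00000c] = 0x01
    img[0x000010] = 0x01
    img[0x900000:0x900005] = b"DLOW\x04"
    img[0x90000c] = 0x01
    img[0x900010] = 0x01
    return bytes(img)

def nonzero_runs(img: bytes):
    """Maximal runs of non-zero bytes as (offset, bytes)."""
    return [(m.start(), m.group()) for m in re.finditer(rb"[^\x00]+", img)]

def describe(run: bytes) -> str:
    """Printable ASCII as a quoted string, everything else as hex, joined with '+'."""
    parts, text = [], ""
    for b in run:
        if 0x20 <= b < 0x7F:
            text += chr(b)
            continue
        if text:
            parts.append(f'"{text}"')
            text = ""
        parts.append(f"0x{b:02x}")
    if text:
        parts.append(f'"{text}"')
    return "+".join(parts)

def report(img: bytes):
    """One line per run, in the form of the listing in the post."""
    return [f"offset 0x{off:06x}: {describe(run)}" for off, run in nonzero_runs(img)]

def diff_offsets(a: bytes, b: bytes):
    """Offsets whose byte differs between two dumps (the shorter one is zero-extended)."""
    n = max(len(a), len(b))
    x = int.from_bytes(a.ljust(n, b"\0"), "big") ^ int.from_bytes(b.ljust(n, b"\0"), "big")
    return [m.start() for m in re.finditer(rb"[^\x00]", x.to_bytes(n, "big"))]

def depadded_md5(img: bytes) -> str:
    """md5 after stripping trailing zero padding (the 'depad' step mentioned for aboot)."""
    return hashlib.md5(img.rstrip(b"\x00")).hexdigest()

if __name__ == "__main__":
    dev, retail = build_param(False), build_param(True)
    print("\n".join(report(retail)))
    print("differs at:", [hex(o) for o in diff_offsets(dev, retail)])  # ['0x0']
```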

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
It's a lengthy process of disassembling aboot and seeing how the checks are made.

Also, I pulled the "param" partition on my dev edition as I remember reading on the S3's that there were several boot flags contained there:
It's mostly 0's with the following exceptions:
offset 0x00000c: 0x01
offset 0x000010: 0x01
offset 0x900000: "DLOW"+0x04
offset 0x90000c: 0x01
offset 0x900010: 0x01


Getting a retail unit param partition for comparison.
EDIT: contents of the retail unit param partition:
offset 0x000000: 0x03
offset 0x00000c: 0x01
offset 0x000010: 0x01
offset 0x900000: "DLOW"+0x04
offset 0x90000c: 0x01
offset 0x900010: 0x01

Not to get anyone too excited about that 0x03 value. Could be nothing.
Should I dump the aboot and param partitions from my phone?
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
Can I do more at this moment? Any chance to avoid the efuse without JTAG?
Do old versions of testbin and dev aboot have the bug for the Loki patcher?
Here's my current theory:
  • There's a "process" for turning a retail unit into a dev unit. It's not necessarily a hardware efuse but it *does* probably involve signed data.
  • The reason I'm suspecting this, is because on both mine and Bean's Dev Ed. boxes the label for MJ3 was placed over a label for MJ7. These were retail devices originally.
  • This also makes sense as to why dev ed. phones can be "turned into retail" units by flashing the ODIN.tar files (as they include aboot and a possible "retail" block of data at the end).

Not sure where that leaves us on this, but just tossing that out there.
 
Last edited:

newuser134

Senior Member
Dec 18, 2009
286
92
0
The reason I'm suspecting this, is because on both mine and Bean's Dev Ed. boxes the label for MJ3 was placed over a label for MJ7. These were retail devices originally.
Hashcode,

Do you or Beans have a twrp backup of your dev edition boxes saved that contains the stock dev edition /modem, /boot, /data and /system of the original MJ3 firmware? Or just MJ3 /modem and /system? If so, could you possibly post them in here somewhere for download?

I know you and Bean will likely break this bootloader eventually.

Thank you
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
Hashcode,

Do you or Beans have a twrp backup of your dev edition boxes saved that contains the stock dev edition /modem, /boot, /data and /system of the original MJ3 firmware? Or just MJ3 /modem and /system? If so, could you possibly post them in here somewhere for download?

I know you and Bean will likely break this bootloader eventually.

Thank you
The /modem and /system partitions for MJ3 are actually older than the new MJE release for the retail devices. I'm not sure if they'd be valuable.

I do have them tho.
 

Hashcode

Senior Recognized Developer
Sep 3, 2011
3,426
23,729
0
Is param.bin signed?
Or can we change the bit value in it that differs between the normal version and dev?
It's actually not signed. But like I said, I doubt the 03 value at the front is what we're looking for. That seems oddly "easy".
 

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
Tomorrow I'll dump the partition from my Note 3
** and we can compare.
I still have dumps from a retail unit that has not had the dev testbits and dev bootloaders flashed.
 

hobbit19

Senior Member
Oct 20, 2007
220
197
0
Ryazan
I think it's not so easy,

* as testbit does not flash on the new firmware.

Samsung could not have foreseen that we would get the firmware files for testbit.
 

BeansTown106

Inactive Recognized Developer
Dec 22, 2011
3,694
54,411
0
BeanTown USA
My opinion is that because of how similar the MI9 and MJ3 (dev edition) bootloaders are, they revisioned the bootloader with MJ7. That's why retail MJ7/MJE users now have a 2 in their download mode under A (A=2, to be exact), while MI9 users are just A=1.

Sent from my SM-N900V using Tapatalk
 