Discussion: Downgrading ME7 to MDK via JTAG

Skitals

Senior Member
Sep 7, 2010
242
91
0
I'm resurrecting this topic because as of August 28th, h311sdr0id, a recognized developer, reported that it is possible:

I would also like to report that I am able to downgrade our device from the ME7 OTA back down to the MDK (for root and recovery).
These are the most details he has posted:

I can use JTAG to bring a device to a state where it can then be flashed with the MDK via odin. This is nothing new. JTAG has been around forever. It just takes the S4 to a sort of generic state where any stock odin firmware can be flashed. Whether it be ME7 or some other/future update, it can be done and I have recovered my SCH-I545 from an OTA ME7 update at least 5 times and brought it back to MDK to re-unlock and re-root.

JTAG isn't anything to mess around with or anything that can be learned overnight/a week/a year/etc. It's very dangerous. There are services you can pay for on eBay for recovering bricked devices, but there are very few people that do it. And even fewer than that who know how to do more than just unbrick a device. I myself am at the very bottom of the totem pole in regards to JTAG. But, I have unbricking/downgrading any of the S4 variants down to an art. And that's about all I can do really well. I am trying to work on the bootloader also, but it is very difficult stuff that I am learning more about everyday.

I mainly wanted to share this with contributors and developers and anyone else that really really needed their device to be fixed (for a good purpose). Or anyone else that was in need of this kind of help badly.
After that, he closed the thread on August 29th. He most recently teased on September 4th:

Sorry for the delay guys. I have been downgrading phones (JTAG) and working on the new HELLS-KITCHEN in addition to this ROM (and three other devices I support).
IMO, being able to downgrade to an exploitable bootloader is a MUCH more desirable alternative to Safestrap. JTAG isn't without its inherent risks, but many of us already have JTAG capabilities, or would be skilled enough and willing to spend $100 for a RIFF box to downgrade our phone. This is a topic that is VERY worthy of discussion.

I personally have a RIFF Box, and if I figure this out I am more than willing to "pass it forward"... I'm sure we can quickly get together a list of trusted volunteers to downgrade phones for other forum members.
 

Noremacam

Senior Member
Feb 23, 2008
54
8
0
Is it possible to JTAG to GPE or developer edition?

««I used to be a Serial Flasher...now I'm just a Cereal Flasher.»»
developer mode is set via an efuse. Once that fuse is blown, it can never be developer mode again. All Verizon phones come with that fuse blown, so it'll never be able to be turned into a developer phone. Since they don't make a google phone edition that is compatible with Verizon's network, that's not possible either.

Sorry. Someone correct me if I'm wrong.
 

Skitals

Senior Member
Sep 7, 2010
242
91
0
developer mode is set via an efuse. Once that fuse is blown, it can never be developer mode again. All Verizon phones come with that fuse blown, so it'll never be able to be turned into a developer phone. Since they don't make a google phone edition that is compatible with Verizon's network, that's not possible either.

Sorry. Someone correct me if I'm wrong.
I don't know about the dev edition, but I've surely heard that the ME7 also blew a QFuse... yet that apparently hasn't stopped h311sdr0id.
 
  • Like
Reactions: j510

Skitals

Senior Member
Sep 7, 2010
242
91
0
the qfuse is checked prior to flashing, but not during booting.
I posted on the RIFF JTAG support forum and got a reply from legija, the RIFF product manager:

As far as we know - this is impossible at the moment.
Writing dump from older version wont help since there are also QFUSE changed.
This requires a bit more time to be investigated.
I'm not entirely sure how qfuses are used, or what was tripped with the ME7 update. But it doesn't make a whole lot of sense if all it does is prevent from downgrading in download mode. Per h311sdr0id, "I can use JTAG to bring a device to a state where it can then be flashed with the MDK via odin."

For this to be the case, it would need to check for a certain fuse for the flashing routine, but the boot secure values would need to be unchanged.

Which brings me to my question, what is unique about JTAG such that this would be possible, but you couldn't achieve the same results via let's say dd. What is preventing you from using dd to overwrite the ME7 bootloader and other partitions? If it isn't a hardware qfuse check preventing it from booting, what is the holdup?

Either way, I've got a RIFF box sitting on my table ready to go if I get a little more guidance on how to proceed :cool:
 

Noremacam

Senior Member
Feb 23, 2008
54
8
0
I posted on the RIFF JTAG support forum and got a reply from legija, the RIFF product manager:

Which brings me to my question, what is unique about JTAG such that this would be possible, but you couldn't achieve the same results via let's say dd. What is preventing you from using dd to overwrite the ME7 bootloader and other partitions? If it isn't a hardware qfuse check preventing it from booting, what is the holdup?

Either way, I've got a RIFF box sitting on my table ready to go if I get a little more guidance on how to proceed :cool:
dd won't work because ARM's TrustZone prohibits write access to that area, even with kernel level access/root. Only the Odin interface is capable of making those changes (and blocking Samsung's undesired changes).... except through jtag which bypasses that.

I've read a LOT to try to understand that issue, and that's the best I can come up with, so I may be wrong on a few things.

One of the areas that are worth looking to exploit is their implementation of TrustZone, to see if you can get free write access to the bootloader to downgrade that way - but it'd be a painful process since a successful initial exploit would leave the phone unbootable and in need of jtag anyways. If the exploit exists in TrustZone it'd be a pain to turn into a usable unlock.
 

Skitals

Senior Member
Sep 7, 2010
242
91
0
dd won't work because ARM's TrustZone prohibits write access to that area, even with kernel level access/root. Only the Odin interface is capable of making those changes (and blocking Samsung's undesired changes).... except through jtag which bypasses that.

I've read a LOT to try to understand that issue, and that's the best I can come up with, so I may be wrong on a few things.

One of the areas that are worth looking to exploit is their implementation of TrustZone, to see if you can get free write access to the bootloader to downgrade that way - but it'd be a painful process since a successful initial exploit would leave the phone unbootable and in need of jtag anyways. If the exploit exists in TrustZone it'd be a pain to turn into a usable unlock.
So if it's just a block in ODIN, wouldn't that be a software block? Why is the assumption that a qfuse was blown?
 

Noremacam

Senior Member
Feb 23, 2008
54
8
0
So if it's just a block in ODIN, wouldn't that be a software block? Why is the assumption that a qfuse was blown?
It's possible I am wrong on that point, however the error message displayed on the phone when attempting to Odin back to MDK suggests that it's a fuse issue.

I could be wrong - and I don't have access to a screenshot of that message right now.
 

michaelg117

Senior Member
Nov 26, 2010
911
131
0
Tucson
Can someone please explain the entire concept and process of a riff box? I've seen a lot but not really understanding how this could help us with our phone. Hell, if someone could write a guide I may just buy one.

Sent from Navi
 
  • Like
Reactions: AndroidGraphix

nicholi2789

Senior Member
Mar 19, 2013
681
183
0
Newport
Can someone please explain the entire concept and process of a riff box? I've seen a lot but not really understanding how this could help us with our phone. Hell, if someone could write a guide I may just buy one.

Sent from Navi
It's complicated. Extremely so. It's not really a practical solution and for someone who doesn't have years of experience, a quick trip to $700 paperweight-land.
Here are a couple links just for your knowledge:
http://forum.xda-developers.com/showthread.php?t=1000175
http://en.wikipedia.org/wiki/Joint_Test_Action_Group
http://www.youtube.com/watch?v=XnA8Djs55Ds
 

michaelg117

Senior Member
Nov 26, 2010
911
131
0
Tucson
It's complicated. Extremely so. It's not really a practical solution and for someone who doesn't have years of experience, a quick trip to $700 paperweight-land.
Here are a couple links just for your knowledge:
http://forum.xda-developers.com/showthread.php?t=1000175
http://en.wikipedia.org/wiki/Joint_Test_Action_Group
http://www.youtube.com/watch?v=XnA8Djs55Ds
What other things is this used for..?
Like, where do people get "experience" with riff box and JTAG other than just practice with phones? I never heard about it beforehand.

Sent from Navi
 
  • Like
Reactions: WarEagleUS

Skitals

Senior Member
Sep 7, 2010
242
91
0
What other things is this used for..?
Like, where do people get "experience" with riff box and JTAG other than just practice with phones? I never heard about it beforehand.

Sent from Navi
I would disagree with the last poster. It's really not complicated, you just need soldering experience. At that point, dumping/flashing/unbricking are literally almost one click operations with the RIFF software.

The verizon S4 is kind of a PITA because the JTAG contacts are on the back of the motherboard, so you need to fully tear down the phone. But once you get to them, the solder pads are actually very large, and there isn't much near them to mess up.

There are certainly hazards, though. Yesterday when I was tearing my phone down and popping off the antenna, the antenna connector ripped off the board. That thing is TINY. I had to use a multimeter to determine which of four points was signal and which were ground, prep the points, strip and tin the antenna wire, solder, and secure with hot glue. That is where experience comes in. But you don't need JTAG experience... just experience working on small electronics :)
 
  • Like
Reactions: j510

mlin

Senior Member
Dec 27, 2007
4,635
1,221
0
I would disagree with the last poster. It's really not complicated, you just need soldering experience. At that point, dumping/flashing/unbricking are literally almost one click operations with the RIFF software.

The verizon S4 is kind of a PITA because the JTAG contacts are on the back of the motherboard, so you need to fully tear down the phone. But once you get to them, the solder pads are actually very large, and there isn't much near them to mess up.

There are certainly hazards, though. Yesterday when I was tearing my phone down and popping off the antenna, the antenna connector ripped off the board. That thing is TINY. I had to use a multimeter to determine which of four points was signal and which were ground, prep the points, strip and tin the antenna wire, solder, and secure with hot glue. That is where experience comes in. But you don't need JTAG experience... just experience working on small electronics :)
Which is why it's not really a practical solution.

Sent from my SCH-I545 using Tapatalk 2
 
  • Like
Reactions: nicholi2789

Dra$tiK

Senior Member
Jun 19, 2010
65
7
0
Cottage Grove
Guinea pig?

I'm buying a s4 from craigslist and I would be willing to take a bone stock ME7 and send it to someone who has a riff box.. :) just want the unlocked potential in the s4.
 

sound-mind

Member
Sep 9, 2006
26
40
0
developer mode is set via an efuse. Once that fuse is blown, it can never be developer mode again. All Verizon phones come with that fuse blown, so it'll never be able to be turned into a developer phone. Since they don't make a google phone edition that is compatible with Verizon's network, that's not possible either.

Sorry. Someone correct me if I'm wrong.
You can turn a developer edition into a non-developer edition by flashing ME7. Thus, it is a soft fuse (efuse?), not a qfuse (hard fuse?). It appears any device can be turned into a developer edition *unless* ME7 is blowing a hard fuse that is checked by MDK as well. I doubt MDK is checking for a non-existent qfuse state. The only difference between the dev edition and the vzw are the early bootloaders. The ME7 Odin package replaces them so you lose the unlocked bootloader.

So yeah, I think you can turn a non-dev edition into a dev edition if you have an MDK and the dev-edition bootloader images. I don't have one to test, so this is just my untested opinion and will likely brick something.
 
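The two posts above (Skitals asking why a fuse would block a download-mode flash but not a boot, and sound-mind's soft-fuse versus hard-fuse reasoning) both turn on one property: a one-time-programmable fuse bit can be set but never cleared, whereas a "soft" lock flag is just data inside a rewritable image. The toy model below is an added example, not code from the thread, from Samsung, or from the RIFF project, and it assumes a simplified design (a thermometer-coded anti-rollback counter in an OTP row, checked by the flashing path and raised on first boot of a newer image). The real S4 fuse map and which code paths consult it are not known from this thread; the model only shows why a downgrade that was accepted before stops being accepted once the counter has been raised, and why no software write can undo it.

```python
# Constructed toy model (added example, not code from the thread or from any
# vendor): a one-time-programmable fuse row makes a firmware downgrade
# irreversible, while a "soft fuse" flag lives in rewritable flash.
from dataclasses import dataclass, field
from typing import Optional


class FuseError(Exception):
    """Raised when a write would clear an already-blown OTP fuse bit."""


@dataclass
class OtpFuseRow:
    """One-time programmable row: bits only ever transition 0 -> 1.
    The anti-rollback counter is thermometer-coded (value N = lowest N
    bits set), so a counter that has been raised can never be lowered."""
    bits: int = 0

    def blow(self, mask: int) -> None:
        self.bits |= mask          # re-blowing set bits is a harmless no-op

    def write(self, new_bits: int) -> None:
        # Turning a 1 back into a 0 is physically impossible on OTP storage.
        if self.bits & ~new_bits:
            raise FuseError("cannot clear blown fuse bits")
        self.bits = new_bits

    def counter(self) -> int:
        return bin(self.bits).count("1")

    def raise_counter(self, value: int) -> None:
        self.blow((1 << value) - 1)


@dataclass
class Image:
    """A bootloader image; 'signed' stands in for a valid vendor signature.
    'soft_lock' is a flag stored inside the image, i.e. ordinary data."""
    name: str
    version: int
    signed: bool = True
    soft_lock: bool = False


@dataclass
class Device:
    fuses: OtpFuseRow = field(default_factory=OtpFuseRow)
    bootloader: Optional[Image] = None
    log: list = field(default_factory=list)

    def flash(self, image: Image) -> bool:
        """Download-mode path: signature AND anti-rollback are enforced here
        (the thread's hypothesis; the assumed policy of this model)."""
        if not image.signed:
            self.log.append(f"flash {image.name}: rejected, bad signature")
            return False
        if image.version < self.fuses.counter():
            self.log.append(f"flash {image.name}: rejected, version "
                            f"{image.version} < fused minimum {self.fuses.counter()}")
            return False
        self.bootloader = image
        self.log.append(f"flash {image.name}: ok")
        return True

    def boot(self) -> bool:
        """First boot of a newer image raises the fuse counter; this is the
        irreversible step that a later downgrade attempt runs into."""
        if self.bootloader is None or not self.bootloader.signed:
            return False
        if self.bootloader.version > self.fuses.counter():
            self.fuses.raise_counter(self.bootloader.version)
        return True


def demo() -> dict:
    """Constructed scenario: old image (v1) -> new image (v2) -> downgrade."""
    dev = Device()
    old = Image("old-v1", version=1)
    new = Image("new-v2", version=2, soft_lock=True)
    dev.flash(old); dev.boot()          # counter becomes 1
    dev.flash(new); dev.boot()          # counter becomes 2
    downgrade_ok = dev.flash(old)       # rejected: 1 < fused minimum 2
    try:
        dev.fuses.write(0)              # attempt to "un-blow" the row
        cleared = True
    except FuseError:
        cleared = False
    return {"counter": dev.fuses.counter(), "downgrade_ok": downgrade_ok,
            "fuse_cleared": cleared, "soft_lock_in_image": dev.bootloader.soft_lock,
            "log": dev.log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the split between `flash()` and `boot()` is the one Skitals raises: in this model the version floor is consulted only on the flashing path, so an image written by some other means would still pass the signature check in `boot()`. Whether the real device behaves that way is exactly the open question in the thread. The `soft_lock` flag, by contrast, is replaced wholesale whenever a different image is written, which is what sound-mind means by a soft fuse being reversible by reflashing.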

eskomo

Senior Member
May 13, 2008
360
102
0
Michigan
You are incorrect. You cannot turn a non Dev into a Dev edition. Read up on eFuse vs qFuse and how they are implemented and how they trip and what they do, what checks for them and when. Then read up on what makes the Dev version different than non Dev versions. You will see that it is not possible because the fuse is already tripped on non Dev version. No going back.

ME7 doesn't work on non Verizon phones. :(

Sent from my SPH-L720 using xda app-developers app
 

Skitals

Senior Member
Sep 7, 2010
242
91
0
You are incorrect. You cannot turn a non Dev into a Dev edition. Read up on eFuse vs qFuse and how they are implemented and how they trip and what they do, what checks for them and when. Then read up on what makes the Dev version different than non Dev versions. You will see that it is not possible because the fuse is already tripped on non Dev version. No going back.

ME7 doesn't work on non Verizon phones. :(

Sent from my SPH-L720 using xda app-developers app
This is correct. All non-dev versions have the dev qfuse tripped no matter the firmware. And for clarification... the MDK bootloader was never unlocked. It was an exploit (loki) that bypassed the security checks AFTER the bootloader. For the user, the end result was practically the same... it allowed custom recovery and custom kernels.

There is an excellent writeup by Dan Rosenberg who created the Loki exploit. I recommend everyone reads it.

That vulnerability in aboot was patched in ME7, and doesn't allow downgrades via ODIN. But the theory is if we can get around those downgrade blocks, we would get loki back.

The "easiest" way would be via JTAG. Noremacam pointed out if we get around TrustZone we could potentially get write access to the bootloader and downgrade that way. A TrustZone exploit is actually exactly what Dan Rosenberg used for his Motorola bootloader unlock. Again, another excellent writeup on that exploit is here.

The Motorola full-unlock was possible because those phones had an inherently unlockable bootloader, where it could be unlocked with a valid unlock token for your particular device. When you legit unlock the bootloader with a valid token, it blows a qfuse. The exploit tripped that qfuse, and bingo, the bootloader is unlocked.
 

Noremacam

Senior Member
Feb 23, 2008
54
8
0
The Motorola full-unlock was possible because those phones had an inherently unlockable bootloader, where it could be unlocked with a valid unlock token for your particular device. When you legit unlock the bootloader with a valid token, it blows a qfuse. The exploit tripped that qfuse, and bingo, the bootloader is unlocked.
We now know there is a "state" the phone can be in that will re-allow the flashing of the older firmware. Instead of using a trustzone exploit to unlock the bootloader, a trustzone exploit could instead be used to bring the phone back to the state that enabled the flashing of the older firmware.
 
  • Like
Reactions: j510