[G975U] DISCUSSION on Root/BL Unlock

Not for free. I don't agree with this type of commercialization here. I have been able to root, theme, etc. for free for years. Now it has been compromised and disappointing.

Go get a degree and write embedded controls SW and make real money. I have an EE degree, but it's all been applied engineering. Basically, making other people's **** work at a system and vehicle level.
 

ldeveraux

Senior Member
Nov 20, 2008
2,544
916
Lenovo Thinkpad Tablet
Nexus Q
Not for free. I don't agree with this type of commercialization here. I have been able to root, theme, etc. for free for years. Now it has been compromised and disappointing.

Go get a degree and write embedded controls SW and make real money. I have an EE degree, but it's all been applied engineering. Basically, making other people's **** work at a system and vehicle level.
If someone does an amount of work or provides a service, it's up to them whether they charge for it, not you.
 

woodman

Senior Moderator / Moderator Committee Lead
Staff member
Jul 21, 2012
16,025
2
38,769
42
🌲 France
OnePlus 7T
Hi,

so it's now time to not derail the thread and to avoid any drama. Please stay civil before it's too late and before the moderation team has to take any actions here.

Thanks!

woodman
Senior Moderator
 

Top Liked Posts

  • 10
    Hello!

    I just picked up a SM-G975U to play with.

    Before you get your hopes up, Root and BL Unlock is NOT POSSIBLE on USA variants at this time!

    I created this discussion so those willing and able can brainstorm with me with hopes of achieving root or unlock.

    Now I wouldn't be creating this thread if I didn't think it was possible or without some form of teasers.

    Don't ask me how, but flashing combo is possible. I cannot and will not share the method/files as they are not mine to do so.

    I noticed on combo this time around if you toggle oem unlock there is a tag that says "OEM Unlocked" when you enter download mode. When you long press vol up it also takes you to the unlock screen. After pressing vol up to accept it reboots and wipes data.

    I am not sure of the steps after this, but so far I haven't been successful in flashing modified firmware. It is possible this is just visual, but I feel this is closer than any past devices I've owned. Anyone with know-how on where the flash lock bit is stored would be of great help.

    I should be able to flash some partitions after modifying them such as vbmeta or dtbo etc. to hopefully unlock the BL if I only knew what to modify.

    This is not a how-to or dev thread, so don't expect me to share any files. It is merely to discuss how the BL is unlocked on SD S10 devices to hopefully lead to an unlock down the road.

    To my understanding, toggling the oem unlock sets a bit that tells the system that oem unlocking is allowed as well as disables security such as frp. This persists across reboots and firmware flashes etc.

    After that, in DL mode there is a tag that also says device is oem unlocked. At this point you need to actually hold vol up to actually oem unlock the device.

    After this I am unclear. We should be able to flash custom firmware at which verified boot state will be orange and the flash lock bit is 0. In my case, verified state is still green and flash lock is still 1 and flashes fail unless officially signed.

    I know the dtbo is related to verity and vbmeta to verified boot. Vaultkeeper to rlc. Then you have metadata, a few "keys" related partitions etc etc.

    What is everyone's take on this? Any ideas/suggestions are greatly appreciated in advance!
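    As an added illustration of the vbmeta/verified-boot part of this post (not code from the poster, Samsung, or AOSP), here is a small parser for the libavb vbmeta header that reports the signing algorithm and the two flags that switch verification off. The header layout and flag values follow AOSP libavb's AvbVBMetaImageHeader; the sample headers are constructed in memory and come from no real device.

```python
"""Inspect an Android Verified Boot (AVB) vbmeta header.
Added example, not code from the thread. Layout and flag values follow
AOSP libavb's AvbVBMetaImageHeader (256 bytes, big-endian); the sample
headers are constructed here and come from no real device."""
import struct

HEADER_SIZE = 256
MAGIC = b"AVB0"
# Field order matches avbtool's FORMAT_STRING for the header.
HEADER_FMT = "!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x"
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}
FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity off for hashtree partitions
FLAG_VERIFICATION_DISABLED = 1 << 1  # whole vbmeta chain not verified

def parse_vbmeta_header(blob: bytes) -> dict:
    """Return the verification-relevant fields, or raise on a bad header."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than the 256-byte vbmeta header")
    f = struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])
    if f[0] != MAGIC:
        raise ValueError("missing AVB0 magic; not a vbmeta image")
    algo, rollback, flags, release = f[5], f[16], f[17], f[19]
    return {
        "libavb_version": (f[1], f[2]),
        "algorithm": ALGORITHMS.get(algo, f"UNKNOWN({algo})"),
        "rollback_index": rollback,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "release_string": release.rstrip(b"\0").decode(errors="replace"),
    }

def locked_bootloader_would_accept(info: dict) -> bool:
    """On a locked device (flash lock 1, green state) vbmeta must carry a
    valid OEM signature, so algorithm NONE or locally flipped disable flags
    will not pass; an unlocked device (orange state) tolerates them. The
    signature itself is not checked here, so True only means 'not rejected
    on these fields alone'."""
    return (info["algorithm"] != "NONE"
            and not info["hashtree_disabled"]
            and not info["verification_disabled"])

def build_sample_header(algorithm: int, flags: int, release: bytes) -> bytes:
    """Constructed test vector: header only, all offsets and sizes zero."""
    return struct.pack(HEADER_FMT, MAGIC, 1, 0, 0, 0, algorithm,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  # hash/sig/key/meta/desc
                       0, flags, 0, release)           # rollback, flags, loc
```

    Running the parser over a real vbmeta partition dump only tells you what the image claims; whether the bootloader honours those claims still depends on the device lock state and the OEM key.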
    7
    Wow what a read! I have an AT&T S10+ so I am going to join in here even though I don't understand some things that are being talked of.

    Would it be possible to attach a dongle via the USB-C port on the phone that sends a pulse to the CPU or bootloader making it temporarily crash long enough to run unsigned code? I know Samsung injected something called vault keeper which was like an extra layer of security or something. I am just speculating here.

    Vaultkeeper is there but not really applicable from what I've seen so far.. with my exploits you can set flash lock to 0, which will grey out the OEM lock in settings and say BL is unlocked, as well as it'll say OEM unlocked in DL mode..

    however, despite all this I'm only able to temporarily OEM unlock.. what I mean is that I can OEM unlock in DL mode.. reboot straight back into DL mode.. flash a modified img which fails... hard reset and get the red warning saying there's a custom firmware installed, but from here it goes to factory reset and after the wipe the red warning is gone and the device is not unlocked..

    I know it is unlocked for a brief moment in this process because of the warning, as well as the logs indicate "IsUnlocked:1" and indicate it's OEM unlocked before it then reads "IsUnlocked:0" again..

    I am going through logs and tests trying to pinpoint exactly when it's "unlocked".. I have hope.. this is probably the closest any locked USA variants have been since the good ole S4/S5/Note 4 days to a BL unlock :)

    I am also testing methods to write firmware such as modded system..

    this stuff is new to me on Samsung so it's slow moving as I'm learning as I go.. with Pie and beyond there's multiple security measures in place that weren't there before such as vbmeta, metadata, hashes, footers, SAR, etc etc.. when I figure one thing out something else pops up to stop me lol but this is what makes it fun :)
    6
    So, is it possible to unlock the bootloader on SD S10 Plus???
    I am thinking of buying one.
    Thanks

    I am actually inching closer and closer.. been working it all day today lol
    6
    I now have uid 1000 access.. with how SELinux contexts and ownership are in Pie tho, I can only access stuff that is mounted rw and system user/group, which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.

    dev block wise I can access persistent and steady partitions.. other than that I can write to the ones that are already mounted.

    uid 1000 is a step in the right direction tho... beats shell 2000 uid
    5
    Just wanted to let you know I appreciate everyone's hard work. Even if we never get a rootable AT&T samsung device ever again, it's heartening to know there are still people dedicated to the cause out there, lol.