
Gear S3 Root and Kernel Source! (Android Wear Port Thread)


Honestly Annoying

Senior Member
May 17, 2016
482
868
chicago
twitter.com
Hey guys! Some of you might know me from the LG G5 scene, but I have since moved on from there and am hoping to make some progress with the Gear S3 :)

After doing some digging and paying zero attention in class today, I came across the kernel source files for the Exynos 7270 and the combination firmwares for the Gear 3 Classic and Frontier versions.

If you don't know what combination files are, here is a great explanation, but the TL;DR is that this is the internal firmware Samsung uses to reset devices, so it gives you full read/write access to the device including root access. So basically this is a pre-rooted firmware, and I assume that it is bootloader unlocked as it appears to flash an engineer sboot (bootloader), so I believe this would be the first step towards porting Android Wear/TWRP!

The kernel source is what we will actually use to port over AW/TWRP. It does not seem to have been posted before, and took me a few hours of digging to find. My watch comes in tomorrow, and after I flash this firmware I will pull the boot.img and start making a device/vendor tree to attempt to make a kernel!

Here is the kernel source for the Exynos 7270: https://github.com/HonestlyAnnoying/tizen_kernel_exynos7270
Here is the kernel source for the Gear S3 (all versions) (will upload to GitHub in the morning): Samsung Opensource
Here is the SM-R770 (Classic) combination firmware [R770XXU2BQC2]: link
Here is the SM-R760 (Frontier) combination firmware [R760XXU2BQC2]: link

The road to porting Android Wear is going to take a lot of work, and any help developing (not testing for now!) would be EXTREMELY appreciated (looking at you guys @cipherswitch @biktor_gj !;)). If you would like to help with development or would like to contribute in any way, please PM me or hit me up on Skype (honestly.annoying)!

Here is a Google Drive folder with all files I have for this, it will be updated as new things are found
 

adfree

Senior Member
Jun 14, 2008
9,280
5,477
@Honestly Annoying

Please, can you tell us what you see on Screen?
Maybe screenshot if possible...

I have flashed just for fun the older Z1 Combination I have... AOC1... and my SM-Z130H shows testmode Icons...
Later I can upload Screenshot... I have to remove something...

But in this Firmware I can enter all testmode Codes via Keys... like:
*#197328640#

And more... this is blocked in normal Firmware...

Cool. su work nice...
I can enter su in Shell and Super User is active... instead SDB Command:
sdb root on

Best Regards

Edit 1.
Screenshot from Combination Firmware AOC1 I have added in this Post:
https://forum.xda-developers.com/showpost.php?p=71744490&postcount=413
 

Honestly Annoying

I'm just going to start dumping information I find in this thread
 

Honestly Annoying

this is the partition scheme

Code:
sh-3.2# ls -l /dev/disk/by-partlabel
total 0
lrwxrwxrwx 1 root root 15 Apr  6 09:52 boot -> ../../mmcblk0p8
lrwxrwxrwx 1 root root 15 Apr  6 09:52 cm -> ../../mmcblk0p7
lrwxrwxrwx 1 root root 15 Apr  6 09:52 cpnvcore -> ../../mmcblk0p3
lrwxrwxrwx 1 root root 15 Apr  6 09:52 csa -> ../../mmcblk0p2
lrwxrwxrwx 1 root root 16 Apr  6 09:52 csc -> ../../mmcblk0p11
lrwxrwxrwx 1 root root 16 Apr  6 09:52 module -> ../../mmcblk0p10
lrwxrwxrwx 1 root root 15 Apr  6 09:52 param -> ../../mmcblk0p6
lrwxrwxrwx 1 root root 15 Apr  6 09:52 ramdisk1 -> ../../mmcblk0p5
lrwxrwxrwx 1 root root 15 Apr  6 09:52 ramdisk2 -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 15 Apr  6 09:52 recovery -> ../../mmcblk0p9
lrwxrwxrwx 1 root root 16 Apr  6 09:52 rootfs -> ../../mmcblk0p14
lrwxrwxrwx 1 root root 16 Apr  6 09:52 steady -> ../../mmcblk0p15
lrwxrwxrwx 1 root root 16 Apr  6 09:52 system-data -> ../../mmcblk0p12
lrwxrwxrwx 1 root root 15 Apr  6 09:52 tup -> ../../mmcblk0p1
lrwxrwxrwx 1 root root 16 Apr  6 09:52 user -> ../../mmcblk0p13

Code:
sh-3.2# ls -l /dev/disk/by-label
total 0
lrwxrwxrwx 1 root root 16 Apr  6 09:52 modules -> ../../mmcblk0p10
lrwxrwxrwx 1 root root 10 Apr  6 09:52 ramdisk -> ../../ram0
lrwxrwxrwx 1 root root 15 Apr  6 09:52 ramdisk-recovery -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 16 Apr  6 09:52 rootfs -> ../../mmcblk0p14
lrwxrwxrwx 1 root root 16 Apr  6 09:52 tizen -> ../../mmcblk0p13
 
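The two listings in the post above, joined on the device node each symlink points to, so the partition-table label (by-partlabel) and the filesystem label (by-label) of every block device sit side by side. This is an added example, not part of the original post; the function names and the output columns are this example's own.

```shell
# Listings copied from the post above (ls -l output from the watch's root shell).
partlabel_listing() { cat <<'EOF'
lrwxrwxrwx 1 root root 15 Apr  6 09:52 boot -> ../../mmcblk0p8
lrwxrwxrwx 1 root root 15 Apr  6 09:52 cm -> ../../mmcblk0p7
lrwxrwxrwx 1 root root 15 Apr  6 09:52 cpnvcore -> ../../mmcblk0p3
lrwxrwxrwx 1 root root 15 Apr  6 09:52 csa -> ../../mmcblk0p2
lrwxrwxrwx 1 root root 16 Apr  6 09:52 csc -> ../../mmcblk0p11
lrwxrwxrwx 1 root root 16 Apr  6 09:52 module -> ../../mmcblk0p10
lrwxrwxrwx 1 root root 15 Apr  6 09:52 param -> ../../mmcblk0p6
lrwxrwxrwx 1 root root 15 Apr  6 09:52 ramdisk1 -> ../../mmcblk0p5
lrwxrwxrwx 1 root root 15 Apr  6 09:52 ramdisk2 -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 15 Apr  6 09:52 recovery -> ../../mmcblk0p9
lrwxrwxrwx 1 root root 16 Apr  6 09:52 rootfs -> ../../mmcblk0p14
lrwxrwxrwx 1 root root 16 Apr  6 09:52 steady -> ../../mmcblk0p15
lrwxrwxrwx 1 root root 16 Apr  6 09:52 system-data -> ../../mmcblk0p12
lrwxrwxrwx 1 root root 15 Apr  6 09:52 tup -> ../../mmcblk0p1
lrwxrwxrwx 1 root root 16 Apr  6 09:52 user -> ../../mmcblk0p13
EOF
}
fslabel_listing() { cat <<'EOF'
lrwxrwxrwx 1 root root 16 Apr  6 09:52 modules -> ../../mmcblk0p10
lrwxrwxrwx 1 root root 10 Apr  6 09:52 ramdisk -> ../../ram0
lrwxrwxrwx 1 root root 15 Apr  6 09:52 ramdisk-recovery -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 16 Apr  6 09:52 rootfs -> ../../mmcblk0p14
lrwxrwxrwx 1 root root 16 Apr  6 09:52 tizen -> ../../mmcblk0p13
EOF
}

# Join the two listings on the device node each symlink points to.
# Prints "<device> <partition label> <filesystem label>", "-" where absent,
# ordered by partition number.
partition_map() {
    { partlabel_listing | sed 's/^/P /'; fslabel_listing | sed 's/^/F /'; } |
    awk '$(NF-1) == "->" {
            dev = $NF; sub(/.*\//, "", dev)          # ../../mmcblk0p8 -> mmcblk0p8
            if ($1 == "P") part[dev] = $(NF-2); else fs[dev] = $(NF-2)
            seen[dev] = 1
        }
        END {
            for (d in seen) {
                n = d; sub(/.*p/, "", n)             # partition number; 0 for ram0
                printf "%d %s %s %s\n", n, d,
                       ((d in part) ? part[d] : "-"), ((d in fs) ? fs[d] : "-")
            }
        }' | sort -n | cut -d" " -f2-
}

partition_map
```

Only four of the fifteen eMMC partitions carry a filesystem label, and three of those differ from the partition label: `user` holds the filesystem labelled `tizen`, `ramdisk2` holds `ramdisk-recovery`, and `module` holds `modules`.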

adfree

Check this path:
/home/developer

Here is device-profile.xml inside...
This allows Privileges of all 3 Levels:
Public
Partner
Platform

But for now only if this Combination Firmware is flashed... it ignores Serial Number/DUID... maybe by these 0 Byte Flag file(s) in CSC...

Best Regards

Edit 1.
... seems my fault...
All Certs are inside...
Code:
usr/share/cert-svc/certs/code-signing/tizen

So fingerprint should be similar like in Reference devices...
Code:
usr/share/wrt-engine

Will later check with open eyes... now better sleep...
 

Honestly Annoying

here ya go
 

Attachments

  • device-profile.xml
    5.2 KB

adfree

Senior Member
Thank you for device-profile.xml...

Should be same here...
https://forum.xda-developers.com/showpost.php?p=71737611&postcount=18

And maybe in all FTMA Combination files... all Gear... all Z-Mobiles...

But reason for working seems not this file... :eek: :eek: :eek:
Sorry, my fault...

But difference in these 2 folders...
Code:
usr/share/wrt-engine/fingerprint_list.xml
and in commercial devices... Certs missing...
Code:
usr/share/cert-svc/certs/code-signing/tizen

This is what I did long time ago in my rooted Zseries Firmware... :D
By "mistake"... :laugh:

I have nuked device-profile.xml... because I was tooo lazy to register my Email and Certs...

Best Regards
 

Honestly Annoying

Senior Member
This is great to see! Good luck guys, hope you get this all worked out. Android Wear on the Gear S3 would be the perfect combination! :good:

I have the S3 Frontier, but not all that knowledgeable with Android dev unfortunately.

Honestly at this point any help would be greatly appreciated. Do you have any interest/time available to help out?
 

Top Liked Posts

    25
    Update: have flashed this, can confirm it has root access!! :D Pulling images now
    15
    Code:
    SDB 2.2.60

    Old, but in my eyes best SDB Version... because easy handling with right Mouse Button to mark, copy & paste.

    I have added for few OSes.. with WiFi Instruction...

    Maybe helpful.

    Btw.
    I have used this Version also with Tizen 3 and Tizen 4...
    For me most main features work. :good:

    Like:
    Code:
    sdb root on
    sdb shell
    sdb pull
    sdb push

    Best Regards

    Edit 1.
    Nice Video for enable Debugging Option... to enable SDB communication... mandatory:
    https://www.youtube.com/watch?v=T_m3wsF7Ozs

    Edit 2.
    Added Video... how to find:
    Code:
    Debugging
    IP address

    Edit 3.
    Added Video... as example.
    How to connect SDB with device...
    Here example how to connect to remote device in RTL service... ;)
    To local device "similar"...

    Edit 4.
    The most important part to connect SDB with device over WiFi is described inside here:
    Code:
    Guidelines_on_Connecting_GearS2_device_using_WiFi.pdf
    Guidelines_on_Connecting_GearS2_device_using_WiFi_151222.pdf
    Please read FIRST! ;)
    12
    1 Way to change CSC... Sales Code.

    Tested by me with my SM-R760 with Wireless/WiFi only.
    NO USB cable required.



    Important.
    Check if Reactivation Lock is OFF...
    Own risk!
    Maybe side effects with RL on...



    Step 1.
    Combination Firmware:
    BQC2
    https://forum.xda-developers.com/gear-s3/development/rom-samsung-gear-s3-sm-r760-t3588082


    Step 2.
    Flash CSC only! From Retail/Stock Firmware...
    I have taken from BQH1...
    https://forum.xda-developers.com/gear-s3/development/oxa-rom-gear-s3-r760-t3695150
    Code:
    CSC_OXA_R760OXA2BQH1_usr.tar.md5


    Step 3.
    Factory Reset/Recovery

    To take effect of new CSC...

    Step 4.
    CSC Preconfig
    Code:
    *#272*719434266344#

    Simple enter this Code...

    I have set XAR for US region...
    You can choose what ever you want... own risk.

    Step 5.
    Now flash complete Firmware of your Choice.
    In my case I have now used all files from BQH1.

    BQH1 is at the moment latest Firmware for US region with Sales Code XAR...


    Best Regards
    10
    Does it actually work? I suppose that Knox will be triggered with root onboard, so currently this is most important point - SPay

    It works after flashing back to my stock firmware. This firmware package is EXTREMELY limited to what it can do (eg. can't connect to a phone, all apps are disabled), it is mainly just for Samsung (and now us lol) to debug with and learn about how the boot process works with the root shell.

    The goal is to eventually:

    1. Build a working custom TIZEN kernel
    2. Build an Android kernel that boots up
    3. Port over TWRP/enable ADB through recovery
    4. Start working on Android Wear

    At this point I'm just trying to build a kernel with the sources I have, once that is done the real fun can begin ;)