[HOW-TO][EXYNOS/SNAPDRAGON] Root S20 series and upgrade firmware

jesec

Inactive Recognized Developer / Inactive Recognize
Jan 29, 2015
804
6,177
133
SF Bay Area
Applicable Models:
All Exynos models including but not limited to:
SM-G980F or SM-G980F/DS (S20)
SM-G981B or SM-G981B/DS (S20)
SM-G985F or SM-G985F/DS (S20+)
SM-G986B or SM-G986B/DS (S20+)
SM-G988B or SM-G988B/DS (S20 Ultra)
All BL-unlockable Snapdragon models including but not limited to:
SM-G9810 (S20, Hong Kong, Taiwan, China mainland)
SM-G9860 (S20+, Hong Kong, Taiwan, China mainland)
SM-G9880 (S20 Ultra, Hong Kong, Taiwan, China mainland)
SM-G981N (S20, Korea)
SM-G986N (S20+, Korea)
SM-G988N (S20 Ultra, Korea)

Japanese models (SC-*) also use Snapdragon but I can't confirm that their bootloader is unlockable.
It is known that the bootloader can NOT be unlocked on U.S. models (U/U1).

Frequently used key combinations of S20 series:
FORCE REBOOT: Hold "Volume Down" and "Bixby/Power" button.
DOWNLOAD MODE: With the phone off, hold "Volume Down" and "Volume Up" button, connect your phone to a computer via a cable. Release the buttons after you see the "Warning" screen and then press "Volume Up"
RECOVERY MODE: With the phone off, hold "Volume Up" and "Bixby/Power" button.

Some facts:
1. S20 series uses dynamic partitions, which means there is only one "super" partition (instead of "system", "vendor", "product").
2. S20 series uses A-only partitioning, which means there is only one set of system partitions.
3. S20 series uses 2 stage init (2SI).
4. KNOX will be tripped after you flash a custom image. As a result, Samsung Pay and Secure Folder will become permanently (even after restoring to stock firmware) unusable and your warranty may be voided. However, many jurisdictions including the European Union have laws mandating that manufacturers provide hardware warranty even if the user modifies the software.
5. Samsung devices are almost impossible to hard brick (render the device unusable without a hardware-level repair) as critical sections including the bootloader are well-protected. However, if you do things incorrectly, you may soft brick your phone, but that can usually be resolved by resetting to factory settings (wipe data and cache) or restoring to stock firmware (check out Stage 4).

Tools needed:
On your computer:
1. Odin 3.14.4 or newer
2. Samsung Android USB driver
3. SamFirm or other tools/websites to download official firmwares
4. Android Verified Boot Metadata Image with verification disabled (vbmeta_disabled.tar)
On your device:
1. Magisk Manager

Stage 1: Know your model and carrier code (CSC)
1. Open "Settings"
2. Go to "About phone" -> "Software information"
3. Pay attention to "Service provider SW ver."
4. Starting with "SM-", for example "SM-G9810", that's the model of your phone.
5. Immediately after that, there are two 3-letter codes, for example "OZL_CHC". The second 3-letter code "CHC" is your CSC.
6. Remember your model and CSC.

Stage 2: Unlock the bootloader
WARNING: ALL data on your device, including apps, settings and files in internal storage, will be lost. You do not need to repeat this if you didn't re-lock your bootloader.
1. Open "Settings"
2. Turn on "Developer mode" by going to "About phone" -> "Software information" and pressing "Build number" several times.
3. Go to main menu of "Settings" and at the bottom you will find "Developer options"
4. Go to "Developer options". You will find a toggle "OEM unlocking". Turn it on.
5. Skip to step 8 if your device reboots to "Unlock bootloader?" screen. Make sure the toggle is on and then turn off your phone.
6. With the phone off, hold "Volume Down" and "Volume Up" button, connect your phone to a computer via a cable. (don't use charging only cables)
7. Release the buttons after you see the "Warning" screen. Then, hold the "Volume Up" button.
8. You will see "Unlock bootloader?" screen. Proceed and unlock your bootloader by pressing "Volume Up" button.
9. Your device will be reset to factory settings. Proceed with the Setup Wizard. Only connect to network via Wi-Fi or cellular and skip everything else. (to save time as data will be cleared again later.)
10. Repeat step 1-4 to validate that "OEM Unlocking" is on. If it is not, turn it on.
11. Repeat step 6.
12. Release the buttons after you see the "Warning" screen. This time, press (not hold) the "Volume Up" button.
13. You will see "Downloading" screen. On the top left, there are some important info.
14. Pay attention to "OEM LOCK" and "REACTIVATION LOCK". If both of them are "OFF", you have unlocked the bootloader.

Stage 3: Disable Android Verified Boot
1. Reboot to DOWNLOAD mode. If you are already in the download mode, skip to step 2.
2. Download Odin 3.14.4 or newer and make sure Samsung USB drivers are installed.
3. Open Odin and put the vbmeta_disabled.tar into USERDATA slot and click "Start"
4. Your device will reboot but it will not boot into system as vbmeta signature has changed.
5. Your device will reboot into RECOVERY mode automatically and prompt "You have to reset your device to factory settings". Use "Volume Up" or "Volume Down" button to move and "Power/Bixby" button to select. Confirm and reset the device to factory settings.
6. This is the last time the data on the device has to be cleared. Afterwards, if you don't re-lock the bootloader or re-enable Android Verified Boot, you will not lose your data. Be aware that a stock firmware package contains an Android Verified Boot Metadata Image (vbmeta.img) with verification enabled. You will need to flash the vbmeta_disabled image (put into USERDATA slot) along with the stock firmware (use BL, AP, CP, CSC slots) to make sure AVB is not re-enabled and the data is preserved.

With bootloader unlocked and AVB disabled, it is now possible to boot modified images on the device.

If a recovery is available and you don't want to go through the process of downloading official firmware, go to #2.

You can also download a KERNEL TAR archive of your version here:
Exynos: https://github.com/jesec/proprietary_vendor_samsung_xyzs/releases
Snapdragon: https://github.com/jesec/proprietary_vendor_samsung_xyzq/releases
and then skip to Step 6.

Stage 4: Obtain the official firmware and upgrade
1. Open SamFirm
2. Type in your model and your region (CSC) and click "Check Update"
3. "Download" and you will get a zip file.
4. Extract it and you will get 5 files (AP, BL, CP, CSC and HOME_CSC). All files are in tar format and can be opened by 7-Zip, WinRAR or other software.
5. Check the version code, for example (G9810ZCU1ATD1). The last 4 letters (ATD1) indicate the version of the firmware. If the version is the same as your current firmware, skip to Stage 5.
Your data will be preserved if you do it right but it is good to have a backup.
6. Open Odin on your computer and reboot your device to DOWNLOAD mode.
7. Put AP, BL, CP files in their Odin slots. It takes time to verify the firmware so be patient.
8. Put HOME_CSC file in CSC slot. Be careful here. Unlike AP, BL, CP slots, you should NOT use CSC file for CSC slot. Instead, you should use HOME_CSC file. CSC file contains partition table (PIT) which will erase all your data.
9. Put vbmeta_disabled file in USERDATA slot so AVB remains disabled and your data is preserved.
10. Click "Start" and wait for it to finish. Allow the device to boot into system to complete the upgrade process. Do NOT interrupt/disconnect phones/hold button. It needs to complete the process without interruption or strange BUGs may appear.

Stage 5: Extract boot (kernel) image from firmware
If you are having trouble creating tar file, you can skip to Stage 6. (NOT RECOMMENDED as AP is basically full system image. It is huge (takes long time to flash/process) and Magisk may misbehave.)
1. Extract boot.img.lz4 from the AP file.
2. Use 7-Zip to create a tar archive which contains boot.img.lz4 only. (or "tar cvf boot.tar boot.img.lz4")

Stage 6: Patch the boot (Kernel) image via Magisk
1. Transfer the tar archive (or the AP file if you skipped stage 5) to your phone.
2. Open Magisk Manager.
3. Click top-right "Install" button
4. Make sure "Recovery Mode" is off in Options.
5. Click "Next" and select "Select and Patch a File" in Method.
6. Select the file you transferred to your phone in step 1.
7. Click "Next" and "LET'S GO".
8. Transfer the patched file (in Download/magisk_patched.tar) to your computer
9. Reboot the device to DOWNLOAD mode.
10. Open Odin, put patched file to AP slot and then click "Start".
11. After reboot, Magisk is installed and you will have root access.

HOW TO upgrade the firmware
Repeat stage 4-6.

XDA:DevDB Information
Root S20 series and upgrade firmware, Tool/Utility for the Samsung Galaxy S20

Contributors
jesec

Version Information
Status: Stable

Created 2020-04-08
Last Updated 2020-04-08
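
Replies later in this thread report "Unable to repack boot image" when the Stage 5 tar was built incorrectly. The following Python sketch is an added example, not part of the original post and not code from Magisk or Odin: it packs a single-file tar and checks an existing one for the problems discussed (wrong container, extra members, folder prefixes, wrong content). It assumes boot.img.lz4 is a standard LZ4 frame and boot.img starts with the Android boot image magic; the function names are hypothetical.

```python
import io
import tarfile

# Leading bytes each accepted member must start with.
# Assumption: boot.img.lz4 uses the standard LZ4 frame format (magic 0x184D2204).
EXPECTED_MAGIC = {
    "boot.img.lz4": b"\x04\x22\x4d\x18",  # LZ4 frame magic, little-endian
    "boot.img": b"ANDROID!",              # Android boot image header magic
}


def pack_tar(members):
    """Build an uncompressed ustar archive from {name: bytes}; returns bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def check_boot_tar(data):
    """Return a list of problems found in a boot tar; empty means it looks sane."""
    try:
        # "r:" accepts only an uncompressed tar (rejects zip, gzip, ...).
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError as exc:
        return [f"not an uncompressed tar archive: {exc}"]
    problems = []
    with tar:
        members = tar.getmembers()
        if len(members) != 1:
            names = [m.name for m in members]
            problems.append(f"expected exactly 1 member, found {len(members)}: {names}")
        for m in members:
            magic = EXPECTED_MAGIC.get(m.name)
            if not m.isfile():
                problems.append(f"{m.name!r} is not a regular file")
            elif magic is None:
                # Catches folder prefixes such as "AP/boot.img.lz4".
                problems.append(f"unexpected member name {m.name!r}")
            elif tar.extractfile(m).read(len(magic)) != magic:
                problems.append(f"{m.name!r} does not start with the expected magic")
    return problems


if __name__ == "__main__":
    # Constructed placeholder payload: LZ4 frame magic plus padding, not a real image.
    fake_lz4 = EXPECTED_MAGIC["boot.img.lz4"] + b"\x00" * 60
    print("good:  ", check_boot_tar(pack_tar({"boot.img.lz4": fake_lz4})))
    print("nested:", check_boot_tar(pack_tar({"AP/boot.img.lz4": fake_lz4})))
    print("zip:   ", check_boot_tar(b"PK\x03\x04" + b"\x00" * 600))
```

To check a real file, pass its bytes: `check_boot_tar(open("boot.tar", "rb").read())`.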
 


jesec

Other Methods:

You still need to unlock bootloader and disable AVB. (check Stage 2-3)

Recovery Magisk installation:
1. Open Odin on your computer.
2. Reboot your device to DOWNLOAD mode.
3. Put the recovery TAR flashable into AP slot.
4. Click start.
5. Use Volume Up + Power to reboot into recovery mode.
6. Install Magisk via recovery.
My recovery usually includes Magisk in "Select from root" -> ".builtin" folder. Or you can sideload the ZIP flashable of your choice via adb or https://flash.jesec.io/.

Flash pre-patched boot (Kernel) image:
Basically others have done stage 4-6 for you. Be aware that it is always safer to DIY.
You are welcome to share your patched image with the community by replying to this thread.
Naming convention: model + firmware version (last four letters of build number) + magisk version .tar
1. Make sure that the model and firmware version of the pre-patched image is the exact SAME as yours.
2. Open Odin on your computer.
3. Reboot your device to DOWNLOAD mode.
4. Put pre-patched image into AP slot.
5. "Start"

SM-G9810_ATD1_ef9d077c.tar:
https://drive.google.com/open?id=1SxKXWHqR0aM_g457Yp7pk524_6aqp1k5
 

jesec

Some Interesting Things:

Change your CSC (carrier code):
You have to root your device. There might be some secret codes to trigger the menu without root, though.
Note that you can only change it to carrier configurations already included in your firmware.
WARNING: Your device will be reset to factory settings.

In a local terminal, type:
su
am start -n com.samsung.android.cidmanager/.preconfig.PreconfigActivity


jesec

What is the purpose of disabling android verify boot?
Android Verified Boot prevents images which are not signed by Samsung from booting on the device. Obviously we don't have Samsung's private key and we need to modify images to obtain root access. So it has to be disabled.

I am rooted without doing this step, will it cause any problems?
You must have done it somewhere in the process. Magisk will patch vbmeta.img for you if you give it a tar archive.
 

ngoralph

Senior Member
Apr 16, 2012
1,730
1,314
143
Android Verified Boot prevents images which are not signed by Samsung from booting on the device. Obviously we don't have Samsung's private key and we need to modify images to obtain root access. So it has to be disabled.
I am rooted without doing this step, will it cause any problems?
 

bigback

New member
May 25, 2016
2
0
0
Stage 6: Patch the boot (Kernel) image via Magisk
can't Patch the boot (Kernel) image via Magisk
! Unable to repack boot image!
! Installation failed
---update
use 7-zip to create tar
 

yodainascoda

Senior Member
Jul 4, 2017
299
161
43
Stage 6: Patch the boot (Kernel) image via Magisk
can't Patch the boot (Kernel) image via Magisk
! Unable to repack boot image!
! Installation failed
---update
use 7-zip to create tar
You can extract boot and re-tar it all in MiXplorer, then just upload to PC and flash in Odin.
 

chieco

Senior Member
Jul 6, 2011
649
199
73
Android Verified Boot prevents images which are not signed by Samsung from booting on the device. Obviously we don't have Samsung's private key and we need to modify images to obtain root access. So it has to be disabled.
I'm rooted for weeks now without this... can you explain more in detail what this is for? Why is it advised from you to do this step? maybe in form of examples? like I said rooted without doing this and had no issues so far.
 

ngoralph

I'm rooted for weeks now without this... can you explain more in detail what this is for? Why is it advised from you to do this step? maybe in form of examples? like I said rooted without doing this and had no issues so far.
Backread, he already answered it on my inquiry.
 

AloxeCorton

Member
May 4, 2018
13
15
0
Magisk Root on Snapdragon based SM-G9860 S20+?

First of all, thanks for putting this guide together - very useful. I did want to share my experience following these instructions.

Everything went well until Stage 6 where I installed the Magisk patched AP file. The AP file was successfully patched with the latest canary Magisk and it also installed properly in Odin (did the full AP file and not the boot image since that encountered errors while trying to repack for some reason).
The problem is that when I reboot, No Magisk installed and No root...
I tried a factory reset just to confirm but same outcome. I did use the same AP file that was used to flash the phone as well.

Anyone successfully root and install Magisk on the Snapdragon based SM-G9860 S20+ (with latest Hong Kong firmware)? I suspect it has something to do with the Magisk not being able to handle the unlocked snapdragon based phones yet (it was like that for the Galaxy 10+ last year - took an extra month to come up with a Magisk branch that was able to handle the phone). I'm also following this thread for Snapdragons based S20 but it doesn't seem to have too many details yet

Cheers

A.A.
 

jesec

I quoted his answer to your question asking for more details.
You must have done it somewhere in the process. Magisk will patch vbmeta.img for you if you give it a tar archive.
First of all, thanks for putting this guide together - very useful. I did want to share my experience following these instructions.

Everything went well until Stage 6 where I installed the Magisk patched AP file. The AP file was successfully patched with the latest canary Magisk and it also installed properly in Odin (did the full AP file and not the boot image since that encountered errors while trying to repack for some reason).
The problem is that when I reboot, No Magisk installed and No root...
I tried a factory reset just to confirm but same outcome. I did use the same AP file that was used to flash the phone as well.

Anyone successfully root and install Magisk on the Snapdragon based SM-G9860 S20+ (with latest Hong Kong firmware)? I suspect it has something to do with the Magisk not being able to handle the unlocked snapdragon based phones yet (it was like that for the Galaxy 10+ last year - took an extra month to come up with a Magisk branch that was able to handle the phone). I'm also following this thread for Snapdragons based S20 but it doesn't seem to have too many details yet

Cheers

A.A.
My Snapdragon S20 has been rooted with Magisk. I think probably it has problem patching the full AP file. In that case, I recommend you to research how to pack a tar file. I don't recommend you to patch the full AP as it is huge.

Also be aware that all patched files are located in /sdcard/Download and named magisk_patched.*. It is NOT an in-place patch. You might accidentally use the unpatched file.
 

Orphee

Senior Member
Jan 31, 2008
1,677
772
143
So I tried to apply this tutorial to update my phone SM-G981F

And it can't boot. It finishes in failsafe recovery:

"Can't load Android system. your data may be corrupted..... please perform a factory reset...."

I really would like to avoid it... I flashed vbmeta_disabled.tar but no GO...

I was already rooted with Magisk patch on ATCH rom...

Edit : wiped...
 

ASHLEY117

Senior Member
Jun 9, 2011
980
407
93
Someshire
So I tried to apply this tutorial to update my phone SM-G981F

And it can't boot. It finishes in failsafe recovery:

"Can't load Android system. your data may be corrupted..... please perform a factory reset...."

I really would like to avoid it... I flashed vbmeta_disabled.tar but no GO...

I was already rooted with Magisk patch on ATCH rom...

Edit : wiped...
As it finishes flashing firmware hold volume buttons as it reboots. Then flash patched boot.img and reboot. Worked for me going from ATCH to ATCT today.
 

AloxeCorton

My Snapdragon S20 has been rooted with Magisk. I think probably it has problem patching the full AP file. In that case, I recommend you to research how to pack a tar file. I don't recommend you to patch the full AP as it is huge.

Also be aware that all patched files are located in /sdcard/Download and named magisk_patched.*. It is NOT an in-place patch. You might accidentally use the unpatched file.
Thanks for the help. I did try patching the TARed (using 7zip) boot.img.lz4 file but for some reason it just refuses to "repack" from within Magisk (see screen capture attached)- I'm not sure if anyone experienced this or if I'm overlooking something.
Also tried to reformat everything with the Chinese firmware instead of HK (it was a little more recent) but I got the same results. Oddly the full AP file seems to patch fine in Magisk but never produces the expected results (no Magisk installed, no root).

A.A.
 

Orphee

Thanks for the help. I did try patching the TARed (using 7zip) boot.img.lz4 file but for some reason it just refuses to "repack" from within Magisk (see screen capture attached)- I'm not sure if anyone experienced this or if I'm overlooking something.
Also tried to reformat everything with the Chinese firmware instead of HK (it was a little more recent) but I got the same results. Oddly the full AP file seems to patch fine in Magisk but never produces the expected results (no Magisk installed, no root).

A.A.
I had the same issue... I used a tool (lz4_win64_v1_9_2) to uncompress lz4 format... I kept it just as boot.img and packed in boot.tar file and it worked.
Just for info, 7-zip built wrong tar file (don't ask me why...)... I had to use cygwin for it (or a linux if you have)
 

jesec

So I tried to apply this tutorial to update my phone SM-G981F

And it can't boot. It finishes in failsafe recovery:

"Can't load Android system. your data may be corrupted..... please perform a factory reset...."

I really would like to avoid it... I flashed vbmeta_disabled.tar but no GO...

I was already rooted with Magisk patch on ATCH rom...

Edit : wiped...
That's expected.

From Android 10, encryption keys are tied to the AVB key (stored in vbmeta). By disabling AVB, you changed the AVB key from Samsung's to none. Though, if I remember correctly, some old versions have a security loophole that allows you to boot a patched kernel even if the AVB key is intact (recovery is still protected, however). That's actually a serious breach of this additional integrity assurance. (Your sensitive data is still safe nonetheless, as there is a customer key tied to your password/pattern/etc.)

Read more: https://source.android.com/security/keystore/version-binding

Thanks for the help. I did try patching the TARed (using 7zip) boot.img.lz4 file but for some reason it just refuses to "repack" from within Magisk (see screen capture attached)- I'm not sure if anyone experienced this or if I'm overlooking something.
Also tried to reformat everything with the Chinese firmware instead of HK (it was a little more recent) but I got the same results. Oddly the full AP file seems to patch fine in Magisk but never produces the expected results (no Magisk installed, no root).

A.A.
That should not happen. Here is a screenshot if things are done right:
Screenshot_20200415-085506.jpg

Make sure you pack the TAR right (see OP for a screenshot of boot.img.lz4.tar) and the file you transfer to your device is the TAR file (boot.img.lz4.tar if you don't change the file name).

Plus, maybe check if Magisk version is right. Make sure you use the Canary builds.
Screenshot_20200415-223750.jpg
 

yodainascoda

Thanks for the help. I did try patching the TARed (using 7zip) boot.img.lz4 file but for some reason it just refuses to "repack" from within Magisk (see screen capture attached)- I'm not sure if anyone experienced this or if I'm overlooking something.
Also tried to reformat everything with the Chinese firmware instead of HK (it was a little more recent) but I got the same results. Oddly the full AP file seems to patch fine in Magisk but never produces the expected results (no Magisk installed, no root).

A.A.
Do it on the phone, that's what I did. MiXplorer will tar it for you, then move it to the PC and flash.
 