[Official] Note 3 Verizon Bootloader Unlock

{davros}

Senior Member
Feb 12, 2010
500
100
73
Worcester MA
www.droidconcepts.com
Can't get jrkruse's app to go past installing the unlock.bin.... second root access never pops up etc. The zip version of the app won't even install..... really didn't want to do the PC method but I guess it's next.


On a fresh OF1, busy box, etc etc. Ugh...



Sent from my SM-N900V using Tapatalk
 

NeoMagus

Senior Member
Mar 3, 2010
1,406
471
0
East Coast
Looking at fixing this, unfortunately I had a funeral this weekend and was quite busy with other things going on.
The problem with that for me is...if I odin OF1...then I have to use the yemen root exploit...and as I've said before....I don't trust it to be as harmless as they make it out to be.

This bootloader unlock I am comfortable with...I can see the full source code so know what it's doing. If needed I can compile a version for 4.4.2 or wait until the author gets around to it....which is better for all.


Sent from my Note 3 via Tapatalk
Did you ever make a 4.4.2 version apk or did you end up upgrading to unlock? Don't really want to nuke my phone either if something is still in the works
 

donc113

Senior Member
Jul 27, 2009
875
201
73
Did you ever make a 4.4.2 version apk or did you end up upgrading to unlock? Don't really want to nuke my phone either if something is still in the works
Nope...I am waiting on Ryan....it's his program...and I am not in any hurry.

All I want to do is replace SafeStrap with TWRP so I can boot directly in recovery should the need arise.


Sent from my Note 3 via Tapatalk
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
855
1,735
0
movr0.com
@ryanbg

You are a beast, sir. I just casually dropped in here after a very long absence and saw this. Your persistence is remarkable. If I end up doing this you've got some beer money coming your way. (Believe it or not I am still using MJ7 and Safestrap - didn't want to give up the tether bug.)

I went over to @beaups github repository and read through the code, and looked at some constants & blob values in your binary.

I'm sort of mystified by the SD Card backup - it happens on the 2nd invocation of the program, just before the dev_sig blob is kanged into ABOOT. Is it used following the second reboot? Maybe the kanging somehow trips the "boot from SD card and overwrite mmcblk0 with its contents" mode?

I assume that your dev_cid and dev_sig are a matched pair from a legit VZW dev phone & that there is no currently known means to avoid having all users of this method share the same CID value. (I vaguely remember that all dev edition users had unique sig blobs, indicating that the signing operation occurs either with a unique hardware private key on the phone itself - or one-time only at the factory, so that use of ODIN on a dev phone destroys the "dev edition" status)

Not a huge deal unless big red decides to squash all users of a single CID... including the dev edition owner with the legitimate device.

Ignoring the obvious need of the ioctl to be present in the phone's kernel (& root privilege), does this method implicitly require a specific release, or is the cid <==> sig pair sort of independent of the contents of aboot/tz/sbl1 etc?

Thanks for your hard work and everything you have done for the wider Galaxy community.

bftb0
Just a matching CID and signature. Thanks! You can thank @beaups for finding the backdoor in Samsung eMMC so this method could be a reality.
 

dreadcool

Member
Apr 20, 2016
11
0
0
Does this work on one specific version of the Verizon Galaxy Note 3 phone because I keep getting:
[+] CID at boot time is/was: 11010030333247453404daa490c26100
[-]dont try this on non-samsung eMMC, seriously.
 

donc113

Senior Member
Jul 27, 2009
875
201
73
Does this work on one specific version of the Verizon Galaxy Note 3 phone because I keep getting:
[+] CID at boot time is/was: 11010030333247453404daa490c26100
[-]dont try this on non-samsung eMMC, seriously.
CID must start with 15



Sent from my Note 3 via Tapatalk
 

donc113

Senior Member
Jul 27, 2009
875
201
73
The backup is triggered after the first reboot (cid change) and before aboot is modified. It's just a safety mechanism.

--beaups
I've got 4.4.2 Your unlock code fails with the "only works on (some) Samsung..." on my Note 3 (SM-N900V).

I looked at your code on github and see that fail is invoked by a fail of the strstr () from /proc/cmdline where it looks for the string "amsung" yet a cat of /proc/cmdline clearly includes two instances of the word "samsung". (Your nearly useless compat check)

Yes..my CID does start with '15'

So...playing around...I copied and modified your code a bit...to force a return of 1 from the compat check function and to modify the define of CID1 location to where CID is located on a 4.4.2 ROM (....mmc1/mmc1:0001/cid)

Anyway...after running my modified version...it does in fact...change the CID to the appropriate dev_cid and shut the phone down. I reboot and rerun my modified version...it says yup...got the dev_cid and does its backup of loaders...announces success and shuts the phone down.

But bootloader remains locked. Whether I pull battery and then power on or just power on. Several tries.

Any idea what's up with the /proc/cmdline fail and why after I modify where CID is located...it changes CID but won't do its magic to aboot even though it says it does?



Added in edit:

Oh yea...why does my Note 3 have 2 different CIDs? I am GUESSING because it has 2 different eMMC chips...but don't know enough about the hardware.

One starts with 15, the other with 03



[email protected]:/ $ su
[email protected]:/ # cd /sys
for i in `find . -depth -name cid -print` <
> do
> echo $i
> cat $i
> done
./devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/cid
1501004d424734474..........db000
./devices/msm_sdcc.3/mmc_host/mmc2/mmc2:e624/cid
0353445355333247..........00b700
[email protected]:/sys #




Sent from my Note 3 via Tapatalk
 
Last edited:

openbottle

Member
Apr 16, 2016
10
1
0
I've got 4.4.2 Your unlock code fails with the "only works on (some) Samsung..." on my Note 3 (SM-N900V).
Oh yea...why does my Note 3 have 2 different CIDs? I am GUESSING because it has 2 different eMMC chips...but don't know enough about the hardware.

One starts with 15, the other with 03



[email protected]:/ $ su
[email protected]:/ # cd /sys
for i in `find . -depth -name cid -print` <
> do
> echo $i
> cat $i
> done
./devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/cid
1501004d424734474..........db000
./devices/msm_sdcc.3/mmc_host/mmc2/mmc2:e624/cid
0353445355333247..........00b700
[email protected]:/sys #

Sent from my Note 3 via Tapatalk

---------- Post added at 11:29 PM ---------- Previous post was at 10:46 PM ----------



Sent from my Note 3 via Tapatalk
mmc2 is your external sdcard.
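The two CID dumps above (the internal eMMC on mmc1 and the SD card on mmc2), and the "CID must start with 15" rule earlier in the thread, come down to the first byte of the CID register being the JEDEC manufacturer ID. The decoder below is an added example, not code from the thread or from the unlock tool it discusses. It assumes the standard Linux sysfs layout (/sys/class/mmc_host/mmcN/mmcN:XXXX/ with cid and type attributes); the manufacturer table is a partial copy of the MID values in the Linux kernel's mmc quirks list. Sample inputs are the Toshiba CID quoted earlier in the thread plus two CIDs constructed here for illustration.

```python
"""Decode eMMC and SD CID registers as exposed by Linux under /sys.

Added example, not code from the thread or from the unlock tool it
discusses. Field layouts follow the JEDEC eMMC CID and the SD Physical
Layer CID; the MID table is partial (values copied from the Linux kernel's
mmc quirks header).
"""
import glob
import os

# Partial manufacturer ID (MID) table; anything else decodes as "unknown".
MANFID = {
    0x02: "SanDisk",
    0x03: "SanDisk (SD)",
    0x11: "Toshiba",
    0x13: "Micron",
    0x15: "Samsung",
    0x70: "Kingston",
    0x90: "Hynix",
}


def _cid_bytes(hexcid):
    """Turn the 32-hex-character sysfs string into the 16 raw CID bytes."""
    raw = bytes.fromhex(hexcid.strip())
    if len(raw) != 16:
        raise ValueError("CID must be 128 bits (32 hex characters)")
    return raw


def decode_mmc_cid(hexcid):
    """Decode an (e)MMC CID: MID, CBX, OID, 6-byte PNM, PRV, PSN, MDT."""
    b = _cid_bytes(hexcid)
    return {
        "mid": b[0],
        "manufacturer": MANFID.get(b[0], "unknown"),
        "cbx": b[1] & 0x03,  # device type: 1 = BGA (embedded eMMC), 0 = removable card
        "oid": b[2],
        "pnm": b[3:9].decode("ascii", "replace").rstrip("\x00 "),
        "prv": f"{b[9] >> 4}.{b[9] & 0x0F}",
        "psn": int.from_bytes(b[10:14], "big"),
        "mdt_raw": b[14],  # month/year code; the year base depends on EXT_CSD revision
    }


def decode_sd_cid(hexcid):
    """Decode an SD card CID: MID, 2-char OID, 5-byte PNM, PRV, PSN, MDT."""
    b = _cid_bytes(hexcid)
    year = 2000 + (((b[13] & 0x0F) << 4) | (b[14] >> 4))  # MDT year offset, bits 19:12
    month = b[14] & 0x0F                                   # MDT month, bits 11:8
    return {
        "mid": b[0],
        "manufacturer": MANFID.get(b[0], "unknown"),
        "oid": b[1:3].decode("ascii", "replace"),
        "pnm": b[3:8].decode("ascii", "replace").rstrip("\x00 "),
        "prv": f"{b[8] >> 4}.{b[8] & 0x0F}",
        "psn": int.from_bytes(b[9:13], "big"),
        "mdt": f"{year:04d}-{month:02d}",
    }


def decode_cid(hexcid, card_type):
    """Pick the decoder from the sysfs 'type' attribute ('MMC', 'SD' or 'SDIO')."""
    return decode_sd_cid(hexcid) if card_type == "SD" else decode_mmc_cid(hexcid)


def is_samsung_mid(hexcid):
    """The thread's 'CID must start with 15' rule: MID byte equals Samsung's 0x15."""
    return _cid_bytes(hexcid)[0] == 0x15


def scan_sysfs(root="/sys/class/mmc_host"):
    """List (card_dir, type, decoded CID) for every attached MMC/SD device.

    Linux only; returns an empty list where the sysfs tree is absent.
    """
    found = []
    for cid_path in sorted(glob.glob(os.path.join(root, "mmc*", "mmc*:*", "cid"))):
        card_dir = os.path.dirname(cid_path)
        try:
            with open(cid_path) as f:
                hexcid = f.read()
            with open(os.path.join(card_dir, "type")) as f:
                card_type = f.read().strip()
        except OSError:
            continue
        found.append((card_dir, card_type, decode_cid(hexcid, card_type)))
    return found


# Sample inputs: the first CID is the one quoted in the thread for a phone the
# tool rejected; the other two are constructed here and are not real devices.
SAMPLES = [
    ("toshiba_emmc_from_thread", "MMC", "11010030333247453404daa490c26100"),
    ("samsung_emmc_constructed", "MMC", "1501004558414d504c01000000010000"),
    ("sandisk_sd_constructed", "SD", "0353445355333247800123456700b700"),
]

if __name__ == "__main__":
    for label, card_type, cid in SAMPLES:
        print(label, "samsung_mid=%s" % is_samsung_mid(cid), decode_cid(cid, card_type))
    for card_dir, card_type, info in scan_sysfs():
        print(card_dir, card_type, info["manufacturer"], info["pnm"])
```

Run on the thread's Toshiba CID this reports MID 0x11 (Toshiba) and product name 032GE4, which is why that phone fails a Samsung-only check; the SD layout differs from the eMMC one (two-character OID, five-byte product name, a 12-bit date), so the sysfs type attribute has to choose the decoder rather than the host number.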
 

donc113

Senior Member
Jul 27, 2009
875
201
73
I am in the same boat as you. I modified the source, compiled the binary and it still crashed at "go back to google". Same as the original binary.
I am going to have to dig a little deeper in the source.
I just told the nearly_useless_compat_check () to return 1

And changed the define of CID1 to be:

#define CID1 "/sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/cid"

No other changes...it ran 1st time and did in fact change cid to the new value

Ran 2nd time...it said the new cid is the dev cid and supposedly "fixed" aboot and backed up the loaders to the extSD card.

Shut down...but pulling battery and restarting didn't unlock aboot.

Ran a 2nd run ...same..said it fixed aboot but it was still locked.

Just to put things back...I created a new version that put my original cid back...that worked fine too.



Sent from my Note 3 via Tapatalk
 

macgyver40

Senior Member
Nov 10, 2010
700
237
73
50
I just told the nearly_useless_compat_check () to return 1

And changed the define of CID1 to be:

#define CID1 "/sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/cid"

No other changes...it ran 1st time and did in fact change cid to the new value

Ran 2nd time...it said the new cid is the dev cid and supposedly "fixed" aboot and backed up the loaders to the extSD card.

Shut down...but pulling battery and restarting didn't unlock aboot.

Ran a 2nd run ...same..said it fixed aboot but it was still locked.

Just to put things back...I created a new version that put my original cid back...that worked fine too.



Sent from my Note 3 via Tapatalk
I don't know much about this but would guess the aboot is different in some way.

Sent from my SM-N900V
 

bftb0

Senior Member
Feb 5, 2010
2,594
1,040
0
@openbottle @donc113

do a hexdump of @ryanbg 's binary (*or better yet an objdump -j .text) and you will see that the replacement dev_cid and dev_sig are not the same values as in @beaups github code. I suppose that the valid dev CID values for a particular phone type are not shared between models, and beaups' code was for a different Galaxy model.

That's my uneducated guess anyway. Otherwise ryanbg would have had little reason to recompile.


*mo betta if it is compiled with arm support, but I just used a crappy cygwin x86 version.

---------- Post added at 07:13 PM ---------- Previous post was at 07:01 PM ----------

ps you could always (binary) edit ryanbg's binary.

/proc/cmdline => /proc/zzzline (note same string length, so all offsets remain the same)

then put your own "zzzline" in /proc & add some of your own symlinks in /sys to point at the correct CID file.

A bit tedious as it needs to be done twice (once per boot).
 