[R&D] kltevzw CID 11 locked bootloader SD bypass

Jen290

New member
Dec 9, 2016
There is a train of thought that suggests the following may allow us to bypass the locked bootloader on Verizon S5 CID 11 (Toshiba) phones to allow custom ROMs and recoveries etc.

Think of a Windows XP floppy boot disk containing NTLDR and boot.ini etc.

The idea is this:
1. Create a bootable ROM SD / debrick image from a Verizon Developer Edition S5 onto a Samsung EVO Plus SD card (beaups exploitable)
2. Change the CID of the SD card to the developer CID
3. Flash CM 13 or similar onto the CID 11 phone, insert the SD card into the CID 11 phone, chain boot the phone from SD

Limitations:
The SD card used for the bypass must be inserted during startup (however, the ROM runs from the phone as usual).

Questions:
  • Regarding point 1, can a debrick image function as a full Android ROM from an SD card? Or is there any known way to boot a ROM from an SD card with the S5?
  • Regarding point 3, any ideas on implementation? How can we instruct the unlocked bootloader on the SD card to boot a custom ROM on the phone? A specially designed boot.img to act as a "flash me" (secondary) bootloader, perhaps?

I have neither a Verizon Developer S5, nor an exploitable SD card to test.

Thank you for any pointers, advice and assistance testing.

Relevant links:
http://richard.burtons.org/2016/07/01/changing-the-cid-on-an-sd-card/
http://forum.xda-developers.com/showpost.php?p=70014237&postcount=496

AptLogic

Inactive Recognized Contributor
Jul 17, 2016
Refer to http://forum.xda-developers.com/att...t/tool-multirom-recovery-replacement-t3101220

Hariiiii

Senior Member
Oct 19, 2015
There is a train of thought that suggests the following may allow us to bypass the locked bootloader on Verizon S5 CID 11 (Toshiba) phones to allow custom ROMs and recoveries etc...
This seems reasonably possible. It mostly depends on how the bootloader checks the CID. The debrick.img includes the first 200MB of mmcblk0, which includes basically all of the firmware on the phone plus a little bit of the ROM tacked on the end. The question is: how much of this is run from the SD card, and when does it transition to the phone's eMMC? If it uses the kernel from the debrick.img, it will be a bit of a pain because the desired kernel will need to be flashed as a part of the img to the SD card every time. I have modified the unbrick creator zip to create an image that does not include the kernel (it is attached, use with caution please). Give it a try if you like; it should tell us a thing or two about how this works. The next step would be to dd an image of your entire phone and flash that to your SD card and see if that can run from the SD card. A good way to test that is to create the image and then change your wallpaper, then brick and try booting from SD. If your wallpaper is back to the original, then you are running from the SD.
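Since the whole question above turns on which CID field the bootloader compares, here is an added example (not code from the thread or from any of the posters) that decodes the raw CID register a Linux kernel exposes in /sys/block/mmcblkN/device/cid, for both the JEDEC eMMC layout (where "CID 11" / "CID 15" is the manufacturer-ID byte) and the SD-card layout. The manufacturer-ID table is an assumption from commonly reported values, and the two sample registers are constructed, not captured from a real S5.

```python
"""Decode a raw 128-bit MMC/SD CID register (32 hex chars, the format Linux exposes
in /sys/block/mmcblkN/device/cid) into its fields. Added example; samples are constructed."""

# Manufacturer IDs as commonly reported for these parts (assumption, not from the thread).
EMMC_MID = {0x11: "Toshiba", 0x15: "Samsung", 0x45: "SanDisk", 0x90: "SK Hynix"}
SD_MID = {0x02: "Toshiba", 0x03: "SanDisk", 0x1B: "Samsung"}

# Constructed registers: an eMMC with MID 0x11 and an SD card with MID 0x1b (CRC byte arbitrary).
SAMPLE_EMMC_CID = "11010030313647373010123456786101"
SAMPLE_SD_CID = "1b534d4542315154300abcdef1010b01"


def bits(reg: int, hi: int, lo: int) -> int:
    """Bits hi..lo inclusive, numbered MSB-first as in the SD and JEDEC specs."""
    return (reg >> lo) & ((1 << (hi - lo + 1)) - 1)


def crc7(data: bytes) -> int:
    """CRC-7, polynomial x^7 + x^3 + 1, as used for SD/MMC command and register CRCs."""
    crc = 0
    for byte in data:
        for _ in range(8):
            crc <<= 1
            if (crc ^ byte) & 0x80:
                crc ^= 0x09
            byte <<= 1
        crc &= 0x7F
    return crc


def decode_cid(hex_cid: str, kind: str) -> dict:
    """kind is "emmc" (JEDEC layout) or "sd" (SD Physical Layer layout); the two differ."""
    reg = int(hex_cid.strip(), 16)
    raw = reg.to_bytes(16, "big")

    def text(hi: int, lo: int) -> str:       # ASCII field occupying bits hi..lo
        return raw[(127 - hi) // 8:(127 - lo) // 8 + 1].decode("ascii", "replace").strip("\0 ")

    mid = bits(reg, 127, 120)                 # the "CID 11" / "CID 15" the thread refers to
    out = {"kind": kind, "mid": mid,
           "crc7_ok": crc7(raw[:15]) == bits(reg, 7, 1)}   # CRC covers bits 127..8
    if kind == "emmc":  # OID 111:104, PNM 103:56, PRV 55:48, PSN 47:16, MDT 15:8 (month, year code)
        out.update(manufacturer=EMMC_MID.get(mid, "unknown"), oid=f"{bits(reg, 111, 104):#04x}",
                   pnm=text(103, 56), prv=f"{bits(reg, 55, 52)}.{bits(reg, 51, 48)}",
                   psn=bits(reg, 47, 16), mdt=f"month {bits(reg, 15, 12)}, year code {bits(reg, 11, 8)}")
    elif kind == "sd":  # OID 119:104, PNM 103:64, PRV 63:56, PSN 55:24, MDT 19:8 (year since 2000, month)
        out.update(manufacturer=SD_MID.get(mid, "unknown"), oid=text(119, 104), pnm=text(103, 64),
                   prv=f"{bits(reg, 63, 60)}.{bits(reg, 59, 56)}", psn=bits(reg, 55, 24),
                   mdt=f"{2000 + bits(reg, 19, 12)}-{bits(reg, 11, 8):02d}")
    else:
        raise ValueError("kind must be 'emmc' or 'sd'")
    return out
```

On a rooted device, `/sys/block/mmcblkN/device/type` reports `MMC` or `SD`, which tells you which layout to pass as `kind` for the matching `cid` file.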