R&D: Let's get this bootloader unlocked.

gage0727

Senior Member
Dec 28, 2011
thatsupnow, I thanked you but am going to put my two cents' worth in too. Yeah, sorry, me posting this is trashing the thread and I am sorry about it, but I would have loved to see this thread stay true to how Adam intended it. Is there any way to clean it up, or have Adam or someone start a new thread and tell people if you post and it is noob, then you're deleted?
 

jetlitheone

Guest
On topic, @AdamOutler, are there any hardware alternatives that would 'unlock' our bootloader, so to speak, that are under $200?

Such as a replacement of the daughterboard or motherboard (not sure where the bootloader resides), or is it strictly a software issue?
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
Miami, Florida
No. The problem is the hardware locks are expecting a software key. If this were a physical key, it would have 1000+ tumblers and we have no idea of the proper position for them. We can't do anything without the key, or a weakness in the locking mechanism.
 

jetlitheone

Guest
Thanks for the quick response. Also great analogy as well... Hate saying something is uncrackable, but this device might be.

Sent from my GT-I9505 using Tapatalk 2
 

Aou

Senior Member
Aug 4, 2008
Arizona
It's not even worth it to flash anything over to "test". Read back a few pages through all the mish-mash and you'll find where I talked about the security features. Each bootloader is signed per-device model per Qualcomm bootloader signing procedures. On top of that, the bootloaders are revisioned using the monotonic counters of the e-fuses.

In order to make something work, we would need one of the following

...

Personally I'm hoping for 2, 3 or 8.. I don't like these cat and mouse games.. They're ridiculous.
When is the PIT partition loaded in the boot chain? Is there any way we can use a modified (and signed) pit partition to our advantage?
http://forum.xda-developers.com/showthread.php?t=2396133

Otherwise, is there any way this tool might be beneficial for obtaining the Samsung sigs?
 

RaptorMD

Senior Member
May 2, 2010
Adam, is there any chance the work you are doing on the AT&T side will translate to the Verizon side? I know they are different, but I suspect there must be some similarities.
 

ashaton

Member
Aug 1, 2013
Boston
Now that I can post in dev threads, I should point out that the linked tool is a Korean UI for creating binary PIT files but doesn't do any actual signing. In fact, a quick Google revealed that it may have been around since 2010.
 

gage0727

Senior Member
Dec 28, 2011
Question for Adam

@Adam, hey, I was wondering. I used to mess around with sat receivers years ago. Had to use a JTAG and software to get the receiver's keys, so to speak. Also any script for channels and such for the card had to have those numbers on them. I figure maybe any program that will mess with the bootloader may have to have each phone's personal key, so to speak, in it. Also, do you think that maybe a way in would be through the SIM card, or does the bootloader not even look for the SIM, that is, the software on the phone that loads up after the bootloader deals with the SIM card? I figure the bootloader is not working alongside the software on the phone, but maybe it communicates with it; I am unsure. Is there a way we can, like, copy our bootloader? I have seen you guys talk about JTAGging the phone and such, but I have not seen any info on actually doing it. I used to make my own JTAGs and would like to maybe try it with my phone to get a copy of my bootloader to see what I see.


Google works wonders; found a bunch of information about it. Now I just need to figure out if there is a way to mod the back cover so I can hook a JTAG to the phone and mount it on the phone and keep it attached. I do not like soldering and de-soldering cables off stuff.
 

MegaGalan

Senior Member
Sep 22, 2011
Guadalajara
To avoid soldering and desoldering, you can use these cables:
http://forum.gsmhosting.com/vbb/f63...g-without-soldering-pinouts-riff-box-1671630/

They work great. I use them and I recommend them.
 

jeboo

Recognized Developer
Apr 2, 2010
Ah the good ol' days of digging up group keys and whatnot ;)

As for this situation, the binaries are identical for all phones (by carrier). The uniqueness of each phone (SIM) is utilized post-aboot. The difficulty we have here is the chips are not accessible for manipulation/repair, and have been increasingly locked down. Since you brought up the old satellite days, imagine if the infamous Black Sunday zap occurred deep within the receiver's CPU..
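As an added illustration (a constructed model, not Samsung or Qualcomm code) of the two checks Aou and jeboo describe above: a bootloader image whose signature is bound to a device model, and a revision floor kept in e-fuses that can only be burned in one direction. The key, the fuse count and the image layout are assumptions, and HMAC-SHA256 stands in for the real asymmetric signature.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins (not Samsung/Qualcomm values): the OEM's per-model
# signing key and the number of one-time-programmable anti-rollback fuses.
MODEL_KEY = b"constructed-model-key-GT-I9505"
FUSE_BITS = 8
TAG_LEN = 32


class Fuses:
    """E-fuse bank: a bit may only go 0 -> 1, so the counter never decreases."""

    def __init__(self) -> None:
        self.bits = 0

    def counter(self) -> int:
        # Thermometer code: the counter is the number of burned fuses.
        return bin(self.bits).count("1")

    def advance_to(self, version: int) -> None:
        if version > FUSE_BITS:
            raise ValueError("no anti-rollback fuses left")
        # OR-ing can only set bits; there is no way to clear one.
        self.bits |= (1 << version) - 1


def sign_image(version: int, code: bytes) -> bytes:
    """Image layout (constructed): 4-byte LE version || code || 32-byte tag.
    HMAC-SHA256 stands in for the real asymmetric signature."""
    body = struct.pack("<I", version) + code
    return body + hmac.new(MODEL_KEY, body, hashlib.sha256).digest()


def verify_and_boot(image: bytes, fuses: Fuses) -> str:
    """Boot-chain order: signature first, then anti-rollback, then burn fuses."""
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(MODEL_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "rejected: bad signature"
    (version,) = struct.unpack("<I", body[:4])
    floor = fuses.counter()
    if version < floor:
        return "rejected: rollback (version %d < fuse counter %d)" % (version, floor)
    fuses.advance_to(version)  # a newer image raises the floor for good
    return "booted version %d" % version
```

Once a version-2 image has booted, a correctly signed version-1 image is still refused, which is why reflashing an older bootloader does not get around the lock.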
 

brandonhatty

Senior Member
Dec 31, 2012
Adam, when I downloaded your note 2 casual package from goo I noticed a vzwgs4 section. Is this for the old mdk build or some experimental stuff for the new build?

Sent from my SCH-I545 using XDA Premium 4 mobile app
 

gage0727

Senior Member
Dec 28, 2011
Yeah, I get what you mean, but Black Sunday was what happened with a sat company I never messed with. I always did the other companies. That one you needed keys off the receiver to put on the card to get it to work together. I would never get hit because I did not have a wide open card. I would have locals and such unlocked but not the PPV and stuff. Whenever I would get hit I would flip a switch on my IRD for a second, which in turn corrupted the EEPROM chip, and flip it back, making the chip update. Pull card and re-insert. The road I am going down, just wondering about, is the software and hardware interface before the rest of the phone comes into play; each person would have to JTAG their phone and pull the information needed to marry the bootloader software with their phone. To my understanding, correct me if wrong, but the bootloader off one phone will not work on another, correct, because it's been keyed for that specific phone?
 

jball

Senior Member
Jan 7, 2012
Amber
No questions, huh? I got one anyways. You guys still alive? I like to read in here to see if anything is progressing and it's been some time. No, I'm not a dev, but I have all kinds of hope and faith in you devs in here.

Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
 

heartspeace

Senior Member
Mar 21, 2008
Exceptional
Put social pressure on Samsung via social media; it is taking away S4 capabilities

Anyone else have insight? If you can contribute to any of the goals here, please do. It will help the community.
Google and Samsung folded to pressure on allowing SD cards to be used for applications after 3 devices of not - some due to social pressure on the social communities. I would put social pressure every day on Samsung social points about this issue - not being mean - but by asking them publicly to restore what for many has become jobs, etc. There are many arguments and pressure points to talk to Samsung on this. Of course they know of the issue - but if more of the public knows of the issue - they don't like this type of tweet to be in the news. Same thing happened on routers when they started to be restricted... Cisco/Linksys went back to supporting them more than before, when they had reduced support.

Get the public aware that Samsung is taking away capabilities of the phone. Put social pressure on Samsung by open messages/tweets/etc.

HP
 

cycad

Member
Aug 29, 2013
East Coast
I wrote an IDA loader plugin for the ROMs: https://github.com/cycad/mbn_loader/blob/master/mbn_loader.py

It lets you load the various ROMs into the same IDB. I'm a highly capable reverser but don't know anything about ARM, Android, or hardware -- as of about 3 weeks ago I started using this bootloader challenge as a way to expand my skills. I've been able to enumerate some of the qfuse implementation and map out interactions between ROM regions. My motivations for posting this plugin are to share what I created and more importantly meet people who find this loader script useful. I suspect breaking this will take a confluence of the right skills.

Who else is looking at this and what progress has been made? Or, what were the barriers? My email should be available through my profile and I'll also be following this thread.
 

jeboo

Recognized Developer
Apr 2, 2010
This is great work! We are trying to revitalize this project if anyone's interested :)

On that note, I have an MF3 phone and riffbox for testing. Does anyone have any tips for JTAG debugging? So far all I've found is this example based on the i9100/IDA: http://jtagbox.com/RIFF_JTAG_GDB_SERVER_IDA_DEBUG_SAMSUNG_I9100.swf

It's great for investigating PBL, but I'm more interested in analyzing (breakpoints/stack dumps) sbls/aboot. Any pointers would be great!