R&D: Lets get this bootloader unlocked.

Mike

Senior Member
Jun 20, 2012
1,404
448
113
So... uncrackable? Last time I heard that word, some kid in Korea hacked the H5 Direct TV card in about 30 minutes... But seriously, are i337 owners screwed? Any "official" word on this one?

Sticking with my S3 running a Canadian to so I have tethering and integrated SIP... AT&T can bite me if they think I am buying one of their phones where they locked the bootloader.

Sent from my GT-N8013
Stop posting here. Notice how all the development talk and the community's striving for a complete unlock have ceased, at least in this thread, once all you guys came in with your unrelated comments. Keep it on the topic of development. If you want to throw in random comments or your opinion on the bootloader being locked by your carrier/Samsung, then take it somewhere else.


"The rules
Keep this thread clean. I'm asking for strict moderation. If your comment doesn't advance the thread, it will be reported and put in the queue to be deleted. The whole point of this thread is to maintain high information density. This isn't a support thread. If someone has a "user-level" question about something, take it to a new thread in the Q&A forums. The mission isn't to support everything. We're focusing on just one thing and that's:

Lets get this bootloader unlocked"
Sent from my AT&T Galaxy S4 Running AOKP 4.2.2
 
J

jetlitheone

Guest
nope. As long as Samsung leaves Loki operational, we will be fine.
Don't you think it's a little suspicious that AT&T / Samsung has taken quite a while since the last update to push one out?

International variants have gotten about 3 since the Loki exploit.
 

alacrify

Senior Member
Jan 12, 2009
3,437
1,903
0
Don't you think it's a little suspicious that AT&T / Samsung has taken quite a while since the last update to push one out?

International variants have gotten about 3 since the Loki exploit.
I think you post a lot, and don't help as much as you should. Your point?
 
J

jetlitheone

Guest
I think you post a lot, and don't help as much as you should. Your point?
My point is that they're obviously patching it, and it has been patched on the Galaxy S4 Active, which is almost identical. That's my point. And I help plenty enough. XDA isn't my entire life.

Anyway, back to the topic of the matter; carry on.

Sent from my GT-I9505G using Tapatalk 4 Beta
 

_Dennis_

Senior Member
Apr 25, 2010
2,379
874
193
35
My point is that they're obviously patching it, and it has been patched on the Galaxy S4 Active, which is almost identical. That's my point. And I help plenty enough. XDA isn't my entire life.

Anyway, back to the topic of the matter; carry on.

Sent from my GT-I9505G using Tapatalk 4 Beta
Since when do US carriers push updates as fast as international? Honestly I'm not surprised when we go 5-10 updates behind international phones.

Sent from my SGH-I337 using Tapatalk 4 Beta
 

mg2195

Senior Member
Dec 5, 2011
2,983
2,572
0
25
RSM
Well, it appears it may be time to look back into this... Adam, have you checked out the new update? The current root method has been confirmed not to work, and I'm assuming Loki has been patched as well.

Sent from my SAMSUNG-SGH-I337 using Tapatalk 2
 

scott14719

Senior Member
Dec 24, 2011
2,223
830
0
I propose cleaning this thread out and moving it to the "Developers only" discussion area to keep off-topic posts out of it. I think that will provide a better environment for this type of thread.

I think Adam would have to make the request...if he wants to.
 

Aou

Senior Member
Aug 4, 2008
794
777
0
Arizona
... I don't know if we can get away with flashing the entire bootchain.. But we need to determine what will happen if an invalid bootloader is flashed to a device I suppose, and I have access to free JTAG for my device. If you can see any reason that would invalidate this test, let me know.
I found out, sort of. As you probably saw in my other thread, I flashed sbl2 and sbl3 (technically along with RPM) from the latest MF3 OTA update. The result was the phone resorting to emergency boot, showing up in QPST as being in Download Mode. The problem I have is, no signed .hex file. My Riffbox should be here later this week, along with a handy, no-solder PCB to keep my device in original condition. I'm counting on it being able to push something bootable to at least bring my Odin back. From there, I could survive of course (even if I was forced to update the rest to MF3, ...).

Enough chit-chat. I want to ask you some questions. I'm hoping you have a moment to address these properly.
  1. If an efuse is blown with an update (with MF3, seems to be the case - odin will refuse to load MDB or MDL - mentions something about the fused number being greater than the firmware number), can JTAG override this check? e.g. could MDL sbl2 and sbl3 be placed back on the device via JTAG or even DD, given they are signed and would be accepted by sbl1?
  2. Further, could a rooted MF3 user (who's taken the full update but managed to keep root) use recovery or DD to forcefully restore an MDL version of sbl2, sbl3, RPM, TZ and ABOOT? It appears sbl1 was left untouched, so what would prevent it loading sbl2 if it were somehow present? Obviously a modified aboot could prevent reflashing these, but I'm looking at DD and recovery specifically.
  3. Did you ever find the answer to, "what happens if we flash a whole new bootloader chain to the device?"? If I'm able to restore my device easily with JTAG, I would be interested in trying this as well, if it's worth anything.
  4. Once I obtain JTAG, would you be interested in an additional guinea pig for a short period while I have my phone disassembled? If you have anything that might be worth a shot, but still recoverable via JTAG, I would gladly try it.

Thanks for your time, and your invaluable contributions. I can understand your frustration with this thread and the general community right now, and the overall lack of respect that's been shown to you in this thread alone. I'm hoping that we can pick this up again and perhaps look on it with new light, now that MF3 has released and brought forth chaos.


also, it would be cool to run some native linux on the S4, dontcha think? ;)
 

Aou

Senior Member
Aug 4, 2008
794
777
0
Arizona
  • If an efuse is blown with an update (with MF3, seems to be the case - odin will refuse to load MDB or MDL - mentions something about the fused number being greater than the firmware number), can JTAG override this check? e.g. could MDL sbl2 and sbl3 be placed back on the device via JTAG or even DD, given they are signed and would be accepted by sbl1?
Answer: Flashing any part of the new MF3 bootloader will indeed blow the e-fuses - but not only to block Odin from flashing the older bootloader... but also to block the older bootloader from booting at all. Even JTAG cannot restore MDL to these devices at this time.
  • Further, could a rooted MF3 user (who's taken the full update but managed to keep root) use recovery or DD to forcefully restore an MDL version of sbl2, sbl3, RPM, TZ and ABOOT? It appears sbl1 was left untouched, so what would prevent it loading sbl2 if it were somehow present? Obviously a modified aboot could prevent reflashing these, but I'm looking at DD and recovery specifically.
First of all, I was a fool to think that an MF3-updated, rooted user (via rootkeeper, or whatnot) could have a custom recovery. Because of the patched ABOOT, the Loki exploit is gone - no custom recoveries or custom kernels.
Secondly, for the same reason as #1 above, if someone tries to restore an MDL bootloader onto a device that's fused for MF3, it will hard-brick.
  • Did you ever find the answer to, "what happens if we flash a whole new bootloader chain to the device?"? If I'm able to restore my device easily with JTAG, I would be interested in trying this as well, if it's worth anything.
I would still like to find this out. I was not able to JTAG/restore my brick yet, and I'm thinking it's because I need the MF3 Kies package. Even still, with the device being fused for MF3+, I probably won't be able to test this unless the replacement bootloader chain is also fused the same (i.e. an unlocked, samsung-signed bootloader chain that also happened to blow the same e-fuses... unlikely to be found). Nonetheless, I'd be willing to try anything with the brick I have here.
  • Once I obtain JTAG, would you be interested in an additional guinea pig for a short period while I have my phone disassembled? If you have anything that might be worth a shot, but still recoverable via JTAG, I would gladly try it.
This offer stands. If/when I successfully JTAG this thing, I'd be willing to throw anything at it. Just send a link, and I'll flash it. ;)

At this time, it would appear that development for the unlocking of the I337's bootloaders has essentially come to a halt. After all, what Dev would want to risk the MF3 update on their phone to try to crack it (or even root it) when it means they would risk losing Loki/root/all? Every reasonable Dev out here is going to avoid MF3 like it's the plague.
 

upndwn4par

Inactive Recognized Developer
Jan 22, 2012
3,640
10,375
0
New Jersey
After all, what Dev would want to risk the MF3 update on their phone to try to crack it (or even root it) when it means they would risk losing Loki/root/all?
Hopefully Adam will. ERDs are given devices by xda, so maybe he can score an S4 strictly for research purposes. :)

I think the take home message here is that we all need to consider moving on to a more developer and customer friendly OEM (like HTC or Sony). This is sad because Samsung makes great devices.
 

Aou

Senior Member
Aug 4, 2008
794
777
0
Arizona
Let me ask a very stupid question.
Why can not we flash the bootloader from i9505 on i337?
I was definitely going to try this if I got my device up and running again, but with all the e-fuses that didn't work out.

My guess as to why it wouldn't work anyway (even on a brand-new, MDB/MDL device): They've likely written the ibl to only accept firmware intended for the i337. Unless someone can confirm that the ibl on both devices are the same?
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,808
0
Miami, Florida
It's not even worth it to flash anything over to "test". Read back a few pages through all the mish-mash and you'll find where I talked about the security features. Each bootloader is signed per-device model per Qualcomm bootloader signing procedures. On top of that, the bootloaders are revisioned using the monotonic counters of the e-fuses.

In order to make something work, we would need one of the following
  1. Qualcomm's private signing tool (might be possible) --Samsung's private signing keys (never going to happen)
  2. A way to change the keys on the device (may be possible through Knox)
  3. A leaked "engineering bootloader" --Signed by Samsung with proper keys --For the i337 --For the second revision bootloader
  4. A vulnerability in SELinux (probably won't happen) which allows us to load a KExec module (I don't think this exists)
  5. A vulnerability in the way the bootloaders load kernels or firmware
  6. A vulnerability in the way the hardware loads the bootloaders
  7. A security vulnerability in the Qualcomm bootloaders, which is what everyone who can read Assembly language is looking for.
  8. A tool from Samsung.
Personally I'm hoping for 2, 3 or 8. I don't like these cat and mouse games. They're ridiculous.
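The two posts above (Aou's answers on the blown e-fuses, and this one on per-model signing and monotonic revision counters) describe a chain of trust in prose. The following toy model, added here and not code from Samsung, Qualcomm or anyone in this thread, walks through the same situations so the outcomes can be checked: a fresh MDL device, MF3 sbl2/sbl3 flashed over an MDL chain, a full MF3 chain, MDL restored afterwards, an i9505 chain on an i337, and an aboot image edited after signing. Everything in it is an assumption made for illustration: the stage order, the revision numbers (MDL = 1, MF3 = 2), the key, and HMAC-SHA256 standing in for the vendor's asymmetric signature; the fuse is modelled as an integer that only ever increases.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's private signing key. The real chain uses
# asymmetric signatures; HMAC-SHA256 is used here only so the example runs offline.
OEM_KEY = b"constructed-oem-signing-key"
STAGES = ("sbl1", "sbl2", "sbl3", "rpm", "tz", "aboot")  # load order assumed for this toy


@dataclass(frozen=True)
class Image:
    stage: str        # which bootloader stage this image is
    model: str        # device model it was signed for, e.g. "i337"
    version: int      # bootloader revision; toy numbering: MDL = 1, MF3 = 2
    payload: bytes
    signature: bytes


def _mac(stage, model, version, payload):
    # Stage, model and revision are all under the signature, so none of them
    # can be altered without invalidating it.
    msg = b"|".join([stage.encode(), model.encode(), str(version).encode(), payload])
    return hmac.new(OEM_KEY, msg, hashlib.sha256).digest()


def sign_image(stage, model, version, payload):
    return Image(stage, model, version, payload, _mac(stage, model, version, payload))


def make_chain(model, version):
    # A complete, validly signed chain for one model at one revision.
    return {s: sign_image(s, model, version, f"{s} firmware rev {version}".encode())
            for s in STAGES}


class BootError(Exception):
    pass


class Device:
    def __init__(self, model):
        self.model = model
        self.fuse = 0  # e-fuse revision counter: monotonic, can only go up

    def boot(self, images):
        # Verify each stage in order; return the stages that ran. A BootError is
        # where the real phone would drop to emergency download mode or brick.
        booted = []
        for stage in STAGES:
            img = images.get(stage)
            if img is None or img.stage != stage:
                raise BootError(f"{stage}: image missing or mislabelled")
            if img.model != self.model:
                raise BootError(f"{stage}: signed for {img.model}, this device is {self.model}")
            expected = _mac(img.stage, img.model, img.version, img.payload)
            if not hmac.compare_digest(img.signature, expected):
                raise BootError(f"{stage}: signature check failed")
            if img.version < self.fuse:
                raise BootError(f"{stage}: revision {img.version} is below fuse counter {self.fuse}")
            self.fuse = max(self.fuse, img.version)  # a verified newer stage blows the fuse
            booted.append(stage)
        return booted


def try_boot(device, images):
    try:
        return True, "booted " + " -> ".join(device.boot(images))
    except BootError as err:
        return False, str(err)


def run_scenarios():
    # The situations discussed in the thread, as (label, booted?, detail, fuse after).
    mdl, mf3 = make_chain("i337", 1), make_chain("i337", 2)
    dev, out = Device("i337"), []
    out.append(("fresh device boots MDL", *try_boot(dev, mdl), dev.fuse))
    mixed = dict(mdl, sbl2=mf3["sbl2"], sbl3=mf3["sbl3"])
    out.append(("MF3 sbl2/sbl3 on an MDL chain", *try_boot(dev, mixed), dev.fuse))
    out.append(("full MF3 chain", *try_boot(dev, mf3), dev.fuse))
    out.append(("MDL restored after MF3", *try_boot(dev, mdl), dev.fuse))
    out.append(("i9505 chain on an i337", *try_boot(dev, make_chain("i9505", 2)), dev.fuse))
    a = mf3["aboot"]
    patched = dict(mf3, aboot=Image(a.stage, a.model, a.version, a.payload + b"!", a.signature))
    out.append(("modified aboot, original signature", *try_boot(dev, patched), dev.fuse))
    return out


if __name__ == "__main__":
    for label, ok, detail, fuse in run_scenarios():
        print(f"{'OK  ' if ok else 'FAIL'} {label:<36} {detail} (fuse={fuse})")
```

Note how the mixed chain fails at rpm rather than at sbl2: the MF3 stages verify fine and raise the counter, and it is the untouched MDL stages after them that are refused, which is the same shape as the emergency-download result Aou reported. The counter stays at 2 from then on, so the validly signed MDL chain never boots again.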
 

JRman

Senior Member
Feb 12, 2012
52
5
0
FYI: New S4 on 8/3 still has MDL

FYI: Just received my S4 (Amazon.com order) today (8/3) and was scared it might have MF3 already.

No worries, still MDL... :)
 

nrhpd527

Senior Member
Dec 21, 2007
123
28
0
FYI: Just received my S4 (Amazon.com order) today (8/3) and was scared it might have MF3 already.

No worries, still MDL... :)
I was scared to death the other night because a bad load of TWRP (through Goo Manager) bricked my S4 to the point of needing to use the emergency recovery feature of Kies. Thus, I naturally thought I would come out of that with MF3 firmware. Thankfully, Kies is still pulling down the MDL firmware and I was able to get rooted and get Infamous Alpha 4.5 loaded after I finally convinced Kies to work. It was a tense couple of hours though with a bricked phone.

Would have made for an uncomfortable anniversary...hey babe, I fubared my phone, dinner out is off since I have to go spend that money on a new phone....
 

aturbs

Senior Member
Jun 17, 2011
172
19
0
Alright guys, I wanna start this off with a nice healthy "I told you so". I said once Verizon was allowed to lock devices with Samsung, the rest of the carriers would follow suit. I was met with resistance on that statement, but the AT&T bootloader is now just as locked as Verizon. We need to unlock it. This forum will be pretty darn dead until we are able to do this.

The rules
Keep this thread clean. I'm asking for strict moderation. If your comment doesn't advance the thread, it will be reported and put in que to be deleted. The whole point of this thread is to maintain high information density. This isn't a support thread. If someone has a "user-level" question about something, take it to a new thread in the Q&A forums. The mission isn't to support everything.. We're focusing on just one thing and that's:

Lets get this bootloader unlocked

First up, let's make it perfectly clear. This device is bootloader locked.

Odin Mode



Partition Structures.. Here's the output from heimdall print-pit
Code:
Heimdall v1.4 RC2

Copyright (c) 2010-2012, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/

This software is provided free of charge. Copying and redistribution is
encouraged.

If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/

Initialising connection...
Detecting device...
      Manufacturer: "Sasmsung"
           Product: "MSM8960"

            length: 18
      device class: 2
               S/N: 0
           VID:PID: 04E8:685D
         bcdDevice: 0100
   iMan:iProd:iSer: 1:2:0
          nb confs: 1

interface[0].altsetting[0]: num endpoints = 1
   Class.SubClass.Protocol: 02.02.01
       endpoint[0].address: 82
           max packet size: 0010
          polling interval: 09

interface[1].altsetting[0]: num endpoints = 2
   Class.SubClass.Protocol: 0A.00.00
       endpoint[0].address: 81
           max packet size: 0200
          polling interval: 00
       endpoint[1].address: 01
           max packet size: 0200
          polling interval: 00
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...

Checking if protocol is initialised...
Protocol is not initialised.

Initialising protocol...
Protocol initialisation successful.

Beginning session...

This device may take up to 2 minutes to respond.
Please be patient!

Session begun.

Downloading device's PIT file...
PIT file download successful.

Entry Count: 33
Unknown 1: 1598902083
Unknown 2: 844251476
Unknown 3: 21325
Unknown 4: 14413
Unknown 5: 13881
Unknown 6: 48
Unknown 7: 0
Unknown 8: 0


--- Entry #0 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 1
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 8192
Partition Block Count: 25544
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: APNHLOS
Flash Filename: NON-HLOS.bin
FOTA Filename: 


--- Entry #1 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 2
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 33736
Partition Block Count: 105528
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: MDM
Flash Filename: modem.bin
FOTA Filename: 


--- Entry #2 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 3
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 139264
Partition Block Count: 256
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SBL1
Flash Filename: sbl1.mbn
FOTA Filename: 


--- Entry #3 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 4
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 139520
Partition Block Count: 512
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SBL2
Flash Filename: sbl2.mbn
FOTA Filename: 


--- Entry #4 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 5
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 140032
Partition Block Count: 1024
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SBL3
Flash Filename: sbl3.mbn
FOTA Filename: 


--- Entry #5 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 6
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 141056
Partition Block Count: 4096
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: ABOOT
Flash Filename: aboot.mbn
FOTA Filename: 


--- Entry #6 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 7
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 145152
Partition Block Count: 1024
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: RPM
Flash Filename: rpm.mbn
FOTA Filename: 


--- Entry #7 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 8
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 146176
Partition Block Count: 1024
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: TZ
Flash Filename: tz.mbn
FOTA Filename: 


--- Entry #8 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 9
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 147200
Partition Block Count: 33792
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PAD
Flash Filename: 
FOTA Filename: 


--- Entry #9 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 10
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 180992
Partition Block Count: 27904
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: EFS
Flash Filename: efs.img.ext4
FOTA Filename: 


--- Entry #10 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 11
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 208896
Partition Block Count: 6144
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: MODEMST1
Flash Filename: nvrebuild1.bin
FOTA Filename: 


--- Entry #11 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 12
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 215040
Partition Block Count: 6144
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: MODEMST2
Flash Filename: nvrebuild2.bin
FOTA Filename: 


--- Entry #12 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 13
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 221184
Partition Block Count: 1560
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: M9KEFS1
Flash Filename: m9kefs1.bin
FOTA Filename: 


--- Entry #13 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 14
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 222744
Partition Block Count: 1560
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: M9KEFS2
Flash Filename: m9kefs2.bin
FOTA Filename: 


--- Entry #14 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 15
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 224304
Partition Block Count: 1560
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: M9KEFS3
Flash Filename: m9kefs3.bin
FOTA Filename: 


--- Entry #15 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 16
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 225864
Partition Block Count: 5652480
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SYSTEM
Flash Filename: system.img.ext4
FOTA Filename: 


--- Entry #16 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 17
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 5878344
Partition Block Count: 16384
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PERSIST
Flash Filename: 
FOTA Filename: 


--- Entry #17 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 18
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 5894728
Partition Block Count: 4239360
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: CACHE
Flash Filename: cache.img.ext4
FOTA Filename: 


--- Entry #18 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 19
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10134088
Partition Block Count: 12288
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PARAM
Flash Filename: param.lfs
FOTA Filename: 


--- Entry #19 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 20
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10146376
Partition Block Count: 20480
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: BOOT
Flash Filename: boot.img
FOTA Filename: 


--- Entry #20 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 21
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10166856
Partition Block Count: 20480
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: RECOVERY
Flash Filename: recovery.img
FOTA Filename: 


--- Entry #21 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 22
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10187336
Partition Block Count: 20480
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: FOTA
Flash Filename: 
FOTA Filename: 


--- Entry #22 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 23
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10207816
Partition Block Count: 12288
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: BACKUP
Flash Filename: 
FOTA Filename: 


--- Entry #23 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 24
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10220104
Partition Block Count: 6144
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: FSG
Flash Filename: 
FOTA Filename: 


--- Entry #24 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 25
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 10226248
Partition Block Count: 16
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SSD
Flash Filename: 
FOTA Filename: 


--- Entry #25 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 26
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 10226264
Partition Block Count: 18432
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PERSDATA
Flash Filename: persdata.img.ext4
FOTA Filename: 


--- Entry #26 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 27
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 10244696
Partition Block Count: 40960
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: HIDDEN
Flash Filename: hidden.img.ext4
FOTA Filename: 


--- Entry #27 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 28
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 10285656
Partition Block Count: 40960
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: CARRIER
Flash Filename: carrier.img.ext4
FOTA Filename: 


--- Entry #28 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 29
Attributes: 5 (Read/Write)
Update Attributes: 5 (FOTA)
Partition Block Size/Offset: 10326616
Partition Block Count: 0
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: USERDATA
Flash Filename: userdata.img.ext4
FOTA Filename: remained


--- Entry #29 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 70
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 0
Partition Block Count: 34
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PGPT
Flash Filename: pgpt.img
FOTA Filename: 


--- Entry #30 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 71
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 34
Partition Block Count: 16
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PIT
Flash Filename: MSM8960.pit
FOTA Filename: 


--- Entry #31 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 72
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 50
Partition Block Count: 32
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: MD5
Flash Filename: md5.img
FOTA Filename: 


--- Entry #32 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 73
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 30777311
Partition Block Count: 33
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SGPT
Flash Filename: sgpt.img
FOTA Filename: 

Ending session...
Rebooting device...
Releasing device interface...
Re-attaching kernel driver...

Here are the partitions on the device from /dev/block/platform/msm_sdcc.1/by-name :
Code:
lrwxrwxrwx root     root              1970-01-02 02:12 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root     root              1970-01-02 02:12 apnhlos -> /dev/block/mmcblk0p1
lrwxrwxrwx root     root              1970-01-02 02:12 backup -> /dev/block/mmcblk0p23
lrwxrwxrwx root     root              1970-01-02 02:12 boot -> /dev/block/mmcblk0p20
lrwxrwxrwx root     root              1970-01-02 02:12 cache -> /dev/block/mmcblk0p18
lrwxrwxrwx root     root              1970-01-02 02:12 carrier -> /dev/block/mmcblk0p28
lrwxrwxrwx root     root              1970-01-02 02:12 efs -> /dev/block/mmcblk0p10
lrwxrwxrwx root     root              1970-01-02 02:12 fota -> /dev/block/mmcblk0p22
lrwxrwxrwx root     root              1970-01-02 02:12 fsg -> /dev/block/mmcblk0p24
lrwxrwxrwx root     root              1970-01-02 02:12 hidden -> /dev/block/mmcblk0p27
lrwxrwxrwx root     root              1970-01-02 02:12 m9kefs1 -> /dev/block/mmcblk0p13
lrwxrwxrwx root     root              1970-01-02 02:12 m9kefs2 -> /dev/block/mmcblk0p14
lrwxrwxrwx root     root              1970-01-02 02:12 m9kefs3 -> /dev/block/mmcblk0p15
lrwxrwxrwx root     root              1970-01-02 02:12 mdm -> /dev/block/mmcblk0p2
lrwxrwxrwx root     root              1970-01-02 02:12 modemst1 -> /dev/block/mmcblk0p11
lrwxrwxrwx root     root              1970-01-02 02:12 modemst2 -> /dev/block/mmcblk0p12
lrwxrwxrwx root     root              1970-01-02 02:12 pad -> /dev/block/mmcblk0p9
lrwxrwxrwx root     root              1970-01-02 02:12 param -> /dev/block/mmcblk0p19
lrwxrwxrwx root     root              1970-01-02 02:12 persdata -> /dev/block/mmcblk0p26
lrwxrwxrwx root     root              1970-01-02 02:12 persist -> /dev/block/mmcblk0p17
lrwxrwxrwx root     root              1970-01-02 02:12 recovery -> /dev/block/mmcblk0p21
lrwxrwxrwx root     root              1970-01-02 02:12 rpm -> /dev/block/mmcblk0p7
lrwxrwxrwx root     root              1970-01-02 02:12 sbl1 -> /dev/block/mmcblk0p3
lrwxrwxrwx root     root              1970-01-02 02:12 sbl2 -> /dev/block/mmcblk0p4
lrwxrwxrwx root     root              1970-01-02 02:12 sbl3 -> /dev/block/mmcblk0p5
lrwxrwxrwx root     root              1970-01-02 02:12 ssd -> /dev/block/mmcblk0p25
lrwxrwxrwx root     root              1970-01-02 02:12 system -> /dev/block/mmcblk0p16
lrwxrwxrwx root     root              1970-01-02 02:12 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx root     root              1970-01-02 02:12 userdata -> /dev/block/mmcblk0p29


The following partitions do not have links to /dev/block.
Code:
--- Entry #29 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 70
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 0
Partition Block Count: 34
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PGPT
Flash Filename: pgpt.img
FOTA Filename:

--- Entry #30 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 71
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 34
Partition Block Count: 16
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: PIT
Flash Filename: MSM8960.pit
FOTA Filename: 
 
--- Entry #31 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 72
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 50
Partition Block Count: 32
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: MD5
Flash Filename: md5.img
FOTA Filename: 


--- Entry #32 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 73
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 30777311
Partition Block Count: 33
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SGPT
Flash Filename: sgpt.img
FOTA Filename:
Teardown
I did a teardown of the GS4 as soon as I received it. Here is some video footage
If you're looking for information about individual chips, start here at 35 minutes in:

UART
UART output video analysis: http://www.youtube.com/watch?feature=player_detailpage&v=wK7Te0lWxDA#t=4514s
UART output text: http://pastebin.ubuntu.com/5609061/


System files
The files contained here come directly from my device. I will not guarantee that they will flash. In fact, the SYSTEM partition has been modified so it will likely not flash. However, this is a copy of ALL THE partitions on my device. Odin Flashable ROM: http://d-h.st/BHF

To my knowledge we don't have a version of Odin that will work properly with this device yet.

These are my device-specific files. I am posting them in hopes they will be helpful. I recommend NEVER flashing them to a live device, otherwise you will end up with some funky stuff and probably under the same surveillance that I am under ;) . Basically, this will change your serial numbers and stuff and they will no longer be right. Don't flash them: http://d-h.st/8Hc


root
djrbliss has attained root here: http://forum.xda-developers.com/showthread.php?t=2252248

I've packaged a CASUAL method based 100% on @djrbliss method. I prefer CASUAL as the same file will work on all platforms and it's contained within a single executable. http://d-h.st/64i

Heimdall
Heimdall is broken. Here is the output:
Code:
[email protected]:~/Desktop/GS4CASUAL/partitions/new$ sudo heimdall flash --BOOT ./boot.img --verbose
Heimdall v1.4 RC2

Copyright (c) 2010-2012, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/

This software is provided free of charge. Copying and redistribution is
encouraged.

If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/

Initialising connection...
Detecting device...
      Manufacturer: "Sasmsung"
           Product: "MSM8960"

            length: 18
      device class: 2
               S/N: 0
           VID:PID: 04E8:685D
         bcdDevice: 0100
   iMan:iProd:iSer: 1:2:0
          nb confs: 1

interface[0].altsetting[0]: num endpoints = 1
   Class.SubClass.Protocol: 02.02.01
       endpoint[0].address: 82
           max packet size: 0010
          polling interval: 09

interface[1].altsetting[0]: num endpoints = 2
   Class.SubClass.Protocol: 0A.00.00
       endpoint[0].address: 81
           max packet size: 0200
          polling interval: 00
       endpoint[1].address: 01
           max packet size: 0200
          polling interval: 00
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...

Checking if protocol is initialised...
ERROR: libusb error -7 whilst receiving packet.
Protocol is not initialised.

Initialising protocol...
WARNING: Control transfer #1 failed. Result: -9
WARNING: Control transfer #2 failed. Result: -9
WARNING: Control transfer #3 failed. Result: -9
WARNING: Control transfer #4 failed. Result: -9
WARNING: Control transfer #5 failed. Result: -9
WARNING: Control transfer #6 failed. Result: -9
Protocol initialisation successful.

Beginning session...

This device may take up to 2 minutes to respond.
Please be patient!

Session begun.

Downloading device's PIT file...
PIT file download successful.

Uploading BOOT
0%File Part #0... Response: 0  0  0  0  0  0  0  0 

12%
File Part #1... Response: 0  0  0  0  1  0  0  0 

25%
File Part #2... Response: 0  0  0  0  2  0  0  0 

38%
File Part #3... Response: 0  0  0  0  3  0  0  0 

50%
File Part #4... Response: 0  0  0  0  4  0  0  0 

63%
File Part #5... Response: 0  0  0  0  5  0  0  0 

76%
File Part #6... Response: 0  0  0  0  6  0  0  0 

88%
File Part #7... Response: 0  0  0  0  7  0  0  0 

100%
ERROR: Failed to unpack received packet.

ERROR: Failed to confirm end of file transfer sequence!
ERROR: BOOT upload failed!

Ending session...
Rebooting device...
Releasing device interface...
Re-attaching kernel driver...

[email protected]:~/Desktop/GS4CASUAL/partitions/new$
Tasks/moving forward
  • Obtain stock System.img WITHOUT A SINGLE MODIFICATION. We need to figure out a way to get @djrbliss's exploit to attain root permissions, then simply copy the /dev/block/platform/msm_sdcc.1/by-name/system partition off the device. Stock Firmware is here: http://forum.xda-developers.com/showthread.php?t=2261573
  • Heimdall is having problems with this device so Heimdall will require an update. If someone would, please follow @Benjamin Dobell's tutorial here and submit a log of a simple package so we can get heimdall working. http://www.xda-developers.com/android/heimdall-and-usb-logging-tutorial-xda-developer-tv/
  • This relies on two unknowns, but we need a bootloader set which does not have signature checks enabled. Possibly from a developer version. It may be possible to replace the SBL1,2,3 and aboot with an unsigned bootloader set which will break the chain of trust above the bootloader. Will not work because of signatures
  • Figure out how the PARAM partitioning works. I see that there is support for partition tables in the PARAM partition based on the Little Kernel bootloader output from above. This means it's possible we can boot from SD.
  • Determine the possibility of loading custom firmware with Samsung Knox
  • Once we have the items above done, we can move on to writing the exploits.

This is an open-forum discussion. But, please, please... keep it professional and on-track. Strict moderation is in effect. Anyone else have insight? If you can contribute to any of the goals here, please do. It will help the community.
tl;dr
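The opening post dumps the PIT from heimdall print-pit and the by-name symlinks, and then points out by hand which entries have no /dev/block link. The script below is an added example, not Heimdall's code or anything from this thread, that does the same comparison mechanically: it parses the text dump into entries, reads the symlink listing, checks that each PIT identifier is the N of its mmcblk0pN link, reports entries without a link, and flags sector ranges that overlap. The sample input is a constructed excerpt of the dumps above trimmed to the fields the parser reads; 512-byte sectors are assumed only in the field comment, the parser itself works in blocks.

```python
import re
from dataclasses import dataclass


@dataclass
class PitEntry:
    index: int           # N in "--- Entry #N ---"
    identifier: int      # partition number; should be the N of mmcblk0pN
    name: str            # Partition Name
    start_block: int     # Partition Block Size/Offset (512-byte sectors assumed)
    block_count: int     # Partition Block Count; 0 means "remained" (fills the rest)
    flash_filename: str  # Flash Filename, empty for housekeeping entries

    @property
    def end_block(self):
        return self.start_block + self.block_count


ENTRY_RE = re.compile(r"^--- Entry #(\d+) ---$")
FIELD_RE = re.compile(r"^([A-Za-z0-9 /()]+?):\s*(.*)$")
BYNAME_RE = re.compile(r"(\S+) -> /dev/block/mmcblk0p(\d+)\s*$")


def parse_pit_dump(text):
    # One dict of raw fields per "--- Entry #N ---" block; header lines before
    # the first entry (Entry Count, Unknown 1..8) are ignored.
    entries, fields = [], None
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            if fields is not None:
                entries.append(_to_entry(fields))
            fields = {"index": int(m.group(1))}
        elif fields is not None and (m := FIELD_RE.match(line)):
            fields[m.group(1).strip()] = m.group(2).strip()
    if fields is not None:
        entries.append(_to_entry(fields))
    return entries


def _to_entry(f):
    return PitEntry(f["index"], int(f["Identifier"]), f["Partition Name"],
                    int(f["Partition Block Size/Offset"]),
                    int(f["Partition Block Count"]), f.get("Flash Filename", ""))


def parse_by_name(text):
    # lower-case name -> N from the `ls -l .../by-name` listing
    return {m.group(1).lower(): int(m.group(2))
            for m in map(BYNAME_RE.search, text.splitlines()) if m}


def cross_check(entries, links):
    # Does each PIT identifier match the kernel's mmcblk0pN symlink?
    # Returns (matched, unlinked, mismatched); unlinked are the entries the
    # thread notes have no /dev/block link (GPT copies, PIT, MD5).
    matched, unlinked, mismatched = [], [], []
    for e in entries:
        n = links.get(e.name.lower())
        if n is None:
            unlinked.append(e.name)
        elif n == e.identifier:
            matched.append(e.name)
        else:
            mismatched.append((e.name, e.identifier, n))
    return matched, unlinked, mismatched


def find_overlaps(entries):
    # Pairs of sized entries whose sector ranges overlap; a sane PIT has none.
    sized = sorted((e for e in entries if e.block_count > 0), key=lambda e: e.start_block)
    overlaps, top_name, top_end = [], None, 0
    for e in sized:
        if top_name is not None and e.start_block < top_end:
            overlaps.append((top_name, e.name))
        if e.end_block > top_end:
            top_name, top_end = e.name, e.end_block
    return overlaps


# Constructed excerpt of the dumps posted above, trimmed to the fields read here.
SAMPLE_PIT = """\
--- Entry #2 ---
Identifier: 3
Partition Block Size/Offset: 139264
Partition Block Count: 256
Partition Name: SBL1
Flash Filename: sbl1.mbn

--- Entry #19 ---
Identifier: 20
Partition Block Size/Offset: 10146376
Partition Block Count: 20480
Partition Name: BOOT
Flash Filename: boot.img

--- Entry #29 ---
Identifier: 70
Partition Block Size/Offset: 0
Partition Block Count: 34
Partition Name: PGPT
Flash Filename: pgpt.img
"""
SAMPLE_BY_NAME = """\
lrwxrwxrwx root     root              1970-01-02 02:12 boot -> /dev/block/mmcblk0p20
lrwxrwxrwx root     root              1970-01-02 02:12 sbl1 -> /dev/block/mmcblk0p3
"""

if __name__ == "__main__":
    pit = parse_pit_dump(SAMPLE_PIT)
    print(cross_check(pit, parse_by_name(SAMPLE_BY_NAME)), find_overlaps(pit))
```

Run against the full dumps from the post, cross_check returns PGPT, PIT, MD5 and SGPT as the unlinked entries, which is the list the post gives by hand, and the bootloader stages come out contiguous (SBL1 ends at block 139520, exactly where SBL2 starts). A non-empty mismatched or overlaps result would mean the PIT on the device and the partition table the kernel parsed disagree, which is worth knowing before anything is written to a bootloader partition.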