• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

R&D - Potential Stock Bootloader Unlocking Functionality

Search This thread

eschelon

Retired Recognized Developer
Jun 20, 2009
1,388
8,954
54jF2ut.png


Team Synergy, namely TrevE and myself, have discovered a potential stock bootloader unlocking mechanism that may be useful in unlocking the bootloader in the Verizon Galaxy S3, as well as numerous other devices, including but not limited to, the Note 2 and the Galaxy Stellar. This is currently an R&D thread, and its purpose is to investigate the potential of the mod.

First and foremost, if this mod truly is successful in unlocking the bootloader on one or more devices, ALL credit MUST be directed to Team Synergy for the unlock, as it was first posted here by our team: http://forum.xda-developers.com/showpost.php?p=37446000&postcount=16666. Do not kang or try to pass off our work as your own.

Be advised that we have not fully tested this mechanism and have no idea what repercussions may result. As such, Team Synergy will not be liable for any consequences whatsoever.

But those who wish to give this a try on this device or others need to try the following:



Type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE

Then enable the hidden menu on the device when it pops up.

Then type in a shell:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL



This should throw up a popup like the image shown above. In theory, accepting this should run a hash check against your device keys, then continue to unlock the bootloader.

This code does not exist on all carriers, but it is definitely present in Verizon stock ROMs. Those who are brave enough to try, please post your results in the thread

TrevE has more details in the post below
 
Last edited:

TrevE

Retired Recognized Developer
Apr 27, 2007
2,031
3,659
androidsecuritytest.com
Few quick facts about what is known about this stock bootloader unlock mode-
  • APK that controls this is hiddenmenu.apk
  • uses libuck for something
  • SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
  • Key might hashed with deviceID and checked using Luhn (https://en.wikipedia.org/wiki/Luhn_algorithm)

Other hidden menu commands we stumbled upon unrelated to unlock that might be useful
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://GlobalHmenu -- Global Hidden Menu
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://STEALTHMODE -- The fk? Some LTE test mode
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PORTMAP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MEID -- MEID info
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TLAUNCHER - Tool Launcher Enable
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MSL_Checker
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PROGRAM -- Sysscope status
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TESTMODE
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TTY
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PUTIL
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://diag_msl
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setMTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTP
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTPADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDIS
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISADB
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRMNETDMMODEM
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TEST
 
Last edited:

LLStarks

Senior Member
Jun 1, 2012
1,534
580
Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.
 

nosympathy

Senior Member
Dec 19, 2010
2,769
1,257
Cincinnati
Do you think this is safe to do from within Synergy or any other TW rom paired with the VRALE6 bootloader? Or just stock roms.

I would imagine it should be no different regardless of the ROM running as long as the files required for this process are untouched if they are built into the ROM itself. If you are locked and looking to use this you would have to be running a stock kernel.

What could be the consequence of it not working correctly if one of the required files is broken? As in what exactly does this do? I assume it is just telling the boot loader to allow insecure kernels and nothing else? If that is the case your chance of anything going wrong should be very low?

Sent from my SCH-I535 using xda app-developers app
 

alquimista

Senior Member
Mar 20, 2008
218
118
Los Angeles
This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone. :eek:


Sent from my SCH-I535 using xda app-developers app
 

Attachments

  • uploadfromtaptalk1359702614408.jpg
    uploadfromtaptalk1359702614408.jpg
    58.3 KB · Views: 2,035

eschelon

Retired Recognized Developer
Jun 20, 2009
1,388
8,954
This is what I get when I follow the instructions in the op (see attached).

I haven't tried entering a key, cause I have the sock monkey's aboot.

It doesn't require root to run the commands.

Maybe I'll try it on my wife's pure stock s3? I dunno though, she may get a bit miffed if I bugger her phone. :eek:


Sent from my SCH-I535 using xda app-developers app

Awesome. We may be able to reverse engineer that...

Just for fun, try that sboot key:

oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo
 
Last edited:

LLStarks

Senior Member
Jun 1, 2012
1,534
580
I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

I think invisiblek still has the former.
 
Last edited:

atc3030

Senior Member
Feb 9, 2009
161
132
Will this affect in any way the way that we (kernel devs) need to compile or configure the kernel?

Sent from my SCH-I535 using Tapatalk 2
 

invisiblek

Recognized Developer
Feb 24, 2010
1,584
5,896
Minnesota
www.invisiblek.org
Will this affect in any way the way that we (kernel devs) need to compile or configure the kernel?

Sent from my SCH-I535 using Tapatalk 2

Nope

I'm finding nothing related to uck in VRALEC. (although I didn't look at HiddenMenu yet from this rom)

I've got many of the stock roms up on my goo.im if anyone wants to look through them:
http://goo.im/devs/invisiblek/i535

You can also get them here:
http://samsung-updates.com/device/?id=SCH-I535


EDIT: No SecureBootMenu in VRALEC's HiddenMenu...
=/

Odds are we won't find this lib in any of the roms, if it does happen to be in one, chances are it was left by mistake.
 
Last edited:

Div033

Senior Member
Aug 17, 2010
1,332
271
What advantage does this give us Verizon gs3 users who already have an unlocked bootloader?

Sent from my SCH-I535 using Tapatalk 2

For the most part, if you're already unlocked this doesn't mean much to you. It's in case Verizon re-locks the phone and commands Samsung to release a new bootloader with an OTA. If this happened, our current unlock method would no longer work and we'd be back at square one.

Verizon has already done this with the Note 2 but the clever Adam Outler and ralekdev (the people who were working on our unlock before we got the leaked bootloader) found another way around Verizon's BS to re-unlock the device.

What is going on here is preemptive dev work on unlocking the bootloader should Verizon strike again.

While this won't affect most of us who are already unlocked, I've seen several threads on the Note 2 forum of upset users who somehow ended up on the new OTA with no way to root.

I wonder though, is this hidden menu only in the d2vzw firmware? What about d2spr or d2att? Maybe Samsung is setting the ground work for a manufacturer unlock tool?

Sent from my SCH-I535 using Tapatalk 2
 

alquimista

Senior Member
Mar 20, 2008
218
118
Los Angeles
Interesting Warning

Just so its out there here is the most interesting bit from the "Secure Boot" Warning window:
Code:
4. You agree that your attempt to unauthorized kernel download from the default setting or without the authorization key will lead to blocking of the device, which may permanently disable the device. Samsung will not be responsible for [blah blah]. For downloading of custom kernel, you need to follow through a special installation process as set forth in the device manual.

QUESTIONS:
A. The whole thing reads like the writer wasn't quite fluent in English. So does that mean maybe this warning could appear in other SGS3 variants? Like the intl version?
B. "Blocking of the device", what does this mean? Did they mean bricking the device or will the device phone home and explode or something?
C. "Downloading" of custom kernel? Is this process supposed to download a kernel? From where?
D. "Device manual", What device manual? I have alot of different manuals but I don't remember any of them mentioning a custom kernel download process.
E. Since this intent comes from android.provider.Telephony, is it tied in with the RIL or the modem at all, maybe even the sim card?

I did a cursory search for libuck in /system/lib and didn't find an ".so" that even came close.

Oh, I'm running Vengeance V3 with LeanKernel (v1.8). I haven't tried entering any sboot keys and I probably won't anytime soon. I just don't have enough time to do this proper (flash back to stock, monitor logs via adb and or eclipse, etc etc). At least not right now.

Ta,
ALQI
 

BeansTown106

Inactive Recognized Developer
Dec 22, 2011
3,694
54,412
BeanTown USA
this is a nice find and very interesting for sure.. but with the device arleady unlocked and with imho no chance of them relocking it( if they could have they arleady would have, look at vzw note2) the only thing i see this doing is maybe helping future devices not needing exploits or leaked bootloaders. but then again the newer samsung devices have sboot's not aboot's and from what i know the security in those is definetly higher. take anything i just said with a grain of salt but i would like to see adam and/or ralekdevs opinions on this. i could be completely wrong but i dont think they would leave something this easy open.. if anyting this could have been what samsung originally wanted todo before vzw became nazi's and had them lock it up completely

---------- Post added 2nd February 2013 at 12:04 AM ---------- Previous post was 1st February 2013 at 11:53 PM ----------

Nope

I'm finding nothing related to uck in VRALEC. (although I didn't look at HiddenMenu yet from this rom)

I've got many of the stock roms up on my goo.im if anyone wants to look through them:
http://goo.im/devs/invisiblek/i535

You can also get them here:
http://samsung-updates.com/device/?id=SCH-I535


EDIT: No SecureBootMenu in VRALEC's HiddenMenu...
=/

Odds are we won't find this lib in any of the roms, if it does happen to be in one, chances are it was left by mistake.

this is why i think it was something that they were thinking about doing but verizon shot it down and just waned a plain old full lock
 
Last edited:
  • Like
Reactions: Droid2drummer

Top Liked Posts

  • There are no posts matching your filters.
  • 23
    54jF2ut.png


    Team Synergy, namely TrevE and myself, have discovered a potential stock bootloader unlocking mechanism that may be useful in unlocking the bootloader in the Verizon Galaxy S3, as well as numerous other devices, including but not limited to, the Note 2 and the Galaxy Stellar. This is currently an R&D thread, and its purpose is to investigate the potential of the mod.

    First and foremost, if this mod truly is successful in unlocking the bootloader on one or more devices, ALL credit MUST be directed to Team Synergy for the unlock, as it was first posted here by our team: http://forum.xda-developers.com/showpost.php?p=37446000&postcount=16666. Do not kang or try to pass off our work as your own.

    Be advised that we have not fully tested this mechanism and have no idea what repercussions may result. As such, Team Synergy will not be liable for any consequences whatsoever.

    But those who wish to give this a try on this device or others need to try the following:



    Type in a shell:

    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE

    Then enable the hidden menu on the device when it pops up.

    Then type in a shell:

    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL



    This should throw up a popup like the image shown above. In theory, accepting this should run a hash check against your device keys, then continue to unlock the bootloader.

    This code does not exist on all carriers, but it is definitely present in Verizon stock ROMs. Those who are brave enough to try, please post your results in the thread

    TrevE has more details in the post below
    14
    Few quick facts about what is known about this stock bootloader unlock mode-
    • APK that controls this is hiddenmenu.apk
    • uses libuck for something
    • SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
    • Key might hashed with deviceID and checked using Luhn (https://en.wikipedia.org/wiki/Luhn_algorithm)

    Other hidden menu commands we stumbled upon unrelated to unlock that might be useful
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://GlobalHmenu -- Global Hidden Menu
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://STEALTHMODE -- The fk? Some LTE test mode
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PORTMAP
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MEID -- MEID info
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TLAUNCHER - Tool Launcher Enable
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MSL_Checker
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PROGRAM -- Sysscope status
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TESTMODE
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TTY
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PUTIL
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://diag_msl
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setMTPADB
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTP
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTPADB
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDIS
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISADB
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISDMMODEM
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRMNETDMMODEM
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TEST
    3
    when the app fc's...

    Code:
    E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null

    (this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)
    2
    I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

    I think invisiblek still has the former.

    Perhaps. We've actually got several ideas on how to exploit this.
    1
    this is a nice find and very interesting for sure.. but with the device arleady unlocked and with imho no chance of them relocking it( if they could have they arleady would have, look at vzw note2) the only thing i see this doing is maybe helping future devices not needing exploits or leaked bootloaders. but then again the newer samsung devices have sboot's not aboot's and from what i know the security in those is definetly higher. take anything i just said with a grain of salt but i would like to see adam and/or ralekdevs opinions on this. i could be completely wrong but i dont think they would leave something this easy open.. if anyting this could have been what samsung originally wanted todo before vzw became nazi's and had them lock it up completely

    ---------- Post added 2nd February 2013 at 12:04 AM ---------- Previous post was 1st February 2013 at 11:53 PM ----------

    Nope

    I'm finding nothing related to uck in VRALEC. (although I didn't look at HiddenMenu yet from this rom)

    I've got many of the stock roms up on my goo.im if anyone wants to look through them:
    http://goo.im/devs/invisiblek/i535

    You can also get them here:
    http://samsung-updates.com/device/?id=SCH-I535


    EDIT: No SecureBootMenu in VRALEC's HiddenMenu...
    =/

    Odds are we won't find this lib in any of the roms, if it does happen to be in one, chances are it was left by mistake.

    this is why i think it was something that they were thinking about doing but verizon shot it down and just waned a plain old full lock