
R&D - Potential Stock Bootloader Unlocking Functionality

  • 23
    [attached image: 54jF2ut.png]


    Team Synergy, namely TrevE and myself, have discovered a potential stock bootloader unlocking mechanism that may be useful in unlocking the bootloader in the Verizon Galaxy S3, as well as numerous other devices, including but not limited to, the Note 2 and the Galaxy Stellar. This is currently an R&D thread, and its purpose is to investigate the potential of the mod.

    First and foremost, if this mod truly is successful in unlocking the bootloader on one or more devices, ALL credit MUST be directed to Team Synergy for the unlock, as it was first posted here by our team: http://forum.xda-developers.com/showpost.php?p=37446000&postcount=16666. Do not kang or try to pass off our work as your own.

    Be advised that we have not fully tested this mechanism and have no idea what repercussions may result. As such, Team Synergy will not be liable for any consequences whatsoever.

    But those who wish to give this a try on this device or others need to try the following:



    Type in a shell:

    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://HIDDENMENUENABLE

    Then enable the hidden menu on the device when it pops up.

    Then type in a shell:

    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://UNLOCKKERNEL



    This should throw up a popup like the image shown above. In theory, accepting this should run a hash check against your device keys, then continue to unlock the bootloader.

    This code does not exist on all carriers, but it is definitely present in Verizon stock ROMs. Those who are brave enough to try, please post your results in the thread.

    TrevE has more details in the post below.
    14
    A few quick facts about what is known about this stock bootloader unlock mode:
    • APK that controls this is hiddenmenu.apk
    • uses libuck for something
    • SBOOT_KEY = "oMEdqNRWh9CCSQb0JWI8FEbq//5jD61LPUAYB8V8ErpudvLLUXAFm+qPJZtPNeZo"
    • Key might be hashed with deviceID and checked using Luhn (https://en.wikipedia.org/wiki/Luhn_algorithm)

    Other hidden menu commands we stumbled upon, unrelated to unlock, that might be useful:
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://GlobalHmenu -- Global Hidden Menu
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://STEALTHMODE -- The fk? Some LTE test mode
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PORTMAP
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MEID -- MEID info
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TLAUNCHER -- Tool Launcher Enable
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://MSL_Checker
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PROGRAM -- Sysscope status
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TESTMODE
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TTY
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://PUTIL
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://diag_msl
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setMTPADB
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTP
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setPTPADB
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDIS
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISADB
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRNDISDMMODEM
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://setRMNETDMMODEM
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://IOTHIDDENMENU
    am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://TEST
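    Added example, not code from this thread or from Team Synergy: a small Python auditor that reads a decoded AndroidManifest.xml and lists which android_secret_code hosts a ROM app registers for the SECRET_CODE action, and whether the receiver is reachable from other packages (which is what makes the `am broadcast` trigger above work). The manifest below is constructed for illustration; the package name and receiver class names are made up, only the host names come from the posts above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SECRET_CODE_ACTION = "android.provider.Telephony.SECRET_CODE"

# Constructed sample, not the real hiddenmenu.apk manifest: one receiver left
# at the default (exported) and one explicitly marked internal.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.hiddenmenu">
  <application>
    <receiver android:name=".HiddenMenuReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="HIDDENMENUENABLE"/>
        <data android:scheme="android_secret_code" android:host="UNLOCKKERNEL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="TESTMODE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(name):
    # ElementTree stores namespaced attributes as "{namespace}localname".
    return "{%s}%s" % (ANDROID_NS, name)


def secret_code_receivers(manifest_xml):
    """Return [(receiver_name, exported, [hosts])] for each receiver whose
    intent-filter accepts SECRET_CODE with the android_secret_code scheme."""
    found = []
    for recv in ET.fromstring(manifest_xml).iter("receiver"):
        hosts = []
        for filt in recv.findall("intent-filter"):
            if SECRET_CODE_ACTION not in {x.get(attr("name")) for x in filt.findall("action")}:
                continue
            hosts += [d.get(attr("host")) for d in filt.findall("data")
                      if d.get(attr("scheme")) == "android_secret_code" and d.get(attr("host"))]
        if hosts:
            # Pre-Android 12 rule: a receiver with an intent-filter is exported
            # unless the manifest explicitly sets android:exported="false".
            exported = recv.get(attr("exported"), "true").lower() != "false"
            found.append((recv.get(attr("name")), exported, hosts))
    return found


def exposed_codes(manifest_xml):
    """Secret codes that any other package (or an adb shell `am broadcast`) can fire."""
    return [h for _, exported, hosts in secret_code_receivers(manifest_xml)
            if exported for h in hosts]
```

Run it against a manifest pulled from apktool output to see which hidden-menu entry points a given stock ROM leaves reachable; an unlock receiver showing up in `exposed_codes` is the finding worth reporting.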
    3
    When the app FCs...

    Code:
    E/AndroidRuntime( 3095): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load uck: findLibrary returned null

    (this was 100% pure stock VRBLK3, no root, nothing other than a fresh wipe/flash of the stock tar)
    2
    I wonder if the oft-neglected full VRALEC tar has it. Same goes for the suspiciously unleaked VRALE6 tar.

    I think invisiblek still has the former.

    Perhaps. We've actually got several ideas on how to exploit this.
    1
    This is a nice find and very interesting for sure.. but with the device already unlocked and with imho no chance of them relocking it (if they could have, they already would have, look at vzw note2) the only thing I see this doing is maybe helping future devices not needing exploits or leaked bootloaders. But then again the newer samsung devices have sboot's not aboot's and from what I know the security in those is definitely higher. Take anything I just said with a grain of salt but I would like to see adam and/or ralekdev's opinions on this. I could be completely wrong but I don't think they would leave something this easy open.. if anything this could have been what samsung originally wanted to do before vzw became Nazis and had them lock it up completely

    ---------- Post added 2nd February 2013 at 12:04 AM ---------- Previous post was 1st February 2013 at 11:53 PM ----------

    Nope

    I'm finding nothing related to uck in VRALEC. (although I didn't look at HiddenMenu yet from this rom)

    I've got many of the stock roms up on my goo.im if anyone wants to look through them:
    http://goo.im/devs/invisiblek/i535

    You can also get them here:
    http://samsung-updates.com/device/?id=SCH-I535


    EDIT: No SecureBootMenu in VRALEC's HiddenMenu...
    =/

    Odds are we won't find this lib in any of the roms; if it does happen to be in one, chances are it was left by mistake.

    This is why I think it was something that they were thinking about doing, but Verizon shot it down and just wanted a plain old full lock.