Thank you for offering to help.
Darn those U5 bootloaders.
Why won't the SamFail method work on the U5?
Does the combination / service Rom allow a modified system image?
If you can use a modified system image we could try something.
One of 2 things would have to happen.
We would need root, or use chroot or prot, to write the safestrap script to the e2fsck in /system/bin.
Any shell script you name e2fsck and copy to /system/bin will run as root without su upon early boot.
Of course it had better run the real e2fsck so it runs as normal, just like safestrap.
Otherwise, still provided you can run a modified system:
I could patch the recovery keys so we can flash a zip signed by our own keys.
Then you just pre-root the system image and flash it through recovery.
Normally to patch the recovery I would unpack the ramdisk and replace the /res/keys with my key but then recovery will fail signing.
However we can do the above and hexdump both recoveries, then get a diff of the files to locate the keystring, then open the recovery in a hex editor and edit the keystring in hex.
The only possible problem is that since the key is in the ramdisk and the ramdisk is compressed, hopefully the compression doesn't screw things up.
Yes the recovery is signed but the bytes we need to change are a Keystring always the same length. It is expected to be there. So hopefully it'll pass.
If the recovery is hashed byte for byte it could fail. For some reason I think it'll pass.
As far as your experience with the N950U goes:
I'm interested to know what your team tried to do with the edl bootloaders.
They seem much more stockish and less Samsung modified. So I wonder if the secure boot settings are more stockish and rely on Devinfo partition.
Thinking along the lines of putting together a combination ROM with that set of bootloaders. The GPT is quite different and would require some modification. But the GPT itself says much because the .pit partition table is not a part of it like in the other ROMs.
In the beginning of /dev/block/sda there is a hidden partition between the end of the GPT table and the beginning of XBL. If you look you will find the .pit in there.
So the normal and the combination ROMs use the first 8 disk sectors, whereas the EDL uses only the first 6.
What are the best boxes? (Octoplus) (zx3) some other? I plan to buy one or more. I have had tools in the past that come with access to firmware that's not publicly available. It's worth having the tools for that alone.
Here are my thoughts/questions on what I've read so far.
Has anyone successfully used EDL to flash that v2 bootloader? If so, do you know if the version field in the signed bootloader image header is being increased in order to revoke old images? If we had the GPT tables from the v5 bootloader could we potentially flash an older BL and therefore flash older security-patch versions? That would perhaps expose some exploits that may be helpful. Not entirely sure this is possible. Let me know if I'm missing something. EDL seems like it would be the best route to explore at this point, given you have those signed firehose files.
As far as the FOTA file, I cracked the one on the S8 myself before the password was made public using a tool I found on the web. We literally tried everything we could with those files and in the end, they ended up being more of a distraction than anything. I almost shat myself when I cracked the file though, I thought I had discovered something big =/ EDIT: after reading a bit further it looks like perhaps you were able to make use of those files by modifying the recovery partition to accept your generated keypair? Am I reading that correctly? If so, what happened when you tried it? Would anything modified boot? Might be an avenue worth exploring. Could also prove to be another big time-suck too. IIRC we were leaked a set of QC private keys and were unable to make use of those. I think we concluded that Sammy probably burned their own keys into the ROM. I saw that you were asking where to get the key that is burned into ROM to verify the boot.img; I remember being able to pull it using EDL. We compared the hash of the burned key (found through EDL) to the hash of the leaked QC keys and it was a mismatch, so those keys that were leaked were worthless. Also - Sammy nerfed fastboot and it is unusable. I think I remember seeing some stuff about it while researching the S8 saying that it is still included, just disabled. Not sure about that one, I'd have to poke around a bit. Even if it is there, no one has ever found a way to use it.
Elliwigy's idea about using non-volatile partitions might be worth exploring, apparently the bootloader is reading values from the misc. and other partitions. Engineer mode and crom/kiwibird are 2 other vectors he brought up that might be of use. He also mentioned T.flash or whatever it's called. That could possibly aid in filling up those empty partitions on the sdcard that you made. Just a thought.
I remember checking out the s8 aboot in IDA and I think there were some strings that were of interest.
Now, to try and answer some of your questions, like I said I'm a bit rusty lol.
I don't think newer BL revisions will allow you to flash modified partitions. I think this is why SamFail doesn't work anymore. I'm not positive, I don't know much about SamFail. I like the idea of doing a hexdump & diff of the recovery files; that would be a good learning experience even if nothing comes of it. As far as what I've done concerning EDL, most of what I did I was getting a Sahara error. Can't remember exactly but I think it was due to the xml being modified incorrectly. Seems like you know what you are doing in that area so maybe we can make something happen on the Note. As far as boxes go I really don't have any experience using one, just the good ole Arch Linux box =D I've heard the zx3 name being thrown around in some Chinese threads that were about similar chipsets, but like I said I have zero experience.
That being said, Sammy has gotten very good at securing these devices. No doubt about that, but I've always believed that no device is ever impenetrable. Where there is a will there's a way =)
You got any better way of communicating? Hangouts or I've got a discord server we could start a room on there I think it's got better logging than Hangouts. Either way let me know your thoughts and keep up the good work.