
[GUIDE] Unlocking the Galaxy S5 Bootloader using DEV Bootloader [KK-MM]

By GeTex, Senior Member on 16th March 2016, 02:06 PM
The S5 Bootloader Unlock is here! Huge thanks to @beaups for the research, source code and tool, @ryanbg for researching this method in the first place, @autonomousperson for compiling the source into an app for us all, @haggertk for his CID and aboot, @jrkruse for innovating methods, one-click apps and MM methods, @magic_man185 for recompiling the binary to disable SD requirements for MM, and everyone else for being patient with my inability to understand! Also thank you all for being a great, supportive community!



I have updated the OP, hoping this is less messy and neater to deal with.

DO NOT ASK ABOUT ROMS, KERNELS, OR OTHER THINGS. THIS IS ONLY FOR UNLOCKING THE BOOTLOADER. WE WILL LAUGH AT YOU IF YOU ASK ANYWAYS!!!


Warnings
READ THE ENTIRE OP AND THE POST BELOW BY @jrkruse BEFORE DOING ANYTHING AT ALL!!!!!!!!!!
THIS IS ONLY FOR THE VERIZON S5. DOES NOT WORK FOR AT&T!!!!!
This is for users with 15 Samsung eMMCs, not users with 11 Toshiba eMMCs. You can check this by reading the file
/sys/block/mmcblk0/device/cid
Just look at the first 2 characters: 15xxxxxxxxxxxxxxxxxxxxxx or 11xxxxxxxxxxxxxxxxxxxxxx (my number of x's is random, just read the first 2).
We are still unsure if changing the CID causes app store, verification, activation, provision, or other issues; everything you do is at your own risk! (Pretty sure it's safe)
REACTIVATION LOCK MUST BE TURNED OFF. YOU'VE BEEN WARNED



Starting notes

*REQUIRES ROOT*
If you don't have root, please go to @jrkruse's thread here
https://forum.xda-developers.com/ver...#post71202995/

For Method 4
First of all you must make sure you have authorized your computer in developer options and that USB debugging is on; you could also use adb wireless through adb tools if your device is configured for this!

You must also grant ADB root access on screen, please make sure of this!


Make sure you have a blank sd card, EVERYTHING on it WILL BE WIPED as a backup for the bootloader!

*If you have no root access OR SAFESTRAP you must proceed to the rooting thread, nothing below works without root*


Methods


Method 1: Primary Method (Easiest! thanks @jrkruse) For PB1, PD1, PF4, PG2, PJ2, PL1, QA1 (MARSHMALLOW)*REQUIRES SAFESTRAP
Download these files
Bootloader_Unlock_Safestrap.apk
VZW_BPB1_ODEX_DEODEX_V9.zip
G900V_Firmware_PB1.tar.md5
S5_KLTE_USA_VZW.pit
Download and install VZW_BPB1_ODEX_DEODEX_V9.zip
Reboot to Download Mode
In Odin Under AP slot load G900V_Firmware_PB1.tar.md5
Now in Odin under PIT load S5_KLTE_USA_VZW.pit. If you have a 32GB phone instead of a 16GB phone, skip this step
Click Start
After the phone reboots, pull the battery, reboot to download mode (pwr+voldwn+home) and make sure the current binary status is Official. If not, in Odin under AP load G900V_Firmware_PB1.tar.md5 and under PIT load S5_KLTE_USA_VZW.pit (if you have a 32GB phone instead of a 16GB phone, skip the PIT step)
Click Start
If the current binary is Official, reboot the phone and enter ROM setup. There is no need to set up any accounts unless you plan on running this ROM
Download and install Bootloader_Unlock_Safestrap.apk
Open the Safestrap app and install the Safestrap recovery to the system
Open the Safestrap app and click the Reboot To Recovery button
Flash one of the following (whichever one you choose is the firmware and bootloader version you will be on):
SafeStrap_PB1_Bootloader_Unlock_AIO.zip
SafeStrap_PD1_Bootloader_Unlock_AIO.zip
SafeStrap_PF4_Bootloader_Unlock_AIO.zip
SafeStrap_PG2_Bootloader_Unlock_AIO.zip
SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
SafeStrap_PL1_Bootloader_Unlock_AIO.zip
SafeStrap_QA1_Bootloader_Unlock_AIO.zip
Phone will Power Off.
Pull the battery, enter TWRP recovery (volup+pwr+home), wipe Data and System and flash a ROM that matches the firmware. For example, PB1 would be a 5.0 ROM; PD1 or PF4 would be a 6.0.1 ROM



Method 2: Unlocker via Safestrap (Easy! thanks @jrkruse) For OE1, OK3, PB1 (LOLLIPOP)
1. Flash this Samsung_Bootloader_Unlocker.zip in safestrap or flashfire
2. Reboot phone click on SamsungUnlocker app
3. Wait and make sure to grant SuperSU access. This may take a few seconds to come up
4. Type yes in the terminal screen when it asks you (Yes/No) and hit enter on the keyboard
5. wait for phone to power off
6. reboot to bootloader and verify it says MODE: Developer
7. Flash Twrp recovery using Odin
8. You're done!



Method 3: ADB For 4.4-5.0 (OLD, OUTDATED)
This Method is old and outdated, Do not use unless the new method isn't working!!!

1. Download https://github.com/beaups/SamsungCID...samsung_unlock
2. Download adb.7z
3. Extract adb to /adb
4. Extract samsung_unlock
5. Put samsung_unlock inside the adb folder
6. Launch adb tools
7. Select push file
8. Source is samsung_unlock
9. Destination is /data/local/tmp/
10. Select the option for Pull
11. Source is /sys/block/mmcblk0/device/cid
12. Destination is cid.txt
13. Select the option for adb shell
14. Continue after the warning
15. type the following
Code:
su
cd /data/local/tmp/
chown root.root samsung_unlock
chmod 777 samsung_unlock
./samsung_unlock
Device will shut down, manually reboot
16. once it reboots, in adb tools connect to the shell again
17. Enter the following commands
Code:
su
cd /data/local/tmp/
./samsung_unlock
18. once this is done, you can type exit twice to return to the menu of adb tools
19. Select reboot
20. Reboot to bootloader
21. Verify you now have a dev edition


Method 4: On Device For 4.4-5.0 (OLD, OUTDATED)
This Method is old and outdated, Do not use unless the new method isn't working!!!

1. On your device download https://github.com/beaups/SamsungCID...samsung_unlock
2. Move it to the root directory of your internal storage (if you can't figure out where that is, you shouldn't be doing this)
3. Using a root file explorer go to /sys/block/mmcblk0/device
4. Copy the file cid to your internal storage (this is a backup of your old CID; if it fails to copy, just open it as text and copy-paste the text)
5. open a terminal emulator app
6. type the following
Code:
su
cd /storage/emulated/0/
chown root.root samsung_unlock
chmod 777 samsung_unlock
./samsung_unlock
7. Device will power off, forcefully power on
8. Enter the terminal again and enter the following commands
Code:
su
cd /storage/emulated/0/
./samsung_unlock
9. Once completed, reboot to bootloader using your favorite way
10. Verify you are a Developer Edition phone now


Photo of what your bootloader should say (attachment IMG_20160408_085419.jpg, ID 3712293; image not reproduced)

Working TWRP and International Rom Patch


TWRP 3.0.0 Flashable recovery zip. Can be flashed in safestrap or flashfire if you have not installed it yet
TWRP_3.0.0-0-klte-klte.zip

International Rom Patch For Data And MMS. Flash right after you flash the rom.
VZW_5.0_International_Rom_Patch_No_Boot.zip
VZW_5.0_International_Rom_Patch_VZW_BOOT.zip


Directions To Update Or Downgrade Bootloaders

If you have already Unlocked your bootloader and are running TouchWiz Rom(Stock kernel)


Download these files
PB1_Firmware_Only_NK2_Kernel.tar.md5
TWRP_Prepare.zip
SafeStrap_PB1_Bootloader_Unlock_AIO.zip
SafeStrap_PD1_Bootloader_Unlock_AIO.zip
SafeStrap_PF4_Bootloader_Unlock_AIO.zip
SafeStrap_PG2_Bootloader_Unlock_AIO.zip
SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
SafeStrap_PL1_Bootloader_Unlock_AIO.zip
SafeStrap_QA1_Bootloader_Unlock_AIO.zip
S5_KLTE_USA_VZW.pit

In TWRP Flash TWRP_Prepare.zip
Reboot to Download Mode
In Odin Under AP slot load PB1_Firmware_Only_NK2_Kernel.tar.md5
Now in Odin under PIT load S5_KLTE_USA_VZW.pit. If you have a 32GB phone instead of a 16GB phone, skip this step
Click Start
When finished, on reboot watch for the Safestrap splash screen and enter Safestrap
Now go to the Power Menu/Reboot Menu and reboot to Download Mode
Make sure in download mode that the current binary is Official. If it is not, reflash: in Odin under AP load PB1_Firmware_Only_NK2_Kernel.tar.md5
Now in Odin under PIT load S5_KLTE_USA_VZW.pit
Click Start. On reboot enter Safestrap, reboot back to download mode and make sure the binary status is Official
If the binary status is Official, pull the battery, restart and enter SafeStrap
Flash one of the following (whichever one you choose is the firmware and bootloader version you will be on):
SafeStrap_PB1_Bootloader_Unlock_AIO.zip
SafeStrap_PD1_Bootloader_Unlock_AIO.zip
SafeStrap_PF4_Bootloader_Unlock_AIO.zip
SafeStrap_PG2_Bootloader_Unlock_AIO.zip
SafeStrap_PJ2_Bootloader_Unlock_AIO.zip
SafeStrap_PL1_Bootloader_Unlock_AIO.zip
SafeStrap_QA1_Bootloader_Unlock_AIO.zip
Phone will Power Off.
Pull the battery, enter TWRP recovery, wipe Data and System and flash a ROM that matches the firmware. For example, PB1 would be a 5.0 ROM; PD1 or PF4 would be a 6.0.1 ROM



[FIX] MM Users. Wifi not working? Hardkeys not working???

Attachment 3772847

Unzip recover.zip and place it on internal storage. Flash in TWRP: choose Install Image, then choose recovery.img and flash it to recovery
Power off the device
Reboot to bootloader and reflash PD1_Firmware_Modem_HLOS_No_Aboot.tar.md5 in Odin with auto reboot unchecked. When done, pull the battery, reboot back to recovery, wipe data, cache and system and reinstall the ROM.





Notes:

If You Bricked Your Device somehow someway
1. Download the following image https://www.androidfilehost.com/?fid=24562946973631519
2. Download https://sourceforge.net/projects/win32diskimager/
3. Attach a micro SD card (min 16GB class 10, others may work but unsure) to your PC via a reader
4. Backup all data on the micro SD card, EVERYTHING WILL BE ERASED
5. Extract the image from the zip
6. Select the write option, select the img file, select the SD card
7. Now write
8. Pop the SD card into the phone and try to power it up
9. When you do, open download mode
10. Go to Odin and flash a FULL STOCK TAR
11. Start from scratch

To reuse the card it will need to be formatted using fdisk, diskpart, or android


If you have issues flashing modems, firmware, or anything


Quote:
Originally Posted by jrkruse

Ok here is the solution
The stock boot.img and stock recovery.img that match your firmware must be flashed before any firmware can be updated on your phone. What I mean by firmware is the things other than images that are flashed in Odin, like the modem.bin. If you're just wanting to flash a custom boot or recovery image then you can just flash them and don't need to do any of this.
So after the stock boot and recovery images are flashed the phone needs to return to a power-off state. Then reboot to stock recovery and wipe the cache. Then reboot the phone and go to bootloader mode from there.
After doing this the phone will allow firmware to be flashed through Odin.

Instructions
Flash the Kernel_Recovery Only package, either the Odin package or the zip package in custom recovery
If using Odin, uncheck auto reboot, then flash the Kernel_Recovery package, pull the battery, reboot to recovery (Pwr+Hme+VolUp), wipe cache, reboot the phone, then reboot back to bootloader and flash whatever you're wanting to upgrade.
Reboot the phone and make sure your changes applied, then you can flash your custom recovery again
If flashing in recovery, flash the zip, then reboot to recovery (which will now be stock recovery), wipe cache and then power off. Do not reboot; the phone must go to a power-off state
Reboot the phone, then reboot to bootloader and use Odin to update whatever you're needing to do
Reboot the phone and make sure your changes took. Then reboot back to Odin and flash custom recovery, or use FlashFire or Safestrap to flash the custom recovery zip.
If for some reason the bootloader becomes locked again, simply do the unlock procedure again

https://www.androidfilehost.com/?w=files&flid=53300

To make the SD card usable again, format using android!
Or keep it as a backup

IF YOU FLASH STOCK BACK TO THE PHONE, IT WILL RELOCK THE BOOTLOADER, requiring you to run the script ONCE and it will be unlocked again

Source Located @ https://github.com/beaups/SamsungCID


Quote:
Originally Posted by beaups

It's done

If any bounties applicable, please donate to "make a wish foundation" or @ryanbg (he's getting married)

--beaups





eMMC 11 is non-exploitable

http://forum.xda-developers.com/veri...nlock-t3349346
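The guide above tells you to read /sys/block/mmcblk0/device/cid and look at the first two characters to tell a Samsung (15) part from a Toshiba (11) part. The sysfs file is the raw 128-bit eMMC CID register printed as 32 hex digits, most significant byte first, so those two characters are the JEDEC manufacturer ID byte. The script below is an added example written for this page, not code from the thread or from the SamsungCID project: it splits the register into its JEDEC fields (MID, CBX, OID, PNM, PRV, PSN, MDT, CRC7) and reports which of the two vendors the thread cares about it belongs to. The sample CID is constructed, not read from a real phone, and the year decoding omits the EXT_CSD-based adjustment that the Linux kernel applies to newer parts.

```python
"""Parse the eMMC CID register exposed at /sys/block/mmcblk0/device/cid.

Added example for this thread (not from the thread or the SamsungCID project).
Field offsets follow the JEDEC eMMC CID layout; bit 127 is the top bit of the
manufacturer ID, which is why the guide says to read the first two hex digits.
"""
import re

CID_PATH = "/sys/block/mmcblk0/device/cid"

# Only the two manufacturer IDs the thread distinguishes; anything else is "unknown".
MANUFACTURERS = {0x15: "samsung", 0x11: "toshiba"}

# Constructed sample, not a real device's CID: Samsung MID, BGA part, product name
# "BJTD4R", revision 0.1, serial 0xdeadbeef, raw MDT = March / 1997+7.
SAMPLE_CID = "150100424a5444345201deadbeef37bd"


def parse_cid(hex_cid: str) -> dict:
    """Split a 32-hex-digit CID into its JEDEC fields."""
    text = hex_cid.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", text):
        raise ValueError(f"CID must be 32 hex digits, got {hex_cid!r}")
    cid = int(text, 16)
    pnm_raw = ((cid >> 56) & ((1 << 48) - 1)).to_bytes(6, "big")
    prv = (cid >> 48) & 0xFF
    return {
        "manfid": (cid >> 120) & 0xFF,      # [127:120] manufacturer ID (the "15" / "11")
        "cbx": (cid >> 112) & 0x3,          # [113:112] device type, 1 = BGA (embedded)
        "oemid": (cid >> 104) & 0xFF,       # [111:104] OEM / application ID
        "pnm": pnm_raw.decode("ascii", "replace").rstrip("\x00"),  # [103:56] product name
        "prv": f"{prv >> 4}.{prv & 0xF}",   # [55:48] product revision, n.m
        "psn": (cid >> 16) & 0xFFFFFFFF,    # [47:16] product serial number
        "month": (cid >> 12) & 0xF,         # [15:12] manufacturing month
        # [11:8] year offset from 1997. The kernel adds 16 for eMMC 4.41+ parts when
        # this lands before 2010; that needs EXT_CSD, so it is left out here.
        "year": 1997 + ((cid >> 8) & 0xF),
        "crc7": (cid >> 1) & 0x7F,          # [7:1] CRC7 over the fields above (not checked here)
    }


def classify_emmc(hex_cid: str) -> str:
    """Return 'samsung', 'toshiba' or 'unknown' from the manufacturer ID byte."""
    return MANUFACTURERS.get(parse_cid(hex_cid)["manfid"], "unknown")


def read_cid(path: str = CID_PATH) -> str:
    """Read the CID register from sysfs; only works when run on the device."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    try:
        cid_text = read_cid()
    except OSError:
        # Not running on a phone: fall back to the constructed sample.
        print("sysfs CID not available, using constructed sample")
        cid_text = SAMPLE_CID
    for name, value in parse_cid(cid_text).items():
        shown = f"{value:#x}" if isinstance(value, int) else value
        print(f"{name:>7}: {shown}")
    print("eMMC vendor:", classify_emmc(cid_text))
```

Run it on the phone (via adb shell or a terminal app) and it reads the real register; anywhere else it falls back to the constructed sample so the field decoding can be checked offline. The CRC7 is returned but not recomputed, so the parser only validates shape, not integrity.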
16th March 2016, 04:01 PM |#2
jrkruse, Recognized Contributor
I'm going to try and clear some things up, so here are some answers to some common questions.
1. TWRP is a replacement for the stock recovery. It can do everything the stock recovery can do, plus it can flash zips, recoveries and boot images. It can also back up and restore system and data. It can also be entered from about any state of the phone, except it being bricked of course. There is no need to use Safestrap or FlashFire anymore. I recommend that you remove Safestrap from the ROM you are using as it will cause trouble; by removing I mean uninstall the Safestrap recovery from the system, don't simply delete the apk. FlashFire can be left if you want as it won't affect anything.

2. You can flash TW ROMs as well as CM and AOSP based ROMs. The ROMs don't have to state they are for DEV edition. You will want to avoid muniz_ri upgrade ROMs as they flash bootloaders. In most cases if trying to flash a ROM with bootloaders they will not flash, but as a safety precaution avoid ROMs that say they flash bootloaders with the ROM. Other variants' ROMs can be flashed on the Verizon S5, also known as the SM-G900V. The other variants will have different letters at the end, like SM-G900F which is an international variant or SM-G900T which is the T-Mobile variant; SM-G900A AT&T variant, SM-G900M Canadian variant, SM-G900P Sprint variant. There are many others; there are some you can't flash like the SM-G900H as this variant has a different chipset. There are a few Chinese and Korean ones as well but you don't come across them much and they usually have some weird numbers. Now most of the other variants' ROMs will need a patch to get data and MMS working; I have a patch that will work on most. Many of these ROMs come with their own custom TW kernels or their stock TW kernel. You can either use their kernel or you can use the Verizon TW kernel on their ROMs. Most CM and AOSP ROMs will come with a kernel. Now CM and AOSP ROMs need to have Google apps flashed in addition to the ROM. These are commonly referred to as GApps.

3. You can flash a custom kernel, also known as a boot.img. AOSP, CM and TouchWiz all have different kernels and the proper kernel must be flashed for the type of ROM. You can use other variants' kernels on the Verizon S5. Most work fine but some do not. There are a lot more custom kernels for CM and AOSP than TouchWiz. Just remember TouchWiz ROMs need TouchWiz kernels, whether it be a stock TW kernel or a modded TW kernel. And most AOSP and CM kernels are interchangeable, but you cannot use a TW kernel on those two.

4. With TWRP you can use and install ROMs that have Aroma installers. These installers give you choices throughout the install of what you want.

5. There are a couple of Marshmallow TouchWiz ROMs available for the international S5, the SM-G900F. As of now these ROMs cannot be used on our phones because they require a Marshmallow bootloader and modem. You cannot use other variants' firmware on the Verizon S5. By firmware I mean bootloaders, modems etc. There are also 5.1.1 ROMs available from AT&T and T-Mobile. It is possible to flash these ROMs as they will still run on the 5.0 Lollipop bootloader. You may have to use their stock 5.1.1 kernel or a modded TW 5.1.1 kernel to get them to work.

6. ROMs 5.1.1 and higher require a different root method. Stock kernels have checks in them to prevent root, so the kernel has to be modded to allow root. The newer SuperSU zips have a check for this and if they detect the kernel has not been modded then they will install what's called systemless root and a modded kernel ramdisk. I just wanted to make people aware that certain apps don't work with systemless root. If the kernel is properly modded then the old root method can be flashed.

7. If you flash a ROM that is not rooted it is no big deal, since you have a custom recovery: simply reboot to recovery and flash a SuperSU root zip, or install a different ROM.

8. I recommend everyone be on Lollipop bootloaders and firmware. There is no need to stay on KitKat firmware since you can now unlock the bootloader. KitKat ROMs will run on Lollipop bootloaders but Lollipop ROMs will not run on KitKat bootloaders.

9. Just because your bootloader is unlocked does not mean you cannot run a fully stock unrooted ROM if you want to. A fully stock ROM will run just fine with an unlocked bootloader and custom recovery installed.

10. When running custom kernels and recoveries it is normal during boot to have a message at the top of your phone telling you that you're basically running a custom recovery or boot.img.


Here Is The Procedure If You Want To Go From Kitkat Bootloader To PB1 Bootloader
Download my stock PB1 ROM located HERE; no need to worry about the options.prop
Download the BPB1_Firmware_No_Bootloaders.zip also found on that page
Do a full wipe, then flash the ROM, then flash the firmware zip. Then power off the device. If the phone reboots to stock recovery, wipe cache and pull the battery
Reboot to download mode, uncheck auto reboot and flash G900V_Firmware_PB1.tar.md5 using Odin
Reboot to stock recovery and wipe cache (if you already wiped cache earlier then you can skip this)
Reboot the ROM, go through setup and the unlock bootloader process again
Flash custom recovery and you're back in business


Here is the Procedure For Updating Firmware If Already On Lollipop
The stock boot.img and stock recovery.img that match your firmware must be flashed before any firmware can be updated on your phone. What I mean by firmware is the things other than images that are flashed in Odin, like the modem.bin. If you're just wanting to flash a custom boot or recovery image then you can just flash them and don't need to do any of this.
So after the stock boot and recovery images are flashed the phone needs to return to a power-off state. Then reboot to stock recovery and wipe the cache. Then reboot the phone and go to bootloader mode from there.
After doing this the phone will allow firmware to be flashed through Odin.

Instructions
Flash the Kernel_Recovery Only package, either the Odin package or the zip package in custom recovery
If using Odin, uncheck auto reboot, then flash the Kernel_Recovery package, pull the battery, reboot to recovery (Pwr+Hme+VolUp), wipe cache, reboot the phone, then reboot back to bootloader and flash whatever you're wanting to upgrade.
Reboot the phone and make sure your changes applied, then you can flash your custom recovery again
If flashing in recovery, flash the zip, then reboot to recovery (which will now be stock recovery), wipe cache and then power off. Do not reboot; the phone must go to a power-off state
Reboot the phone, then reboot to bootloader and use Odin to update whatever you're needing to do
Reboot the phone and make sure your changes took. Then reboot back to Odin and flash custom recovery, or use FlashFire or Safestrap to flash the custom recovery zip.
If for some reason the bootloader becomes locked again, simply do the unlock procedure again


Here is a folder containing some useful Odin and flashable firmware zips

5.0_Tw_International Rom Patch
16th March 2016, 05:37 PM |#3
Hariiiii, Member
Quote:
Originally Posted by jrkruse

It doesn't work; dev bootloaders are specific to the phone, they don't work on other phones, even other dev phones

I read in another forum somewhere about someone editing a hex value in a kernel to allow it to be loaded by odin (I think by changing some kind of version or product number). I expect if a VZW dev edition bootloader is specific to the phone, it incorporates some kind of IMEI or ESN check. Maybe it's possible to change that in the bootloader? Or perhaps it would work by spoofing the IMEI of the phone?
16th March 2016, 06:32 PM |#4
Senior Member
I think it's some kind of shared key encryption and that won't work
16th March 2016, 09:07 PM |#5
GeTex, OP, Senior Member
Going to take a peek then, I need a bootloader dump please? Anyone got a Dev Edition GS5?

Knowing verizon it's got a boot signature key probably with Secureboot. Damn

If that's the case, another dead end?
21st March 2016, 04:57 PM |#6
Bobcus Leper, Senior Member
Quote:
Originally Posted by GeTex

Going to take a peek then, I need a bootloader dump please? Anyone got a Dev Edition GS5?

Knowing verizon it's got a boot signature key probably with Secureboot. Damn

If that's the case, another dead end?

Would this help?

https://docs.google.com/file/d/0B8a4...ZTUmMyeTg/edit

Sent from my Motorola XT912 using XDA Labs
23rd March 2016, 01:03 AM |#7
Hariiiii, Member
Quote:
Originally Posted by Bobcus Leper

Would this help?

https://docs.google.com/file/d/0B8a4...ZTUmMyeTg/edit

Sent from my Motorola XT912 using XDA Labs

Unfortunately, no. That only includes the kernel and ROM itself. What we need is an img of a vzw dev edition aboot.mbn. This can be acquired using the dd command.

I was looking at some of the many long threads regarding attempts at unlocking the galaxy s4 as well as beaups' galaxy s5 developer edition hack, and I've come to think that what beaups did is to edit some unprotected small flag or string somewhere which is accessed by a developer ed. bootloader to check whether the phone matches the bootloader. He ran his program FIRST, then flashed what I suspect to be a signed dev edition bootloader which booted. If we can pick through the dev edition aboot.mbn with IDA pro and see where in memory the bootloader is checking to verify the phone, maybe we can copy his exploit.

If beaups had some kind of other exploit (to bypass security or other checks), there would be no reason for him to flash a new aboot.mbn, or even if so, he would have to edit some kind of string anyways to get the dev edition bl to work.

Does anyone have any thoughts or feedback (or dev edition bootloaders)?
23rd March 2016, 01:48 AM |#8
GeTex, OP, Senior Member
I figure I can make this work but I need a bootloader dump.
23rd March 2016, 03:48 AM |#9
Member
There's a guy who just posted about selling his dev edition, maybe he'd supply you with the dump??
23rd March 2016, 03:52 AM |#10
Surge1223, Recognized Contributor
Quote:
Originally Posted by Hariiiii

Unfortunately, no. That only includes the kernel and ROM itself. What we need is an img of a vzw dev edition aboot.mbn. This can be acquired using the dd command.

I was looking at some of the many long threads regarding attempts at unlocking the galaxy s4 as well as beaups' galaxy s5 developer edition hack, and I've come to think that what beaups did is to edit some unprotected small flag or string somewhere which is accessed by a developer ed. bootloader to check whether the phone matches the bootloader. He ran his program FIRST, then flashed what I suspect to be a signed dev edition bootloader which booted. If we can pick through the dev edition aboot.mbn with IDA pro and see where in memory the bootloader is checking to verify the phone, maybe we can copy his exploit.

If beaups had some kind of other exploit (to bypass security or other checks), there would be no reason for him to flash a new aboot.mbn, or even if so, he would have to edit some kind of string anyways to get the dev edition bl to work.

does anyone have any thoughts or feedback (or dev edition bootloaders)?

When the mmc card is initialized in aboot, it loads/populates ddi_data and ddi_priv data. These contain info about the product generated from the Cid. It checks a value in qfprom and if a certain value makes it so sw_id or sw_revision isn't checked and/or is ignored. This also happens to correspond with a value of cc_type and determines if the device is a developer edition or not. I'm guessing @beaups has an exploit that writes over the mmc card Cid so the value returns from qfprom in such a way as to register as a developer edition device and this also allows the flashing of a dev edition boot chain. I'm guessing he had to flash the dev edition boot chain because the Cid hack probably wasn't going to remain permanently to whatever he wrote to it.

Maybe he'll chime in and tell me if I'm thinking on the right path/track. I'm not sure, I didn't study the function for very long, it was just something I noticed when I was going through the note 4 aboot.
23rd March 2016, 03:58 AM |#11
beaups, Senior Recognized Developer
Quote:
Originally Posted by Surge1223

When the mmc card is initialized in aboot, it loads/populates ddi_data and ddi_priv data. These contain info about the product generated from the Cid. It checks a value in qfprom and if a certain value makes it so sw_id or sw_revision isn't checked and/or is ignored. This also happens to correspond with a value of cc_type and determines if the device is a developer edition or not. I'm guessing @beaups has an exploit that writes over the mmc card Cid so the value returns from qfprom in such a way as to register as a developer edition device and this also allows the flashing of a dev edition boot chain. I'm guessing he had to flash the dev edition boot chain because the Cid hack probably wasn't going to remain permanently to whatever he wrote to it.

Maybe he'll chime in and tell me if I'm thinking on the right path/track. I'm not sure, I didn't study the function for very long, it was just something I noticed when I was going through the note 4 aboot.

I'll reply for a change. I didn't do any research on aboot or the lock mechanism, @ryanbg did. There may be other "features", but his research indicated the eMMC cid was hashed, signed, and stored in the dev edition aboot for the device it was targeted for. So in order to flash (and more importantly boot) someone's "borrowed" dev-edition aboot, you need a cid that matches the signed hash. So, yes, I just changed the CID to match that. Then the flash is easy.

--beaups
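beaups's reply describes the mechanism the whole thread turns on: the dev-edition aboot carries a signed hash of one device's eMMC CID, and the boot chain will only run it on a device whose CID hashes to that value. The model below is an added illustration written for this page, not code from the thread, from Samsung or from the SamsungCID project. It shows the two checks such a boot chain performs (image signature, then device binding), why the binding is only as strong as the identifier it binds to, and how the same check behaves when the image is bound to a one-time-programmable value instead. HMAC-SHA256 stands in for the OEM's asymmetric signature so the example stays stdlib-only, OEM_KEY and the fuse_id values are constructed, and the CIDs are the same constructed sample values as above, not real device registers.

```python
"""Toy model of a device-bound (dev-edition) bootloader image check.

Added illustration for this thread, not code from the thread or from any OEM.
HMAC stands in for the OEM signature; 'fuse_id' is a constructed stand-in for
a one-time-programmable identifier that software on the device cannot rewrite.
"""
import hashlib
import hmac
from dataclasses import dataclass

OEM_KEY = b"constructed-oem-signing-key"  # stand-in for the OEM's signing key


@dataclass(frozen=True)
class Device:
    cid: bytes      # eMMC CID register; the thread's finding is that some parts let it be rewritten
    fuse_id: bytes  # constructed OTP identifier, assumed immutable


@dataclass(frozen=True)
class DevAboot:
    payload: bytes
    bound_hash: bytes  # SHA-256 of the identifier this image was issued for
    sig: bytes         # OEM signature over payload || bound_hash


def issue_dev_aboot(identifier: bytes, payload: bytes = b"dev-edition aboot (constructed)") -> DevAboot:
    """OEM side: bind one image to one device identifier and sign the pair."""
    bound = hashlib.sha256(identifier).digest()
    sig = hmac.new(OEM_KEY, payload + bound, hashlib.sha256).digest()
    return DevAboot(payload, bound, sig)


def verify_boot(image: DevAboot, device: Device, bind_to: str = "cid") -> str:
    """Boot-chain side: authenticate the image, then check it was issued for this device."""
    expected = hmac.new(OEM_KEY, image.payload + image.bound_hash, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image.sig):
        return "REJECT: bad signature"       # edited or foreign image
    ident = device.cid if bind_to == "cid" else device.fuse_id
    if not hmac.compare_digest(hashlib.sha256(ident).digest(), image.bound_hash):
        return "REJECT: not issued for this device"
    return "BOOT"


def demo() -> dict:
    """Run the check through the cases the thread discusses (all identifiers constructed)."""
    dev_phone = Device(cid=bytes.fromhex("150100424a5444345201deadbeef37bd"), fuse_id=b"otp-A")
    retail = Device(cid=bytes.fromhex("150100424a5444345201cafef00d37bd"), fuse_id=b"otp-B")
    image = issue_dev_aboot(dev_phone.cid)
    results = {
        "dev phone, own image": verify_boot(image, dev_phone),
        "retail phone, borrowed image": verify_boot(image, retail),
    }
    # Retail phone whose CID register now holds the dev phone's value: both checks pass.
    # The binding proves only that the device presents the expected CID, which is
    # exactly the value beaups says he changed, so a mutable CID gives no device binding.
    retail_cid_copied = Device(cid=dev_phone.cid, fuse_id=retail.fuse_id)
    results["retail phone, CID copied, CID-bound"] = verify_boot(image, retail_cid_copied)
    # Same device state, but the OEM bound the image to the OTP identifier instead.
    fuse_image = issue_dev_aboot(dev_phone.fuse_id)
    results["retail phone, CID copied, OTP-bound"] = verify_boot(fuse_image, retail_cid_copied, "fuse")
    # Rewriting the embedded hash without the OEM key trips the signature check first.
    edited = DevAboot(image.payload, hashlib.sha256(retail.cid).digest(), image.sig)
    results["retail phone, hash edited in image"] = verify_boot(edited, retail)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:40} -> {outcome}")
```

The signature check is what makes Hariiiii's idea of editing a string in the borrowed aboot fail, and the binding check is what makes the CID the deciding input. The design lesson for anyone building a boot chain is in the last two cases: the same verifier is sound when the identifier it compares against comes from something the device cannot rewrite, and hollow when it comes from a register the device can.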