http://security.samsungmobile.com/smrupdate.html
On the Samsung security blog, one of the listed patches for the March update mentions a buffer overflow vulnerability in the bootloader. This is documented proof of a vulnerability that could potentially be used to unlock the bootloader for CID11 S5s. Now, it is possible for people to just dig around in the bootloader (if anyone with the expertise is interested), or, alternatively, it is possible that the person responsible for reporting the bug might release the information. The Samsung blog lists his name as Frédéric Basse, and his blog is here: http://www.fredericb.info/ Historically, he tends to publicly release information after the vulnerability has been patched.
EDIT:
Based on the timing of some commits to the Heimdall source code, it seems very likely that the exploit involves T-Flash mode (also available in ODIN), which permits flashing firmware to an SD card instead of the internal storage. This is corroborated by the fact that the Samsung blog mentions the removal of source code that leads to the exploit. I highly suspect the next released bootloader update will not have T-Flash included. It seems likely that the bootloader does a poor job of checking the size of data (or allocates memory poorly?) before it is loaded into a memory buffer before being written to the SD card. See the link below to the commits made by Frédéric Basse.
https://github.com/Benjamin-Dobell/Heimdall/pull/389
SVE-2016-7930: Multiple Buffer Overflow in Qualcomm Bootloader
Severity: Critical
Affected versions: Galaxy S5 with Qualcomm AP chipset
Reported on: December 20, 2016
Disclosure status: Privately disclosed.
A buffer overflow vulnerability exists in the Qualcomm bootloader.
The patch prevents buffer overflow by removing the problematic source code.
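As an added illustration of the failure mode the post speculates about (this is not the poster's code, the Samsung bootloader's code, or anything from the Heimdall project), here is a hypothetical download-mode chunk receiver in C showing the length checks a fixed staging buffer needs before received data is copied into it and written out to the SD card. The frame layout, constants and function names are assumptions made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example (not the real
 * Odin/Heimdall protocol): 4-byte little-endian payload length, then payload. */
#define CHUNK_BUF_SIZE 4096u
enum recv_status { RECV_OK = 0, RECV_TRUNCATED, RECV_TOO_LARGE, RECV_EXCEEDS_TARGET };
struct chunk_buf { uint8_t data[CHUNK_BUF_SIZE]; size_t len; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stage one frame into the fixed buffer. Every rejection below is a check that
 * a receiver trusting the sender-supplied length would be missing. */
enum recv_status recv_chunk(const uint8_t *frame, size_t frame_len,
                            uint64_t target_remaining, struct chunk_buf *out) {
    if (frame_len < 4) return RECV_TRUNCATED;            /* header incomplete */
    uint32_t declared = rd_le32(frame);
    /* The declared length comes from the host: bound it by the buffer first. */
    if (declared > CHUNK_BUF_SIZE) return RECV_TOO_LARGE;
    /* It must also match what actually arrived on the wire. */
    if (frame_len - 4 < declared) return RECV_TRUNCATED;
    /* And it must fit in the space left on the SD card partition being written. */
    if (declared > target_remaining) return RECV_EXCEEDS_TARGET;
    memcpy(out->data, frame + 4, declared);
    out->len = declared;
    return RECV_OK;
}

/* Build a constructed frame; 'declared' may deliberately disagree with
 * 'payload_len' to model a malformed sender. Returns the frame size. */
size_t make_frame(uint8_t *buf, size_t cap, uint32_t declared, size_t payload_len) {
    if (cap < 4 + payload_len) return 0;
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(declared >> (8 * i));
    memset(buf + 4, 0xAB, payload_len);
    return 4 + payload_len;
}

int main(void) {
    static uint8_t frame[CHUNK_BUF_SIZE + 64];
    static struct chunk_buf cb;
    size_t n = make_frame(frame, sizeof frame, 0xFFFFFFFFu, 16);
    printf("oversized declared length -> status %d\n", recv_chunk(frame, n, 1024, &cb));
    return 0;
}
```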