[Q] Custom kernels can be installed ... what about custom bootloaders? - Xoom Q&A, Help & Troubleshooting

While most people are ecstatic that custom kernels can be flashed I prefer to have absolutely no digital signature requirements whatsoever at the hardware level. Does the Xoom allow for custom bootloaders?

Master Melab said:
While most people are ecstatic that custom kernels can be flashed I prefer to have absolutely no digital signature requirements whatsoever at the hardware level. Does the Xoom allow for custom bootloaders?
You've never been able to fastboot flash the bootloader partition anyway, if you could, it could be a convenient way to hose the entire device.
If you want to replace a bootloader, you have to look at what the device firmware offers you, like nvflash mode on Tegra devices. I don't know how one would get into that mode. Pre 3.1, some Wi-Fi Xooms had this option, I don't know if anyone ever got it working or not.

I'm pretty sure you can.

I'm not sure what the benefit of this would be...other than a good way for noobs to brick
Sent from my SPH-D700 using XDA Premium App

Master Melab said:
I'm pretty sure you can.
Not through fastboot.
http://android.git.kernel.org/?p=pl...0174a98c71e302c030856e3de1d8c1b48;hb=HEAD#l81
This obviously doesn't exclude other means, though.
And anyway, where are you going to get the source to build a proper bootloader? Are you going to write one from scratch?

What would be the point of new bootloaders? This seems to me to entail an enormous amount of risk for little if any gain.
Sent from my GT-I9000 using XDA Premium App

Well, I assume that the bootloader will only be able to initialize kernels with a specific structure, that structure being of Linux or Linux-like kernels. In order to boot Linux on the iPhone they had to write a new bootloader instead of modifying the Apple one.
Sent from my DROID2 GLOBAL using XDA App

Master Melab said:
Well, I assume that the bootloader will only be able to initialize kernels with a specific structure, that structure being of Linux or Linux-like kernels. In order to boot Linux on the iPhone they had to write a new bootloader instead of modifying the Apple one.
Sent from my DROID2 GLOBAL using XDA App
Why?
The Android kernel images have a specific structure, that's true (see http://android.git.kernel.org/?p=platform/system/core.git;a=blob;f=mkbootimg/bootimg.h), but it should not be necessarily Linux-specific. All a bootloader does is have enough initialization logic in order to find a kernel image, load it into memory, and then jump execution from itself to that kernel image's location in memory. The bootloader doesn't _care_ what operating system is running. However, without bootloader source, you can't know _for sure_ -- someone has to try another operating system kernel to find out.
As for Apple -- if you're referring to OpeniBoot (http://www.idroidproject.org/wiki/OpeniBoot), "It allows booting of unsigned code such as linux kernels on the device." -- so this is not a concern for Android-platform devices with unlocked bootloaders.

Is there any place I can download the Xoom firmware so I can examine the bootloader and see if it is digitally signed?

Related

[Q] Nexus S bootloader

Hi,
I was just wondering if it is absolutely REQUIRED to unlock the bootloader to flash a rom on the nexus s and why? Can I use Clockwork recovery image without unlocking the bootloader?
Thanks!
http://forum.xda-developers.com/showthread.php?t=1060974
Thanks,
but what are the advantages of unlocking the bootloader instead of using some other exploit like this?
Thanks!
Unlocking the bootloader deletes all user data on your device and resets it to factory defaults.
Hi,
But what is the advantage of losing that data and unlocking the bootloader than using the exploits?
Sent from my Nexus S using XDA App
None that I can tell. If you stay on stock rom, I would consider it an advantage NOT to lose all data and settings.
If you want a different rom like cyanogenmod, then you will likely have to wipe your device anyway to avoid random problems. Then you can unlock the bootloader, too, while you are at it, because you have to backup everything (you don't want to lose) anyway.
Unlocking the bootloader allows you to flash stuff directly on the phone from your computer, things like a custom recovery, radio image, fully stock roms and so on.
This in turn allows you to root or flash another rom.
Otherwise, rooting without unlocking probably entails exploiting a security flaw of your device, something I'm not too uncomfortable with.
Before 2.3.2 though you could boot a custom recovery from a file on your computer without unlocking. This was fixed as it was a big privacy and security issue...
Sent from my Nexus S using Tapatalk
So does that mean if I don't unlock the bootloader, I can't use Clockwork mod and flash a rom like cyanogenmod?
Not exactly. You can gain temporary root and install clockwork recovery by means of various exploits of security holes.
You can then use that to install any rom you like.
So pretty much unlocking the bootloader is the easy and safer route.
Sent from my Nexus S using XDA App
Exactly. Since you should backup your data anyway before you tinker with your rom, you might do it anyway.
You can lock the bootloader after you finish flashing a new ROM
Yeah, but with clockwork mod you can run a nandroid with or without an unlocked bootloader, so what's the point?
Sent from my Nexus S using XDA App
patrixl said:
Before 2.3.2 though you could boot a custom recovery from a file on your computer without unlocking. This was fixed as it was a big privacy and security issue...
Everybody with a USB cable has full root access to any Nexus S running CM7 (using CWM's ADB capability) and nobody seems to care?
1st: You don't need CWM for CM7, AFAIK.
2nd: The same is true for any Nexus S with unlocked bootloader.
3rd: The attacker could also use the gingerbreak exploit or similar to gain root access and neither a locked bootloader nor stock recovery will protect you.
It is the same as with your computer. Someone who has physical access to the machine usually can do anything he wants.
The solution is quite simple too: don't give anyone unsupervised access to your phone. That includes of course not losing it...
So it's safer to unlock it?
Sent from my Nexus S using XDA App
Yes and no. It depends on what kind of security you mean, too. The unlockable bootloader is a feature. Using it is the standard way to go.
An exploit could install keyloggers or spyware or whatever without you knowing.
However, a custom rom from somewhere could have keyloggers or spyware preinstalled, too.
Basically you have to decide yourself, how much risk you are willing to take.
I still can't get the advantages of unlocking it.
Sent from my Nexus S using XDA App
I mean, can you flash clockwork mod with a locked bootloader?
Sent from my Nexus S using XDA App
Only with certain versions of the bootloader, not all. It was a security hole like others have mentioned. It was later fixed.

[Q] do we really have a locked bootloader?

Since we know that (locked bootloader on AT2) doesn't allow us to flash custom kernels, but we know also that we can unpack/repack boot images to boot.img-kernel and boot.img-ramdisk, and we can flash radio.img, and we can flash non-signed system images (via CWM).
I can not figure out the problem with the bootloader!
We can flash repacked boot (ramdisk and kernel) and radio images, so we have an unlocked bootloader.
Or maybe the Efuse problems?
Correct me if I'm wrong.
sad_but_cool1 said:
Since we know that (locked bootloader on AT2) doesn't allow us to flash custom kernels, but we know also that we can unpack/repack boot images to boot.img-kernel and boot.img-ramdisk, and we can flash radio.img, and we can flash non-signed system images (via CWM).
I can not figure out the problem with the bootloader!
We can flash repacked boot (ramdisk and kernel) and radio images, so we have an unlocked bootloader.
Or maybe the Efuse problems?
Correct me if I'm wrong.
You know there's a Q&A Section, right? Also, this has been covered, like a gazillion times both by Jim, and others who have had this device since day one -- and still do own it!
You can flash a custom kernel but it will not boot. The stock kernel is signed by moto and the bootloader checks for this signature every time at boot. No signed kernel no boot. Ask Jim, he's replaced several A2's trying to circumvent that check.
mtnlion said:
You can flash a custom kernel but it will not boot. The stock kernel is signed by moto and the bootloader checks for this signature every time at boot. No signed kernel no boot. Ask Jim, he's replaced several A2's trying to circumvent that check.
I'll try to flash a repacked/modified boot image (booting from SDCARD).
Anyway, this is not the bootloader locked! It's Efuse related!
sad_but_cool1 said:
I'll try to flash a repacked/modified boot image (booting from SDCARD).
Anyway, this is not the bootloader locked! It's Efuse related!
Instead of getting angry, I would suggest that you read and then read some more. Believe it or not, this phone has not been cracked. So read and learn......if not then have fun making a paper weight! Don't come back and cry when your phone won't boot.
Sent from my MB865 using xda premium
sad_but_cool1 said:
I'll try to flash a repacked/modified boot image (booting from SDCARD).
Anyway, this is not the bootloader locked! It's Efuse related!
Humm... not sure where you got this info, but it is 100% incorrect. I would also suggest a little attitude adjustment on your part.
We have tried it all... if you are such an expert then let us know once you have this unlocked.
I have been working on a method to boot from the sdcard with a root kit to flash an unlocked boot loader that we have for this phone, for some time.
Now do some research, read, post in the right section next time. If you keep up being a pain, I will have the thread locked.
Knock It OFF
Keep the thread "civilized".
Any more bickering and you'll get some early Christmas presents
The forums are open to anyone, so if you don't like replies, then don't post. And if you "Do" post, keep it civil.
Also, you guys have a filter option in your control panel, so you don't have to see each other's posts. I highly suggest you start using it.
MD
jimbridgman said:
Humm... not sure where you got this info, but it is 100% incorrect. I would also suggest a little attitude adjustment on your part.
We have tried it all... if you are such an expert then let us know once you have this unlocked.
I have been working on a method to boot from the sdcard with a root kit to flash an unlocked boot loader that we have for this phone, for some time.
Now do some research, read, post in the right section next time. If you keep up being a pain, I will have the thread locked.
What's the difference between locked bootloader and efuse protection?
What do you know about locked bootloader?
sad_but_cool1 said:
What's the difference between locked bootloader and efuse protection?
What do you know about locked bootloader?
OK, so an efuse is a switch that can be thrown (it is a switch on the cpu, as well as in several other locations on the board), that when thrown can render the phone useless. All these bricks people have been getting lately are because an efuse is thrown.
http://en.m.wikipedia.org/wiki/EFUSE
There are also several efuses that allow the device to be seen as an NS (Non-Secure) device, and will allow you to use the NS bootloader (it is unlocked), and we/I have been working on getting all 6 efuse codes for a year now.
The bootloader in our case has three parts and several links in the security chain. Each step and/or link has a cert attached to it and you can not move to the next part until the correct cert is handed off to the next binary/loader in the chain.
This makes it so that we can not repack boot images or flash unsigned kernels or even some custom ROMs that require a custom kernel.
You need to realize that moto makes their boot loaders un-crackable. The bionic and RAZR are still locked, and the atrix HD just got root last week or the week before, and they are locked worse than the a2.
I also look at it like this if people like mbm, kohlk, hascode, etc. have not been able to crack the other moto devices they work with, then we are pretty SOL.
Does this mean I give up, hell no! It just means I am looking for alternative ways around the issue.
P.S. we can flash system images because the cert is in the filesystem code, and that is why we NEVER use format in an updater script, only erase.
as http://www.sourceconference.com/publications/bos12pubs/android-modding-source.pdf
and
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess
and
http://www.droid-developers.org/wiki/Booting_chain
http://www.droid-developers.org/wiki/File:Boot_chrain_flow.png
Where is the problem in our case, and how does bootstrap (hijack) work?
sad_but_cool1 said:
as http://www.sourceconference.com/publications/bos12pubs/android-modding-source.pdf
and
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess
and
http://www.droid-developers.org/wiki/Booting_chain
http://www.droid-developers.org/wiki/File:Boot_chrain_flow.png
Where is the problem in our case, and how does bootstrap (hijack) work?
Ok, so first I need to know a little background from you. Are you a developer? Are you an android dev? Have you done any android dev work at all?
What did you not understand in my last post? Let's start with that, since I did explain it in good detail. Can you tell me the parts of our bootloader, before we go into any more detail?
The boot hijack allows us to hijack the boot process by using the logcat binary which has setUID privs, so it is prime to steal for perms and it has no FALCs or MACLs on it. What it does is it points (via a linux link), to another file that will allow us to boot to some form of cwm, but you still traverse through all the bootloaders before that binary file is executed, and the system image must be verified first, that is why if you bork your system image bad enough you can not get into cwm/bootstrap/bootmenu, etc.
Again, please ask me specific questions that you have about the bootloader. And understand that I am not a 5th grader, and that I do these things for a very, very, good living, so stop posting documents that explain the whole boot chain and cryptography to me.
Now I will say this one last time, I and others have posted a ton of information on the bootloader and processes over the last year, and please stop reading things like what you posted, those are outdated and/or just plain incorrect, since motorola is a whole different beast.
So one last time, please ask specific questions, and if this starts getting into how to unlock the bootloader, I will stop answering questions, as I have said a billion times in here that motorola does read this board, and they have thwarted my efforts with patches in the past.
Look, I am a little sorry for being frustrated, or terse, but this has all been covered so many times, and it sounds like you really do not know what you are doing, and I really do not want to explain this all over again, unless you really do know what I am talking about. So far you have not struck me as someone who understands our phone's boot process, so I ask that you do a little more research first, tear the bootloader and its parts apart, and come back with specific questions. I will use your earlier use of the efuse as a perfect example of what I mean by this.
I will leave you with a few last links to look at to get more familiar with a bootloader and why they are locked, and more:
http://androidforums.com/4657640-post1.html
http://www.tested.com/news/feature/1879-know-your-android-bootloaderwhat-it-is-and-why-it-matters/
Yes everyone, and to the MODS, I am sorry that link was to another forum, but it is very valid to the point of this discussion.
Thanks man, I know that.
I can say that your AT&T AT2 is different from my AT2.
Cause I flashed a (repacked=not signed) stock boot image 4.766 kb successfully.
Sent from my MB865 using xda app-developers app
sad_but_cool1 said:
Thanks man, I know that.
I can say that your AT&T AT2 is different from my AT2.
Cause I flashed a (repacked=not signed) stock boot image 4.766 kb successfully.
Sent from my MB865 using xda app-developers app
Which phone and region are you in? We all know the at&t version is a whole lot more locked down, than any international versions, and hence why we treat the at&t phones so differently here. It might have been good to start off your thread with some information about that, so that we did not go down this whole path. Your OP was quite sparse, so just think about that next time. In fact there are 5 different Atrix2 phones, even though there are only 2 model numbers, there are more differences between the regions the phones were released in, so those are also considered different versions even to motorola, and us devs in here.
Ok.
The topic was/is a question, not sparse.
I have MB865 with originally MEARET radio/firm, in middle east (Jordan)
Sent from my MB865 using xda app-developers app
sad_but_cool1 said:
Ok.
The topic was/is a question, not sparse.
I have MB865 with originally MEARET radio/firm, in middle east (Jordan)
Sent from my MB865 using xda app-developers app
But that info was/is very relevant to your question. It has been known for some time now that the MEARET/SEARET version have a whole different bootloader and boot process than any of the other versions of the A2. The MEARET and SEARET can still fxz back, where the ME865 and the US versions can not.
Now you say you modified YOUR boot image right off your phone, or you took one from say the fxz and modified it, then flashed it, because those are two different situations, both still have the signatures, if they are extracted right. I was able to do this, as long as the kernel file/zimage was not touched, once I touched or played with that, it was all over on the US AT&T phones. The funny thing, is that the only reason to mess with the boot image on the A2 is for a different kernel and possibly to OC, but again I am pretty sure once you change the kernel in the boot image even on the MEARET/SEARET phones, to say an aosp kernel, you will not boot. It might be worth a shot, but keep in mind you have a huge chance of bricking by doing this.
And if you really want an unsigned kernel, why not just use kexec, and be done with it? It has less potential of bricking you, even if you are not completely locked.
jimbridgman said:
both still have the signatures, if they are extracted right.
this is the key-point
but I'm not flashing a repacked bootloader (needs RSA private keys from Motorola), my work was in the boot image.
sad_but_cool1 said:
this is the key-point
But only the image itself, not anything modified in the image, if you do mod it.... so if you stick an unsigned aosp kernel in place of the stock zimage, I am betting it will not boot, and might even brick the device. Just a theory, since I can not test with an MEARET phone, but when I have done it with my own compiled kernels with our kernel code, it does not pass the kernel signature check from the mbmloader and mbm.bin, and the device is bricked, on the AT&T phones.
---------- Post added at 12:02 PM ---------- Previous post was at 11:38 AM ----------
sad_but_cool1 said:
this is the key-point
but I'm not flashing a repacked bootloader (needs RSA private keys from Motorola), my work was in the boot image.
I never mentioned the bootloader, just the boot.img
What I want to say is:
boot.img = signing (compiled boot.img-kernel + compressed boot.img-ramdisk.gz)
The boot.img-kernel is signed, but the ramdisk is not; the repacking process doesn't contain signing routines/functions,
so the repacked output will be unsigned!
I'll contact wkpark (http://forum.xda-developers.com/member.php?u=4414973) for more info.
Thanks all. MODs, you can delete this topic.
sad_but_cool1 said:
What I want to say is:
boot.img = signing (compiled boot.img-kernel + compressed boot.img-ramdisk.gz)
The boot.img-kernel is signed, but the ramdisk is not; the repacking process doesn't contain signing routines/functions,
so the repacked output will be unsigned!
The boot image is signed. The kernel is signed and the ramdisk/zimage is signed, on the ATT us version.
So, again the MEARET may be different. Be careful about blanket statements people may get all excited by that.
The thing is that the us version and the HK/TW and the ME versions are all setup the same with signatures at every step.
In the tests with unsigned ramdisk images on the ATT us version it has hard bricked every time.
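
The boot.img layout from mkbootimg/bootimg.h linked earlier on this page, and the unpack/repack step argued over in this thread, as an added example that is not part of any post. It parses the original (v0) header and recomputes the `id` field that mkbootimg writes, an unkeyed SHA-1 over the payloads that anyone repacking can regenerate; the vendor signature check described above is a separate mechanism and is not modelled. `build_image`, `demo`, the load addresses and the payload bytes are constructed for the illustration.

```python
"""Parse an Android boot.img (v0 header, mkbootimg/bootimg.h) and check its id field."""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr v0: magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, unused[2], name[16],
# cmdline[512], id[8 x uint32]; all integers are little-endian.
HEADER = struct.Struct("<8s10I16s512s32s")


def image_id(kernel, ramdisk, second=b""):
    """SHA-1 as mkbootimg computes it: each payload followed by its 32-bit size."""
    sha = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        sha.update(blob)
        sha.update(struct.pack("<I", len(blob)))
    return sha.digest()


def _pad(data, page_size):
    """Pad a section with zero bytes up to the next page boundary."""
    return data + b"\0" * (-len(data) % page_size)


def build_image(kernel, ramdisk, page_size=2048, cmdline=b""):
    """Pack a v0 image. Load addresses and the name are constructed demo values."""
    header = HEADER.pack(
        BOOT_MAGIC,
        len(kernel), 0x10008000,
        len(ramdisk), 0x11000000,
        0, 0x10F00000,               # no second-stage image
        0x10000100, page_size, 0, 0,
        b"demo", cmdline,
        image_id(kernel, ramdisk),   # 20-byte digest, zero-padded to 32 by struct
    )
    return _pad(header, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)


def parse_image(img):
    """Split an image into its sections and compare stored vs recomputed id."""
    if len(img) < HEADER.size:
        raise ValueError("image shorter than the boot header")
    (magic, k_size, _k_addr, r_size, _r_addr, s_size, _s_addr,
     _tags_addr, page_size, _u0, _u1, name, cmdline, stored_id) = HEADER.unpack_from(img)
    if magic != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    if page_size < HEADER.size or page_size & (page_size - 1):
        raise ValueError("implausible page size: %d" % page_size)

    def pages(n):
        # Bytes occupied by a section of n bytes once rounded up to whole pages.
        return (n + page_size - 1) // page_size * page_size

    k_off = page_size                # the header occupies the first page
    r_off = k_off + pages(k_size)
    s_off = r_off + pages(r_size)
    if s_off + s_size > len(img):
        raise ValueError("payload sizes run past the end of the image")

    kernel = img[k_off:k_off + k_size]
    ramdisk = img[r_off:r_off + r_size]
    second = img[s_off:s_off + s_size]
    computed = image_id(kernel, ramdisk, second)
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "page_size": page_size,
        "kernel_offset": k_off,
        "ramdisk_offset": r_off,
        "kernel": kernel,
        "ramdisk": ramdisk,
        "second": second,
        "stored_id": stored_id[:20].hex(),
        "computed_id": computed.hex(),
        "id_matches": stored_id[:20] == computed,
    }


def demo():
    """Stock image, payload edited in place, and image repacked with a new ramdisk."""
    kernel, ramdisk = b"K" * 5000, b"stock ramdisk " * 200   # constructed payloads
    stock = build_image(kernel, ramdisk)
    info = parse_image(stock)
    patched = bytearray(stock)
    patched[info["ramdisk_offset"]] ^= 0xFF      # payload changed, header untouched
    repacked = build_image(kernel, b"modified ramdisk " * 200)
    return (info["id_matches"],
            parse_image(bytes(patched))["id_matches"],
            parse_image(repacked)["id_matches"])


if __name__ == "__main__":
    print("stock / edited in place / repacked id matches:", demo())
```

A matching `id` only shows that the header and payloads belong together; it says nothing about whether a given bootloader will accept the image.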

Small carrier, model/build version, flashing decision issues

Just got an upgrade from my carrier (a small local carrier) and I chose the s3. Came from some Motorola piece of fail. I'm looking to root and flash an insecure bootloader but I have encountered a confusing conflict. Having a Verizon model phone with a us cellular build of android loaded. And yes I'm certain it is a Verizon model phone (google schi535mbb if you don't believe me) with us cellular stock rom loaded (with some tweaks like 4g disabled). Rom and software model say the following R530 & d2usc. Bootloader is I535VRALE6 baseband I535VRLF2. This as far as I can tell was accomplished by a company called ultimobile. Which customizes devices to function on small mobile carriers. If anybody has any ideas or suggestions on what I might try, please let me know. I just don't want to screw something up and have a brick, just coming from a device that was all but brickable.
Sent from my SCH-I535 using xda premium
Lrs121 said:
Just got an upgrade from my carrier (a small local carrier) and I chose the s3. Came from some Motorola piece of fail. I'm looking to root and flash an insecure bootloader but I have encountered a confusing conflict. Having a Verizon model phone with a us cellular build of android loaded. And yes I'm certain it is a Verizon model phone (google schi535mbb if you don't believe me) with us cellular stock rom loaded (with some tweaks like 4g disabled). Rom and software model say the following R530 & d2usc. Bootloader is I535VRALE6 baseband I535VRLF2. This as far as I can tell was accomplished by a company called ultimobile. Which customizes devices to function on small mobile carriers. If anybody has any ideas or suggestions on what I might try, please let me know. I just don't want to screw something up and have a brick, just coming from a device that was all but brickable.
Sent from my SCH-I535 using xda premium
Interesting. From the sound of it it may just be software blocked. Verizon root and unlock should work. The trick is gonna be finding software that will work with that carrier. If it is using straight US Cellular may be able to run what those guys are running. If it is that small carrier that controls access then that would be the problem. Without a backup of the stock rom don't know how you would get it running again. According to the numbers it is a Verizon S3 running Us Cellular. Good luck.
prdog1 said:
Interesting. From the sound of it it may just be software blocked. Verizon root and unlock should work. The trick is gonna be finding software that will work with that carrier. If it is using straight US Cellular may be able to run what those guys are running. If it is that small carrier that controls access then that would be the problem. Without a backup of the stock rom don't know how you would get it running again. According to the numbers it is a Verizon S3 running Us Cellular. Good luck.
The recovery that's on it right now has built in options for nvbackup. From what I've read that is the radio, imei, and other files used to connect to the network. I was gonna make several backups of everything as soon as I gained root control. The real problem comes down to when I go to throw cm on here. Figuring out which vzw or usc will cooperate with the carrier files.
Sent from my SCH-I535 using xda premium
Lrs121 said:
The recovery that's on it right now has built in options for nvbackup. From what I've read that is the radio, imei, and other files used to connect to the network. I was gonna make several backups of everything as soon as I gained root control. The real problem comes down to when I go to throw cm on here. Figuring out which vzw or usc will cooperate with the carrier files.
Sent from my SCH-I535 using xda premium
Make a nandroid backup and maybe post to see what you're running as?
Sent from my SCH-I535 using Tapatalk 2
Addiso said:
Make a nandroid backup and maybe post to see what you're running as?
Sent from my SCH-I535 using Tapatalk 2
Was definitely gonna make a nandroid, but as for 'post to see what I'm running as' what do you mean?
Sent from my SCH-I535 using xda premium
Lrs121 said:
Was definitely gonna make a nandroid, but as for 'post to see what I'm running as' what do you mean?
Sent from my SCH-I535 using xda premium
Maybe the build.prop?
Edit: Attach it via Pastebin!
SlimSnoopOS said:
Maybe the build.prop?
Edit: Attach it via Pastebin!
Here ya go. Have fun http://pastebin.com/eUj5z2VT
Sent from my SCH-I535 using xda premium
Lrs121 said:
Here ya go. Have fun http://pastebin.com/eUj5z2VT
Sent from my SCH-I535 using xda premium
Looks like us cellular under the ultimobile ID?
Sent from my SCH-I535 using Tapatalk 2
Addiso said:
Looks like us cellular under the ultimobile ID?
Sent from my SCH-I535 using Tapatalk 2
It's weird though right? I'm not sure how to go about suggesting how to flash roms. I have to side with prdog1 and say it's a VZW GSIII running USC. I really can't suggest a good way to proceed since it's hard to tell what you would use to revert back to stock in case of emergencies.
Anyone familiar with Team US Cellular? Any input from there?
Addiso said:
Looks like us cellular under the ultimobile ID?
Sent from my SCH-I535 using Tapatalk 2
That's what I saw too. The difficult thing to figure out is if to use the verizon unlock and root or the us cellular model. It is most definitely a verizon model of phone just loaded up with us cell software. I've flashed a verizon based rom over a locked down motorola piece of fail, but that couldn't touch the kernel, base band, or anything but the system without it requiring a complete reflash to stock. I don't exactly have that option if everything screws up in the process of gaining root. I'd have to take it into the store and wait till they can reflash it there.
Lrs121 said:
That's what I saw too. The difficult thing to figure out is if to use the verizon unlock and root or the us cellular model. It is most definitely a verizon model of phone just loaded up with us cell software. I've flashed a verizon based rom over a locked down motorola piece of fail, but that couldn't touch the kernel, base band, or anything but the system without it requiring a complete reflash to stock. I don't exactly have that option if everything screws up in the process of gaining root. I'd have to take it into the store and wait till they can reflash it there.
I'm fairly certain you should use the unified toolkit to root and maybe unroot. In your build.prop, I noticed it reads on the fifth line:
ro.build.version.incremental=R530UVXALK5
and the toolkit supports LK5 build for the d2usc. I think they're both locked down the same but on Team US Cellular's website that's what I'm seeing some people have used too. Idk about your specific case using another carrier but a d2usc GSIII but I'm thinking that's a start. Idk about returning to stock though.
Edit: Gonna add this, this means there is an Odin flashable of LK5 available somewhere.
Edit x2: POW!
SlimSnoopOS said:
I'm fairly certain you should use the unified toolkit to root and maybe unroot. In your build.prop, I noticed it reads on the fifth line:
and the toolkit supports LK5 build for the d2usc. I think they're both locked down the same but on Team US Cellular's website that's what I'm seeing some people have used too. Idk about your specific case using another carrier but a d2usc GSIII but I'm thinking that's a start. Idk about returning to stock though.
Edit: Gonna add this, this means there is an Odin flashable of LK5 available somewhere.
Edit x2: POW!
Really I need to gain fastboot access to the phone. There are some files I need to check and I need to pull the special recovery that came with the phone. If I can do that I should be able to pull what I need from the phone to be able to return to stock. I'm also gonna perform an nvbackup, a qpst backup and the synergy backup. But first things first I need fastboot access to the phone. I know how to get into recovery and download mode but for the life of me I can't figure out how to get to a fastboot compliant mode. From there I can figure how I'm gonna proceed to root.
edit: what i see in download mode
odin mode
Product name: sch--i535
custom binary download: yes (1 counts)
current binary: custom
system status: custom
Qualcom secureboot: enable
Lrs121 said:
Really I need to gain fastboot access to the phone. There are some files I need to check and I need to pull the special recovery that came with the phone. If I can do that I should be able to pull what I need from the phone to be able to return to stock. I'm also gonna perform an nvbackup, a qpst backup and the synergy backup. But first things first I need fastboot access to the phone. I know how to get into recovery and download mode but for the life of me I can't figure out how to get to a fastboot compliant mode. From there I can figure how I'm gonna proceed to root.
edit: what i see in download mode
odin mode
Product name: sch--i535
custom binary download: yes (1 counts)
current binary: custom
system status: custom
Qualcom secureboot: enable
Here's a left field suggestion, could you call this UltiMobile company and ask about what they used?
SlimSnoopOS said:
Here's a left field suggestion, could you call this UltiMobile company and ask about what they used?
Haven't done that yet. It's on a list of things to do. The problem is that everywhere they put information out they say to contact the carrier not them for everything. I may just have to wait till the phone isn't so new at my carrier and let the IT department play around with it for a while. I can then get information from them.
Lrs121 said:
Haven't done that yet. It's on a list of things to do. The problem is that everywhere they put information out they say to contact the carrier not them for everything. I may just have to wait till the phone isn't so new at my carrier and let the IT department play around with it for a while. I can then get information from them.
That's real tricky but sounds like your best option. At least you're rooted and unlocked with the VRALE6 bootloader and can debloat. Out of curiosity, what recovery are you using that has all these options?
As an aside, this table tells you where the recovery partition is. I've heard of people using dd commands to pull whatever partition they want to their sdcard but idk how viable an option this is in terms of pushing a recovery to that partition. I'm not recommending you try it either.
SlimSnoopOS said:
That's real tricky but sounds like your best option. At least you're rooted and unlocked with the VRALE6 bootloader and can debloat. Out of curiosity, what recovery are you using that has all these options?
As an aside, this table tells you where the recovery partition is. I've heard of people using dd commands to pull whatever partition they want to their sdcard but idk how viable an option this is in terms of pushing a recovery to that partition. I'm not recommending you try it either.
The vrale6 is unlocked? If so then why does it say that the qualcom secure boot is enabled? And I haven't rooted just yet but am working on it. It's a recovery built by ultimobile.
Sent from my Nexus 7 using XDA Premium HD app
Lrs121 said:
The vrale6 is unlocked? If so then why does it say that the qualcom secure boot is enabled? And I haven't rooted just yet but am working on it. It's a recovery built by ultimobile.
Sent from my Nexus 7 using XDA Premium HD app
Yes indeed. VRALE6 is the prerelease bootloader that was leaked which EVERY d2vzw (d2usc I suppose too) uses in order to allow flashing of roms/kernels. It's a little weird to explain but basically everyone's Download Mode reads almost the same. Mine reads "custom binary: Samsung Official" though and I'm rooted/unlocked. Idk the technical or even the proper way to explain it but the unlocked VRALE6 bootloader has no bearing on what Download mode says. Although your custom binary should be at 0 if/when you do warranty exchanges.
SlimSnoopOS said:
Yes indeed. VRALE6 is the prerelease bootloader that was leaked which EVERY d2vzw (d2usc I suppose too) uses in order to allow flashing of roms/kernels. It's a little weird to explain but basically everyone's Download Mode reads almost the same. Mine reads "custom binary: Samsung Official" though and I'm rooted/unlocked. Idk the technical or even the proper way to explain it but the unlocked VRALE6 bootloader has no bearing on what Download mode says. Although your custom binary should be at 0 if/when you do warranty exchanges.
Ah, makes sense now: it just doesn't do a hash/encryption check. I've dealt with a lot of bootloader stuff with my old phone. The phone came like that with the count at 1. Was like that before I tried anything. Probably was triggered when the d2usc stock was flashed onto it. Which probably means I should stick with d2usc builds to ensure compatibility with connecting with my carrier.
Sent from my Nexus 7 using XDA Premium HD app

[Q] Just throwing this idea out there

I should start by saying I am by no means experienced with unlocking bootloaders or hacking firmware, so if this is a completely noob idea then forgive me but I thought I might as well see if I could help. Anyways, on to my idea; as we all know, the 4.3 bootloader is locked for good. So what if one was to corrupt the bootloader, like brick it on purpose to a point where the bootloader doesn't recognize any update being pushed, and then unbrick the phone with an older unlockable bootloader. Am I losing my mind due to having the locked 4.3 or is this plausible?
And while I have a thread open, could someone explain a few questions I have about knox? If knox is what is causing the bootloader to be locked and there's ways to disable knox, then wouldn't disabling knox make the bootloader unlockable?
ericcue said:
I should start by saying I am by no means experienced with unlocking bootloaders or hacking firmware, so if this is a completely noob idea then forgive me but I thought I might as well see if I could help. Anyways, on to my idea; as we all know, the 4.3 bootloader is locked for good. So what if one was to corrupt the bootloader, like brick it on purpose to a point where the bootloader doesn't recognize any update being pushed, and then unbrick the phone with an older unlockable bootloader. Am I losing my mind due to having the locked 4.3 or is this plausible?
And while I have a thread open, could someone explain a few questions I have about knox? If knox is what is causing the bootloader to be locked and there's ways to disable knox, then wouldn't disabling knox make the bootloader unlockable?
This won't work.
The new update changes the keys on the entire bootloader, it's impossible to corrupt the bootloader to a point of failure because the entire thing is hard coded into the board itself. The processor is specifically able to recognize the vrucml1 bootchain, and it won't boot without it, unless someone finds a way to bypass that entire mechanism (which I would consider nearly impossible).
Knox is not causing the bootloader to be locked. Verizon patched our work around for unlocking the bootloader and pushed it. Knox is simply a non reversible flash counter for rooting your device. It's coded in the bootloader and system apps to detect this.
Sent from my SCH-I535 using Tapatalk 2
Ah I see. I guess I had trouble understanding that an OTA could completely and irreversibly lock a bootloader. There's got to be some kind of exploit for this at some point right? I'm not sure I can handle this 4.3 nonsense anymore!
And thanks for the knox explanation, I used to hate sprint for the things they did (like booting me for roaming) and now verizon is starting to tick me off.
ericcue said:
Ah I see. I guess I had trouble understanding that an OTA could completely and irreversibly lock a bootloader. There's got to be some kind of exploit for this at some point right? I'm not sure I can handle this 4.3 nonsense anymore!
And thanks for the knox explanation, I used to hate sprint for the things they did (like booting me for roaming) and now verizon is starting to tick me off.
There is probably no chance for an exploit to completely unlock a bootloader.
Hardware hacking is almost impossible because of the type of encryption it takes to make the processor and bootchain recognize each other. It's sensitive, and you need to match the numbers specifically to perform a boot. Everyone is familiar with an md5 code, this is a fairly simple algorithm, and we all know that the slightest change in a bad download will generate a completely different md5 sum. In this case, the algorithm is much more complex, and pretty much impossible to match and trick the phone into booting an incorrect bootloader. This is why straight up hacking a bootloader is an impossible feat, so we mostly make workarounds.
All our unlocked bootloader was is a very early aboot block. The bootchain trusts the aboot file, and the aboot file trusts anything you put in the recovery and system partitions. Since the new bootchain requires a signed aboot file for ML1, it makes this exploit insignificant and the aboot file doesn't trust anything else you stick in the recovery or system partition.
Loki was another exploit that was patched. Kexec is an example of a work around, and so is safestrap, but these types of workarounds won't unlock the bootloader and allow aosp Rom flashing.
Sent from my SCH-I535 using Tapatalk 2
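A toy model of the trust chain described in the post above, added here as an illustration and not taken from the thread or from any vendor's code. Each stage pins a SHA-256 digest of the next stage, which stands in for the signature checks of the real boot chain (the thread does not detail those); the stage name "bootchain" follows the post's wording and all image bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                 # constructed stand-in for the stage's binary
    pinned_next: Optional[str]  # digest of the only next image this stage accepts
    enforces: bool = True       # False: loads whatever comes next, unchecked

    def image(self) -> bytes:
        # The pin is part of the measured image, so it cannot be swapped alone.
        return self.code + b"|" + (self.pinned_next or "").encode()


def build_chain(parts: List[Tuple[str, bytes, bool]]) -> List[Stage]:
    """Build last-to-first so every stage pins the digest of its successor."""
    chain: List[Stage] = []
    next_digest: Optional[str] = None
    for name, code, enforces in reversed(parts):
        chain.insert(0, Stage(name, code, next_digest, enforces))
        next_digest = sha256(chain[0].image())
    return chain


def boot(root: str, chain: List[Stage]) -> Tuple[List[str], Optional[str]]:
    """Return (stages that ran, name of the rejected stage or None)."""
    expected, check = root, True          # first check is done by the hardware root
    ran: List[str] = []
    for stage in chain:
        if check and sha256(stage.image()) != expected:
            return ran, stage.name
        ran.append(stage.name)
        expected, check = stage.pinned_next, stage.enforces
    return ran, None


def scenarios() -> dict:
    # All image bytes below are constructed placeholders, not real firmware.
    old = build_chain([("bootchain", b"old", True), ("aboot", b"early", False),
                       ("recovery", b"stock", True)])
    new = build_chain([("bootchain", b"new", True), ("aboot", b"signed", True),
                       ("recovery", b"stock", True)])
    old_root, new_root = sha256(old[0].image()), sha256(new[0].image())
    custom = Stage("recovery", b"custom", None)
    return {
        "old chain, stock recovery": boot(old_root, old),
        "old chain, custom recovery": boot(old_root, old[:2] + [custom]),
        "new chain, custom recovery": boot(new_root, new[:2] + [custom]),
        "new chain, early aboot": boot(new_root, [new[0], old[1], custom]),
    }


if __name__ == "__main__":
    for label, (ran, rejected) in scenarios().items():
        print(f"{label}: ran={ran} rejected={rejected}")
```

The only case where a custom recovery runs is the one where a non-enforcing aboot is itself accepted by the stage before it; once the earlier stage pins a different aboot, the chain stops there.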
BadUsername said:
There is probably no chance for an exploit to completely unlock a bootloader.
Hardware hacking is almost impossible because of the type of encryption it takes to make the processor and bootchain recognize each other. It's sensitive, and you need to match the numbers specifically to perform a boot. Everyone is familiar with an md5 code, this is a fairly simple algorithm, and we all know that the slightest change in a bad download will generate a completely different md5 sum. In this case, the algorithm is much more complex, and pretty much impossible to match and trick the phone into booting an incorrect bootloader. This is why straight up hacking a bootloader is an impossible feat, so we mostly make workarounds.
All our unlocked bootloader was is a very early aboot block. The bootchain trusts the aboot file, and the aboot file trusts anything you put in the recovery and system partitions. Since the new bootchain requires a signed aboot file for ML1, it makes this exploit insignificant and the aboot file doesn't trust anything else you stick in the recovery or system partition.
Loki was another exploit that was patched. Kexec is an example of a work around, and so is safestrap, but these types of workarounds won't unlock the bootloader and allow aosp Rom flashing.
Sent from my SCH-I535 using Tapatalk 2
You are a bundle of endless info. Thank you for breaking it down like this!
Edit: I have been curious for awhile about the technical aspect of everything you detailed.
That was amazing lol thanks for clearing all that up. Now I guess the race is on to find safestrap compatible roms. I'm running wicked sensations right now through safestrap and it seems pretty good but I was looking for a rom that could force 4g
SlimSnoopOS said:
You are a bundle of endless info. Thank you for breaking it down like this!
Edit: I have been curious for awhile about the technical aspect of everything you detailed.
I wish I knew more coding details, like what this stuff specifically looks like, but it's interesting researching all this material.
These are the kinds of questions I like, they really make you think about what's happening. I wish more users posted questions like these. One day someone might post something that might actually work. It's good creative thinking.
Sent from my SCH-I535 using Tapatalk 2
Kexec will allow flashing of aosp roms in addition to safe strap.
Sent from my SCH-I535 using Tapatalk
Dadud said:
Kexec will allow flashing of aosp roms in addition to safe strap.
Sent from my SCH-I535 using Tapatalk
Kexec might be able to, but it depends on whether that exploit has been patched or not; that kernel mechanism can also be shut down to disallow booting of a 2nd kernel. If the modules are written a certain way you're stuck with that initial boot.
Safestrap can't, it relies on a stock kernel to run, so unless someone makes an aosp rom to run with a 4.3 touchwiz kernel it won't work.
Sent from my SCH-I535 using Tapatalk 2
How did hashcode get cm 10.2 on the droid 3 using kexec and safe strap?
Sent from my SCH-I535 using Tapatalk
I love this thread so much. Thanks BadUsername and everyone else! So why exactly can't we use Kexec?
YevOmega said:
I love this thread so much. Thanks BadUsername and everyone else! So why exactly can't we use Kexec?
Getting kexec functionality isn't the easiest process. The holes that allowed kexec on 4.0.4 may have been patched due to the new Linux 3.0 kernel updated in newer versions.
Some developer would have to work on finding that loophole and enabling a second kernel to run.
Hashcode was able to do this on Motorola devices by rewriting the kernel modules to run differently. The way he did it wouldn't work for us anyway because they used OMAP devices. We have a Qualcomm processor, the loophole he used to enable kexec is completely different than what we would need to enable.
Additionally, it may not even be possible to enable kexec. The whole idea of a locked bootloader is to prevent this from happening. Loopholes constantly get patched, making enabling these types of workarounds increasingly more difficult.
Eventually the loophole that allows safestrap to even run will likely get patched. It's just the nature of making phones increasingly more difficult to root and unlock.
I hope someone has the time and passion to work on kexec, but I wouldn't necessarily count on it. There's likely a reason why it was never implemented on the s4.
Sent from my SCH-I535 using Tapatalk 2
BadUsername said:
Getting kexec functionality isn't the easiest process. The holes that allowed kexec on 4.0.4 may have been patched due to the new Linux 3.0 kernel updated in newer versions.
Some developer would have to work on finding that loophole and enabling a second kernel to run.
Hashcode was able to do this on Motorola devices by rewriting the kernel modules to run differently. The way he did it wouldn't work for us anyway because they used OMAP devices. We have a Qualcomm processor, the loophole he used to enable kexec is completely different than what we would need to enable.
Additionally, it may not even be possible to enable kexec. The whole idea of a locked bootloader is to prevent this from happening. Loopholes constantly get patched, making enabling these types of workarounds increasingly more difficult.
Eventually the loophole that allows safestrap to even run will likely get patched. It's just the nature of making phones increasingly more difficult to root and unlock.
I hope someone has the time and passion to work on kexec, but I wouldn't necessarily count on it. There's likely a reason why it was never implemented on the s4.
Sent from my SCH-I535 using Tapatalk 2
*Sigh*
YevOmega said:
*Sigh*
It's not the worst thing. In my opinion this phone runs really well on touchwiz roms anyway. Give some time for more roms to come out. Tkrom, cleanrom and jellybeans will all be spectacular when they come out.
Sent from my SCH-I535 using Tapatalk 2
BadUsername said:
It's not the worst thing. In my opinion this phone runs really well on touchwiz roms anyway. Give some time for more roms to come out. Tkrom, cleanrom and jellybeans will all be spectacular when they come out.
Sent from my SCH-I535 using Tapatalk 2
I totally agree with you. With root and a different launcher, I'm doing fine right now. Really wanted that new quick settings on Paranoid though.
Sent from my SCH-I535 using Tapatalk
Anyone else think that the information that BadUsername posted should be made a sticky?
Should have just rooted when you first got the phone haha
Sent from my SCH-I535 using xda app-developers app
XdrummerXboy said:
Should have just rooted when you first got the phone haha
You can gain root access on 4.3, but still can't unlock the bootloader.
The 4.3 OTA has truly downgraded the performance of my phone, so I'm not holding out much hope that 4.3 safestrapped ROMs will do much else - Samsung has rather let me down with this update (even outside of working with Verizon to lock the darn thing down much more tightly).
I used to say that custom ROMs were not needed, because the stock OS ran so well. Since the 4.3 OTA, it feels slower than when it first came with 4.0.4 (?) and has some of the old WiFi and Bluetooth issues back, again. On both of our Galaxy S III phones, btw. Not quite so fun, anymore.
- ooofest
ooofest said:
You can gain root access on 4.3, but still can't unlock the bootloader.
The 4.3 OTA has truly downgraded the performance of my phone, so I'm not holding out much hope that 4.3 safestrapped ROMs will do much else - Samsung has rather let me down with this update (even outside of working with Verizon to lock the darn thing down much more tightly).
I used to say that custom ROMs were not needed, because the stock OS ran so well. Since the 4.3 OTA, it feels slower than when it first came with 4.0.4 (?) and has some of the old WiFi and Bluetooth issues back, again. On both of our Galaxy S III phones, btw. Not quite so fun, anymore.
- ooofest
Oh, I didn't catch that. Thanks for the info. And ooofest, were you over at overclockers.uk? I thought I recognized that name from there, maybe it was only here though.
I've honestly lost track of the rooting requirements for this phone after I rooted. Best decision I've made with this phone! But I was nervous to do so...
I agree, it wasn't too terrible when it had 4.0.4, but compared to Cyanogenmod there's no comparison on which is smoother!
Sent from my SCH-I535 using xda app-developers app
XdrummerXboy said:
Oh, I didn't catch that. Thanks for the info. And ooofest, were you over at overclockers.uk?
Not that I recall, sorry. I used to be more active here and about, but then decided to go back into stock for 2013 and ramp up the rooting, unlocking, optimization, etc. in 2014.
It would always be ready to re-root and unlock, yes?
Well, never say "always."
XdrummerXboy said:
I agree, it wasn't too terrible when it had 4.0.4, but compared to Cyanogenmod there's no comparison on which is smoother!
Indeed.
- ooofest

Verizon HTC One M8 for Windows?

Just curious if we would be able to switch between 2 different OS's? If it would be the same exact hardware (which I'm assuming it should be... can't see HTC changing anything; spending more money).
Most likely just wait and see would probably be a common response, but is it even possible to delete an OS completely on this phone and load another? Or would it be more of an "emulation of the Windows OS" if at all possible?
Article...http://www.wpcentral.com/verizon-htc-one-w8-windows-phone-august-21
importunerdj said:
Just curious if we would be able to switch between 2 different OS's? If it would be the same exact hardware (which I'm assuming it should be... can't see HTC changing anything; spending more money).
Most likely just wait and see would probably be a common response, but is it even possible to delete an OS completely on this phone and load another? Or would it be more of an "emulation of the Windows OS" if at all possible?
Article...http://www.wpcentral.com/verizon-htc-one-w8-windows-phone-august-21
Not a bad idea, but I don't think so. Reason being the partition layout will be different.
For instance, Windows won't have recovery or fastboot modes. Any existence of anything Android won't be there. So the entire coding all the way down to the simplest functions such as booting the phone would be different. I don't think it would be as simple as simply flashing a Windows based rom.
However, I bet you could use jtag to reprogram the entire thing and switch bootloaders. Who knows though, maybe a pit file would be released to simply flash and go back and forth.
Sent from my HTC6525LVW using Tapatalk
BadUsername said:
Not a bad idea, but I don't think so. Reason being the partition layout will be different.
For instance, Windows won't have recovery or fastboot modes. Any existence of anything Android won't be there. So the entire coding all the way down to the simplest functions such as booting the phone would be different. I don't think it would be as simple as simply flashing a Windows based rom.
However, I bet you could use jtag to reprogram the entire thing and switch bootloaders. Who knows though, maybe a pit file would be released to simply flash and go back and forth.
Sent from my HTC6525LVW using Tapatalk
What if you could set up a virtual partition or ROM slot like boot menu manager?
Sent from my nexus 10 using Tapatalk
