Which files are checked by "locked" bootloaders? Want to root locked phone. - General Questions and Answers

//Skip to the last paragraph if you don't care about the context of the question
Hi, I'm looking to get a few applications requiring root onto a device with a locked bootloader. I'm a programmer, but not an Android programmer, and my Linux skills are only mediocre. Until recently I had an S5 Active (also locked) using TWRP and a custom ROM, but the "waterproof" feature didn't work when I fell in a river with it. I've long since forgotten how I managed to get it working; it involved reading threads here for about 2 days until I figured out enough to get it working.
The only specific items I want to install that require root are a whitelist-style firewall and XPrivacy. My plan of attack, unless I find anything more promising, is to not immediately allow the new phone (CAT S60) to get updates, get temporary root with dirtycow, then attempt to modify something that is both A) running in root context and B) something the bootloader won't complain about. The problem is that I have no idea which things the bootloader is checking.
What I can't figure out is which files are actually "verified" by the bootloader on Android. Just the initramfs? The entire root partition (i.e. everything outside userspace) as well? Is it a short enough checksum that it could be defeated by padding the image until it reaches the same checksum?

Yeah, let us know if you can get it to root; lots of people are banging their heads over this on this forum.

I believe it checks the entire /system partition during boot just before/as the kernel loads it to verify whether /system has been modified.
I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE

Related

Root Droid Mini 4.4

Hi Everyone,
I have a Droid Mini running on Android 4.4. Running on Straight Talk service.
Is it possible to root my device? I am not sure how to determine if my bootloader is unlocked.
I mainly would like to root my device to use TitaniumBackUp to back up and restore my device. I am not sure of another app that will allow me to backup and restore my apps, app data and settings, without my device being rooted.
Any and all help is appreciated.
HAPPY HOLIDAYS EVERYONE!!!
Other than the fact this is not the right section to be posting a question, I'll try and answer it anyway.
No BL unlock, not unless you can get the bootloader unlocked via a tool, Verizon's website, or the China guy's service for ~$25 USD, which can all be found by a simple Google search.
You can try the Sunshine Bootloader unlock apk, however at 4.4.4 I am unable to use it (Droid Ultra)
The 4.4 Bounty thread is HERE which appears to have minimal attention at the moment
And HERE is the latest news on the China mans service, which appears to have gone and passed by now.
To root directly, you can give all the tools a try, and all the downloadable apks, and give them a run, one by one, until you get to the realization you are stuck with what you have - unless you can downgrade and then root/BL unlock. Which, by my knowledge, you can't - but I may be mistaken. The only reason I say you can't, though, is that if you could, so could others, and there would already be more posts about it.
The last and final suggestion, buy a new mobo/chipset that had your OS of your preferred version installed prior so you can have immediate access. This is a tricky one however, due to this requiring you to tear apart your phone which isn't something most people feel comfortable doing. You also are at the mercy of whoever or wherever you buy the mobo/chipset from - as it could have water damage, or other faults negating the idea of having root to begin with (if your phone crashes every 10 minutes or so due to a short).
---
TL;DR
You're screwed, for the time being.

Questions on the state of d2vzw devices running NE1

I'm not sure if these questions have been answered before, but I can't find any information on them, so here I am.
1. How exactly is the bootloader "locked"? Is the kernel the only thing that can't be changed?
2. Is kexec possible on NE1?
I know that bootloaders were bypassed on some Motorola Droid devices via kexec. There was even an in-the-works kexec project for our device on an older firmware (that was abandoned only because someone figured out how to unlock the bootloader, or something along those lines). I also realize this is a biggish project, and most people still using the d2vzw didn't ever take the NE1 OTA and are able to flash custom kernels/ROMs. Knowing this, it could be possible that no one really wants to try, either because of time, apathy, etc. But I digress.
Sent from my SCH-I535 using Tapatalk
These questions have been beaten into the ground, but I'll be happy to answer them again because they are interesting questions. Good ideas and discussion points anyway.
1) So the bootloader is locked by a series of signed boot sequences. These things can be easily researched on the internet in detail, but a general understanding of how the phone boots is helpful to understanding how this process works. Also, every phone is unique, and every carrier has different implementations.
Samsung is especially a huge PITA when it comes to these things. They allow no easy way to gain root access on your phone in any way. In comparison to HTC, for instance, they allow nothing in terms of granting administrator access to anyone. HTC at least has an option for S-off, which allows full administrative usage of the device and turns off all boot checking features. This can't be patched in an easy way, and for an update to change this feature it would have to change the device's system information on an unreasonable level. All Samsung has to do is simply patch whatever vulnerability we find, because there is no way to turn S-off on a Samsung phone, so all we do is look for bootchain exploits. If that makes any sense? Basically, Samsung sucks, and that's the main reason I will never buy their phones ever again.
2) Any part of the boot sequence can be changed, but the signatures affecting these things aren't really easy to trick. Kexec was a very easy exploit to use when it first came out, but the modules for it have since been changed to disallow the kexec command from loading an insecure kernel. It simply can't work the same anymore since Samsung released changes to their boot chain. This method won't be used on any future devices. Most recently we had the original root method and Loki for the S4, which both affect the aboot sequence, and Safestrap, which is basically a modified recovery that uses the stock kernel to run a custom ROM. Here's an example:
boot => sbl1 => sbl2 => sbl3 => whatever is here ==> maybe something else here ==> aboot => recovery mode or download mode or kernel => system rom
aboot = African canadian sock monkey exploit (basically an unlocked aboot file) and Loki exploits
recovery mode = safestrap exploit (tricks the kernel to boot a modified rom, but it has to work with the kernel)
As you can see in the chain, break any one of those sequences and it doesn't matter what follows, the phone is unlocked; the problem is we've broken the chain about 2-3 times. Every time we find a vulnerability, it gets patched and it makes it that much harder to find another exploit. Samsung does so much work patching the unlocking mechanism that it simply isn't even worth the effort to unlock it in the first place. We actually didn't even unlock the S3 in the first place. The aboot file was given to us by a Samsung employee and distributed quickly. This aboot file allowed us to change the kernel and recovery at will, without worrying about signature verification, since the aboot file never asked for it. It was a full unlock for the phone. Once an update happened, it erased the modified boot image and disabled the unlocked bootloader.
This problem is unique to Samsung, btw; other phones aren't nearly as difficult to figure out and test.
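The chain BadUsername sketches above (each stage checks the signature of the next, so one stage that skips the check, like the leaked S3 aboot, leaves everything after it unchecked) and the first thread's question about what gets verified and whether padding an image can recover a checksum can both be made concrete in a toy model. The following is an added example written for this page, not code from the thread or from any vendor: stage names follow the post, the images are constructed placeholders, `/system` is modelled as one more signed stage rather than a dm-verity hash tree, and HMAC-SHA256 stands in for the asymmetric (RSA/ECDSA) signature a real bootloader checks.

```python
"""Toy model of a signed boot chain (added example, not from the thread)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the OEM signing key. A real chain uses an
# asymmetric key: the OEM keeps the private half and only the public half,
# or its hash, is burned into the SoC. HMAC-SHA256 is used here so the
# example runs on the standard library alone.
OEM_KEY = b"constructed-oem-signing-key"


@dataclass
class Stage:
    name: str
    image: bytes
    signature: bytes = b""
    verifies_next: bool = True   # False models an aboot that never checks


def sign(image: bytes) -> bytes:
    return hmac.new(OEM_KEY, image, hashlib.sha256).digest()


def signed_stage(name: str, image: bytes, verifies_next: bool = True) -> Stage:
    return Stage(name, image, sign(image), verifies_next)


def signature_ok(stage: Stage) -> bool:
    return hmac.compare_digest(sign(stage.image), stage.signature)


def boot(chain):
    """Walk the chain in order. The first element is the mask ROM and is
    trusted implicitly; each later stage is checked by its predecessor,
    but only if that predecessor still performs verification.
    Returns (names of stages that ran, name of the failing stage or None)."""
    booted = [chain[0].name]
    for prev, cur in zip(chain, chain[1:]):
        if prev.verifies_next and not signature_ok(cur):
            return booted, cur.name
        booted.append(cur.name)
    return booted, None


def stock_chain():
    return [
        Stage("pbl", b"mask rom"),  # in silicon, nothing checks it
        signed_stage("sbl1", b"constructed sbl1"),
        signed_stage("aboot", b"constructed aboot that verifies"),
        signed_stage("boot", b"constructed kernel + initramfs"),
        signed_stage("system", b"constructed /system image"),
    ]


def leaked_aboot_chain():
    """Same chain, but aboot is a validly signed build that skips checks,
    like the leaked S3 aboot described in the post."""
    chain = stock_chain()
    chain[2] = signed_stage("aboot", b"constructed non-verifying aboot", False)
    return chain


def tamper(chain, name, extra):
    """Copy of the chain where stage `name` was re-packed with extra bytes
    but still carries its original signature, which is what a modified
    boot.img or /system looks like to the stage that checks it."""
    return [Stage(s.name, s.image + extra, s.signature, s.verifies_next)
            if s.name == name else s for s in chain]


def padding_matches(stage, max_pad):
    """Count zero-pad lengths 1..max_pad that make the padded image verify
    under the original signature. With a 256-bit digest this is 0: padding
    changes the digest just like any other edit."""
    return sum(1 for n in range(1, max_pad + 1)
               if hmac.compare_digest(sign(stage.image + b"\0" * n),
                                      stage.signature))


if __name__ == "__main__":
    print(boot(stock_chain()))
    print(boot(tamper(stock_chain(), "boot", b" + su")))
    print(boot(tamper(leaked_aboot_chain(), "boot", b" + su")))
    print(boot(tamper(stock_chain(), "system", b" + firewall")))
    print(padding_matches(stock_chain()[3], 2000))
```

With a verifying aboot the re-packed boot image halts the chain at `boot`; with the non-verifying aboot the same image boots, and a modified `/system` is caught by the kernel stage, which is the L18 answer in the first thread.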
Thanks for the info. This is very informative. I had already in my own mind decided that Samsung sucked, but hearing someone else say it is refreshing!
Sent from my SCH-I535 using Tapatalk

Bounty for unlocking bootloader for vs990 (progress has been made)

Good afternoon people of XDA,
Today is the dawn of a new day. A day where we begin the road to unlocking the bootloader of something that many believe is unlockable. Me and a few other users are starting a bounty to bring the incentive to life for all active developers. You can find my previous thread here. Now, when I say progress has been made, I mean that we have gotten into fastboot, we have donation incentives and we already have root, so our tools are there; we just have to find the exploit. Every day people are finding new exploits, furthering our cause into reaching our goal. Now, to the developers who want to pursue this: I've very much tried to get active commands in fastboot, but basically it's just a dead fastboot for right now. The board on this phone and the technologies behind it are so similar to its predecessors that something's got to give. If you are interested in this cause, i.e. donating or deving on it, please contact me here, or email me at [email protected]
This is in our grasp, friends. Spread the word, grab your fellow developers and let's get this thing to be a free wad of cash for whoever can bust it. Let's do this.
Attached is the spreadsheet for the current donations.
This kind of thing never works... I mean, you make a donation and the people behind the scenes, when getting high values like $400-500, buy a new phone and move on, leaving the desired phone's development in the trash!!
Noooo, people should see: if a year-old phone never came to life in development in the first 6-8 months, then the development for it is dead, and if you like to customize the phone and flash things you need to move to a more flash-friendly device!
I have to agree with this. The T-Mobile version has an unlocked bootloader yet barely any development. What would make me think that unlocking the VS990 bootloader would all of a sudden spur development?
I personally (and I think many other users) don't really need cooked roms. With gravity box, xposed and some other apps, I can "cook" my own rom (and believe me, it won't be that hard). All we need is a method for rooting. Using an android without rooting is even worse than an iphone without jailbreaking since iphones are undoubtedly smoother
Indeed, a rooting method for versions above MM is the most important thing for us, rather than flashing a custom ROM. However, system-less root is needed to root MM or above, and this requires modifying boot.img; therefore, bootloader unlocking is needed, unless we have found a way to sign the modified boot.img to deceive the official bootloader.
What did you mean by "unless"? Have you found evidence that the MM bootloader is unlockable or not?
I mean even if the bootloader is not unlockable, some things can be done to let us perform the same things just as if the bootloader were unlocked.
For example, some devs on the G2 and G3 released a tool called "Bump!" before, which can sign any third-party image and let it run on the official locked LG bootloader.
source: http://forum.xda-developers.com/lg-g3/orig-development/bump-sign-unlock-boot-images-lg-phones-t2935275
But of course, since LG have fixed the bug, we can no longer do the same tricks now.
In China, there is someone named ??? who has an LG tool; this tool can unpack and repack KDZ/TOT and add root in the TOT.
This is weibo id http://m.weibo.cn/u/1684239753
Need help
Hey, So I've been working to be able to get root, so far I have added root to the system.img and that's all done, I need this tool to be able to repack. Can anyone, or you, contact him and get this tool? This would be so helpful for me to get root and release it!!!!
What version of Android are you going to add root to? I wonder, because you cannot simply add root in /system after Android 6.0.
I'm trying different things, but I still need to figure out how to repack a TOT to find out what's going to work!! Does anybody know how to get that application?
For MM, unless you've found a way to get the SELinux context needed, repacking the system image will not work.
anyone having any luck with rooting MM?
I think at this point what we really need is a small set of testers who have a good insurance policy on their phones and are willing to risk bricking their phones. We've got the outline of a method which looks viable, but the details haven't been worked out and is hence likely to produce a few bricks before we get it working.
Sorry for dropping off the face of the planet for the past two months. In testing with my device it ended up being FUBAR after wiping my aboot completely, and with that the phone would not boot to anything but a black screen. I sent it in to LG and after some time they finally just replaced my motherboard. But the absolutely sad part is that they have me upgraded to 6.0, which absolutely is crushing my world. SO until further notice I will not be testing the unlocking of the bootloader anymore, but I will make efforts here in a few weeks to start work on rooting the device. @alvislee[email protected]

Mandatory unlocked bootloader for rooting?

Hi everyone.
I'm thinking of buying a phone from CAT (CAT S42) and I'm not sure if I can unlock its bootloader. But I've seen on another forum that the CAT S31 has root available for it through Magisk, and I didn't see anyone mentioning having unlocked the bootloader. The S42 has a MediaTek chipset and the S31 has a Qualcomm chipset, if that helps.
So my question is: is unlocking bootloader MANDATORY to root a device? Can I just run a custom recovery, root the phone with that, and then the recovery gets overwritten on system boot? Or can I root through USB debugging without even needing custom recovery?
The CAT S31 I mentioned was rooted with Magisk, and as I said, I didn't see anyone talking about unlocked bootloader. But I also read Magisk changes the boot partition and the bootloader checks if it was modified. So I'm a bit confused with this too. It's also written that MiracleBox was used and I'm not sure that's the reason that I'm getting confused or not (I had never heard of this tool until now).
A set of software for obtaining ROOT privileges.
Driver_Qualcom_m.7z (9.27 MB) [link]
Enter HS-USB QDLoader 9008 mode from the powered-off state by holding Vol+ and Vol- and connecting to USB without releasing them
MiracleBox [link]
The Boot image is processed on the phone by the Magisk manager, then uploaded to the phone using Miracle again from the computer.
MagiskManager-v7.3.2.apk (2.71 MB) [link]
Just in case,
Backup firmware without /data partition
Attached files
XposedInstaller_3.1.5-Magisk.apk (2.96 MB) [link]
How may they have done that?
I'm sorry, I don't understand a lot of the root requirements part, since I was lucky and my 1st phone had the bootloader unlocked already for some reason, and the second was as easy as writing a single command. But about this phone there's almost nothing and I'd like to know the general idea about this. If it's really necessary to have the bootloader unlocked, for example. And if it's not, then what methods can I use with it still locked?
Thanks in advance for any help!
Hello DADi590,
Unfortunately I can't answer all of your questions about the S42. I have one of them and I am also looking for and confused with root procedures. But I can tell you that unlocking the bootloader was just a matter of getting developer options on (tapping the version # 10 times), and inside you can toggle lock/unlock bootloader...
How to root it safely is what I do not know yet.
good luck!
@DADi590
Rooting the Android OS of a device in practice is nothing more than adding the su cmdlet known from Linux OS to the Android OS. Rooting Android OS in no case requires the device's bootloader to be unlocked to do so.
FYI: The bootloader of an Android device is comparable to the BIOS of a Windows computer.
Actually, after some time I decided to leave CAT alone and buy a Blackview one. If I'd break the phone, at least it wouldn't be as expensive as the CAT S42 (I bought a BV9500 - not Pro or Plus, the normal one).
Since then (with help of adventures with a tablet of mine) I've learned some more things. One of them I was suspecting and was now confirmed (thank you @jwoegerbauer) which is to root the device, just a binary file is needed to be on the correct place: su. I didn't know it was on other Linux OSes though. Interesting!
So the idea is that just a recovery must be installed to root a device. That's it and nothing else, I believe. To install the recovery is the part where one might need to unlock the bootloader - or not, if the chipset manufacturer left a tool to write partitions directly, like MediaTek or Rockchip. On these 2 it's possible to write partitions directly with a locked bootloader (this means the bootloader on my 1st phone was and still is probably locked - like my BV9500 one is, and I flashed various partitions on it already, one of them, a TWRP recovery).
This explanation is for anyone else like me who would have this question. Bootloader is just to flash partitions and I think run modified ROMs too, but not too sure about that (I never use custom ROMs). [Btw, if I said something wrong, I'm happy to be corrected!]
I believe I asked this because I prefer that it's not required to unlock a bootloader to do stuff. If you screw the phone somehow with the bootloader locked and there's no tool to flash partitions on it and you must be on fastboot with an unlocked bootloader or whatever, you just bricked the phone. And I'd prefer that not to happen. That's why I chose to buy phones that don't need me to unlock the bootloader to do anything on them. That might mean I can't ever brick them (at least I never bricked my 1st phone with the various things I did on it which I later found out not being recommended at all XD).
I've unlocked the bootloader on my Cat S42. Can be done.

ROOT and/or TWRP without bootloader unlock?

Has anyone been able to successfully root or flash TWRP using QPST/QFIL without unlocking the bootloader on lmi?
I'd be surprised.
What is the problem?
hey @NOSS8
I'd be surprised too lol.
No problem really, I came across some info and went down a little rabbit hole and arrived at the conclusion that it seems to be possible to have root on a locked bootloader, but the key is apparently some "firehose" programmer files that I can't seem to find anywhere, which when used in conjunction with QPST and a device in EDL mode would in effect allow modification of the boot.img for the sake of rooting the device.
I'm still trying to find out more because I read some time ago about how Android verified boot works, so I am sceptical, especially when the people that seem to be doing it on YouTube are those that unlock devices for a living or are just enthusiasts; both parties seem to lean toward it being possible without any specialised equipment/box/dongle, with a success rate depending on flashing order.
So I started searching for the possibility of it being done on lmi.
jason88fr said:
hey @NOSS8
I'd be surprised too lol.
No problem really, I came across some info and went down a little rabbit hole and arrived at the conclusion that it seems to be possible to have root on an unlocked bootloader but the key is apparently some "firehose" programmer files that I can't seem to find anywhere, which when used in conjuction with QPST and a device in EDL mode would in effect allow modification of the boot.img for the sake of rooting the device.
I'm still trying to find out more because I read some time ago on how android verified boot works, so I am sceptical especially when the people that seem to be doing it on youtube are those that unlock devices for a living or are just enthusiasts, both parties seem to glean toward it being possible without any specialised equipment /box/dongle with a success rate depending on flashing order.
So I started searching for the possibility of it being done on lmi.
You say "with a locked bootloader" and then the opposite, typos?
Possible with a MediaTek soc device, not Qualcomm.
Finally to flash in EDL mode you must have a special authorization that only repair centers have.
A few years ago it was easy to access and modify the system, then there were the dynamic partitions, then the A/B partitions and the limitations imposed by GOOGLE with A12 A13.
On YouTube you can find everything and anything, unlike XDA.
An example here, of useless persistence.
https://forum.xda-developers.com/t/flashing-edl-problem.4534297/
yep it was indeed a typo.
I did see a lot of MTK stuff.
Fair enough.
Also, "useless persistence" I believe is the main cause of so many bricks in forums I've seen in the last couple days chasing the same dream.
