[G975U] DISCUSSION on Root/BL Unlock - Samsung Galaxy S10+ Guides, News, & Discussion

Hello!
I just picked up a SM-G975U to play with.
Before you get your hopes up, Root and BL Unlock is NOT POSSIBLE on USA variants at this time!
I created this discussion so those willing and able can brainstorm with me with hopes of achieving root or unlock.
Now I wouldn't be creating this thread if I didn't think it was possible, or without some form of teasers.
Don't ask me how, but flashing combo is possible. I cannot and will not share the method/files, as they are not mine to share.
I noticed on combo this time around that if you toggle OEM unlock there is a tag that says "OEM Unlocked" when you enter download mode. When you long press vol up it also takes you to the unlock screen. After pressing vol up to accept, it reboots and wipes data.
I am not sure of the steps after this, but so far I haven't been successful in flashing modified firmware. It is possible this is just visual, but I feel this is closer than any past device I've owned. Anyone with know-how on where the flash lock bit is stored would be of great help.
I should be able to flash some partitions after modifying them, such as vbmeta or dtbo etc., to hopefully unlock the BL, if I only knew what to modify.
This is not a how-to or dev thread, so don't expect me to share any files. It is merely to discuss how the BL is unlocked on SD S10 devices, to hopefully lead to an unlock down the road.
To my understanding, toggling OEM unlock sets a bit that tells the system that OEM unlocking is allowed, as well as disabling security such as FRP. This persists across reboots, firmware flashes, etc.
After that, in DL mode there is a tag that also says the device is OEM unlocked. At this point you need to hold vol up to actually OEM unlock the device.
After this I am unclear. We should be able to flash custom firmware, at which point the verified boot state will be orange and the flash lock bit is 0. In my case, verified boot state is still green, flash lock is still 1, and flashes fail unless officially signed.
I know the dtbo is related to verity and vbmeta to verified boot, Vaultkeeper to rlc. Then you have metadata, a few "keys" related partitions, etc.
What is everyone's take on this? Any ideas/suggestions are greatly appreciated in advance!

some screens

Welcome aboard! Appreciate all your work from the Note9! Kudos

Hey OP, I know you from somewhere.... Epic Touch 4G forums?? I can't remember what device you had, but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we got SD, which is different, but maybe a shot?

krazy_smokezalot said:
Hey OP, I know you from somewhere.... Epic Touch 4G forums?? I can't remember what device you had, but anyway, great to see you here. You think maybe chatting with the people that got root on Exynos may point you in the right direction? I know it's Exynos and we got SD, which is different, but maybe a shot?
Haha, I did own an Epic 4G Touch back in the day.. was more lurking way back then, but who knows lol.
For an update, no luck yet lol. Been messing with combo on the G975U, but no easy way in yet. I have managed to change some stuff on efs and other partitions.
The binary checks Sammy implemented starting in the S9 devices suck.
I am still looking though.

I now have uid 1000 access.. with how SELinux contexts and ownership are in Pie though, I can only access stuff that is mounted rw and system user/group, which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.
Dev block wise I can access the persistent and steady partitions.. other than that I can write to the ones that are already mounted.
uid 1000 is a step in the right direction though... beats the shell 2000 uid.

Not to mention the method for uid 1000 should be there on any Sammy device with combo firmware lol.

Hi, is there anything I can do to help at all? If so, I am willing. I have found some stuff online as well and posted it in a different post, but I can share it here if you are interested.

I am definitely interested in learning more and being a part of this convo, fellas! I have been in the business for at least 8 years now and want to learn the next step, which is how to navigate around the S10/S10+ security features. Anyone mind showing me a few ropes, please?

elliwigy said:
Not to mention the method for uid 1000 should be there on any Sammy device with combo firmware lol.
This is similar to the techniques used to write IMEI on CPID phones. Can you share the scripts you use for temp root?

Chibisuke1219 said:
Hi, is there anything I can do to help at all? If so, I am willing. I have found some stuff online as well and posted it in a different post, but I can share it here if you are interested.
Any good reads are welcome!

Vell123 said:
This is similar to the techniques used to write IMEI on CPID phones. Can you share the scripts you use for temp root?
There are no scripts lol. I can't share the method or files to get to combo.
An update, however: I noticed that with system privileges you can access the efs folder.
I found a way to pass kernel cmdline to the bootloader to set ro props.
I am still messing with it and need an RMA, as I messed up my efs and can't get cell service now lol.

Will the S10+ Snapdragon get root / Magisk anytime soon?
Sent from my MI 8 using Tapatalk

Vuska said:
Will the S10+ Snapdragon get root / Magisk anytime soon?
Who knows lol. Similar to the N9, it seems like I'm the only one working on it lol.
Currently stuck in a boot loop, as I found an exploit for kernel cmdline injection and set ro.secure=0, which it didn't like. I didn't read the info Sammy posted on new security in the S10 lineup, around additional security in RKP and Knox Verified Boot. It is not the same as, say, Pixel devices, as they added onto it.

I was told in the other thread that what I had found was more than likely BS, but if you still want the link I can give it. I am also still willing to use my phone to help if you need it.
Edit: switching phones, sorry guys, but keep working hard. I will keep looking for new S10+ finds even though I won't have it, and I'll keep you updated with whatever I find.

Try and flash G97500. I know on older devices it would boot if you used FlashFire; not sure if you can dd it or not. Odin probably won't like it, but worth a try: just make a system tar and flash it. But you would also need that combo firmware.

I'm rockin' the s10+ (am g975u)....
I want root!
I will make pwnage!
Stay tuned!

Ph3n0x said:
Try and flash G97500. I know on older devices it would boot if you used FlashFire; not sure if you can dd it or not. Odin probably won't like it, but worth a try: just make a system tar and flash it. But you would also need that combo firmware.
Won't work.. secure check fail, since it is signed with different keys.

elliwigy said:
I now have uid 1000 access.. with how SELinux contexts and ownership are in Pie though, I can only access stuff that is mounted rw and system user/group, which so far is cache, carrier, efs, data, qdmdbg and various files spread throughout.
Dev block wise I can access the persistent and steady partitions.. other than that I can write to the ones that are already mounted.
uid 1000 is a step in the right direction though... beats the shell 2000 uid.
Since you have UID 1000 access, wouldn't you be able to dump the partitions off the phone?
If so, why not dump each of the writable partitions and then compare checksums/bits before and after doing the unlock?

I have the g975u and am willing to help however

Related

Root for AT&T N920A.

I know this is not the right place to ask. I need to know. Do we have developers working on root for this model?
Sent from my SAMSUNG-SM-N920A using Tapatalk
Yes and no... still having bootloader issues!
And yes, wrong place... this post belongs in Q&A!
We need a firmware release so we can restore afterwards. Till then no one really wants to try, because just messing with options in recovery disables the phone.
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=N920
Will firmware release happen for our model?
Sent from my SAMSUNG-SM-N920A using Tapatalk
amwbt said:
Will firmware release happen for our model?
Sent from my SAMSUNG-SM-N920A using Tapatalk
AT&T has to, because it's open source. They can, however, keep it for like 6 months to a year or something. With the crackdowns on root by AT&T and Verizon it might be a long wait with the locked bootloader, sadly, and we need a custom kernel to get root, and we can't flash kernels with a locked bootloader. Just watch the website I linked, and when we get our firmware then we can possibly expect root and someone to try and unlock the bootloader. I'm not sure if there is an "anti root" in the AT&T phone, because I'm not going to lose my phone. I already had to return it for warranty due to a defective screen and S Pen. Look at how long it takes the new iPhone software to get jailbroken.
TechNyne66 said:
AT&T has to, because it's open source. They can, however, keep it for like 6 months to a year or something. With the crackdowns on root by AT&T and Verizon it might be a long wait with the locked bootloader, sadly, and we need a custom kernel to get root, and we can't flash kernels with a locked bootloader. Just watch the website I linked, and when we get our firmware then we can possibly expect root and someone to try and unlock the bootloader. I'm not sure if there is an "anti root" in the AT&T phone, because I'm not going to lose my phone. I already had to return it for warranty due to a defective screen and S Pen. Look at how long it takes the new iPhone software to get jailbroken.
Needing a custom kernel for root is actually a false statement. A custom kernel is not needed to get root for this device. The AT&T S6 for example got root without the bootloader being unlocked or a custom kernel.
Which leads me to the bootloader being unlocked. There is probably a 100% chance that we don't get an unlocked bootloader for this device. It's extremely difficult and there hasn't been an AT&T device in a very long time that has had it unlocked.
And since we would need that for a custom kernel and aosp roms, those things will probably never happen unfortunately.
The very best we can hope for is root and a recovery like FlashFire like the S6 got. And even then we would be limited to only Touchwiz roms.
We will more than likely need a custom kernel with permissive set. AT&T and Verizon are saying there's anti-root, and that would be in the kernel and would need to be killed. If we do obtain root with the stock kernel, the phone is said to not boot.
http://www.idigitaltimes.com/samsun...d-features-att-and-verizon-models-wont-468357
It is one of those things where they're will be zero development until some Uber-geek cracks the bootloader issue. Then there will be 20 devices or more that will be released from developer quarantine...
Sent from my SAMSUNG-SM-N920A using Tapatalk
AOSP will never happen without unlocked bootloader.
I do have hope for a root such as Ping Pong. Honestly, with how clean these phones ship nowadays, all I want root for is to replace emojis with iOS style throughout the system so I can grasp more context from my text messages lol. Also, LCD Density change would be nice too.
Is there anybody working on root for this phone?
Sent from my SAMSUNG-SM-N920A
Have no need for root either except for xposed. Only want root for like 4 xposed modules.. Otherwise this device is nearly perfect
I need to change my DPI.
Sent from my GT-N7100 using Tapatalk 2
Planning on getting this phone today..
I have rooted and installed ROMs on almost every phone I have owned and really hope that eventually a safe way of rooting is obtained.
jellybear456 said:
a safe way of rooting
heh. I know what you mean, but I'm grumpy this morning so I'm going to pick this apart anyway.
If root is found on a boot loader locked device, it's usually via an exploit... Basically, most rooting mechanisms are similar to computer viruses. Sure, most of them are controlled viruses, but they exploit and expose security holes that something malicious could use just as easily. Instead of copying a "su" binary, that same exploit could install something that uploads your private data somewhere, or monitors the android keypad entry when you type credit card numbers, etc.
Don't get me wrong... I don't think that most of the root exploits here on XDA are doing that... but any time you use one, you should seriously consider that it might be. It would only take a single mishap to completely destroy your life outside of XDA.
To that end, you should REALLY pay attention to the entire filesystem both before and after an exploit is applied. See what files, if any, are modified and/or added. If an exploit adds a "su" binary (which most of them do), try to replace that "su" binary with one from a trusted source BEFORE you put personal data on your phone. Never "root" a device that has any data on it.
Remember that no matter what precautions you might be taking, a rooted device has a lower level of security than one that isn't. Not only have you added a "simple" root mechanism, but you likely had to defeat the security mechanisms that are part of the security enhanced linux kernel. (There are exceptions to this, of course, but I've never seen the exceptions here on XDA or any other sites that aren't focused on security.)
If this message made you a bit more paranoid, that's a good thing. You should be paranoid about it. I'm not saying not to do it, and I'm certainly not saying that XDA is overflowing with malicious code...
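The "compare before and after" check comes up twice in this thread: dumping the writable partitions and comparing checksums around an unlock attempt (the UID 1000 discussion above), and garyd9's advice to watch the entire filesystem before and after a root tool runs. The script below is an added example, not code from any poster; it takes a baseline of a file tree (a pulled copy of /system, or a directory of raw partition dumps, hashed the same way), takes a second one later, and reports what was added, removed or modified, plus anything that ended up setuid. The sample tree it builds in a temp directory is constructed for the demo.

```python
import hashlib
import os
import tempfile

# Added example: baseline-and-diff of a file tree or of raw partition dumps.
# Not part of the original posts; the sample tree in demo() is constructed data.

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB partition images stay cheap on RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file (or of a raw block-device dump)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk `root` and record (sha256, size, permission bits) for every regular file.
    Symlinks are recorded by their target string and not followed, so a link
    dropped to point at a planted binary still shows up as a change."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if os.path.islink(full):
                snap[rel] = ("symlink:" + os.readlink(full), 0, st.st_mode & 0o7777)
            else:
                snap[rel] = (sha256_file(full), st.st_size, st.st_mode & 0o7777)
    return snap


def diff_snapshots(before, after):
    """Classify every path as added, removed, or modified (content, size or mode)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def setuid_files(snap):
    """Paths whose mode carries the setuid bit: the usual footprint of a dropped 'su'."""
    return sorted(p for p, (_h, _s, mode) in snap.items() if mode & 0o4000)


def demo():
    """Constructed scenario: a tiny 'system' tree before and after an untrusted
    rooting tool runs. Returns the diff plus the setuid list for inspection."""
    root = tempfile.mkdtemp(prefix="fs_baseline_")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "toybox"), "wb") as f:
        f.write(b"\x7fELF original toybox\n")
    with open(os.path.join(root, "etc", "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    before = snapshot(root)

    # Simulated changes: a new setuid 'su', an appended hosts file, toybox untouched.
    su = os.path.join(root, "bin", "su")
    with open(su, "wb") as f:
        f.write(b"\x7fELF planted su\n")
    os.chmod(su, 0o4755)
    with open(os.path.join(root, "etc", "hosts"), "ab") as f:
        f.write(b"10.0.0.1 example.invalid\n")
    after = snapshot(root)

    result = diff_snapshots(before, after)
    result["setuid"] = setuid_files(after)
    return result


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice you would run snapshot() on a host-side copy (an adb pull of the readable tree, or the directory where dd'd partition dumps were saved), save the result as JSON, and diff it against a second snapshot taken after the tool or unlock attempt; the unchanged toybox in the demo shows that the report stays quiet for files that really were left alone.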
garyd9 said:
heh. I know what you mean, but I'm grumpy this morning so I'm going to pick this apart anyway.
If root is found on a boot loader locked device, it's usually via an exploit... Basically, most rooting mechanisms are similar to computer viruses. Sure, most of them are controlled viruses, but they exploit and expose security holes that something malicious could use just as easily. Instead of copying a "su" binary, that same exploit could install something that uploads your private data somewhere, or monitors the android keypad entry when you type credit card numbers, etc.
Don't get me wrong... I don't think that most of the root exploits here on XDA are doing that... but any time you use one, you should seriously consider that it might be. It would only take a single mishap to completely destroy your life outside of XDA.
To that end, you should REALLY pay attention to the entire filesystem both before and after an exploit is applied. See what files, if any, are modified and/or added. If an exploit adds a "su" binary (which most of them do), try to replace that "su" binary with one from a trusted source BEFORE you put personal data on your phone. Never "root" a device that has any data on it.
Remember that no matter what precautions you might be taking, a rooted device has a lower level of security than one that isn't. Not only have you added a "simple" root mechanism, but you likely had to defeat the security mechanisms that are part of the security enhanced linux kernel. (There are exceptions to this, of course, but I've never seen the exceptions here on XDA or any other sites that aren't focused on security.)
If this message made you a bit more paranoid, that's a good thing. You should be paranoid about it. I'm not saying not to do it, and I'm certainly not saying that XDA is overflowing with malicious code...
Yes, I do realize that rooting a device often does take advantage of any security holes found, and I also realize that there is no, in the literal sense, "safe" way to root a phone, considering it is exploiting security flaws. Personally, I have never had the issue of having something malicious on my phone after rooting (at least not to my knowledge).
By "safe" I meant a way to root without having the phone locked down and unable to boot. I am not worried about AOSP ROMs as I am completely content with using an AOSP themed launcher. But I would love to be able to uninstall bloat, ad block, greenify/amplify etc.
But I do appreciate your input on the subject as I have never put much thought into the security of the phone before and after root, or replacing the su binary with one from a trusted source or checking if it is from a trusted source.
It is also great to see someone else on the forums from Pittsburgh:highfive:
I have n920a. Please share the path to rooting this phone.
When will it be possible to root the Samsung Galaxy Note 5 N920A?
Possible way to root?
I don't know if this would work. But what about flashing one of those new root.tar eng kernels, then manually pushing the su binary and SuperSU apk onto the phone, then reflashing the stock kernel? I'm just intermediate at all this stuff. So idk if it would work or if this is stupid.
vahalaru said:
I don't know if this would work. But what about flashing one of those new root.tar eng kernels, then manually pushing the su binary and SuperSU apk onto the phone, then reflashing the stock kernel? I'm just intermediate at all this stuff. So idk if it would work or if this is stupid.
It's possible, after flashing the eng-boot do this:
adb shell mount -o rw,remount /system
Then manually push SuperSU to system, or install King/Kingo Root
Just be careful this is still a tethered root.
I have posted a tethered root process that Michael31 found in the AT&T S6 section. It works, and you can get reboots with hot booting. The locked bootloader causes issues with the kernel, which needs added commands on hard boot to change to permissive mode. A few of us have tried to fix this issue and haven't found any way yet.

Do google know that we've unlocked the bootloader?

Do google know that we've unlocked the bootloader? (as Sony do as they ask for email adresses etc and confirm the ulock)
Wondering about warranty.
There is a notice that unlocking the bootloader may violate the warranty. The thing is, it is stated in a somewhat vague manner; it is not like "CAUTION, YOU ARE ABOUT TO VIOLATE WARRANTY", but rather worded like you may be in violation of warranty. Anyway, I think it does violate it, and yes, there is most likely a software switch that sets a value in a hardware register which can be read back to determine that the bootloader was unlocked. If you have the least bit of concern, do not unlock.
dkryder said:
There is a notice that unlocking the bootloader may violate the warranty. The thing is, it is stated in a somewhat vague manner; it is not like "CAUTION, YOU ARE ABOUT TO VIOLATE WARRANTY", but rather worded like you may be in violation of warranty. Anyway, I think it does violate it, and yes, there is most likely a software switch that sets a value in a hardware register which can be read back to determine that the bootloader was unlocked. If you have the least bit of concern, do not unlock.
Ok thanks.
One last google noob question; does rooting usually need an unlocked bootloader?
On xperia root is more difficult to achieve with a locked bootloader, but can be done, thanks to the devs.
I guess I will read the 6P thread to get a feel for the situation.
Cheers again.
I do not know if it is possible; in practice, as far as I know, it is necessary to unlock if any modification is wanted. Recently it is popular to gain root without modifying the /system partition. Hopefully that is what is achieved with the Pixel C.
Edit: never done this, but: fastboot boot recovery recovery.img, then flash a superuser from the temp recovery. However, it seems you would still be restricted from modifying /system
in future.
dkryder said:
I do not know if it is possible; in practice, as far as I know, it is necessary to unlock if any modification is wanted. Recently it is popular to gain root without modifying the /system partition. Hopefully that is what is achieved with the Pixel C.
Edit: never done this, but: fastboot boot recovery recovery.img, then flash a superuser from the temp recovery. However, it seems you would still be restricted from modifying /system
in future.
If you use fastboot boot then you do not need to specify a partition (only if using fastboot flash *partition* image.img).
The device is still very new, but I'm sure a custom recovery will be released soon so an easy root can be achieved.
Mark.
mskip said:
If you use fastboot boot then you do not need to specify a partition (only if using fastboot flash *partition* image.img).
The device is still very new, but I'm sure a custom recovery will be released soon so an easy root can be achieved.
Mark.
I sure hope so. That's one of the only things keeping me from buying it already. It's kind of worrisome that the development forums are almost completely dead (save for the one thread trying to get root without a custom recovery, of course). I guess I'm just spoiled by using only Nexus devices, so having very active development is usually the norm.
Well, the thing was only a rumor about the sales start, up until a report on a German site on 12/5 or so that sales would start 12/8, and then on 12/8 a confirmation that at 1pm Eastern U.S. sales would begin. Talk about giving people decent notice about a device; this Pixel C was a new low for Google. It's almost as if they decided to sell them as an Android tablet at the last moment instead of tossing them in the trash as a complete failure as a Chrome OS tablet, so, yeah, it will take a while for anyone that has the skill to develop for this device to ante up the funds and take delivery. If the bootloader remains locked and you boot a temp recovery to flash SuperSU, does that restrict the root in any way? I am just curious about this, as my bootloader is unlocked.

Droid Turbo 2 Lets figure out how to get root

This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS as risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Exploit found for Turbo 2 that can grant root access
Given the widespread impact of this exploit, it is likely other device owners are going to try to implement this exploit as well. Please post here if you find any implementations for other devices as it may be usable for the Turbo 2.
It has been confirmed that Quadrooter can exploit the Turbo 2: http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
Four vulnerabilities (CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, CVE-2016-5340)
And just an FYI:
"ALLOW OEM UNLOCKING" DOES NOTHING ON THE DROID TURBO 2
windraver said:
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS as risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
I have installed one-click root (I got it through another site, not from them) and it sometimes says failed to root, but other times, it goes through the process, says it's done and to reboot, but when rebooting it does not have root. I have tried running other apps, like King Root, or Root Genius, or half a dozen others to get it to root, after getting one-click to say it has rooted it. Not sure if this will help or not, and honestly, I'm to the point, I'm ready to give up and do something different. I WILL NEVER buy another Verizon phone, ever! I may not drop them as a carrier, but I wont be keeping their crappy locked junk.
brannonwj said:
rant
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
not a rant
Techn0Luigi said:
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
That wasn't a rant about how I didn't do any research. IT was a what I did that might lead to someone having an idea of how it might help.
Don't be a jerk.
mr_verystock said:
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
Can you explain the QHSUSB_DLOAD more?
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match magic key (.hex) then booting fails. Most of the stuff turn off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that is used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contains the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
They rooted the phone in China , they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
mr_verystock said:
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match magic key (.hex) then booting fails. Most of the stuff turn off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that is used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contains the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
I'd like to see a Verizon phone rooted. That is the version I have and most in the U.S. have as well.
Sent from my XT1585 using Tapatalk
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
The godless app is a hack that steals your data. If it did work, (which from what I understand it only works on 5.1 and below) you'd risk your personal and financial data being stolen and sold.
Alaadragonfire said:
They rooted the phone in China , they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
Any luck in contacting the seller on how it is rooted?
I'm sure they use stolen Lenovo/Motorola factory development "engineering" software which unlocks the bootloader. It's the same phone as the Moto X Force but with locked down bootloader.
There were similar Droid Turbo phones being sold with unlocked bootloader a year ago in China, months before the Sunshine exploit was found.
gizzardgulpe said:
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
I don't have my DT2, but here is a link to one of the apps in case someone wants to try
https://apkpure.com/summer-flashlight/com.foresight.free.flashlight?hl=en
I'm usually just lurking here and grab Roms and exploits when they pop up, but I have something to add. Has anyone unlocked the developer settings? There's a toggle named 'oem unlocking' with a subtext of 'allow the bootloader to be unlocked'. Does this mean the bootloader can be unlocked? Last Verizon phone I had was a g3 and only way to gain a faux unlock was to use 'bump' to install twrp. Could this be possible with the turbo 2? I'm not a coder or anything, but just trying to add to the think tank here
This setting does nothing.
damkol said:
This setting does nothing.
There really should be a sticky saying "ALLOW OEM UNLOCKING DOES NOTHING ON THE DT2"
Droid turbo 2
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Rhydenallnight said:
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Crack the case, hook up some leads (microscope) and dump the memory for the bootloader is the only thing I can think of. Don't know if that is even possible with that memory. It's probably integrated with other stuff.
Sent from my XT1585 using Tapatalk
Update: Oh yeah, it's encrypted. Guess that won't work.
Found something. Does anyone know if this vulnerability exists on the Droid Turbo 2?
CVE-2015-1805
http://www.computerworld.com/articl...itical-android-root-vulnerability-itbwcw.html
There is a proof of concept out there. Has anyone tried it?
https://github.com/dosomder/iovyroot

JTAG G4?

Alright, let me preface this with a few things... I am FAR from new to android, rooting, linux, exploits, or almost anything embedded (UART, JTAG, SPI, I2C, etc...). I am by no means a guru though...
I am attempting to root this device; it is an unlocked LG G4 US Cellular branded, MM 6.0 lgus991 22a rollback 2, and I am so far at a total impasse... I'll explain my situation.
No fastboot.
Bootloader is locked, and I cannot unlock it. If I try and check "Enable oem unlock" it unchecks itself, and reading through the dmesg it references a file stating two errors; one for lack of permissions, and another for no file (same filename though; likely trying to create the file, being denied, then trying to edit a non-existing file). I forget the exact file name but I have the name of it saved somewhere (persis1234 or something like that, I just don't remember the exact path, I can post it later if it makes a difference).
I have had minor success with the dirtycow exploit, but mostly just replacing files and nothing getting anywhere, or the phone quickly reboots if I replace certain system files (ifconfig, toybox, toolbox, etc...). When it works, it says I have root, but it is VERY limited due to selinux, and the context. Also unable to get a root shell open.
Selinux is protected and I haven't been able to find a way to make it permissive as of yet. Past attempts of editing the recovery or init have resulted in "secure boot error 1003"; phone reboots, and then still stock...
If I grenade this thing, I will only slightly give a f**k. I am not above pulling this thing apart and trying to JTAG my way in if I need to, as it is not my only device. Which seems to me to be the only way at the moment aside from finding another kernel exploit like dirtycow or rowhammer... Unless someone else has another idea, but for now I am going to pursue the JTAG route.
Would something that I already own like a buspirate, RPI, or Arduino Mega, be enough or would I need something like a busblaster? I just don't want to spend more than I need to. I'd rather spend the money on a new phone than something like a medusa pro or something like that.
Any help is appreciated
Why not flash a TOT and then proceed with the unlock through the LG unlock tool? Maybe it fixes the fastboot issue.
aanarchyy said:
Alright, let me preface this with a few things... I am FAR from new to android, rooting, linux, exploits, or almost anything embedded (UART, JTAG, SPI, I2C, etc...). I am by no means a guru though...
I am attempting to root this device; it is an unlocked LG G4 US Cellular branded, MM 6.0 lgus991 22a rollback 2, and I am so far at a total impasse... I'll explain my situation.
No fastboot.
Bootloader is locked, and I cannot unlock it. If I try and check "Enable oem unlock" it unchecks itself, and reading through the dmesg it references a file stating two errors; one for lack of permissions, and another for no file (same filename though; likely trying to create the file, being denied, then trying to edit a non-existing file). I forget the exact file name but I have the name of it saved somewhere (persis1234 or something like that, I just don't remember the exact path, I can post it later if it makes a difference).
I have had minor success with the dirtycow exploit, but mostly just replacing files and nothing getting anywhere, or the phone quickly reboots if I replace certain system files (ifconfig, toybox, toolbox, etc...). When it works, it says I have root, but it is VERY limited due to selinux, and the context. Also unable to get a root shell open.
Selinux is protected and I haven't been able to find a way to make it permissive as of yet. Past attempts of editing the recovery or init have resulted in "secure boot error 1003"; phone reboots, and then still stock...
If I grenade this thing, I will only slightly give a f**k. I am not above pulling this thing apart and trying to JTAG my way in if I need to, as it is not my only device. Which seems to me to be the only way at the moment aside from finding another kernel exploit like dirtycow or rowhammer... Unless someone else has another idea, but for now I am going to pursue the JTAG route.
Would something that I already own like a buspirate, RPI, or Arduino Mega, be enough or would I need something like a busblaster? I just don't want to spend more than I need to. I'd rather spend the money on a new phone than something like a medusa pro or something like that.
Any help is appreciated
I am new to LG devices so perhaps this is a bit different (had mostly Samsung or HTC). But from what I can find, that won't help unless it's pre-rooted or my bootloader is unlocked. And I am unable to find a pre-rooted TOT. Unless I am just completely missing something here...
I am not trying to go to stock, the device is already stock and functions mostly alright (aside from the inability to add a Verizon APN, so I'm stuck with 3G). But I am also attempting to have a bit of a failsafe if I want to flash something I shouldn't have and still have a recovery option. Which is why I brought up the JTAG option, as I'm sure I would use it on more than just this device.
Not sure why you are attempting to reinvent the wheel with a device that has been out for 2 years....
LG devices are very different from Samsung and HTC. You should read up on the LGUP tool to flash .kdz and .tot file to put the device as close to stock as possible before any further attempts.
Could also look at entering hidden menu options via the dialer in order to select/modify apn settings.
TWRPinFish can be found here in the development section. Will likely be your only option if you cannot fully unlock the bootloader.
Since the Tmo and ATT/international versions allowed bootloader unlock, other variants didn't see as much support. Was easy for us... Sorry to say(for you).
Wish ya the best of luck though
Just a quick remark: could JTAG be used in such a way as to make the bootloader think it is something else and maybe trick it into doing something?
ElfinJNoty said:
Not sure why you are attempting to reinvent the wheel with a device that has been out for 2 years....
LG devices are very different from Samsung and HTC. You should read up on the LGUP tool to flash .kdz and .tot file to put the device as close to stock as possible before any further attempts.
Could also look at entering hidden menu options via the dialer in order to select/modify apn settings.
TWRPinFish can be found here in the development section. Will likely be your only option if you cannot fully unlock the bootloader.
Since the Tmo and ATT/international versions allowed bootloader unlock, other variants didn't see as much support. Was easy for us... Sorry to say(for you).
Wish ya the best of luck though
I don't really see this as reinventing the wheel as right now there is no root for this device, I am looking for a way to do it though. Which is why I was asking about JTAG/eMMc programming as a viable option to do this, especially if I may have a few borked flash attempts, it would be a nice fail-safe.
Most dialer codes do not work, and the few that do, pop up a menu saying "This program does not work on your phone"; even though I can see some info behind the toast, I cannot scroll and as soon as I click ok, it closes.
TWRPinFIsH is a no-go, need to be rooted and be able to disable SELinux, neither of which I can do.
The name of the file that stores the "oem unlock" seems to be /dev/block/platform/soc.0/f9824900.sdhci/by-name/persis1234
Would someone that is able to oem unlock be able to tell me what the contents of that file are?
aanarchyy said:
The name of the file that stores the "oem unlock" seems to be /dev/block/platform/soc.0/f9824900.sdhci/by-name/persis1234
Would someone that is able to oem unlock be able to tell me what the contents of that file are?
I own a T-Mobile h811
Running ResurrectionRemix Nougat
.../persis1234 not present
I have an LG H812 and I have the same as previous post - the directory is there but no persis1234 file. The directory you are indicating contains a list of the partitions that are present on the phone's internal memory.

Sony bootloader exploits and/or bypass

Hi
I'm new to the forum but have been doing a fair amount of research. I am stuck now though and would like a bit of help.
My situation is that I have a Xperia XA1 ultra (I know I should post in that device specific forum but not much seems to be happening there) I have a very specific problem that I have treated like a forensics problem.
The phone is locked by a pattern which has been guessed by another person so many times that the gatekeeper only allows one entry per day provided the phone is charged otherwise the timer resets.
It has not been rooted and ADB is disabled.
I have connected to it through fastboot and what I can gather is that it is running Android Oreo.
The system details are as follows:
Product: XA1 Ultra G3221
Build Number: 48.1.A.0.129
Chipset: Mediatek MT6757 Helio P20
Bootloader: Locked
My research has led me to the possibility of loading a recovery image into the RAM of the phone and accessing ADB that way. I tried this with a TWRP image but obviously it didn't work. There is a company called Cellebrite that claims to be able to load its own boot/recovery image into the bootloader and gain entry that way, however the license is something like £10,000. I'm definitely not a commercial customer.
The final option for me would be to dump the memory via JTAG or chipoff, the contents would be encrypted but I found a blog where somebody had managed to find the location of the gesture.key file while the system was encrypted. I can't remember what the site was called though, it took me ages to find last time.
My main questions are: does Sony sign the boot image with its own keys or does it use the standard Android Verified Boot?
Does Sony reuse the same keys for signing across devices? Likely not but maybe
Is there a way to send specific instructions to the RAM via fastboot?
Does anybody know of an exploit that could be used?
Is there a way to extract the boot.img and recover the Sony keys?
If there any other docs, resources or ways to get the data that could help, I will gladly read and/or try them. I think this forum is probably the biggest resource one though but after a while the specific information needed gets harder to find.
The main thing is that I don't unlock the bootloader and flash anything. It's all got to be live and non data damaging.
I tried MTPwn on the off chance that it would work but nope, it was a no go.
If there was a way to utilise the mediatek exploit to gain entry from fastboot that would be excellent, or to use fastboot to dump the memory.
Thanks for reading, I hope someone can help.
Your thread was quite confusing at first as I wasn't sure what to look for exactly :/
That being said, you have your phone locked and you want to unlock it. However you don't want to flash or reset your device, you don't have root permission, you don't have debugger mode on and you don't want to unlock the bootloader, correct?
Basically you're asking for the impossible...
All I can think of is FROST attack. See article for details and source code.
You can also send your device to your nearest Sony service center and they can probably fix it with no memory loss.
Other than that, you MUST hard reset your phone if you want it back.
However should you come to your mind and realize the reality of the situation where you shouldn't be picky about it then you can start with flashing custom recovery. Or using third-party programs like dr.fone.
XDHx86 said:
Your thread was quite confusing at first as I wasn't sure what to look for exactly :/
That being said, you have your phone locked and you want to unlock it. However you don't want to flash or reset your device, you don't have root permission, you don't have debugger mode on and you don't want to unlock the bootloader, correct?
Basically you're asking for the impossible...
All I can think of is FROST attack. See article for details and source code.
You can also send your device to your nearest Sony service center and they can probably fix it with no memory loss.
Other than that, you MUST hard reset your phone if you want it back.
However should you come to your mind and realize the reality of the situation where you shouldn't be picky about it then you can start with flashing custom recovery. Or using third-party programs like dr.fone.
Thanks for getting back to me, yes I realise it is asking for the impossible. I'll have a research around that article and see if I can find some information on how to write the program to dump the contents over USB. I tried Dr Fone but that only gave me the option of a hard reset.
My current line of attack is an exploit over USB called OATmeal, whereby a Raspberry Pi is used over OTG with a filesystem label of "../../data", it allows the filesystem of the phone to be mounted and data written off. It is a little complex and so I am struggling a bit with getting it to work. The team over at Project Zero have a good write-up of it so I'm following that and the POC at exploit-db to guide me through it.
I think I will be able to get the USB part to work but I'm not sure if I have to write a Java file to automatically run when /data is mounted, or if that's even possible.
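The OATmeal issue described in the post above turns an attacker-controlled volume label into a mount path. As an added illustration, not code from this thread or from Android's vold, the block below places the naive path construction beside a hardened validator so the defensive check is concrete. The mount root `/mnt/media_rw`, the function names and the sample labels are assumptions chosen for illustration.

```python
import posixpath

# Added example, not code from this thread or from Android's vold. The OATmeal
# write-up discussed above describes a volume label such as "../../data" being
# turned into a mount path that escapes the media directory. MOUNT_ROOT and the
# function names below are assumptions chosen for illustration.
MOUNT_ROOT = "/mnt/media_rw"


def naive_mount_path(label: str) -> str:
    """Vulnerable form: the untrusted label is joined into the path unchecked,
    so "../../data" normalises to /data, outside MOUNT_ROOT."""
    return posixpath.normpath(posixpath.join(MOUNT_ROOT, label))


def safe_mount_path(label: str) -> str:
    """Hardened form: reject labels that could alter the directory structure
    (empty, '.', '..', containing '/' or NUL), then confirm the normalised
    result is still a direct child of MOUNT_ROOT."""
    if not label or label in (".", "..") or "/" in label or "\x00" in label:
        raise ValueError(f"rejected volume label: {label!r}")
    candidate = posixpath.normpath(posixpath.join(MOUNT_ROOT, label))
    # Containment check (defence in depth): even if the filter above were
    # loosened, the resolved path must stay directly under MOUNT_ROOT.
    if posixpath.dirname(candidate) != MOUNT_ROOT:
        raise ValueError(f"label escapes mount root: {label!r}")
    return candidate


def classify_labels(labels):
    """Evaluate each label with both builders; returns a dict of
    label -> (naive_result, safe_result_or_rejection) for comparison."""
    results = {}
    for label in labels:
        try:
            safe = safe_mount_path(label)
        except ValueError as exc:
            safe = f"REJECTED: {exc}"
        results[label] = (naive_mount_path(label), safe)
    return results


if __name__ == "__main__":
    # Constructed sample labels: one benign, the traversal string from the
    # write-up, and a nested variant that a simple ".." prefix check would miss.
    samples = ["SDCARD", "../../data", "x/../../../system"]
    for label, (naive, safe) in classify_labels(samples).items():
        print(f"{label!r:24} naive={naive:<24} safe={safe}")
```

The containment check matters more than the character filter: a check that only looks for a leading `..` misses the nested variant, whereas requiring the normalised path's parent to equal the mount root rejects every label that leaves the intended directory.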
Forenzo said:
My current line of attack is an exploit over USB called OATmeal
Not to make you frustrated, but this is an old exploit and I highly doubt it'd work on your device, unless your device security patch is older than 9-2018.
And you can't rollback on your security patch.
You should really consider flashing TWRP or other custom recovery. You have no other option.
XDHx86 said:
Not to make you frustrated, but this is an old exploit and I highly doubt it'd work on your device, unless your device security patch is older than 9-2018.
And you can't rollback on your security patch.
You should really consider flashing TWRP or other custom recovery. You have no other option.
Fortunately the device hasn't been updated since around 2-2018 or 3-2018 so any exploit I can find from then onwards that I can use will be great. I really do get that the only realistic option is to unlock the bootloader and flash the recovery but the data needs to be recovered and I absolutely don't want to wipe it.
If I can't do it then it will gather dust until the end of time...
It seems that no matter what I say you won't realize the situation you are in.
I can only suggest to NEVER mess with the phone circuits or the motherboard. No matter which stupid YouTube tutorial you saw. Those guys are douchebags who only know how to get views and don't care for whatever you/they do to your device.
Needless to say, messing with the circuits or the motherboard requires dexterity and experience which I'm positive you don't have.
As I said before if you send it to an authorized service center, then they can help you with it without memory loss.
Sending your device to a service center isn't an insult or an act of low self-esteem. Service centers exist for a reason, and they're basically geeks who are too passionate about electronics and decided to make a living out of it.
Or maybe you can somehow use the EDL mode on the phone.
In Qualcomm devices the EDL mode is locked and can only be accessed by an authorized person who has the security code of your device. I don't know if it even exists in MTK devices.
Should you actually manage to boot into EDL mode (assuming it exists and is unlocked) then BEWARE: EDL mode is very low level and any command can directly affect the kernel or compromise the system. Don't use commands if you're not sure what they do.
You can use EDL mode to recover the data from the phone then wipe it clean, then restore the data.
You cannot access memory with EDL mode, but you can access the current image on your device. And from which you can get the key file.
EDL mode is a very very powerful tool (Much more powerful than debugging, fastboot, or anything you may know of) as it doesn't need unlocked bootloader to use it and through which you can do anything to your device including flashing other ROMs.
Good luck on your impossible quest. Make sure to post updates should you find yourself stuck.
