Samsung bootloader will check the version of the kernel when start? - Hardware Hacking General

Will the Samsung bootloader check for an indication from the kernel when it starts? If the version doesn't correspond, does it not let you start?
For example, CONFIG_SENSORS_SSP_SHTC1_VER="GT-I9500" in the kernel configuration file and ro.product.model=SCH-I9500 in build.prop.

Samsung uses Little Kernel + ABOOT as the OS bootloader. So, no.
It will only check the kernel image signature against the boot certificate chain when SecureBoot is on.

greenboxal said:
Samsung uses Little Kernel + ABOOT as the OS bootloader. So, no.
It will only check the kernel image signature against the boot certificate chain when SecureBoot is on.
What's the kernel image signature against the boot certificate chain? Which part is open source?

smallcsduck said:
What's the kernel image signature against the boot certificate chain? Which part is open source?
With SecureBoot, all boot images, that is SBL1, SBL2, SBL3, ABOOT, and the kernel, are signed with Samsung private RSA keys (see link 1). Before booting each image, the previous stage of the bootloader checks the next one with a public key that is embedded in the current code.
For your question, the ABOOT image, which is based on LK, loads the kernel into memory and, before executing it, checks the signature with the public key embedded in ABOOT. I don't really know where the sources for Samsung ABOOT are, nor if they are public. They should be, by LK's GPL license.
See link 2 for information on exploiting SGS4 secure boot and information about LK and ABOOT.
[1]: http://en.wikipedia.org/wiki/RSA_(algorithm)#Signing_messages
[2]: http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html
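To make the chain-of-trust description above concrete, here is an added example in Go (not code from this thread, from Samsung, or from LK) that models the chain with the standard library's crypto/rsa. Each stage's image is signed with its own private key, and each stage embeds the public key used to verify the next one, so tampering with the kernel is caught by ABOOT's key and a re-signed ABOOT is caught by SBL3's key. The stage names, the RSA-PSS/SHA-256 scheme, the key size and the single "root" public key standing in for the key hash fused into the SoC are all assumptions of the model; real images carry certificate chains rather than bare keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage models one image in the boot chain: its code, the signature that the
// previous stage checks, and the public key this stage embeds to check the
// *next* stage. Real Samsung/Qualcomm images carry a certificate chain appended
// to the image; this model collapses that to one RSA key per stage (assumption).
type Stage struct {
	Name      string
	Image     []byte
	Signature []byte
	NextKey   *rsa.PublicKey // nil for the last stage (the kernel)
}

// signImage produces an RSA-PSS signature over SHA-256(image).
func signImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyImage is the check a stage runs on the next image before jumping to it.
func verifyImage(pub *rsa.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// VerifyChain walks the chain in boot order. rootKey stands in for the key (or
// key hash) fused into the SoC that the boot ROM uses on the first stage.
// It returns the name of the first stage that fails, or "" if every stage verifies.
func VerifyChain(rootKey *rsa.PublicKey, chain []Stage) (string, error) {
	key := rootKey
	for _, st := range chain {
		if key == nil {
			return st.Name, errors.New("previous stage embeds no key to verify " + st.Name)
		}
		if err := verifyImage(key, st.Image, st.Signature); err != nil {
			return st.Name, fmt.Errorf("%s: signature check failed: %w", st.Name, err)
		}
		key = st.NextKey // the stage just accepted tells us how to check the next one
	}
	return "", nil
}

// BuildChain generates one key pair per stage, signs each image with its own
// key and embeds the next stage's public key in the previous stage, mirroring
// the SBL1 -> SBL2 -> SBL3 -> ABOOT -> kernel layout described in the thread.
func BuildChain(names []string, images [][]byte) (*rsa.PublicKey, []Stage, error) {
	keys := make([]*rsa.PrivateKey, len(names))
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, err
		}
		keys[i] = k
	}
	chain := make([]Stage, len(names))
	for i, name := range names {
		sig, err := signImage(keys[i], images[i])
		if err != nil {
			return nil, nil, err
		}
		chain[i] = Stage{Name: name, Image: images[i], Signature: sig}
		if i+1 < len(names) {
			chain[i].NextKey = &keys[i+1].PublicKey
		}
	}
	return &keys[0].PublicKey, chain, nil
}

func main() {
	names := []string{"sbl1", "sbl2", "sbl3", "aboot", "kernel"}
	images := make([][]byte, len(names)) // constructed stand-ins for the real images
	for i, n := range names {
		images[i] = []byte("constructed " + n + " image")
	}
	root, chain, err := BuildChain(names, images)
	if err != nil {
		panic(err)
	}
	failed, err := VerifyChain(root, chain)
	fmt.Println("pristine chain accepted:", failed == "", err)

	// Flip one bit of the kernel: ABOOT rejects it, whatever version strings it carries.
	chain[4].Image[0] ^= 0x01
	failed, err = VerifyChain(root, chain)
	fmt.Println("tampered kernel rejected at:", failed, "-", err)
}
```

The point the model makes about the original question: nothing in this walk looks at kernel config strings or build.prop values; the only thing ABOOT compares is the signature over the kernel bytes against the key it already carries, so a kernel built from source fails for lack of Samsung's private key, not for a version mismatch.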

Related

[REF] Kernel compiled from Source boots with fastboot [CONFIRMED]

I've tried fastboot mode on the xt720 and it actually worked. It can flash (without signature check) separate partitions: system, userdata... But it seems that it checks the signature on boot. It can also flash a custom boot.img (kernel + ramdisk) but it can't boot because of sig checks. But the most interesting thing is that it can boot a custom boot.img without flashing it. It is achieved with the "fastboot boot boot.img" command. So we can run a custom kernel without it being checked. I've created a custom boot.img with a custom init.rc and it booted fine. Then I changed one byte in the stock kernel and it also booted fine (many thanks to the #milestone-modding devs). I've tried to build a custom kernel but unfortunately I haven't figured out how to configure the build for the xt720.
To boot into fastboot mode you should do these steps:
1. Connect your phone to PC in debug mode
2. Run the following command
adb reboot bootloader
3. Download fastboot for windows from http://forum.xda-developers.com/showthread.php?t=463627
4. Then you can boot custom boot.img with command
fastboot boot boot.img
What revision of the boot is on your phone? It might actually be a solution to booting custom ROMs, i.e. first boot the original kernel, then a hijack in mot_boot_mode to reboot using fastboot with a custom boot.img, and wupti! You've got your custom kernel loaded.
Maybe the same bootloader works on the Milestone, as it has been tested up to 90.78 and did not work with fastboot; only developer phones have this enabled.
I had already done that, like a 2.6.32.9 kernel for the Milestone,
but it doesn't work on my xt720 (kor skt).
In my case I made a boot.img (kernel + ramdisk into the original boot.img with a hex edit).
It works and more memory is available,
but it displays 2.6.29-omap1.
Kernel & ramdisk from the froyoModV1 boot.img.
Dexter_nlb said:
What revision of the boot is on your phone? It might actually be a solution to booting custom ROMs, i.e. first boot the original kernel, then a hijack in mot_boot_mode to reboot using fastboot with a custom boot.img, and wupti! You've got your custom kernel loaded.
Maybe the same bootloader works on the Milestone, as it has been tested up to 90.78 and did not work with fastboot; only developer phones have this enabled.
The version of the bootloader on the xt720 is 80.89; there is a dump of mbm and mbmloader on and-developers, but there is no sbf file.
totoro1233 said:
I had already done that, like a 2.6.32.9 kernel for the Milestone,
but it doesn't work on my xt720 (kor skt).
In my case I made a boot.img (kernel + ramdisk into the original boot.img with a hex edit).
It works and more memory is available,
but it displays 2.6.29-omap1.
Kernel & ramdisk from the froyoModV1 boot.img.
There is the mkbootimg tool, which can make a boot.img from a kernel and ramdisk. Here is the guide: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
What do you mean by "memory more available"? Is it more than 256MB? How much is it exactly now?
The Korean Motoroi (xt720) has about 30MB of available memory,
but lots of memory leaks
(the KR xt720 has 256MB RAM),
so I tried to make a boot.img.
Prepare the file list:
the original boot.img from the xt720 2.6.29-omap1 dump file
the boot.img from the Milestone 2.6.32.9 dump file
You have to split the Milestone boot.img into kernel and ramdisk.
Now you have the 2.6.29 boot.img and the kernel and ramdisk.
Open the boot.img, kernel and ramdisk with a hex edit program.
boot.img: find the hex code 00 00 A0 E1 (first occurrence).
If you find it, copy the whole kernel and paste/write it into boot.img.
boot.img: find the hex code 1F 8B 08 00 (last occurrence).
If you find it, copy the whole ramdisk and paste/write it into boot.img.
Then save the custom boot.img and booting is possible.
P.S.
Your custom boot.img file has to be the same size (MB) as the original.
I'm using the HxD edit program.
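The hex-edit procedure above locates the kernel and ramdisk by searching for byte patterns and relies on the replacement being exactly the same size, because it never updates the size fields in the boot.img header. The header already records where each section starts and how long it is, so the splice can be done from the header instead. The following is an added example in Go (not code from this thread, not mkbootimg, and not a Motorola tool) that parses and rebuilds the Android boot image format that the mkbootimg guide linked above describes, including the second-stage section that the ZE550ML thread further down passes to mkbootimg with --second. It assumes header version 0 (magic "ANDROID!", 2048-byte header page, kernel/ramdisk/second sections padded to page_size); the field offsets are those of the v0 boot_img_hdr.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const bootMagic = "ANDROID!"

// BootImage is the unpacked form of an Android boot.img with header version 0:
// a header page, then kernel, ramdisk and optional second-stage sections, each
// padded to page_size. Offsets used below are those of the v0 boot_img_hdr.
type BootImage struct {
	PageSize, KernelAddr, RamdiskAddr, SecondAddr, TagsAddr uint32
	Name, Cmdline                                           string // 16 and 512 bytes max
	Kernel, Ramdisk, Second                                 []byte
}

func pad(n, page uint32) uint32 { return (page - n%page) % page }

func validPageSize(p uint32) bool { return p >= 2048 && p <= 16384 && p&(p-1) == 0 }

func cstr(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

// Unpack parses a boot image. Every section size is checked against the file
// length, so a corrupt or hostile header cannot make the tool read out of bounds.
func Unpack(img []byte) (*BootImage, error) {
	if len(img) < 608 || string(img[:8]) != bootMagic {
		return nil, errors.New("not an Android boot image (bad magic or truncated header)")
	}
	f := func(i int) uint32 { return binary.LittleEndian.Uint32(img[8+4*i:]) }
	b := &BootImage{KernelAddr: f(1), RamdiskAddr: f(3), SecondAddr: f(5), TagsAddr: f(6), PageSize: f(7)}
	if !validPageSize(b.PageSize) {
		return nil, fmt.Errorf("bad page size %d", b.PageSize)
	}
	b.Name, b.Cmdline = cstr(img[48:64]), cstr(img[64:576])
	off := uint64(b.PageSize) // the header occupies exactly one page
	secs := make([][]byte, 3)
	for i := range secs { // kernel_size, ramdisk_size, second_size are fields 0, 2, 4
		size := f(2 * i)
		end := off + uint64(size)
		if end > uint64(len(img)) {
			return nil, fmt.Errorf("section %d (%d bytes at offset %d) runs past image length %d", i, size, off, len(img))
		}
		secs[i] = img[off:end]
		off = end + uint64(pad(size, b.PageSize))
	}
	b.Kernel, b.Ramdisk, b.Second = secs[0], secs[1], secs[2]
	return b, nil
}

// Pack rebuilds the image the way mkbootimg does, including the SHA-1 "id"
// field over each section and its size. Header sizes are derived from the
// sections, which a hand hex-edit cannot guarantee.
func Pack(b *BootImage) ([]byte, error) {
	if !validPageSize(b.PageSize) {
		return nil, fmt.Errorf("bad page size %d", b.PageSize)
	}
	if len(b.Name) > 16 || len(b.Cmdline) > 512 {
		return nil, errors.New("name or cmdline too long for the header")
	}
	hdr := make([]byte, b.PageSize)
	copy(hdr, bootMagic)
	put := func(i int, v uint32) { binary.LittleEndian.PutUint32(hdr[8+4*i:], v) }
	sections := [][]byte{b.Kernel, b.Ramdisk, b.Second}
	addrs := []uint32{b.KernelAddr, b.RamdiskAddr, b.SecondAddr}
	id := sha1.New()
	for i, sec := range sections {
		put(2*i, uint32(len(sec)))
		put(2*i+1, addrs[i])
		id.Write(sec)
		binary.Write(id, binary.LittleEndian, uint32(len(sec)))
	}
	put(6, b.TagsAddr)
	put(7, b.PageSize)
	copy(hdr[48:64], b.Name)
	copy(hdr[64:576], b.Cmdline)
	copy(hdr[576:608], id.Sum(nil))
	out := bytes.NewBuffer(hdr)
	for _, sec := range sections {
		out.Write(sec)
		out.Write(make([]byte, pad(uint32(len(sec)), b.PageSize)))
	}
	return out.Bytes(), nil
}
```

To swap a kernel, Unpack the stock image, replace the Kernel field and Pack again; the load addresses, tags address, cmdline and page size are carried over from the original header, which is what the device's bootloader expects. The one constraint that survives is the partition size: the repacked file must still fit the boot partition, which is the real reason behind the "same size as the original" rule above.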
Thanks for sharing.
I would like to try, but my Milestone xt720 is bricked. Hope that others will try...
totoro1233: did you just boot with fastboot boot boot.img, or did you actually flash boot.img with fastboot? If you just booted, then after restarting the phone the stock kernel is booted.
resar said:
totoro1233: did you just boot with fastboot boot boot.img, or did you actually flash boot.img with fastboot? If you just booted, then after restarting the phone the stock kernel is booted.
Sorry..
I had already flashed it in GOT recovery (changed the script to remove the md5 checking).
So does it work??????
Dexter_nlb said:
What revision of the boot is on your phone? It might actually be a solution to booting custom ROMs, i.e. first boot the original kernel, then a hijack in mot_boot_mode to reboot using fastboot with a custom boot.img, and wupti! You've got your custom kernel loaded.
Maybe the same bootloader works on the Milestone, as it has been tested up to 90.78 and did not work with fastboot; only developer phones have this enabled.
Wow, subscribed to this thread, hopefully totoro1233 can provide more files and information as to how he got it to work.
totoro1233 said:
The Korean Motoroi (xt720) has about 30MB of available memory,
but lots of memory leaks
(the KR xt720 has 256MB RAM),
so I tried to make a boot.img.
Why make a custom boot.img?
- The Milestone 2.6.32 kernel + ramdisk are the only parts in the boot.img.
- A custom boot.img with Milestone kernel + ramdisk on the xt720 is a NO-GO!!!
2.2 Froyo requires the correct services loaded, and that's not gonna happen with an xt720 ramdisk.
- If you're thinking of an XT720 kernel + Froyo ramdisk, I'm sure it's not gonna free up any memory like that.
So the purpose of splitting the boot.img and remerging is close to 0 or lower than 0.
Dexter_nlb said:
Why make a custom boot.img?
- The Milestone 2.6.32 kernel + ramdisk are the only parts in the boot.img.
- A custom boot.img with Milestone kernel + ramdisk on the xt720 is a NO-GO!!!
2.2 Froyo requires the correct services loaded, and that's not gonna happen with an xt720 ramdisk.
- If you're thinking of an XT720 kernel + Froyo ramdisk, I'm sure it's not gonna free up any memory like that.
So the purpose of splitting the boot.img and remerging is close to 0 or lower than 0.
Dexter, can't we just boot the Milestone boot.img? If it can boot the Milestone kernel then maybe it can boot kernel + ramdisk. If not, then we must find a way to configure the xt720 build configuration.
Here's an idea: grab any boot.img (the most inappropriate one, like one from some HTC phone), grab the fastboot tool, reboot into fastboot (not the one where you can flash with RSDlite!), then:
Code:
fastboot boot boot.img
...if it crashes, then we know it at least tried to boot the file. [EDIT]This means you lucky people can boot custom kernels![/EDIT] Since we aren't doing the flash command (fastboot flash boot boot.img)....
It should be 20000% safe.
[EDIT]I just tried it on my Milestone: I took a boot.img from a Droid ROM (Bugless Beast, to be exact) and unfortunately it didn't transfer at all. Seems like they locked this one down? According to Dexter, they sure did! It would be nice if someone could confirm my findings.[/EDIT]
It seems that no one is interested in trying....
Can anyone try to boot the Milestone boot.img?
If you want to flash a tuned image, your phone has to have stock firmware.
If not, you'll probably brick the phone..
In my case I also bricked my phone,
so I flashed the sbf image.
In addition, fastboot isn't recommended; fastboot force flashing is not available.
Interested to try, but it seems that it can brick the phone... So I'll wait for you to find a way, resar..... loool
And sorry, but I don't know a thing about boot.img, so you'll have to explain more about what to do....
B_e_n said:
Interested to try, but it seems that it can brick the phone... So I'll wait for you to find a way, resar..... loool
And sorry, but I don't know a thing about boot.img, so you'll have to explain more about what to do....
As Lollipop_Lawlipop said, you can just boot a custom boot.img (kernel + ramdisk). It won't brick your phone. If it won't boot you can just restart your phone and it will boot fine. There is no risk in booting a boot.img. If you flash the boot image it can of course brick your phone, but we don't need to flash.
totoro1233 said:
If you want to flash a tuned image, your phone has to have stock firmware.
If not, you'll probably brick the phone..
In my case I also bricked my phone,
so I flashed the sbf image.
In addition, fastboot isn't recommended; fastboot force flashing is not available.
You can only flash signed images to your phone, but fastboot can boot a custom image. If the Milestone image won't work, we'll have to build a custom kernel for the xt720, and I'm 90% sure that it'll work.

mission impossible!

Is there any way to flash a bootloader, for example via the testpoint? It would be funny to build it from source.
munjeni said:
There is no source for our bootloaders! I have not tried to flash the bootloader but I think it's possible using dd, since I know TA flashing is possible with dd, so I think the bootloader is possible too. I do not know if there is a hash check for the bootloader partition (in case we flash a cracked bootloader) but I will see very soon! In case there is no hash check, or if we are able to flash a cracked bootloader, then we can bypass the security check by cracking the bootloader!
I wanted to mmap the memory at 0x80110000 and see what I can see there... but it seems we cannot open it? Since:
Do you have an idea how we can read it?
Sorry, I don't know much about that..
Can't we build an lk bootloader modified for our device?
munjeni said:
There is no source for our bootloaders! I have not tried to flash the bootloader but I think it's possible using dd, since I know TA flashing is possible with dd, so I think the bootloader is possible too. I do not know if there is a hash check for the bootloader partition (in case we flash a cracked bootloader) but I will see very soon! In case there is no hash check, or if we are able to flash a cracked bootloader, then we can bypass the security check by cracking the bootloader!
I would be very surprised if there's no signature-check for the bootloader partition, even the original (first) iPhone had a signature-check for the user-modifiable bootloader.
Perhaps a BROWN device (in SonyEricsson terms) would not have a check, but a retail device sure will.
CoolDevelopment said:
Sorry, I don't know much about that..
Can't we build an lk bootloader modified for our device?
I am not sure, since our phone uses aboot. Did you find here on xda that somebody had luck with lk and an Xperia device? I haven't searched, but maybe somebody had luck?
Will have a look at it later
The Qualcomm boot chain verifies each part with a signature. I think what you modified is not part of the data which is used for calculating the signature.
There was an exploit in lk which allowed overwriting the signature check in lk with a modified ramdisk offset in the kernel (this allowed booting custom kernels with a locked bootloader). But this exploit is patched now (you can see in lk that it checks the ramdisk offset now) (see also http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html )
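The exploit mentioned in the post above worked because the bootloader copied boot-image sections to whatever load addresses the (unverified) header named, so a ramdisk address pointing into the bootloader's own memory overwrote the verification code before it ran. The check a patched bootloader needs is a sanity test on those addresses before any copy. Here is an added example of that check in Go; it is not LK's code and not taken from the patch, and the window and bootloader addresses in main are assumed for illustration only. It does the arithmetic in 64 bits so that a base+size that wraps past 32 bits is caught rather than passing as a small range.

```go
package main

import "fmt"

// Region is a physical address range [Base, Base+Size). End is computed in
// uint64 so a header whose addr+size wraps past 32 bits cannot slip through.
type Region struct {
	Name string
	Base uint32
	Size uint32
}

func (r Region) end() uint64 { return uint64(r.Base) + uint64(r.Size) }

func overlaps(a, b Region) bool {
	return uint64(a.Base) < b.end() && uint64(b.Base) < a.end()
}

// CheckLoadAddresses applies the rule a patched bootloader enforces before it
// copies boot-image sections to their header-specified addresses: each section
// must sit inside the RAM window reserved for the image and must not land on the
// bootloader's own memory or on another section. The first violation is returned.
func CheckLoadAddresses(sections []Region, window Region, protected []Region) error {
	for i, s := range sections {
		if s.Size == 0 {
			continue // absent section, e.g. no second-stage image
		}
		if s.end() > 1<<32 {
			return fmt.Errorf("%s: 0x%08x+0x%x wraps past 32 bits", s.Name, s.Base, s.Size)
		}
		if uint64(s.Base) < uint64(window.Base) || s.end() > window.end() {
			return fmt.Errorf("%s: 0x%08x+0x%x lies outside the load window", s.Name, s.Base, s.Size)
		}
		for _, p := range protected {
			if overlaps(s, p) {
				return fmt.Errorf("%s would overwrite %s", s.Name, p.Name)
			}
		}
		for _, o := range sections[:i] {
			if o.Size != 0 && overlaps(s, o) {
				return fmt.Errorf("%s overlaps %s", s.Name, o.Name)
			}
		}
	}
	return nil
}

func main() {
	// Addresses below are assumed for illustration, not taken from any device.
	window := Region{"RAM", 0x80000000, 0x10000000}
	aboot := Region{"aboot", 0x88F00000, 0x100000}
	hdr := []Region{{"kernel", 0x80008000, 0x500000}, {"ramdisk", 0x88F10000, 0x1000}}
	fmt.Println(CheckLoadAddresses(hdr, window, []Region{aboot}))
}
```

The order matters: the check runs on the header values before a single byte is copied, and it rejects on the first problem, so there is no window in which a partially copied ramdisk has already clobbered the code doing the checking.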
munjeni said:
We are running ABOOT and not LK! Every part of a binary is part of the binary! In our case s1sbl is not signature checked! I think we are ready for cracking s1sbl!
ABOOT is a modified LK, very close to the source. Try modifying the actual code of the bootloader binary first. I'm still pretty sure it's signature checked.
The boot files from the firmware are only flashed if the version is different. Each configuration is read and the phone checks the 'ATTRIBUTES VALUE'. If the attributes on the phone matches the attributes in the configuration, the files from the said configuration are flashed.
For example OTP_LOCK_STATUS you can find in service menu under Service tests => Security.
Bad thing: I have no flash mode and no fastboot.
Try flashing different commercial files and see which one lets you use fastboot and flashmode
Another thing which could be possible with a modified bootloader is using the fotakernel partition as our recovery, that would be great
this might be interesting: http://forum.xda-developers.com/showthread.php?t=2147997
and after reading through the lk bootloader source it seems aboot is included in lk
Flashed the 007B30E1 commercial version now (it has a bigger size) and it boots, but no flashmode; it seems we need to flash both files provided in the xml file for every configuration to get fastboot and flashmode active.
Strange thing:
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/s1sbl
WTF, not bricked? There is another partition similar to s1sbl with the name alt_s1sbl (alternate partition); it seems this partition is used if the s1sbl partition is broken?
munjeni said:
On HTC phones you are right, but it seems you are wrong for the Xperia! I have flashed it using the dd command and it's persistent!
Yes, of course.. I am talking about official firmware upgrade procedure.

ZE550ML boot.img unpacking

I have compiled a kernel for the ZE550ML using the ASUS-released kernel sources and I got a kernel file. Usually when unpacking a boot.img file I see just two files: the kernel and the ramdisk. With this original boot.img I found a third one, which is the "second bootloader" file. I included it when remaking the boot.img with my compiled kernel (but won't release it due to a possible brick). Any ideas?
If anyone is very close to an ASUS repair shop and has no issues repairing or replacing their ZE550ML... LMK if you want to try the boot.img with boot (not flash) and see how it goes.
Just got hold of support and they say that our bootloaders are LOCKED... so a modified boot.img will brick the device. Hopefully they release an unlock tool soon so we can start developing.
There are "Bootstub" strings in the 2nd bootloader. And from this link, the bootstub is "fixed content" in the ZF5/6. Although the ZF2's boot.img format is different from the 5/6, the function of the bootstub should be the same, so I think we can re-use the 2nd bootloader from the official boot image to repack our homemade kernels. (That's only what I think, and thus no guarantee on this.)
clemsyn said:
Just got hold of support and they say that our bootloaders are LOCKED... so a modified boot.img will brick the device. Hopefully they release an unlock tool soon so we can start developing.
Yep. Even just a simple ro.secure=0 ro.debuggable=1 in the ramdisk, reassembled into a boot.img, was diceless..
I should try bullying Asus into providing optional unlocked bootloaders. Unlocked everything dammit.. Last I checked, its my phone.
Hi clemsyn!
Blades said:
Yep. Even just a simple ro.secure=0 ro.debuggable=1 in the ramdisk, reassembled into a boot.img, was diceless..
I should try bullying Asus into providing optional unlocked bootloaders. Unlocked everything dammit.. Last I checked, it's my phone.
Hi clemsyn!
BLADES!!!!!! Been a while =)
http://forum.xda-developers.com/zenfone2/orig-development/tool-zenfone-2-boot-repack-t3146088
When you do get unlocked, recompile the boot.img with the second file added into it.
Just build it with the mkbootimg with
Code:
--kernel zImage --ramdisk initramfs.cpio.gz --second second.gz
And then whatever else you have after it, and of course the boot.img name you want.
That's what I had to do to make the insecure boot.img on the 551.

Getting rid of the unlocked bootloader warning message

The way to get rid of the warning caused by unlocking the bootloader on other phones would be to flash the proper bootloader logo in fastboot using:
Code:
fastboot flash logo logo.bin
This is how I did it on my old LG Nexus 5X.
Does anyone have the correct logo for the V20? Has anyone tried this on the V20?
It's not a logo file. It's located in aboot and you can't change it.
androiddiego said:
It's not a logo file. It's located in aboot and you can't change it.
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Sizzlechest said:
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Here is a tool that might be useful to search for and dump the relevant partition, mount it and investigate the source of the picture and text warning:
Partitions Backup & Restore
https://play.google.com/store/apps/details?id=ma.wanam.partitions
In the best-case scenario, even use reverse engineering to skip the warning and its delay altogether; anyone?
Or is aboot non-writable?
You modify aboot in any way / shape / or form, and you better open a ticket with LG. When you unlock your bootloader, that stops aboot from verifying the signature of boot, laf, and recovery. XBL still very much does verification of all the other pieces of firmware. One of the first things it checks is the signature of aboot. If aboot has been modified, or wasn't signed with the same RSA cert that matches the RSA key that is in your model's QFPROM, then the phone goes into 9008 mode. At this time, there is no fixing that -- except sending it back to LG (and there may never be now that LG uses UFS nand in their phones).
-- Brian
I've personally looked into this and it looks like it can't be changed.
I'm pretty sure the images are in the *raw_resources* partition. Look here.
It must be very hard to modify though, considering LG uses it for (all?) many models, since I've only found a single development thread for it, and as you'll see that didn't go very far.
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
runningnak3d said:
@askermk2000 You are correct. Every single boot, charging, download mode, etc. image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
So it is indeed possible to change the unlocked bootloader warning?
Security wise, there is no reason that you can't change them. It looks like LG is using RLE encoding, so finding the start and end of an image is going to be interesting. There are offsets in the index, but they don't seem to align.
Also, while I don't think having a corrupt raw_resources partition would give you a 9008 brick, you might want to have a backup ready to flash if you decide to modify it. But, (and there is always a but), since aboot loads this, if aboot pukes and doesn't load, that WILL give you a 9008 brick.
If I were you, I would buy a used V10 off of eBay, and test on that since you can recover from a 9008 with an SD card.
-- Brian

How to boot custom compiled kernel

I have compiled a kernel for the SM-T725 device and flashed it from TWRP. The bootloader is unlocked. After restarting, the device boots to TWRP again. Then I choose boot to system and it does not boot.
I can't post a photo, but it shows the Samsung label, a yellow exclamation point with the text "The tablet is not running Samsung official software..." and some other text at the top left corner of the screen that I don't understand:
Current Binary: Custom (0x30E)
FRP LOCK : OFF
OEM LOCK: ON (U)
KG STATUS: CHECKING
WARRANTY VOID : 0x1 (0x0)
RP SWREV : <some number>
QUALCOMM SECUREBOOT: ENABLE
SECURE DOWNLOAD : ENABLE
ENG MODE : DEV DEVICE
DID : <some number>
I simply want to build the kernel (maybe rebuild stock) before trying to change it.
Maybe I compiled it somehow wrong? I got the sources from http://opensource.samsung.com/reception.do (search for sm-t725)
I packed the kernel with mkbootimg; I also packed the original kernel into a boot.img and it boots well, so there can't be a mistake there.
Maybe something is wrong with security, perhaps vbmeta, but I flashed the vbmeta partition following the instructions for installing Lineage OS on this device and think that all security mechanisms are disabled.
From recovery I can get /proc/last_kmsg but I don't know what to search for.
I can post it, and can also post the kernel config file.
I solved it. I must use the proper dts file. So, to get everything working you need to make the dtb file
Code:
dtc -I dts -O dtb -f sdm670.dts -o sdm670.dtb
and then append it to the kernel
Code:
cat Image.gz sdm670.dtb > zImage.gz-dtb
and after that make the boot.img and flash it to the boot partition.
Now my compiled kernel boots and works.
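The fix above comes down to the kernel image carrying a device tree blob at its end, which is easy to get wrong silently: if the cat step is skipped or the DTB is cut short, mkbootimg still produces a boot.img and the only symptom is the device not booting. Here is an added example in Go (not code from this thread, from Samsung or from the kernel tools) that checks an Image.gz-dtb style file: it finds the flattened-device-tree header (big-endian magic 0xd00dfeed, totalsize at offset 4), validates the header fields, and only accepts a split where walking the appended DTB(s) by their totalsize lands exactly at the end of the file. The minimal DTB built in the example is constructed for the demonstration; a real one comes from dtc as in the post above.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	fdtMagic     = 0xd00dfeed
	fdtHeaderLen = 40 // sizeof(struct fdt_header)
)

// dtbLen validates the FDT header at the start of buf and returns totalsize.
// It rejects blobs whose declared size exceeds the bytes present or whose
// struct/strings block offsets point outside the blob.
func dtbLen(buf []byte) (uint32, error) {
	if len(buf) < fdtHeaderLen || binary.BigEndian.Uint32(buf) != fdtMagic {
		return 0, errors.New("no FDT header")
	}
	be := binary.BigEndian
	total, offStruct, offStrings := be.Uint32(buf[4:]), be.Uint32(buf[8:]), be.Uint32(buf[12:])
	if total < fdtHeaderLen || uint64(total) > uint64(len(buf)) {
		return 0, fmt.Errorf("totalsize %d inconsistent with %d bytes available", total, len(buf))
	}
	if offStruct > total || offStrings > total {
		return 0, errors.New("struct/strings offsets lie outside the blob")
	}
	return total, nil
}

// SplitKernelDTB splits an Image.gz-dtb / zImage-dtb style blob into the kernel
// image and the DTB(s) appended after it. A candidate split is accepted only if
// walking the DTBs by their totalsize lands exactly on the end of the blob, so a
// stray magic inside the compressed kernel is not mistaken for the device tree.
func SplitKernelDTB(blob []byte) (kernel []byte, dtbs [][]byte, err error) {
	magic := []byte{0xd0, 0x0d, 0xfe, 0xed}
	for pos := 0; pos+fdtHeaderLen <= len(blob); pos++ {
		idx := bytes.Index(blob[pos:], magic)
		if idx < 0 {
			break
		}
		pos += idx
		var found [][]byte
		cur := pos
		for cur < len(blob) {
			n, e := dtbLen(blob[cur:])
			if e != nil {
				break
			}
			found = append(found, blob[cur:cur+int(n)])
			cur += int(n)
		}
		if cur == len(blob) && len(found) > 0 {
			return blob[:pos], found, nil
		}
	}
	return nil, nil, errors.New("no appended DTB found; the kernel was probably packed without one")
}

// buildMinimalDTB returns a syntactically valid, empty device tree blob (root
// node only). It is constructed for the example; real DTBs come from dtc.
func buildMinimalDTB() []byte {
	rsvmap := make([]byte, 16)                                         // one all-zero terminator entry
	structBlk := []byte{0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 9} // BEGIN_NODE "", END_NODE, END
	total := uint32(fdtHeaderLen + len(rsvmap) + len(structBlk))
	h := make([]byte, fdtHeaderLen)
	be := binary.BigEndian
	be.PutUint32(h[0:], fdtMagic)
	be.PutUint32(h[4:], total)
	be.PutUint32(h[8:], uint32(fdtHeaderLen+len(rsvmap))) // off_dt_struct
	be.PutUint32(h[12:], total)                            // off_dt_strings (empty strings block)
	be.PutUint32(h[16:], fdtHeaderLen)                     // off_mem_rsvmap
	be.PutUint32(h[20:], 17)                               // version
	be.PutUint32(h[24:], 16)                               // last_comp_version
	be.PutUint32(h[36:], uint32(len(structBlk)))           // size_dt_struct (size_dt_strings stays 0)
	return append(append(h, rsvmap...), structBlk...)
}

func main() {
	kernel := append([]byte{0x1f, 0x8b, 0x08, 0x00}, bytes.Repeat([]byte{0x41}, 64)...) // constructed stand-in for Image.gz
	blob := append(append([]byte{}, kernel...), buildMinimalDTB()...)                    // what `cat Image.gz x.dtb` produces
	k, d, err := SplitKernelDTB(blob)
	fmt.Println("kernel bytes:", len(k), "dtbs:", len(d), "err:", err)
	_, _, err = SplitKernelDTB(kernel)
	fmt.Println("kernel alone:", err)
}
```

Run it over the zImage.gz-dtb before packing: one DTB of the size dtc reported means the cat step did what it should; an error here is cheaper than a boot loop into recovery.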
