[Q] WHY?!? Can't I flash a new Kernel (D-850)?!? - G3 Q&A, Help & Troubleshooting

For those of us without any way to flash a ROM e.g., with an LG.(G3).D-850 model, because nobody has cracked the bootloader ...
Would it be difficult to include a script to kexec the kernel after the boot?
I mean, without a boot loader crack, I'm feeling really deprived, and limited.
Root alone just feels like cookies without the milk and kernel loop modules.
I don't want a crappy "jails" VM, I want easy interaction between my VM and Android host!
Are the emails and flimsy hints from LG about the boot loader unlock stuff legit?
What is the ETA (best guess) on a boot unlock hack for the D-850??

PRichardson said:
For those of us without any way to flash a ROM e.g., with an LG.(G3).D-850 model, because nobody has cracked the bootloader ...
Would it be difficult to include a script to kexec the kernel after the boot?
I mean, without a boot loader crack, I'm feeling really deprived, and limited.
Root alone just feels like cookies without the milk and kernel loop modules.
I don't want a crappy "jails" VM, I want easy interaction between my VM and Android host!
Are the emails and flimsy hints from LG about the boot loader unlock stuff legit?
What is the ETA (best guess) on a boot unlock hack for the D-850??
Our devs had stated already that there is a Loki Like exploit they can most likely exploit if a true bootloader unlock doesn't pan out.
They don't want to take that route until they give the bootloader unlock a shot.
As far as an ETA on any of that... That's a big no no asking that on here. TheCubed has been updating us from time to time and we just have to wait that's all.
I'm with you though, I'm excited to have an unlock, but I've just been patient, that's all.
- Tapatalked From The G3 -

Mistertac said:
Our devs had stated already that there is a Loki Like exploit they can most likely exploit if a true bootloader unlock doesn't pan out.
They don't want to take that route until they give the bootloader unlock a shot.
As far as an ETA on any of that... That's a big no no asking that on here. TheCubed has been updating us from time to time and we just have to wait that's all.
I'm with you though, I'm excited to have an unlock, but I've just been patient, that's all.
- Tapatalked From The G3 -
Understood thanks.
I've seen references to the Loki method but never a detailed explanation.
Can you give me a link to a walk-thru or tutorial on it?
(Really appreciate your advice and tips on the ETA too, Txs)

PRichardson said:
Understood thanks.
I've seen references to the Loki method but never a detailed explanation.
Can you give me a link to a walk-thru or tutorial on it?
(Really appreciate your advice and tips on the ETA too, Txs)
Not a problem!
Here is some info on the actual Loki exploit that we had on the S4s.
http://forum.xda-developers.com/showthread.php?t=2292157
Now I'm not entirely sure how close to that process it would be for our G3s and Loki has been patched so.... You could at least get an idea of what's going on.
- Tapatalked From The G3 -

Mistertac said:
Not a problem!
Here is some info on the actual Loki exploit that we had on the S4s.
http://forum.xda-developers.com/showthread.php?t=2292157
Now I'm not entirely sure how close to that process it would be for our G3s and Loki has been patched so.... You could at least get an idea of what's going on.
- Tapatalked From The G3 -
This is EXACTLY what I wanted!! The OP for the S4 Loki hack has a link to a very helpful article with some hints about the exploit, the Qualcomm chipset and how they leverage software-programmable fuses (QFuses).
As long as I continue to read what is just beyond my skill level, but not impossible to attain, I continue to arrive where previously I could barely see.


Help me with 4.4 kit Kat root

My bootloader is still locked and I've never had root on this phone got it too late to unlock. I'd like to root and if I can get a custom recovery and flash a rom. Can anyone help?
Sent from my XT907 using Xparent Cyan Tapatalk 2
Gblake13 said:
My bootloader is still locked and I've never had root on this phone got it too late to unlock. I'd like to root and if I can get a custom recovery and flash a rom. Can anyone help?
Right now, there is no way to root or unlock the bootloader in your situation. It sucks, but it's where we are.
Don't hold your breath for an exploit, either. Motorola/Verizon closed all known holes for BL-unlocking in the penultimate Jellybean OTA, and the only root method that worked in the last JB no longer works here.
Enough with the KK unlock and root threads.
I'm going to start reporting people that make these threads without doing some homework first.
If you have a locked bootloader, you're pretty much up the creek without a paddle. End of discussion
If there is an exploit available, trust me, you'll know about it.
gtmaster303 said:
Enough with the KK unlock and root threads.
I'm going to start reporting people that make these threads without doing some homework first.
If you have a locked bootloader, you're pretty much up the creek without a paddle. End of discussion
If there is an exploit available, trust me, you'll know about it.
We can say this in every thread where they ask about root. We put warnings out prior to the OTA. Heck, we could probably put a sticky thread in this section about there being no root on KK, yet people will still ask. Why? Because they refuse to take 5 minutes to read through the other 37 KK related threads.
RikRong said:
We can say this in every thread where they ask about root. We put warnings out prior to the OTA. Heck, we could probably put a sticky thread in this section about there being no root on KK, yet people will still ask. Why? Because they refuse to take 5 minutes to read through the other 37 KK related threads.
I of course can't speak for anyone else, but I knew the risks well before taking the update, and updated anyway.
I knew it was the very un-XDA thing to do, but frustration with the short battery life and UI lag on my phone was nearing a breaking point.
I tried to make the most of it; hence the "list of changes" thread, which hopefully has scared away locked users who are still on JB.
Any luck with a rootkeeper/root survival of any kind?
pnwsr6 said:
Any luck with a rootkeeper/root survival of any kind?
Haven't seen it yet.
Strife89 said:
I of course can't speak for anyone else, but I knew the risks well before taking the update, and updated anyway.
My story is somewhat different. I tried to find a way to get rooted KK on my phone (trying to play junior hacker again), ended up soft-bricking my phone to where the only way to fix it was to flash stock KK using RSDLite (did try RSD'ing JB first, but my bootloader was having none of that).
So now I'm hopelessly stuck with a completely stock phone without root.
I feel like the only way to get past this is to attack it politically, like if every single Verizon XDA user banded together and flooded Verizon corporate inboxes with legitimate reasons why we need unlocked bootloaders.
Or maybe if someone is good friends with a politician who is more left of center and concerned about consumer rights over corporations. Maybe convince them that it's better for the environment because potentially millions of phones could be saved from going into landfills if we mandate companies must allow bootloader to be unlocked when certain conditions are fulfilled, like if a phone reaches 1-year of age.
Strife89 said:
I of course can't speak for anyone else, but I knew the risks well before taking the update, and updated anyway.
I knew it was the very un-XDA thing to do, but frustration with the short battery life and UI lag on my phone was nearing a breaking point.
I tried to make the most of it; hence the "list of changes" thread, which hopefully has scared away locked users who are still on JB.
I knew I was losing root with it as well. I liked the features that KK brought with the update and still did it. The update finally got me using Smart Actions and I'm getting pretty decent battery life, nothing mind blowing, but pretty good. Buying a portable battery pack has pretty much solved the problem I had with nonroot. Now I can go about 2 days as long as I carry it around, lol. Luckily it's small.
If I have an unlocked BL, and the latest stock version of KK, how would I get root? Is it possible?
thanks.
Ahoalton said:
If I have an unlocked BL, and the latest stock version of KK, how would I get root? Is it possible?
thanks.
Flash a custom recovery via fastboot, and then flash SuperSU zip in recovery.
http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623 <-- this thread (not saying it works) is getting popular with Motorola devices. I attempted it myself and got errors just like some other people. Only difference is they still had root and I don't. I suggest following the thread and seeing if it does someday work for us or somebody could attempt it themselves. I'm currently on windows 8.1 so that could be a problem.
megaghostgamer said:
http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623 <-- this thread (not saying it works) is getting popular with Motorola devices. I attempted it myself and got errors just like some other people. Only difference is they still had root and I don't. I suggest following the thread and seeing if it does someday work for us or somebody could attempt it themselves. I'm currently on windows 8.1 so that could be a problem.
^^^He doesn't need an exploit since he has an unlocked BL. Also, this has been checked on the M and HD family of devices; it WILL NOT work because the current KK updates have already patched the hole that this exploit is meant to take advantage of.
Ahoalton said:
If I have an unlocked BL, and the latest stock version of KK, how would I get root? Is it possible?
thanks.
Yes!.. Just use this custom recovery (http://androidhosting.org/Devs/Dhacker29/msm8960/CWM6049-RAZR-HD_M-KITKAT.img) and flash the Superuser zip.
And what about the so-called test points? Many Motorola models had such special test points, using which you could get a BL unlock. How about our XT907? Any ideas about test points or short-circuiting contacts?
No need now! Towelroot will root stock KK, and what magic it does allows Motopocalypse to unlock BL again.
http://www.droid-life.com/2014/06/16/motorola-bootloader-unlock-razr-hd-towelroot/
Confirmed working!
Root and bootloader unlock!
Sent from my Droid RAZR M
GnatGoSplat said:
No need now! Towelroot will root stock KK, and what magic it does allows Motopocalypse to unlock BL again.
Towel Root only allows the root access that Motopocalypse needs. The old trust zone was accidentally (or purposely) put back into this OTA; that's what Motopocalypse exploits.
Sent from my HTC6525LVW using Tapatalk
RikRong said:
Towel Root only allows the root access that Motopocalypse needs. The old trust zone was accidentally (or purposely) put back into this OTA; that's what Motopocalypse exploits.
Ah, I see. Good to know. :good:

[DEV][WIP]Bootloader unlock development[no unlock yet]

***This is not a bootloader unlock. This is only a discussion about a possible bootloader unlock***
So I've been following this blog for the past couple of weeks. The owner of the blog describes an exploit to run arbitrary code in trustzone kernel in msm8974 chipsets (post1, post2, post3).
Trustzone is responsible for stuff like android keystore, decoding audio and video with DRM and has absolute control over every bit of hardware inside the chipset.
Most importantly the Qfuses checked by the bootloader to determine if it's unlocked or not.
Now, I've been looking at the disassemblies of trustzone images extracted from firmware versions 4.3.6, 3.5 AT&T, 3.6.2 T-Mobile DE.
The bug causing this exploit is in fact fixed in firmware 4.6.3. I didn't test 4.6.1 because it is probably fixed there too.
Anyway, in firmware versions 3.5 and 3.6.2 the bug is still present. Meaning that we would probably be able to run arbitrary code on the devices with old firmware, or if we can downgrade our phones to 3.6.2 firmware.
The first problem we have is, the exploit needs a slight kernel driver modification to run (that is, if we are not going to use his "zero write primitive" to blow a Qfuse).
But in our devices we can't even boot a custom kernel! (fastboot kernel hotbooting complains even if you pass a signed boot image, saying "boot not allowed in locked HW").
So we might need to find a way to use "kexec" to hotswap a kernel at runtime, which in turn might need a modified kernel module to be loaded.
We still don't know if we can load unsigned kernel modules into the stock kernel.
The next problem is to find the correct Qfuse to blow. If we blow a wrong one, we can say goodbye to our device.
This would need an analysis of the aboot partition image (emmc_appsboot.mbn) to find which Qfuse aboot checks for bootloader unlocked (take a look here to know more about this).
So a very simple outline of what we have to do is:
1) Find a way to downgrade to firmware/trustzone 3.6.2
2) Get kexec to run a custom kernel
3) Run the trustzone exploit to blow the correct Qfuse
Now, I'm not very good at reverse engineering stuff since I'm still a newbie, I need help from everyone.
Reply if you have any ideas and contributions. any kind of feedback is appreciated.
Hello @madushan1000,
Here seemed an appropriate place to reply to your PM
Some points to consider:
- Safestrap doesn't use kexec, it uses 2nd init which hijacks the boot process to load a different ramdisk
- Therefore you won't be able to use anything from Safestrap including 2nd init to enable loading a new kernel
- Also note kexec is not enabled on stock kernel builds so at least the exec part is out the window.
- I checked the aboot of 3.5.x and 4.6.1 and noted that the exploit used on the Kindle HDX tabs to bypass/unlock the bootloader have been patched up.
- Other than that: It seems the bootloader is going to remain locked on our devices - Though I hope I am wrong.
More info on the trustzone exploit can be found in the posts I linked above.
Anyway, I don't think we can use the HDX bugs even if the aboot bug was present, because there is no unlock partition found on the device and flashing to any kind of partition is absolutely prohibited.
We are going to do what is described in this post (http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html) using the trustzone exploit.
As for kexec, there is a kexec kernel module developed at the Xperia forums; I can try to port it to the Fire phone. Probably wouldn't be too hard because it was built for an msm8974 kernel too.
Anyway, has anyone gone back to 3.6.2 from 4.6.1 without bricking the device?
Wow, I just found out you can't load unsigned kernel modules too.
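A posture check for the three properties this exchange turns on (kexec absent from the stock kernel, unsigned modules refused, verified boot locked), added here as an example and not code from the thread. It assumes the captures come from adb shell 'zcat /proc/config.gz' and adb shell getprop, that the stock kernel exposes /proc/config.gz at all (many vendor kernels do not), and that the device reports the property names ro.boot.verifiedbootstate and ro.boot.flash.locked; each check reads one capture on stdin, so the script also runs offline on the constructed samples at the bottom.

```shell
#!/bin/sh
# Added example, not from the thread: reports whether a device still enforces the
# three protections discussed above (no kexec in the stock kernel, no unsigned
# kernel modules, locked verified boot). Each check reads one adb capture on stdin.
#
# Capture on a device (assumption: the stock kernel exposes /proc/config.gz,
# which many vendor kernels do not):
#   adb shell 'zcat /proc/config.gz' > config.txt
#   adb shell getprop > props.txt
#   check_kexec < config.txt ; check_modules < config.txt ; check_boot < props.txt

# kernel_option NAME : reads a kernel config on stdin and prints y (built in),
# m (module) or n (absent, or present only as "# NAME is not set")
kernel_option() {
    name=$1
    line=$(grep -E "^${name}=" | head -n 1)
    case "$line" in
        "${name}=y") echo y ;;
        "${name}=m") echo m ;;
        *)           echo n ;;
    esac
}

# boot_prop NAME : reads getprop output ("[name]: [value]" lines) on stdin and
# prints the value, or "unset" when the property is absent
boot_prop() {
    name=$1
    val=$(sed -n "s/^\[${name}\]: \[\(.*\)\]\$/\1/p" | head -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# check_kexec : "ok" when the kernel has no kexec support at all, "weak" when
# CONFIG_KEXEC is built in or available as a module
check_kexec() {
    case "$(kernel_option CONFIG_KEXEC)" in
        y|m) echo weak ;;
        *)   echo ok ;;
    esac
}

# check_modules : "ok" when loadable modules are disabled outright or the kernel
# refuses unsigned ones (CONFIG_MODULE_SIG_FORCE), otherwise "weak"
check_modules() {
    cfg=$(cat)
    mods=$(printf '%s\n' "$cfg" | kernel_option CONFIG_MODULES)
    force=$(printf '%s\n' "$cfg" | kernel_option CONFIG_MODULE_SIG_FORCE)
    if [ "$mods" = n ] || [ "$force" = y ]; then echo ok; else echo weak; fi
}

# check_boot : "ok" when verified boot reports the "green" state and the flash-lock
# flag says locked; the two property names are an assumption, not from the thread
check_boot() {
    props=$(cat)
    state=$(printf '%s\n' "$props" | boot_prop ro.boot.verifiedbootstate)
    locked=$(printf '%s\n' "$props" | boot_prop ro.boot.flash.locked)
    if [ "$state" = green ] && [ "$locked" = 1 ]; then echo ok; else echo weak; fi
}

# Constructed samples standing in for the two captures (not from a real device)
SAMPLE_CONFIG='# CONFIG_KEXEC is not set
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y'
SAMPLE_PROPS='[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.build.version.release]: [6.0]'

printf 'kexec:   %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | check_kexec)"
printf 'modules: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | check_modules)"
printf 'boot:    %s\n' "$(printf '%s\n' "$SAMPLE_PROPS" | check_boot)"
```

A "weak" line is a prompt to read the actual config or property, not a verdict on its own: a kernel built without /proc/config.gz makes every kernel_option answer "n", which this script reports as "ok" for kexec.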
madushan1000 said:
***This is not a bootloader unlock. This is only a discussion about a possible bootloader unlock***
So I've been following this blog for the past couple of weeks. The owner of the blog describes an exploit to run arbitrary code in trustzone kernel in msm8974 chipsets (post1, post2, post3).
Trustzone is responsible for stuff like android keystore, decoding audio and video with DRM and has absolute control over every bit of hardware inside the chipset.
Most importantly the Qfuses checked by the bootloader to determine if it's unlocked or not.
Now, I've been looking at the disassemblies of trustzone images extracted from firmware versions 4.3.6, 3.5 AT&T, 3.6.2 T-Mobile DE.
The bug causing this exploit is in fact fixed in firmware 4.6.3. I didn't test 4.6.1 because it is probably fixed there too.
Anyway, in firmware versions 3.5 and 3.6.2 the bug is still present. Meaning that we would probably be able to run arbitrary code on the devices with old firmware, or if we can downgrade our phones to 3.6.2 firmware.
The first problem we have is, the exploit needs a slight kernel driver modification to run (that is, if we are not going to use his "zero write primitive" to blow a Qfuse).
But in our devices we can't even boot a custom kernel! (fastboot kernel hotbooting complains even if you pass a signed boot image, saying "boot not allowed in locked HW").
So we might need to find a way to use "kexec" to hotswap a kernel at runtime, which in turn might need a modified kernel module to be loaded.
We still don't know if we can load unsigned kernel modules into the stock kernel.
The next problem is to find the correct Qfuse to blow. If we blow a wrong one, we can say goodbye to our device.
This would need an analysis of the aboot partition image (emmc_appsboot.mbn) to find which Qfuse aboot checks for bootloader unlocked (take a look here to know more about this).
So a very simple outline of what we have to do is:
1) Find a way to downgrade to firmware/trustzone 3.6.2
2) Get kexec to run a custom kernel
3) Run the trustzone exploit to blow the correct Qfuse
Now, I'm not very good at reverse engineering stuff since I'm still a newbie, I need help from everyone.
Reply if you have any ideas and contributions. any kind of feedback is appreciated.
How do you know there's a bit in the QFPROM dedicated to unlocking the bootloader? Doesn't that seem kind of like an oversight since there's one you blow to lock it in the first place? Blowing a random fuse will just brick your phone and I'll tell you right now there's no bit to unlock it. The bug has been patched for quite a while and even if it did work, I'm doubtful you'd find what you're looking for.
Well, I don't know. That's why this is still work in progress. But still, as pointed out in the original post, there is one qfuse which is blown after the first factory flash to mark the device as bootloader locked. Then there is another one (which is not blown in almost all the msm chipsets, in case the vendor changes their mind and offers an unlock in the future) which marks the device as permanently unlockable. Even if this fuse is blown, by gaining arbitrary code execution in trustzone we might be able to trick the bootloader into thinking the device is unlocked.
Don't worry, I'm not going to start blowing qfuses up blindly. First I'm going to identify if there is such a qfuse at all by looking at the aboot disassembly. Then try reading their values first to verify it is in fact not blown. Then I'm going to blow stuff up when I can afford a new phone
Even before that, I have to find a way to downgrade trustzone and find a way to load unsigned kernel modules. I have no illusions, I'm very very far away from unlocking this thing.
And which bug are you referring to? The new trustzone bug I mentioned or the previous trustzone bug?
kaboom away
madushan1000 said:
Don't worry, I'm not going to start blowing qfuses up blindly. First I'm going to identify if there is such a qfuse at all by looking at the aboot disassembly. Then try reading their values first to verify it is in fact not blown. Then I'm going to blow stuff up when I can afford a new phone
With the current fire sale on these phones, you can probably afford to blow up as many as you want. I cannot believe the prices on these babies right now, that is, if you are into Prime, or don't mind reselling the Prime. I am almost ready to buy a third one.
LNRrgB said:
With the current fire sale on these phones, you can probably afford to blow up as many as you want. I cannot believe the prices on these babies right now, that is, if you are into Prime, or don't mind reselling the Prime. I am almost ready to buy a third one.
The sad thing is, Amazon Prime is not available here, let alone fire sales. I would definitely love to get my hands on a few more.
madushan1000 said:
The sad thing is, Amazon Prime is not available here, let alone fire sales. I would definitely love to get my hands on a few more.
It's $124.99 on eBay, brand new, Prime and warranty.
Yup, ebay has the 32GB and the 64GB for sale right now, with Prime ! Seller is qualitycellz .
litan1106 said:
It's $124.99 on eBay, brand new, Prime and warranty.
Now $119
Perhaps, after all stock containing Prime is depleted, we will get a bootloader unlock...
Wow, if only I had the money. Wish the stock will hold until I graduate next month and get a job.

Droid Turbo 2 Lets figure out how to get root

This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs": security flaws found in our devices that would put our OS at risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely, so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Exploit found for Turbo 2 that can grant root access
Given the widespread impact of this exploit, it is likely other device owners are going to try to implement this exploit as well. Please post here if you find any implementations for other devices as it may be usable for the Turbo 2.
It has been confirmed that Quadrooter can exploit the Turbo 2: http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
Four vulnerabilities (CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, CVE-2016-5340)
And just an FYI:
"ALLOW OEM UNLOCKING" DOES NOTHING ON THE DROID TURBO 2
windraver said:
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs": security flaws found in our devices that would put our OS at risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely, so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
I have installed one-click root (I got it through another site, not from them) and it sometimes says failed to root, but other times it goes through the process, says it's done and to reboot, but when rebooting it does not have root. I have tried running other apps, like King Root, or Root Genius, or half a dozen others to get it to root, after getting one-click to say it has rooted it. Not sure if this will help or not, and honestly, I'm to the point I'm ready to give up and do something different. I WILL NEVER buy another Verizon phone, ever! I may not drop them as a carrier, but I won't be keeping their crappy locked junk.
brannonwj said:
rant
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
not a rant
Techn0Luigi said:
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
That wasn't a rant about how I didn't do any research. It was what I did that might lead to someone having an idea of how it might help.
Don't be a jerk.
mr_verystock said:
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
Can you explain the QHSUSB_DLOAD more?
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match the magic key (.hex) then booting fails. Most of the stuff turns off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that are used to boot (so in this case, you may be able to bring over something that damages the TZ transistor, thereby unlocking the bootloader). What you bring over exactly for the bootloader unlock hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contain the root blocks, and the bootloader doesn't know a thing.
Bringing over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
They rooted the phone in China, they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
mr_verystock said:
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match the magic key (.hex) then booting fails. Most of the stuff turns off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that are used to boot (so in this case, you may be able to bring over something that damages the TZ transistor, thereby unlocking the bootloader). What you bring over exactly for the bootloader unlock hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contain the root blocks, and the bootloader doesn't know a thing.
Bringing over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
I'd like to see a Verizon phone rooted. That is the version I have and most in the U.S. have as well.
Sent from my XT1585 using Tapatalk
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
The godless app is a hack that steals your data. If it did work (which from what I understand only works on 5.1 and below), you'd risk your personal and financial data being stolen and sold.
Alaadragonfire said:
They rooted the phone in China, they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
Any luck in contacting the seller on how it is rooted?
I'm sure they use stolen Lenovo/Motorola factory development "engineering" software which unlocks the bootloader. It's the same phone as the Moto X Force but with locked down bootloader.
There were similar Droid Turbo phones being sold with unlocked bootloader a year ago in China, months before the Sunshine exploit was found.
gizzardgulpe said:
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
I don't have my DT2 but here is a link to one of the apps in case someone wants to try
https://apkpure.com/summer-flashlight/com.foresight.free.flashlight?hl=en
I'm usually just lurking here and grab Roms and exploits when they pop up, but I have something to add. Has anyone unlocked the developer settings? There's a toggle named 'oem unlocking' with a subtext of 'allow the bootloader to be unlocked'. Does this mean the bootloader can be unlocked? Last Verizon phone I had was a g3 and only way to gain a faux unlock was to use 'bump' to install twrp. Could this be possible with the turbo 2? I'm not a coder or anything, but just trying to add to the think tank here
This setting does nothing.
damkol said:
This setting does nothing.
There really should be a sticky saying "ALLOW OEM UNLOCKING DOES NOTHING ON THE DT2"
Droid turbo 2
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Rhydenallnight said:
After spending countless hours trying to unlock my bootloader to root my phone, I'm at an impasse. I've been told the Verizon and AT&T models aren't able to be unlocked. I will keep trying to get around this to root and install custom ROMs, if anyone has any tips.
Crack the case, hook up some leads (microscope) and dump the memory for the boot loader is the only thing I can think of. Don't know if that is even possible with that memory. It's probably integrated with other stuff.
Sent from my XT1585 using Tapatalk
Update: Oh yeah, it's encrypted. Guess that won't work.
Found something. Does anyone know if this vulnerability exists on the Droid Turbo 2?
CVE-2015-1805
http://www.computerworld.com/articl...itical-android-root-vulnerability-itbwcw.html
There is a proof of concept out there. Has anyone tried it?
https://github.com/dosomder/iovyroot

[BOUNTY - DEV NEEDED] Bootloader unlock - Root - TWRP - AT&T G6.

While the G6 alone is a fantastic device, we AT&T users want to play too. As of now I know you cannot boot into fastboot on this variant, as I've tried. I also know the chances are slim considering the G5 is still locked, but nothing's impossible on XDA. Look at the H910 V20 model for AT&T: it's unlocked with the dirty santa exploit.
This is a donate thread for bootloader unlock, root and TWRP.
I'm not taking a tally, so if someone wants to do that then feel free. The only rule is you pay what you pledge upon project completion.
This thread is for discussion and pledges. :good:
Updated:
I no longer have the device. I couldn't live without root, so I got a OP3T. But feel free to keep this open for others.
Anyone want to get this BOUNTY up and going with me?
Count me in for $20
I'll give $50
I'll also give $80.
Unlock, Root, TWRP, and don't kill anything along the way... $100.
Root? Any progress? this device deserves some love. Bounty anyone?
I'd happily pitch in $50 for an unlock. Itching to try out some Oreo ROMs.
The G5 remaining locked doesn't make it seem all that likely though
Though I'd love to be proven wrong! (please, before I give in to the 5T announcement tomorrow)
Guys, I don't wanna be that guy, but look back in history with the G4, G5 and now G6. More than likely bootloader unlock will never be achieved, as any device now on Nougat and above checks system verity; root is not possible without an unlocked bootloader...
The biggest thing here, myself included: if you want a rooted device, research before purchasing...
Don't buy devices on the hope that root and BL unlock will be achieved, as LG's "newer" bootloader signing is impenetrable as of now.
TheMadScientist said:
Guys, I don't wanna be that guy, but look back in history with the G4, G5 and now G6. More than likely bootloader unlock will never be achieved, as any device now on Nougat and above checks system verity; root is not possible without an unlocked bootloader...
The biggest thing here, myself included: if you want a rooted device, research before purchasing...
Don't buy devices on the hope that root and BL unlock will be achieved, as LG's "newer" bootloader signing is impenetrable as of now.
I admit, I did NOT do my research. I got a good deal on it, so I picked it up. Coming from the last 2 devices having bootloader unlocked, I suppose I got used to it. It's not the worst thing in the world, but I love to tinker. Guess I'll pick up another device, if I feel like bricking it with some dude's crazy kernels or ROMs
hangtenboy said:
I admit, I did NOT do my research. I got a good deal on it, so I picked it up. Coming from the last 2 devices having bootloader unlocked, I suppose I got used to it. It's not the worst thing in the world, but I love to tinker. Guess I'll pick up another device, if I feel like bricking it with some dude's crazy kernels or ROMs
I studied the encryption on the G4's bootloader quite a bit and there was no hope at that time. And it still doesn't look good....
By the way, I am an old-school Hoosier myself, born and raised in Gary and Merrillville.
I will kick in 50 bucks towards a bounty.
Such a nice phone, so much bloatware :S
Guys, my LG G6 H870 has a burned motherboard... so I bought a used AT&T motherboard from eBay. It works well, also with my Italian carrier. Is it possible to install H870 firmware inside the H871 smartphone? Because without an AT&T SIM I cannot update the firmware; it always says that it is updated, but that's not true... on AT&T without a SIM card it will not update... Is root the way to do it?
Just curious, since I have heard about an unlocked bootloader and root being successful... is it true?
https://forum.xda-developers.com/lg-g6/how-to/fundraiser-to-unlock-bootloader-t3959036
Interesting information here.
If anyone can provide me with a US997 unlocked version IMEI number, I might have something for y'all.
UPDATE: I need more time and research.

Eng Bootloader?

Okay guys, apparently I'm too much of the little guy to post this in the dev part. However, I did a search and came across an eng bootloader, or what claims to be one, for the Galaxy S10+. I'm not sure as to the legitimacy of this file, but figured it was worth putting out there. I helped, or tried to help, when the S8 came out as well. Anyway, once I get it uploaded somewhere, I will post the file.
Okay, just an FYI: this is said to be the eng bootloader from PakFirmware and said to be for G975U.
Bootloader file: https://drive.google.com/file/d/1c3gDQ6vi99NsRS3cZzVkR2C_vzNIPL-s/view?usp=drivesdk
Bootloader RAR file: https://drive.google.com/file/d/1wG1d0eK6hBnL6-N1SimEIwvKiC2G8YcY/view?usp=drivesdk
If anyone is curious as to where the file came from, it was from here: https://www.google.com/amp/s/pakfirmware.com/2019/02/samsung-s10-sm-g975u-eng-boot-file/amp/
Here is the link to the combination firmware file with the supposed eng bootloader included: https://drive.google.com/file/d/1XeL8KfP255QJD0Txv5B79Edneb4SEaY-/view?usp=drivesdk
First of all, I bet you $20 right now it's not; it's just the same combination boot file that comes in every single combination ROM.
Second of all, even if it is and I am wrong, it won't help, as you won't be able to boot it. Samsung phones require special certificates to allow them to boot eng firmware, and those certificates essentially OEM unlock the device anyway. I know this because I have an S8+ that happens to possess one. But before you ask, the certificates are tied cryptographically to the IMEI and DID numbers of the device they are issued for, so finding one for another device won't help you.
As has been stated ad nauseam, the USA Samsung devices aren't rootable anymore. People who want rooted Samsungs should purchase the Exynos (SM-G975F/D) or international Snapdragon (SM-G9750) models.
While the above may be true, I was merely trying to help, and by no means am I a developer. I, however, do not believe that US variant SD Samsung phones are not rootable. There have been countless times before where people have made that statement and yet root has come to fruition, albeit it may take a considerable amount of time and effort. Many US customers are unable to buy international variants and are stuck with what we can get. So with that being said, I hope that I am not being too pushy with regards to your statement; I just refuse to be pessimistic when it comes to development and root efforts. The Galaxy S8 had root even though it took some time, yet it was supposed to be unrootable. I just like to think that regardless of people saying it "can't", it is a motivator to challenge development and experiment.
You two should work with @elliwigy and his root project! He could use some assistance & expertise & team! Cheers
ait1071 said:
While the above may be true, I was merely trying to help, and by no means am I a developer. I, however, do not believe that US variant SD Samsung phones are not rootable. There have been countless times before where people have made that statement and yet root has come to fruition, albeit it may take a considerable amount of time and effort. Many US customers are unable to buy international variants and are stuck with what we can get. So with that being said, I hope that I am not being too pushy with regards to your statement; I just refuse to be pessimistic when it comes to development and root efforts. The Galaxy S8 had root even though it took some time, yet it was supposed to be unrootable. I just like to think that regardless of people saying it "can't", it is a motivator to challenge development and experiment.
S10 COMBINATION file Restrictions flash
Unless get token
steady.bin flash!
Game over!
ait1071 said:
While the above may be true, I was merely trying to help, and by no means am I a developer. I, however, do not believe that US variant SD Samsung phones are not rootable. There have been countless times before where people have made that statement and yet root has come to fruition, albeit it may take a considerable amount of time and effort. Many US customers are unable to buy international variants and are stuck with what we can get. So with that being said, I hope that I am not being too pushy with regards to your statement; I just refuse to be pessimistic when it comes to development and root efforts. The Galaxy S8 had root even though it took some time, yet it was supposed to be unrootable. I just like to think that regardless of people saying it "can't", it is a motivator to challenge development and experiment.
I am aware, as I was the last person to root one. Changes came with the S9 family that closed the last remaining doors. As you can see by looking, the S9 and S9+ were never rooted. The S10 won't be either.
Found something
Ok, so I found something that might be of some use. It says it's an eng boot file, but I don't know if it's legit or not, so if someone can check it out it would be very much appreciated. Here's the link: https://support.halabtech.com/index.php?a=downloads&b=folder&id=42678
Chibisuke1219 said:
Ok, so I found something that might be of some use. It says it's an eng boot file, but I don't know if it's legit or not, so if someone can check it out it would be very much appreciated. Here's the link: https://support.halabtech.com/index.php?a=downloads&b=folder&id=42678
It's not. In 100 out of 100 times you find these online, they are just the combination bootloader repackaged with this incorrect name, because they can be used to bypass FRP in some cases.
I don't know why you are looking for the eng bootloader anyway. Even in the incredibly unlikely scenario you found the real one, it won't help you, because devices past the S7 won't boot them anyway without a special certificate that your phone doesn't have (because it effectively unlocks your bootloader anyway).
GSM CHEN said:
S10 COMBINATION file Restrictions flash
Unless get token
steady.bin flash!
Game over!
Man, if only we were able to find and use the ENG firmware! Even if anyone is able to find ENG firmware, they will not be able to use it, as @partcyborg already pointed out. You would need some sort of ENG token to convert your device into an ENG device, which, as he also stated, would in itself be like unlocking the bootloader. If you know anyone or any company that is able to convert devices to ENG devices (I highly doubt it), then please let us know.
Last I heard, even if you could find anyone able to sell you an ENG cert/token, they are very expensive...
partcyborg said:
It's not. In 100 out of 100 times you find these online, they are just the combination bootloader repackaged with this incorrect name, because they can be used to bypass FRP in some cases.
I don't know why you are looking for the eng bootloader anyway. Even in the incredibly unlikely scenario you found the real one, it won't help you, because devices past the S7 won't boot them anyway without a special certificate that your phone doesn't have (because it effectively unlocks your bootloader anyway).
Haha yes, that irritates the CRAP out of me... it's like the entire internet doesn't know the difference between "ENG" and "FACTORY" sometimes..
To add, factory firmware will not allow you to root your device. It is only typically "debuggable" (no, it isn't a userdebug build, and if you don't know what this means then it probably won't help you either), permissive and verity disabled.
ENG firmware typically will have "eng" in its name, and the 5th letter from right to left will typically be an E (for ENG).
To top it off, most of the world can't even flash factory firmware onto the G975U.... I think people should focus on figuring that out before anything.. if not, the world is doooooomed
On a side note: the S8/S8+ SamPWND root did use some ENG firmware (this was of course released after the S7).. Mainly we used the ENG system, which has SU binaries by default.. but I can 100% tell you that even if we did come across ENG firmware, we can no longer flash the system without an ENG token/cert...
elliwigy said:
Man, if only we were able to find and use the ENG firmware! Even if anyone is able to find ENG firmware, they will not be able to use it, as @partcyborg already pointed out. You would need some sort of ENG token to convert your device into an ENG device, which, as he also stated, would in itself be like unlocking the bootloader. If you know anyone or any company that is able to convert devices to ENG devices (I highly doubt it), then please let us know.
Last I heard, even if you could find anyone able to sell you an ENG cert/token, they are very expensive...
$600 USD per device for the S8/S8+. That is after the company plops down $25k up front just to set everything up.
It's likely priced this way specifically to make it virtually impossible to do things like give them out on XDA.
I think elliwigy has rooted the S9. The S10 will be very, very hard to do, if not impossible.
kalexander7 said:
*cough* Just figured I'd leak some protected Samsung AT commands here for you guys to crack that 'cryptography'
AT+ENGMODES=0,
AT+ENGMODES=1,
AT+ENGMODES=2,2,
AT+ENGMODES=8,0,0
AT+ENGMODES=8,0,1
AT+ENGMODES=8,0,2
AT+ENGMODES=8,0,3
AT+DEVROOTK=
AT+DEVROOTK=1,0,0
AT+DEVROOTK=1,1,0
AT+DEVROOTK=2,0,
AT+DEVROOTK=2,1,
AT+DEVROOTK=2,2,
AT+DEVROOTK=2,3,
AT+DEVROOTK=2,4,
AT+DEVROOTK=2,5,
AT+DEVROOTK=2,6,
AT+DEVROOTK=2,7,
Both of these commands have something to do with the eng bootloader being switched.
AT+REACTIVE may also be part of it
These aren't secret or helpful.
Seems at this rate we would need a Samsung phone tech to get root.