Hi guys!
I've been a bit busy in life for my first two months or so of owning the Galaxy Note 3 SM-900A. But finally I've run into a bit of a block of time, so I'm hoping to get some bootloader work done. I've already been studying it for a day or two, and am ready to begin some modifications in attempt to disable Knox/Signature verification/etc. But unfortunately I was broken into a few months back, and all my specialty hardware related to brick recovery is stolen (JTAG, etc.) - so I need some help from anyone who has a nice cozy return policy/warranty/replacement system available to them, who can risk rendering the device into a total brick (perhaps not bootable by any known method other than JTAG)
If you can help me out, please PM, I will get back to you soon regarding contact methods etc. - I am used to using an IRC channel on irc.freenode.net where #xda-devs lives, but perhaps we could use a more up-to-date collaboration method also.
Again, we will make every effort to do incremental testing that runs as much a minimal risk of brick as possible, but with such things there are no guarantees. Be ready and absolutely willing for a brick if you want to help. Thanks
Sent from my SAMSUNG-SM-N900A using Tapatalk
Da_G said:
Hi guys!
I've been a bit busy in life for my first two months or so of owning the Galaxy Note 3 SM-900A. But finally I've run into a bit of a block of time, so I'm hoping to get some bootloader work done. I've already been studying it for a day or two, and am ready to begin some modifications in attempt to disable Knox/Signature verification/etc. But unfortunately I was broken into a few months back, and all my specialty hardware related to brick recovery is stolen (JTAG, etc.) - so I need some help from anyone who has a nice cozy return policy/warranty/replacement system available to them, who can risk rendering the device into a total brick (perhaps not bootable by any known method other than JTAG)
If you can help me out, please PM, I will get back to you soon regarding contact methods etc. - I am used to using an IRC channel on irc.freenode.net where #xda-devs lives, but perhaps we could use a more up-to-date collaboration method also.
Again, we will make every effort to do incremental testing that runs as much a minimal risk of brick as possible, but with such things there are no guarantees. Be ready and absolutely willing for a brick if you want to help. Thanks
Sent from my SAMSUNG-SM-N900A using Tapatalk
Click to expand...
Click to collapse
Done and done. I'm ready to crack this thing :thumbup: let's do this.
Sent from my SM-N900A
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Has anyone attempted patching of the SBL? Simple one-byte patches of code there or to the Kernel? Does the signature verification catch these, obviously full image verification is only done at flash-time on the various open partitions as they are modifiable freely without tripping Knox/etc. Hard to find any public-facing info on if anyone has done work on it yet, trying to get a feel before I start so I don't duplicate work.
Also, in poking around, Carrier IQ seems active on the AT&T Build. Surprised more people aren't up in arms over this given it's previous reception
I think you should talk to @ryanbg and @Surge1223 They have done lots of research regarding this Knox/BL and have made some pretty good progress.
I personally think that doing that will make sig check fail and the Knox flag would trip 0x0 and it won't boot.
P.S. No matter what you do don't flash over RPM because that will definitely hard brick your device. (No SD Odin mode either).
http://forum.xda-developers.com/showthread.php?t=2476353
Also please keep this thread clean because most of this kinda threads get closed down before because of flame wars.
DA_G is pretty reliable with good reputation. He can play dirty and get away with it just a little more.
Sent from my SM-N9005 using Tapatalk
Da_G said:
Has anyone attempted patching of the SBL? Simple one-byte patches of code there or to the Kernel? Does the signature verification catch these, obviously full image verification is only done at flash-time on the various open partitions as they are modifiable freely without tripping Knox/etc. Hard to find any public-facing info on if anyone has done work on it yet, trying to get a feel before I start so I don't duplicate work.
Also, in poking around, Carrier IQ seems active on the AT&T Build. Surprised more people aren't up in arms over this given it's previous reception
Click to expand...
Click to collapse
Message me
ryanbg said:
Message me, I'm taking a look at the SBL right now. I also found the source for it...
Click to expand...
Click to collapse
Hi Ryan, I surely am interested in looking at the SBL source also. Is it a generic platform source or specific to the AT&T variant?
PM sent.
Hey Da_G! Just got the AT&T Note III myself, dropped my G-Note and broke it, but don't have any of the hardware needed to do what you are doing. Will be following this thread though and great hearing from you again.
I don't have any of the hardare needed anymore either. Flying blind
And I just missed a byte flashing to aboot, bam, hard brick. Lets see if i can recover
SD Card restore worked wonderfully. http://forum.xda-developers.com/showthread.php?t=2476353
Had made a 500mb image beforehand, wrote it to SD, booted from it, then flashed previously-dumped aboot back, fixed right up.
Da_G said:
SD Card restore worked wonderfully. http://forum.xda-developers.com/showthread.php?t=2476353
Had made a 500mb image beforehand, wrote it to SD, booted from it, then flashed previously-dumped aboot back, fixed right up.
Click to expand...
Click to collapse
Nice, I managed to hard brick testing N900w8 bootloader on my N9005, Reason I was playing around is the N900w8 has the capability of downgrading from 4.4.2 NA2 to 4.3 and rooting via CF-Autoroot without tripping KNOX and upgrading/downgrading again with zero issues. - I flatlined straight out
Da_G said:
SD Card restore worked wonderfully. http://forum.xda-developers.com/showthread.php?t=2476353
Had made a 500mb image beforehand, wrote it to SD, booted from it, then flashed previously-dumped aboot back, fixed right up.
Click to expand...
Click to collapse
For the research involved here it might be interesting to test IF the boot restrictions applied when booting from internal flash are still applied when booting from the external microSD - so for instance if you are on MJ7 bootloader now and you brick it you might want to first test is you can unbrick with a recovery image made from the older MI7 bootloader! (those are versions on N9005 but you should get the idea since most Note3 versions have gone through at least 2 bootloaders so far).
A few other things that I would like to contribute:
- the check on the very, very first bootloader is apparently weaker than any other security check after that - as far as I remember that one might be "fooled" by updating a 32-bit hash, which could be brute-force attacked in a decent time; everything after that initial step is on the same level as a brute-force attack on RSA (128 or 256, I do not remember);
- it might be interesting to also take a look at the trusted zone code (everything secure is pretty much done from there) and eventually find a way to dump the content of the qfuses (that might be needed in order to brute-force things later)
- it might be interesting to also look at the bootloader differences in the N9005W8 version - we already know that some of the keys involved in that case are controlled by somebody else than Samsung (Telcel)
- regarding debricking by booting from external SD - I now see that some/most Qualcomm models seem to NOT need any extra hardware signal, but Exynos models almost certainly do - search after 13-58_SM-N900_Boot_Recovery_Guide_rev1.0.pdf and you will see the official internal Samsung document on that (there is a similar one on the i9300)
- another interesting interesting document that might be worth reading in the context of knox and all SWREVs is called (13-74) Galaxy Note3 Unlocking for Reactivation Lock Guide Rev 5 0.pdf - but IMHO this is of less interest right now.
Thread cleaned
Reminder this is a Developers Only Discussion section
Take questions to your device Q&A section
KNOX WARRANTY VOID: 0x0
Referencing ODIN files here: http://forum.xda-developers.com/note-3-att/general/n900aucucnc2-odin-files-t2838117
In BL_N900AUCUCNC2
aboot.mbn (mmcblk0p6)
Address 0005F6E4 = "KNOX WARRANTY VOID: 0x%x"
So my question is: What if I just change that string to "KNOX WARRANTY VOID: 0x0"?
I know it's probably not going to work, but why not?
I would just go ahead and try it but I'm not ready to brick my device just yet.
....
Ok so I tried that and see that the auth failed in Odin 3.09 because the altered aboot.mdn within the BL tar causes a different md5 / different SHA1 hash, which is encrypted with RSA using the a public key which I believe is in the boot image, and I guess whatever is validating this has the private key so it can decrypt the encrypted md5 and compare it to the real md5. So if I want to edit aboot, I need to then encrypt the new md5 using the same public key... but then what would I do with that. I'm missing something. I'll get it. More reading...
On a good note, this did not flip the knox flag, nor did it brick my phone, so all is ok for now.
I think the files are signed with Samsung's private key (which we obviously don't have) and verified with their public key (likely in boot.img). So, no, you can't sign the modified boot image since you don't have the private key.
From what I know about rsa, the public key can only encrypt, and the private key can encrypt and decrypt. I don't know if that is the case here, but I'm guessing it is for now. Either way, "can't" is too strong a word for me. All encryption is crackable. I'm reversing the boot image and will figure it out eventually. The only two things that could possibly stop me are death, and someone else beating me to it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
Cobaltikus said:
From what I know about rsa, the public key can only encrypt, and the private key can encrypt and decrypt. I don't know if that is the case here, but I'm guessing it is for now. Either way, "can't" is too strong a word for me. All encryption is crackable. I'm reversing the boot image and will figure it out eventually. The only two things that could possibly stop me are death, and someone else beating me to it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
Click to expand...
Click to collapse
It's not encryption (well, sort of), but a signature. It's a 256 byte chunk of an 'encrypted' PKCS#1.5 padding and the SHA256 of the image (like aboot, or boot.img.) The private key does this 'encryption' and signing of the image hash, and the public key can simply verify/decrypt this signature to compare it with what it derives. If it matches, it returns 0 and continues to flash/boot/etc... If return =1 it will fail and boot/flash will be denied (like your Auth: fail in Odin.)
ryanbg said:
It's not encryption (well, sort of), but a signature. It's a 256 byte chunk of an 'encrypted' PKCS#1.5 padding and the SHA256 of the image (like aboot, or boot.img.) The private key does this 'encryption' and signing of the image hash, and the public key can simply verify/decrypt this signature to compare it with what it derives. If it matches, it returns 0 and continues to flash/boot/etc... If return =1 it will fail and boot/flash will be denied (like your Auth: fail in Odin.)
Click to expand...
Click to collapse
Thank you ryanbg! This information is truly helpful!
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
Does anyone know the address of the function which validates the signature? I've been looking at the NC2 binaries, but a more recent version would be just as helpful.
Consider the following assembly in aboot.mbn
If you were to run the aboot.mbn file, executing each instruction, following each branch, you would end up here
Code:
0x0F810A5C 00 50 93 E5 LDR R5, [R3] (Loading value 0x0 from memory at 0xFC4CF808)
0x0F810A60 00 00 55 E3 CMP R5, #0x0 (0x0)
0x0F810A64 FC FF FF 0A BEQ loc_F810A5C
This is an infinite loop, continually loading 4 bytes from the address 0xFC4CF808, and looping for as long as these bytes are all zeros.
What is it waiting for?
Once the value is not zero, it checks to see if it is 1. If it is not 1, it references the string "SPMI write command failure: cmd_id = %u, error = %u"
So what is SPMI? Apparently it is something that writes a 1 to the address FC4CF808 upon success.
Digging deeper. Feel free to help if you can if you want.
Ah ha! https://android.googlesource.com/kernel/lk/+/qcom-dima-8x74-fixes/platform/msm_shared/spmi.c
Related
Hi everybody,
I recently upgraded my GT-N7000 to stock 4.0.4 firmware. I had unlocked it before in a dirty way (apparently, with 2.3.6, it was enough to put null bytes in the nv_data.bin file at the correct offset), which happens to not work anymore, since now the MD5 file isn't recomputed when it's incorrect, but instead restored from the backup (.nv_core.bak).
So, I tried the most popular solution, GalaxSimUnlock (com.spocky.galaxsimunlock on the playstore), which is not free any more (the app itself is free, but at the time you click on unlock, a payment of 2€ is required to proceed).
I wanted to try another solution, Galaxy_S Unlock, but if I read the comments correctly, it's not permanent, and has to be run at every reboot.
As a personal challenge, I began reverse engineering the nv_data.bin file format and the way the MD5 file is computed (it's NOT standard MD5, of course). Well, I managed to permanently unlock my phone by zeroing the simlock bytes, computing the new MD5, and putting the result in /efs/.
So, I was wondering if the method is already known and public and I just missed it, or if people would be interested to hear about it? I could also make a free (for real) app, which would be my first android app (another little challenge for me).
Anyway, if someone can tell me more about the state of the art of sim unlocking, that'd be great, so I know if I'm wasting my time or not.
Also, I'm pretty sure the method will work on any modern samsung phone.
Thanks in advance!
Still waiting for answers, but I decided to start anyway to develop the application.
Any information will be greatly appreciated
fhoguin said:
Hi everybody,
I recently upgraded my GT-N7000 to stock 4.0.4 firmware. I had unlocked it before in a dirty way (apparently, with 2.3.6, it was enough to put null bytes in the nv_data.bin file at the correct offset), which happens to not work anymore, since now the MD5 file isn't recomputed when it's incorrect, but instead restored from the backup (.nv_core.bak).
So, I tried the most popular solution, GalaxSimUnlock (com.spocky.galaxsimunlock on the playstore), which is not free any more (the app itself is free, but at the time you click on unlock, a payment of 2€ is required to proceed).
I wanted to try another solution, Galaxy_S Unlock, but if I read the comments correctly, it's not permanent, and has to be run at every reboot.
As a personal challenge, I began reverse engineering the nv_data.bin file format and the way the MD5 file is computed (it's NOT standard MD5, of course). Well, I managed to permanently unlock my phone by zeroing the simlock bytes, computing the new MD5, and putting the result in /efs/.
So, I was wondering if the method is already known and public and I just missed it, or if people would be interested to hear about it? I could also make a free (for real) app, which would be my first android app (another little challenge for me).
Anyway, if someone can tell me more about the state of the art of sim unlocking, that'd be great, so I know if I'm wasting my time or not.
Also, I'm pretty sure the method will work on any modern samsung phone.
Thanks in advance!
Click to expand...
Click to collapse
I would love to hear about the zeroing the bytes!
fhoguin said:
Hi everybody,
I recently upgraded my GT-N7000 to stock 4.0.4 firmware. I had unlocked it before in a dirty way (apparently, with 2.3.6, it was enough to put null bytes in the nv_data.bin file at the correct offset), which happens to not work anymore, since now the MD5 file isn't recomputed when it's incorrect, but instead restored from the backup (.nv_core.bak).
So, I tried the most popular solution, GalaxSimUnlock (com.spocky.galaxsimunlock on the playstore), which is not free any more (the app itself is free, but at the time you click on unlock, a payment of 2€ is required to proceed).
I wanted to try another solution, Galaxy_S Unlock, but if I read the comments correctly, it's not permanent, and has to be run at every reboot.
As a personal challenge, I began reverse engineering the nv_data.bin file format and the way the MD5 file is computed (it's NOT standard MD5, of course). Well, I managed to permanently unlock my phone by zeroing the simlock bytes, computing the new MD5, and putting the result in /efs/.
So, I was wondering if the method is already known and public and I just missed it, or if people would be interested to hear about it? I could also make a free (for real) app, which would be my first android app (another little challenge for me).
Anyway, if someone can tell me more about the state of the art of sim unlocking, that'd be great, so I know if I'm wasting my time or not.
Also, I'm pretty sure the method will work on any modern samsung phone.
Thanks in advance!
Click to expand...
Click to collapse
i have the same problem can you pls tell me or give a tutorial on how to do it pls.
Any update on your apps? Will be great if we could use it. Tks
Disclaimer: I try my best to produce valid answers, but if you have no idea what you're doing, don't do it.
Terms and Definitions
NVflash / APX mode
This is the lowest level of software that can talk to an Nvidia Tegra device. Basically this is the Holy Grail of memory modification, which can even fix a damaged bootloader.
To use it, one boots the tablet with [Vol +] + [Power]. This will lead to the PC detecting an "APX" device. The screen stays blank.
This is no working solution for anything yet, as not only there is no leaked NVflash binary yet, but also the communication is encrypted via an unique 128bit AES key. This key is at no stage accessible, but can be used to encrypt data during boot. This is where the wheelie tool for previous transformers was of help. The Communication itself happens via a protocol called nv3p, which actually is open source, but as long as the key is unreachable, that's not a lot of use. NOTE: I will create an extra post with a lot more details about this.
Fastboot
The Android Bootloader.
This is the essential part of software which loads Android/a Recovery image/rooting ramfs/etc.
This is the most delicate part in the Android boot process, as fastboot is the lowest level of communication we have so far. In other words: The only way to fix a damaged bootloader would be NVflash, which is not yet available for this device.
Generally the Bootloader is locked as a method to prevent unauthorized access to data stored on the device. A locked Bootloader means no Fastboot.
Bootloader unlocking
To gain access to fastboot devices, the Bootloader needs to be unlocked. This can be as simple as installing an APK provided by the manufacturer or running "fastboot unlock".
Unlocking the Bootloader always leads to three resulting actions: Fastboot now works, all data on the device is wiped, the device's warranty is now void.
Unlocking the bootloader via unlock app can require you to have internet access and a valid google account. This can be problematic in the case of one-time-passwords, as the normal password will possibly not work (and you'll wonder why the heck it doesn't run).
Bootloader locking
This is (at least currently) not possible. Warranty void remains permanent.
RamFS
Simple file system in a file, which gets loaded into RAM. We use this for rooting.
Boot image
A file generally called "boot.img". This contains the kernel.
Recovery image
A partition image that contains a bootable linux kernel and file system, which server the purpose of creating and restoring nandroid backups and perform related tasks.
Brick - general
A device with messed up software, not being able to boot let alone perform any higher task other than being a brick.
Soft brick
A device not booting, which still responds to fastboot queries.
Hard brick / Brick
Fastboot doesn't work anymore. Maybe a visible boot loop, maybe nothing. The only point in which this differs from scrap is the ability to get into APX mode.
Chances are, there will be a way to use NVflash to fix this sometime.
Unbrick
Fixing a bricked device. Currently only soft bricked devices can be unbricked.
Root
General term for having super user abilities on a linux powered device. This can be used for reading/writing/executing restricted files, modifying things, loading custom ROMs etc.
Also having Root can mean "running with scissors", as there's not much left to prevent you from deleting important files and bricking your device.
Remember: Having Root is a very useful device, but with power comes responsibility. Also there is Android malware, which specifically targets rooted devices.
Rooting
The process of gaining Root. In early methods this generally starts with unlocking the device's Bootloader, then booting a Kernel with a purposely prepared ramfs to install and modify certain files.
As always, unlocking the Bootloader means all data will be wiped. By chance at some point someone will figure out a way to do this without unlocking.
ROM
A stock or custom Android ROM image. This contains everything needed for a running system. Custom ROMs contain tweaks, themes, improvements, styles, preloaded apps etc. Also more often than not, a load of bloat ware will be removed.
Bloat ware
Apps nobody needs/many fail to understand what they actually do/bring new ways to crash your device/sniff your precious data/revive long fixed and forgotten security leaks/the manufacturer adds to promote sales ("hey look, we've got an app for that pre installed").
Most importantly, cannot be removed from your device without Root.
Stock
A mint Android ROM, just like what the device gets shipped with.
Guides
Rooting
Requirements: Currently none
Compatible versions: anything > 10.14.1.47
Method: Booting custom Kernel and ramfs
Status: Proven
Link: http://forum.xda-developers.com/showthread.php?t=2516215
Recovery
Creator: Drgravy
Version: 6.0.3.7
Status: Abandoned but functional
Requirements: Bootloader <= 10.14.1.47 (this will not work with 10.26.1.7. Trying to do so will not work, but still boot Android as usual.)
Link: http://forum.xda-developers.com/showthread.php?t=2524401
Recovery
Creator: lpdunwell
Version: 6.0.4.5
Status: Experimental, WIP
Requirements: Bootloader >= 10.26.1.7
Link: http://forum.xda-developers.com/showthread.php?t=2556944
Various information
Hardware assembly date
On the box, rear side label.
Partition information / Unbricking
Link: http://forum.xda-developers.com/showthread.php?t=2546941
Keyboard key remapping
The physical keyboard has custom keys, with functions of debatable value. Here's how to remap them to suit your needs.
Note: This also works for other ASUS Transformers.
Warning: Backup any file you attempt to edit!
Method: The keyboard mapping is described in /system/usr/keylayout/asuspec.kl. The structure is pretty straight forward.
After saving the file, reboot the device.
Code:
Key: Function: Key number: Text:
lock Delete 142 "key 142 FORWARD_DEL WAKE UNLOCK"
search ALT 217 "key 217 ALT_LEFT WAKE UNLOCK"
HDMI configuration
The HDMI resolution can be adjusted. This can be handy under certain circumstances, although results may vary.
Method: Via terminal; disable frame buffer 1, change resolution, enable frame buffer 1
Info: To get a list of valid settings, run "cat /sys/class/graphics/fb0/modes".
This will reset at reboot.
This example enforces 1920x1200 @ 59Hz, in my case to force a HP Compaq monitor to keep running (without this it'll go to sleep for whatever reason).
Code:
echo 0 > /sys/class/graphics/fb1/device/enable
echo "D:1920x1200p-59" > /sys/class/graphics/fb1/mode
echo 1 > /sys/class/graphics/fb1/device/enable
Teardown
Teardown with two images and a brief description of the process: http://forum.xda-developers.com/showthread.php?t=2564143
Q&A
Q: "I have never rooted anything before. Can you send me some fairy dust to fix my bricked tablet if anything goes wrong?"
A: No. And if you are not absolutely sure of what you're doing, there's a fair chance you'll mess it up. Been there, done that.
Q: "What are known causes of bricked TF701?"
A:
Failed upgrade
Flashing incompatible boot.img and blob
Flashing something other than blob to staging
Removal of important files after rooting
Q: "I had a quick look at your instructions for xxx and I don't understand..."
A: Tough luck.
Q: "I re-read your instructions for xxx, searched the forum and I still cannot understand..."
A: Check if there's a matching thread. If there isn't create one with a diagnostically conclusive title. Use as much detail as possible.
Final notes
I hope this helps. As always, updates will follow.
Want to see your tutorial/guide/etc. here? Send me a detailed PM with the subject "TF701 Q&A extension".
You can help making this even better!
Found a mistake or believe I'm wrong about something? Let's discuss it.
Has this helped you? Consider clicking thanks.
THANK YOU for the hack to get a forward delete on the keyboard! That has been bugging me for a year!
Works just the same on the TF700 keyboard, btw.
Ask the mod to make it sticky, then it will always be at the top of the main thread.
Sent from my superfast Asus Infinity TF701with Dock
Snah001 said:
Ask the mod to make it sticky, then it will always be at the top of the main thread.
Sent from my superfast Asus Infinity TF701with Dock
Click to expand...
Click to collapse
he is retired .... Doesnt reply to any request ...
berndblb said:
THANK YOU for the hack to get a forward delete on the keyboard! That has been bugging me for a year!
Works just the same on the TF700 keyboard, btw.
Click to expand...
Click to collapse
yeah, the keymapping crap...
I found tons of "unpack this apk, edit soandso..." but I wanted to have it changed on a lower level. the remapping should work on most if not all transformers, and be easily portable to anything that has a hardware keyboard...
Rikodu said:
he is retired .... Doesnt reply to any request ...
Click to expand...
Click to collapse
Huh? Wut?????
Considering this is the first "Q & A" post, I will sticky it.
Provided the OP updates and maintains it.
MD
I'm pretty sure the resolution hack can be improved, but it's all I needed for now...
anybody write an app for that?
Moscow Desire said:
Huh? Wut?????
Considering this is the first "Q & A" post, I will sticky it.
Provided the OP updates and maintains it.
MD
Click to expand...
Click to collapse
go for it, it's sinking...
cheers
lpdunwell said:
go for it, it's sinking...
cheers
Click to expand...
Click to collapse
Seeing if you were paying attention..... :good:
lol
Maybe you could explain where to see the build date.
As far as I know its in the serial number after the characters. But in my case (and maybe others) I can´t see a date in 160074 .
done
hard bricked tf701t
Dear lpdunwell,
I have a bricked tf701, only asus logo available and loopboot, fastboot menu is broken as well. Only APX mode working, but I could not find appropriate nvflash for my pad (s I see there is no nvflash currently available for my tab)
In your explanation about bricked device, you wrote that there is possibility to recover tf701?
Please describe what nvflash version should I use to succeed?
Thanks in advance,
stream1313
stream1313 said:
Dear lpdunwell,
I have a bricked tf701, only asus logo available and loopboot, fastboot menu is broken as well. Only APX mode working, but I could not find appropriate nvflash for my pad (s I see there is no nvflash currently available for my tab)
In your explanation about bricked device, you wrote that there is possibility to recover tf701?
Please describe what nvflash version should I use to succeed?
Thanks in advance,
stream1313
Click to expand...
Click to collapse
Sorry mate we don't have nvflash and it is too late for you now anyway If you only have access to APX you are hard bricked. Best to sell it for parts and move on.... Or if you want to revive it send it to Asus to fix at a cost or source a replacement mainboard and do it yourself.
sbdags said:
Sorry mate we don't have nvflash and it is too late for you now anyway If you only have access to APX you are hard bricked. Best to sell it for parts and move on.... Or if you want to revive it send it to Asus to fix at a cost or source a replacement mainboard and do it yourself.
Click to expand...
Click to collapse
Hi man.. Why do you think I have to forget about my toy.. It was my Christmas (New Year in Tbilisi, Georgia, opposite planet side) present to myself But it is all the lyric only
Pls explain - do you really think that for ex., several weeks / months later, smb will create the nvflash or any similar SW which will be able to fix my problem? Actually I believe that until all electronic components are ok, device is not "dead" forever... Why you so pessimistic exactly for 701 transformer tab? Pls if you have time reply me
Kind regards,
Stan
stream1313 said:
Hi man.. Why do you think I have to forget about my toy.. It was my Christmas (New Year in Tbilisi, Georgia, opposite planet side) present to myself But it is all the lyric only
Pls explain - do you really think that for ex., several weeks / months later, smb will create the nvflash or any similar SW which will be able to fix my problem? Actually I believe that until all electronic components are ok, device is not "dead" forever... Why you so pessimistic exactly for 701 transformer tab? Pls if you have time reply me
Kind regards,
Stan
Click to expand...
Click to collapse
the way nv flash works is you need to flash the special bootloader to extract your device blobs and device specific keys. As you haven't been able to do it and you CANNOT do it once you have bricked you will have no chance. How are you going to flash a bootloader that you need fastboot for?
Sorry to bring bad news but if you only have APX with no saved nv flash files (which is not yet avail for our device) then you currently have 0% chance of recovering.
sbdags said:
the way nv flash works is you need to flash the special bootloader to extract your device blobs and device specific keys. As you haven't been able to do it and you CANNOT do it once you have bricked you will have no chance. How are you going to flash a bootloader that you need fastboot for?
Sorry to bring bad news but if you only have APX with no saved nv flash files (which is not yet avail for or device) then you currently have 0% chance of recovering.
Click to expand...
Click to collapse
Thanks a lot for reply (as well as for my another, initial thread reply) I have only CWM backup of my tab, on the MD card. But I do not know, does this backup contain all needed stuff? At list, I did not found there saved nv flash or blob files. Just "blobgenerator" (462Kb) and "blobtester" (370Kb), also some system files with "nv" in the name. But I do not have Idea, does CWM saving the low level loader files, at list I was not able to recognize them there...
my apologize for too many questions as well as for my poor English - it is not my native lang
Kind regards,
Stan
stream1313 said:
Thanks a lot for reply (as well as for my another, initial thread reply) I have only CWM backup of my tab, on the MD card. But I do not know, does this backup contain all needed stuff? At list, I did not found there saved nv flash or blob files. Just "blobgenerator" (462Kb) and "blobtester" (370Kb), also some system files with "nv" in the name. But I do not have Idea, does CWM saving the low level loader files, at list I was not able to recognize them there...
my apologize for too many questions as well as for my poor English - it is not my native lang
Kind regards,
Stan
Click to expand...
Click to collapse
No having CWM backups saved won't help you as you have no way of getting to the bootloader which would then be used to open the recovery so you could restore. WIthout a working bootloader you can't proceed. NV Flash uses APX mode to restore the blobs via the wheelie binary. You haven't captured the blobs to restore and as they are encrypted to your device you can't use anyone elses.
It's a new main board or nothing I'm afraid.
sbdags said:
No having CWM backups saved won't help you as you have no way of getting to the bootloader which would then be used to open the recovery so you could restore. WIthout a working bootloader you can't proceed. NV Flash uses APX mode to restore the blobs via the wheelie binary. You haven't captured the blobs to restore and as they are encrypted to your device you can't use anyone elses.
It's a new main board or nothing I'm afraid.
Click to expand...
Click to collapse
I see, everything is clear. Thanks for your time man. But I beleive that Asus has some kind of "backdoor" for such cases, for internal usage, of course. Asus manifest about "mainboard replacement" probably just for business, normally must be some way to crack this protection. I hope somebody from Asus will share some useful info or even software for public usage... Maybe it's my dreams only, I'm realistic (I'm working as IT/IS/GSM/WCDMA, but I'm so far from programming..)
Again, thank you. Pls notify me in case of any news about K00C hack
Problems flashing CWM recovery
stream1313 said:
I see, everything is clear. Thanks for your time man. But I beleive that Asus has some kind of "backdoor" for such cases, for internal usage, of course. Asus manifest about "mainboard replacement" probably just for business, normally must be some way to crack this protection. I hope somebody from Asus will share some useful info or even software for public usage... Maybe it's my dreams only, I'm realistic (I'm working as IT/IS/GSM/WCDMA, but I'm so far from programming..)
Again, thank you. Pls notify me in case of any news about K00C hack
Click to expand...
Click to collapse
----------------------------------------------------------------------------------------
Sorry I am not yet familiar with how to ask questions.
I recently bought a TF701T having used a TF700T now for two years and before that the TF101, TF201 and TF300T.
All these tabs I installed a recovery: CWM or TWRP and flashed the best ROM I could find. Usually Cyanomod or CROMi-X.
Everything worked fine so I was very excited when I got hold of the TF701T with its incredible Q-ratings and smoothness.
Unlocking worked just fine but installing CWM just does not work: flashing with Fastboot works OK but when I boot into recovery the little green man falls down and stays there
FYI: I am on the latest BL: 10.26.1.28, so newer than the mentioned 10.26.1.18 !
Please could anyone respond ?
Regards, JOTX10 from the Netherlands.
I had a heck of a dilemma this past week.
I have the N900A that I rooted using Kingo Root. No safestrap or new roms, just rooted. I obviously had the 'Custom' icon.
At day 20, my phone wouldn't charge any more or be recognized by USB. I tried everything. Factory reset, cleaned the port, cleaned the cables, new cables. Nothing helped. And it would have to be warranty exchanged through AT&T, but the warranty was voided because of root. I couldn't use Kingo to unroot, because the PC wouldn't recognize it.
I was able to find a workaround, using this:
http://forum.xda-developers.com/showthread.php?t=2559715
In fact, I really only used the third step. I didn't download or flash the rom. By some miracle, the PC would connect to the phone when it was in download mode. I used Odin to flash those four files, rebooted, and the custom icon was gone.
I'm hoping that this has removed all trace of root from the phone. The knox counter is still at zero.
I thought I would post this in case anyone else had a similar problem.
its on here too
http://forum.xda-developers.com/showthread.php?t=2559715
Return to stock
steveh_131 said:
I had a heck of a dilemma this past week.
I have the N900A that I rooted using Kingo Root. No safestrap or new roms, just rooted. I obviously had the 'Custom' icon.
At day 20, my phone wouldn't charge any more or be recognized by USB. I tried everything. Factory reset, cleaned the port, cleaned the cables, new cables. Nothing helped. And it would have to be warranty exchanged through AT&T, but the warranty was voided because of root. I couldn't use Kingo to unroot, because the PC wouldn't recognize it.
I was able to find a workaround, using this:
http://rootzwiki.com/topic/110386-return-to-stock-mj5-works/
In fact, I really only used the third step. I didn't download or flash the rom. By some miracle, the PC would connect to the phone when it was in download mode. I used Odin to flash those four files, rebooted, and the custom icon was gone.
I'm hoping that this has removed all trace of root from the phone. The knox counter is still at zero.
I thought I would post this in case anyone else had a similar problem.
Click to expand...
Click to collapse
Ok so, only doing step 3 returns the device to complete stock? I would do all the steps, but I don't really understand all of them.
asilva54 said:
its on here too
http://forum.xda-developers.com/showthread.php?t=2559715
Click to expand...
Click to collapse
Thank you, didn't see that when I searched last time.
ZOMBIExM4STER said:
Ok so, only doing step 3 returns the device to complete stock? I would do all the steps, but I don't really understand all of them.
Click to expand...
Click to collapse
I believe the rest of the steps serve to load the MJ5 version ROM onto the device (in case you've installed a newer one or something). Since I already had the stock ROM, they proved unnecessary for me. I just used Odin to flash those 4 files and since the icon disappeared, I stopped there.
steveh_131 said:
Thank you, didn't see that when I searched last time.
I believe the rest of the steps serve to load the MJ5 version ROM onto the device (in case you've installed a newer one or something). Since I already had the stock ROM, they proved unnecessary for me. I just used Odin to flash those 4 files and since the icon disappeared, I stopped there.
Click to expand...
Click to collapse
I'm on stock too, I want to do this because I'm having problems with the keyboard. The whole process is really confusing to me, do you think you can help me out?
ZOMBIExM4STER said:
I'm on stock too, I want to do this because I'm having problems with the keyboard. The whole process is really confusing to me, do you think you can help me out?
Click to expand...
Click to collapse
I will try, but I am not an expert by any means. I tinker, but hopefully these other more experienced guys will chime in if I say something incorrect.
1. Download odin from here: http://www.firmware-files.com/download.php?id=1&token=QDXtLX5r3hLhxpTt604CYR6zP9twKSmr
2. Extract odin to a folder on your computer
3. Download these four files:
http://www.firmware-files.com/download.php?id=8&token=1QMc777QYjZgceInVMKs1HlcxAWv2wrU
http://www.firmware-files.com/download.php?id=7&token=6AfQkrv4S1mjr2oClQdwHp62lZpT8BK5
http://www.firmware-files.com/download.php?id=6&token=rXopUUlOTAGrBAQfksBLl1lKu52xIjl0
http://www.firmware-files.com/download.php?id=15&token=5CYaBqGOCoJSQMM6K7WECGlLDK4NYWTT
4. These four files will be zipped. You need to extract the zip files somewhere onto your computer. Each file should have a .tar.md5 extension once you extract them.
5. Power off your phone. Put it into download mode. To do this:
Power off your phone completely'
Hold down the home button, volume down button and power button all at the same time
When the screen comes on, let go of the buttons
It will give you a warning. Press the volume up button to proceed to download (odin) mode.
6. Run the Odin3 v3.09.exe application (that you extracted in step 2)
7. Now that odin is running and hopefully connected, you need to specify the four files that you extracted to be downloaded. You should end up with a screen that looks like this:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
8. Click start and let it run until it is finished. Once it is finished, hold down the power button to power off your phone then do the same to turn it back on. The custom icon should be gone.
First thing I do after rooting is Wanam and turn off the Custom - just in case something like this happens. If the phone later blows up, factory reset if possible and walk it in for an exchange. Then if, when it blows up, even Odin can't see it, there's still no lock on the screen.
Rukbat said:
First thing I do after rooting is Wanam and turn off the Custom - just in case something like this happens. If the phone later blows up, factory reset if possible and walk it in for an exchange. Then if, when it blows up, even Odin can't see it, there's still no lock on the screen.
Click to expand...
Click to collapse
Doesn't factory reset delete the Xposed framework?
With AT&T you can't do a walk-in exchange after 14 days - pretty scary to mail it in for exchange and risk a $650 charge when they discover you rooted it.
I had the icon turned off with Wanam, but it came back.
steveh_131 said:
Doesn't factory reset delete the Xposed framework?
Click to expand...
Click to collapse
I could probably write an accounting program for an agency as large as the US government (or have fixed the health insurance site - doing something for half a century does pound some knowledge into even rock hard heads like mine), but when it comes to Android, I'm one of the learners, not one of the teachers. You know the answer to this question better than I do. I'd assume it does. I've made a lot of stupid assertions over the years, so ...
I downloaded a course that I may start reading one of these days, so I might yet learn enough to write a "Hello, World" app for Android. (Programmers know what I'm talking about - the difference between being able to develop a program and being able to code something to run in a particular environment - and the only internal environment I know in Android is where the battery and cards go.)
With AT&T you can't do a walk-in exchange after 14 days
Click to expand...
Click to collapse
SSSSSSHHHHHHHH!!!!!!! You weren't supposed to tell them that. I hope they didn't read this thread, and I hope the very nice lady who gave me the phone I'm using now doesn't get into trouble. (I'm not talking about walking in and saying "I don't like this phone, may I have a different one, please?" I'm talking about walking in during the warranty period and saying "could you please make my phone work?" and being told that they'll have to give you another phone. The only thing I'd trade my N3s for is N3s with unlocked bootloaders. I just want to see something other than comets revolving around Samsung's name.)
I had the icon turned off with Wanam, but it came back.
Click to expand...
Click to collapse
Mine stayed off - for the 3 or 4 days that the hardware didn't die on me. Then ... well, maybe Samsung has a way to read melted silicon, or whatever it did to make itself electrically invisible, but I'm not going to worry about it.
Wanam will keep the icon hidden but once you factory reset the phone I believe it deletes the xposed framework and the icon comes back.
I could be wrong about that, but that is my understanding.
I don't think you'd ever fool the warranty department that way, unfortunately, which is why I used this method.
Sent from my SAMSUNG-SM-N900A using Tapatalk 2
after doing just step 3 did you run a root check to see if that was gone? also what was the state of your phone after only doing step 3....meaning custom on dl mode and lock on boot screen....just wondering cause the files are so small to think that it would completely return to stock (like day 1)
ryant100 said:
after doing just step 3 did you run a root check to see if that was gone? also what was the state of your phone after only doing step 3....meaning custom on dl mode and lock on boot screen....just wondering cause the files are so small to think that it would completely return to stock (like day 1)
Click to expand...
Click to collapse
No custom and no lock. I didn't run a root check, not even sure how.
The files are small because you're not flashing an entire ROM. My ROM was still stock.
Dear Administrator or moderators...
Once this thread went to a conflict with gekkehenkie11 and according to that I spent about a week time researching this "knox" thing without having normal sleep even it was the limit for me, when by the words of gekkehenkie11 he pointer at me boing uselessly wasting people's time and like I'm being a liar. I got finally mad and deleted(overwritten own original posts). I need a 3-4 days to come down and think if I continue development of this KNOX thing(pointing at me like a liar and noob is a very bad motivation to continue, but maybe I will continue just for other people who didn't point at me that way). So far, Admin and moderators it's up to you to decide either to restore original posts from backup(if you have ones) or delete this topic. Any your decision will be accepted without any protest from my side. (I personally didn't leave any backups for myself).
Thanks for understanding!
i dont want to come across as a boyscout or anything, but isnt this essentially committing fraud (possibly insurance fraud)?
it depends
deleted
phoenix91140 said:
Hi Guys. Hope here are some programmers.
I have a good news for all Galaxy Note 4 users and owners, who have ever rooted it and got "KNOX WARRANTY VOID: 1" message. So from now(if developers, who write cf-auto-root tool) will use my advice, you can forget about warranty void. I'm linux expert and C/C++ programming expert too. So, once Samsung told me, that because of root warranty is void and they don't wanna repair factory cauzed mainboard damage(short-circle on mainboard), I wondered, how to solve that problem. And I found the solution(will do it on my own for my device when it gets back from service center) to hack that warranty void thing. So, first of all you go there sammobile.com /firmwares/database/SM-N910C/ to get original firmware(in my case SM-N910C, but choose yours, or you'll kill your device). You'll get original firmware. And KNOX uses value to print if warranty is 0 or 1 (0x0 or 0x1). But actually it makes no sence, since in service centers they just place Odin boot to check if it's 0 or 1. More over, they not goig to place root on it, to figure out, if knox works fine or not.
WARNING!!! READ CAREFULLY!!!
Any kind of warranty or usability are voided! By using this hacking method you accept, that you USE IT ON YOUR OWN RISK!!! This info basically is meant for xda-developers crew to release a massive hack. Any broken, died etc phone - IS YOUR OWN FAULT! If you don't know what you're doing - DON'T USE IT, UNTILL YOU KNOW WHAT YOU'RE DOING!!!
NEW!!! Since new Android Lollipop released, it's unknown behavior on android 5 firmware. I strongly reccomend to get a default stock firmware(Kitkat 4.4.4), cauze this hack was made on Kitkat and not tested on Lollipop(Android 5),
So guide to disable KNOX WARRANTY void:
1) download original firmware
2) unzip file you get(it is about 1.6 GB).
3) Need to modify sboot.bin image. Suitable is disassembler, or hex editor like Octeta for linux.
4) Search "KNOX WARRANTY VOID" text in sboot.bin file. You'll find something like (test device) ??? KNOX WARRANTY VOID: %d. In my case start position is 2786.
5) Now need to make it print Zerro (0). They use ordinary printf() command. "%d" symbol means, that digital value(number) gonna be printed. Here we can place statical Zerro, or if you're good at assembler and hacking, can search what varriable is used and where it comes from. But regular 0 on Odin near field of "KNOW Warranty void" is enough. So we take "%d" down and placing "0 " (ZERO + SPACE, 2 chars must be used, otherwise you you'll break binary file geometry and it will crash on execution time causing segmentation fault. Probably, if you break geometry of bin file device will die) instead.
6) When sboot.bin hacking is done, you'll need to pack all contents back again(images we got from original firmware archive, including hacked "sboot.bin" file), then upload new firmware(original + hacked sboot.bin inside) and reboot device.
7) Place reset to factory firmware(turn off phone, hold volume up + home button + power button) on emergency recovery during boot(so that root will be lost).
8) Done. Run Odin, and see that Odin shows Warranty void 0. Now warranty restored and you can go to nearest repair center, and make them note, that warranty void is 0. If they update firmware and it's 1 again, it's not your problem anymore.
Hope XDA-DEVELOPERS crew will release new cf-auto-root with this hack, or make a firmware(factory default) with KNOX warranty void hacked.
To those, who are not a programmers, please ask xda-developers to apply that stuff to firmware on this site.
Now the question, can we cooperate with xda-developers to make that hack publicly available?
To those of you, who used that hack, please provide feedback(phone model, sboot.bin availability and the result of odin status(mean if that helped you to get 0 or not). If you have any problems, ask xda-developers crew, or me for assistance.
Enjoy.
PS. I attach photo so, that you can see where to search warranty void stuff. I believe it's the same story for all new Samsung mobile phones.
Enjoy once again.
Click to expand...
Click to collapse
if this actually works, it doesn't change the FUSE-based KNOX warranty flag. i.e., it makes the software/bootloader prints 0x0, but this will change once you flash official firmware.
it's a fake value, but it helps
deleted
phoenix91140 said:
Yes, it works and yes, on firmware reinstallation it will get back 1(I wrote about it in my first post). But, if you have the latest firmware installed with that hack, they only check knox warranty void status(they have no reason for installing again the same firmware). But there should be an official status(that's why you need official firmware). And if problem on device carries hardware deffect issue(short-circuits, damaged BGA etc) and you can show the deffect in action - then they repair device(they do not change chips etc, they replace entire mainboard). Sure, if have broken bootloader and your device is a "software brick" it will not help, and it's already your fault. But for hardware issues it will pass. More over, even KIES on software update crash can set 1 to knox warranty void, so, even if they flash firmware, they will see 0 at first place and then see, that their action made it 1. And believe me, they not gonna look KNOX WARRANTY VOID twice. If at the time they flash firmware it's 0 and you have broken hardware(factory deffect) they will replace it. Also Samsung service friend told me that all damaged mainboards are destroyed after replacement, cauze they will place the same IMEI and the same S/N to new mainboard and the reason for that is that on network carrier cann't be at the same time 2 devices with the same IMEI.
Samsung services don't have programmers there and they have no idea about such hack and how to identify that. But to be serious, it's up to you to choose to fake "know warranty void" and get ~90% chance for warranty works or to pay on your own for repair works. And if xda-developers will take a look at that file, there should be assembler instructions for getting that warranty void value, so can track where it comes from and try to reset it.
Click to expand...
Click to collapse
I know it's a fake trick that may help in your situation with warranty claim.
Unfortunately, this is confusing when compared with real KNOX reset for Exynos Note 3 (N900) by a leaked firmware. Moreover, it seems that you own N910C while your thread is posted on N910V section where the majority (retail editions) are on LOCKED bootloader & without ROOT access (so, they can't even flash any modified images).
deleted
phoenix91140 said:
OK. I'll write to moderator once again. I'm newbie here, and didn't find the correct section for this topic.
Click to expand...
Click to collapse
No problem! Thanks for sharing your trick
deleted
+1 amazingly nice solution. will it work if a knox container tries to access the value as well ?
sounds like it will since youre hard coding the knox value in the kernel.
yes, it will
deleted
You can check knox status even when Phone is powered on, here is a simple app that can do that https://play.google.com/store/apps/details?id=it.ale32thebest.galaxywarrantycheck (I'm the dev of the app, if can help i can tell you how i read the value) if can help, i have n910f and i tried the app on it and other internarional samsung Phone model (s3-s4-s5)
deleted
phoenix91140 said:
You're welcome. At the moment I simply don't know ARM assebler well, since I'm linux programmer and there basically x86 & x86_64 assembler instructions used. But if you want to hack counter itself, it's also a good place to start from, cauze this sboot.bin originally has access to that "0x1" value and disassembling the code we could find out where and how it comes from. This hack is just a temporary solution for the cases of factory deffects revealed and warranty voided cauze of rooting device.
Click to expand...
Click to collapse
does it mean if I know where the variable comes from, I can modify KNOX mechanism so that. I can.flash everything without tripping it. maybe I can modify the official firmware so that even my device doesn't know KNOX fuse exist?
PS: I have voided my warranty, can I still use Kies to update in this way?
deleted
Sent from my SM-N910C using XDA Free mobile app
Great work man,hats off
Sent from my SM-N910G using XDA Premium 4 mobile app
phoenix91140 said:
Yep. Point is, that even if imagine, that we cann't overwrite 0x1 flag to set it real 0x0, we still can if we find where knox(except bootloader, cauze I showed already how to make it show 0) print 0 and think its 0. Such way we make it lie like it's all ok. That is option number 1.
Second option is to disassemble sboot.bin and see on low programming level where it takes value and try to make it overwrite it to 0 back. But it's already much harder. For warranty terms its enought if bootloader lies like its all ok. You can also hack KNOX libs too. There are always much more then one option to hack the system
There is one more great solution, but I would need xda crew help for that. Look. We could hack bootloader(the one I did) and make it on firmware update ignore new sboot.bin or replace it with itself. So then it would be odin mode ALWAYS 0 even on firmware update. But to do it alone not easy. Even one more improovement. We could make sboot.bin to load new sboot.bin or delete it is some file contains some magic key.
Sent from my SM-N910C using XDA Free mobile app
Click to expand...
Click to collapse
I see! can I say in this way? sboot.bin does nothing but to void our warranty, if we just leave this bit*ch alone, don't touch her, we.are free to flash into whatever we want without tripping knox?
---------- Post added at 05:30 AM ---------- Previous post was at 05:19 AM ----------
phoenix91140 said:
Yep. Point is, that even if imagine, that we cann't overwrite 0x1 flag to set it real 0x0, we still can if we find where knox(except bootloader, cauze I showed already how to make it show 0) print 0 and think its 0. Such way we make it lie like it's all ok. That is option number 1.
Second option is to disassemble sboot.bin and see on low programming level where it takes value and try to make it overwrite it to 0 back. But it's already much harder. For warranty terms its enought if bootloader lies like its all ok. You can also hack KNOX libs too. There are always much more then one option to hack the system
There is one more great solution, but I would need xda crew help for that. Look. We could hack bootloader(the one I did) and make it on firmware update ignore new sboot.bin or replace it with itself. So then it would be odin mode ALWAYS 0 even on firmware update. But to do it alone not easy. Even one more improovement. We could make sboot.bin to load new sboot.bin or delete it is some file contains some magic key.
Sent from my SM-N910C using XDA Free mobile app
Click to expand...
Click to collapse
lol, looks like you just need two more posts to express your terrific idea to the developer. I strongly believe it will be a millstone in Samsung mobile, please, just make it happen! what you did will be great appreciated by note4. and S6 and later Samsung device community!
Oh boy, this is a hell of a risky hack. The file sboot.bin is the secondary bootloader. If you somehow screw up the change, such as... say adding a 00 instead of replacing it in the file - a very common screwup when hexediting, I might add - you will have a HARD BRICK on your hands that cannot be fixed or reverted without Samsung repair. The phone will appear to no longer power up as the sboot.bin file is executed before anything the user would notice.
So yeah.... just be really careful.
I know. And to be EXTREMELLY CAREFULL. AND ANY WARRANTY IS VOID. Use at your own risk
Sent from my SM-N910C using XDA Free mobile app
deleted
Code:
/*
[SIZE=1]* Your warranty is void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the
app failed. Please
* do some research if you have any concerns about unlocking your bootloader and how it pertains to you.
* before flashing ANYTHING YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
[/SIZE]
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The time is finally here, the day you’ve been eagerly anticipating, you can now unlock the bootloader on your Sprint OnePlus 7 Pro 5G (GM1925)!
*NOTE: UNLOCKING THE BOOTLOADER ON THIS PHONE WILL PREVENT YOU FROM INSTALLING FUTURE UPDATES VIA OTA, MEANING THEY'LL NEED TO BE FLASHED WITH FASTBOOT OR YOU'LL NEED TO REFLASH STOCK AND RELOCK THE BOOTLOADER TO UPDATE.*.
THERE IS NOT A FEE FOR UNLOCKING THE BOOTLOADER, THE PART OF THIS THAT COSTS MONEY IS THE SHIPPING, IF YOU WOULD LIKE TO DONATE, THAT IS WELCOME AS WELL.
Starting now, you can place a request for bootloader unlock via this MAIL-IN service:
YOUR DEVICE WILL BE WIPED DURING THE UNLOCK
YOU ARE RESPONSIBLE FOR INSURING YOUR DEVICE DURING TRANSIT, IF YOU DO NOT PAY FOR INSURANCE AND ANYTHING HAPPENS TO YOUR PHONE DURING SHIPMENT, THATS ON YOU, EVEN WHEN INSURED, WE ARE NOT RESPONSIBLE FOR ANY REPLACEMENTS OR REPAIRS!
THIS SERVICE IS MAIL IN ONLY, PROCESS IS AS FOLLOWS:
You (the customer) will pay for shipping to the address of the servicer and will send return postage via PayPal before sending us your phone.
You are responsible for insuring the package, if you do not insure the package, and something happens, you will be out of luck, as it’s not our responsibility to replace or repair your phone if it gets lost in transit.
This is a one-time service, meaning that once your bootloader is unlocked and you have received your device back, if you re-lock the bootloader for ANY reason (THIS INCLUDES FLASHING STOCK FIRMWARE WITH MSMDOWNLOADTOOL), You must submit a new request and re-do the mail in process at your own expenditure.
Request will be processed on an individual basis, once we receive your request we will ask you for your:
Full Name
IMEI
Address for return shipping
Phone Number to contact you if necessary.
After receiving the device, we will flash the latest firmware and unlock the bootloader, requests will be shipped back out at the end of the week we receive the phone, or potentially sooner depending on the volume of requests.
TO MAKE A REQUEST, PLEASE LEAVE A COMMENT ON THIS THREAD AND SEND AN EMAIL TO:
[email protected]
We will then direct you where to ship your device, and give you an estimate of return shipping, which will need to be sent via PayPal BEFORE sending us your device.
We will reply to your request via e-mail and collect your personal information from there as well.
The mail-in method is now discontinued due to a more recent development, we (the group of us who have been testing different ways to unlock) have acquired an MSM tool that will allow unlocking the bootloader on the Sprint model without any need to mail it in or even do a remote session!
HOW-TO UNLOCK:
Make sure you have the latest adb/fastboot binary installed and your driver's are fully up to date.
Download the unlocking MSMDownloadTool from here: View attachment guacamoles_unlock.zip
Reboot to EDL mode (Volume Up+Volume Down+USB)
Allow the MSMTool to run to completion, BUT STAY ALERT!
As soon as the MSMTool finishes, it will reboot the phone, DO NOT ALLOW IT TO BOOT TO THE SYSTEM, INTERRUPT THE REBOOT BY ENTERING FASTBOOT
Immediately run "fastboot flashing unlock"
You should now have an unlocked bootloader!
IF YOU ARE ON SLOT B, YOU MAY GET STUCK IN FASTBOOT, TO FIX THIS FOLLOW THESE INSTRUCTIONS:
fastboot --set-active=other
fastboot reboot-bootloader
fastboot --set-active=other (again)
fastboot boot twrp.img
TWRP for Q (10)
Once in twrp, format data again, and then try to reboot.
Install TWRP/Magisk:
TWRP for Q (10)
TWRP for Pie (9)
TWRP Installer zip
Magisk Installer
* Copy the TWRP img to your adb directory and run:
Code:
fastboot boot twrp-3.3.1-79-guacamole-unified-Q-mauronofrio.img
* Or for Pie:
Code:
fastboot boot twrp-3.3.1-4-guacamole.img
* Copy the installation zips to your storage
* Flash twrp-3.3.1-79-guacamole-unified-installer-mauronofrio.zip
* Flash Magisk-v20.4.zip
* Reboot
HAPPY FLASHING!
SCREENSHOTS FOR PROOF:
Edit: This reply was made when it was a mail-in service. You can disregard now.
Uhh, I know this is posted by a senior member and all, but this seems super sketchy to me... Why is there any need to send it in? Do you not want your code public as of rn? Do you need specialized hardware to do it? A little explanation in that area would be nice...
Guy50570 said:
Uhh, I know this is posted by a senior member and all, but this seems super sketchy to me... Why is there any need to send it in? Do you not want your code public as of rn? Do you need specialized hardware to do it? A little explanation in that area would be nice...
Click to expand...
Click to collapse
Exactly that, the developer of the tool that is being used does not want the code public as of right now, but has authorized us to perform unlocks for those willing to ship their device.
Whoareyou said:
Exactly that, the developer of the tool that is being used does not want the code public as of right now, but has authorized us to perform unlocks for those willing to ship their device.
Click to expand...
Click to collapse
Hmm... Alright, that's understandable I suppose. As for everyone else I would just proceed with caution till we have a couple confirmed success stories on here. No offense to you @Whoareyou, but I've seen this type of thing before to where many people ended up having their devices stolen because of fake mail-in services. Either way tho, fairly excited to know there's at least some possibility of a bootloader unlock!
Guy50570 said:
Hmm... Alright, that's understandable I suppose. As for everyone else I would just proceed with caution till we have a couple confirmed success stories on here. No offense to you @Whoareyou, but I've seen this type of thing before to where many people ended up having their devices stolen because of fake mail-in services. Either way tho, fairly excited to know there's at least some possibility of a bootloader unlock!
Click to expand...
Click to collapse
Totally understand your hesitation, I'd be wary too, hopefully a few will take the plunge so some trust can be formed here.
I have more proof that this works if you guys would like...
I too can vouch that this works.
Hahaha you still have no proper twrp and roms and I highly doubt this will change that....
xdg4y said:
Hahaha you still have no proper twrp and roms and I highly doubt this will change that....
Click to expand...
Click to collapse
TWRP is already unified for the 5G variant and works fine,
See this post about ROMs:
https://forum.xda-developers.com/oneplus-7-pro/how-to/discussion-oneplus-7-pro-5g-rom-gsi-t4042583
His method is confirmed working. I have TWRP installed and magisk working correctly. I currently went through his process. It's honestly nice as hell for him to be offering this service for free.
I'm def looking into this next payday.
[BOOTLOADER UNLOCK] Sprint OnePlus 7 Pro 5G [MAIL IN ONLY]
lreyes said:
His method is confirmed working. I have TWRP installed and magisk working correctly. I currently went through his process. It's honestly nice as hell for him to be offering this service for free.
Click to expand...
Click to collapse
Check PM please.
Awesome!
Would it be possible to offer this service remotely with a tool such as USB Redirector? I work with a handful of companies who do all sorts of firmware flashing and unlocks using this tool and I've rarely had issues with it. It might be a bit more hassle given that both you and the "customer" have to be online and connected at the same time (though easily mitigated with Discord or another IM service) but it eliminates the liability of a phone being lost or stolen and people won't be without their phones for days at a time.
coromd said:
Would it be possible to offer this service remotely with a tool such as USB Redirector? I work with a handful of companies who do all sorts of firmware flashing and unlocks using this tool and I've rarely had issues with it. It might be a bit more hassle given that both you and the "customer" have to be online and connected at the same time (though easily mitigated with Discord or another IM service) but it eliminates the liability of a phone being lost or stolen and people won't be without their phones for days at a time.
Click to expand...
Click to collapse
We explored that route, unfortunately the delay is too long for the tool to work, we were able to connect to the phone to the tool but it fails to work with a timeout error from the tool and the phone reboots with no changes.
I can also confirm that this works. I can also confirm that the reason be for the mail in, because the Author of the said tool, does not want it released to public, We are looking for other
avenues to make this process faster and much easier without having to mail in or release said tools.
Bootloader
I am very interested. I'm assuming twrp and magisk will be installed too when you unlock the bootloader.
mirceaanghelescu said:
I am very interested. I'm assuming twrp and magisk will be installed too when you unlock the bootloader.
Click to expand...
Click to collapse
I can certainly do that, though it's very easy to do after the bootloader is unlocked.
yea.. sending phone to a stranger to unlock bl bcuz they dont want to share publicly means they have a business and want to make $$$ lol
its a shame
elliwigy said:
yea.. sending phone to a stranger to unlock bl bcuz they dont want to share publicly means they have a business and want to make $$$ lol
its a shame
Click to expand...
Click to collapse
Not sure where you're getting that implication, but the service is free, you just have to pay for shipping.
Again, I didn't write this tool, I simply have been given permission by the person who did to offer mail in unlocks since I have the free time to dedicate to it.
They have requested it not be made public, therefore it's not my place to release the tool, I can however, offer mail in unlocks, as that doesn't expose the exact method and has been green-lit by the creator.
If you have a problem paying for shipping, or are uncomfortable with your device being mailed to a stranger, I fully understand that, you don't have to take advantage of the service or you can wait until a remote method potentially becomes available, but don't display your discomfort as negativity with unwarranted accusations.
I'm just trying to help people get unlocked and spur some development for this phone.