A couple of days ago, XDA Elite Recognized Developer AdamOutler wrote an article explaining locked bootloaders and what they mean for Verizon Samsung Galaxy S III owners. Even if you don’t own a Verizon Galaxy S III, it’s worth a read.
So now we know why we hate locked bootloaders, but the real question on everyone’s mind is how much progress the devs have made in this regard. AdamOutler is heading up the movement with a thread dedicated to unlocking the device’s bootloader. How dedicated? The thread is heavily moderated so no one—not even AdamOutler himself—can post any shenanigans.
Do not post in here unless you have something constructive to say. “Thanks”, “Hey this is wonderful”, and any other comments like that are not wanted. They take up space and make it more difficult to find information. I’m requesting that this thread be heavily moderated. In order to work efficiently, information density must be kept high. We are all guilty of adding in a few off-topic sentances from time-to-time, but this thread is strictly business and I expect the moderators to moderate me as well.
In a nutshell, the progress so far has been focused around gathering information and procuring a full stock restore image to be used via Odin or Heimdall. This is needed due to the highly dangerous nature of testing anything that unlocks a bootloader. Those attempting this could very easily brick their devices, and a full stock restoration would help get the devices up and running once again. Currently, there’s enough uploaded to restore a device, but everyone would be more comfortable with a complete backup.
Devs are currently working on identifying all of the partitions, obtaining UART Logs, and identifying potential points of exploitation. It is too early to say that any piece of information at this point is more important than any other, as any piece could eventually lead to the bootloader being unlocked. However, here are the possible points of exploitation:
Possible entry point MODEM – Someone with a JTAG setup test viability of modifying a single byte on /dev/block/mmcblk0p1
Possible entry point PARAMS – Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
Possible entry point BOOT – Modify CMDLINE parameter to load information from another location.
Possible entry point BOOT – We may be able to shove an insecure bootloader into memory, boot into that, and then use the recovery partition as our kernel partition. Bauwks 2nd U-Boot. U-Boot is available for the Exynos 4412, we need to find one for Qualcomm.
Possible entry point SYSTEM – It may be possible to use a 2nd init hack from this partition to load custom kernels into memory and reboot the kernel.
There is still a lot of work to be done, and there are no methods that have been tested yet. However, as information trickles in and the restoration files get completed, that’s likely to change very soon.
For additional information, check out the original thread. As previously stated, the thread is heavily modified to only include posts that are helpful in the effort. So be sure that before you post, it’s about something helpful!