Quote:

Originally Posted by

Here's where it's at, but first a few notes and thoughts:

A) Even after upsetting dm-verity, the system remained somewhat stable*

*The only issues I see are the "system: custom" message, an unlocked-bootloader boot logo, and that the stock installer refuses to install anything but FOTAs or a sec_csc.zip flashed to the CACHE partition. If cleared, the system boots up normally.

B) It's extremely difficult to reverse dev this device. Every piece of secure-trust-Knox-DRK-verity crapola increases the chance of a misstep and ending up with a really nice IoT brick. Because of all this security, looking for buffer overflows and random execs would take ages. I focused on stupid programming mistakes, sifting through log files, much like I did when developing the original Note 3 recovery method.

C) The HOME_CSC partition file that seems to fail typical Odin flashes: it sets something permanent, kind of like hard-coding the verity keys. During my testing, I flashed one only to later realize that my CSC was then hard-coded to Chinese branding. Before that flash, I could mess around with the branding at will (and subsequently write to the system partition). It was only after I flashed that HOME_CSC that dm-verity actually failed. In short: I had root BEFORE download mode labeled my system as custom. I flashed HOME_CSC, and dm-verity then failed when I changed the CSC following the hard-code.

I have yet to fully re-create my EFS partition, and sent it to someone who wears darker hats than I for a fix. Because I won't have the phone for a while (at least 2 weeks), I've decided to give a brain dump in hopes that someone can pick up where I left off. PM me for additional details, but the following should get better devs searching for a more stable method.

- sec_csc.zips (found in cache.img.ext4) can be used to modify the system partition, and the partition itself isn't signed. Those zips also set the region.*
- Odin happily flashes specific "partitions" individually, so piece-meal it out.
- NAND partitions can be written to while still failing in Odin (but system.img is signed in 2 places, so FYI).
- The exploit leverages those download-mode/recovery quirks, plus the stupid programming error found below: on the stock firmware, there's a boot script that calls a missing binary, which is a perfect "in" for the su daemon.

*A particularly interesting csc zip exists for the G9300's CSC file.....