***if using XDA labs app, please stop, select the 3 dot menu button in the top right, and view this thread from browser because of formatting issues with the labs app. This is to help make the OP easier to follow along with. ***

** Please Read First **

This will be the main, and ONLY thread we will keep updated for the progress of root on the Snapdragon variants of these phones from here on out.



As the other few threads are multi-topic and confusing, both for people anticipating root and for us working on it trying to sift through comments to keep each other updated, those will be cleaned up to avoid confusion as well. This will make it easier for everyone to check back to see any new progress, as I will be updating the OP whenever we make movement.



** First, and foremost, I would like to recognize and thank @STF_TimelessGoD for his work on the initial post R&D Carrier Switch/Root Snapdragon. Without his time and effort putting that thread together and maintaining it, there would still be a lot of unanswered questions and we probably would not be as far as we are **



That thread will still continue for the Carrier Switching and a full guide is available at this link

[HOW TO] Carrier Switch For S8 Snapdragon



---------------------------------------------------







Current Root Progress

We are currently working on 2 main possible methods for this. Refer to each method in RED below the Key Notes.

Please, if you do not know what terms or files are, Google search them to avoid filling the thread with easily answered questions.

*UPDATE* 1

6-19_2:34pm CST

We are looking for relevant files to properly flash from EDL Mode. IF anyone can get their hands on these 3 files, specific to our chipset, PLEASE let us know.

The first 2 are the main ones needed, as the provisioning can possibly be made from provisioning info already on the phone.

- prog_ufs_firehose_8998_ddr.elf

- prog_ufs_firehose_8998_lite.elf

- provision_samsung.xml

*UPDATE* 2

6-19_9:00pm CST

*UPDATE* 3

6-22_1:34am CST

*UPDATE* 4

6-28_4:35pm CST

Key Notes

- Pre-Release Combo Firmware is the only known firmware to contain Allow OEM Unlock and have SELinux set to permissive by default. However, @elliwigy went through this thoroughly and found that permissive did literally nothing to help elevate privileges as it should have, and that the OEM unlock check box didn't seem to have any effect on secure boot.




*UPDATE* 2

*UPDATE* 4

METHOD 1

Flashing Modified Bootloader Via EDL Mode

- Modify a current serial flashing tool (such as the Mi flash tool) to include our partition table and options to flash to certain partitions individually.

- Modify the bootloader source code to be unlocked, then flash the unlocked bootloader via EDL.

- At that point we could Odin TWRP and then flash whatever we wanted.

METHOD 2

Flashing True ENG Boot Via EDL Mode

- As with the first method, we would need to modify a serial flashing tool for this.

- First check would be to flash the True ENG Boot to the device via EDL.

- Then check if it boots, because you can't Odin the ENG Boot without it failing, as stated in the key notes above. Because EDL has elevated privileges, it will flash to the device, but we have to see, upon starting, if it will still binary check and stop it from booting.

- If it boots, we should then be able to access su shell and run a batch to obtain system root as usual.

METHOD 3

Modifying Boot Parameters with SELinux

- Using the permissive boot that we figured out proper capabilities for

- Gain access to the proper partitions to make the phone load a custom SELinux profile that allows rw to system

- Mount system r/w and install su binaries via adb

- Modify remaining parameters needed within boot.img and create a runnable script for everyone!
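Method 3 and the progress log both hinge on what the fstab inside boot.img says about /system (the thread notes it is set to ro). The following is an added example, not code from this thread or from any of the contributors: it parses fstab entries in the standard Android fs_mgr format (`<src> <mount_point> <fs_type> <mount_flags> <fs_mgr_flags>`) and reports, per partition, whether the entry keeps the partition read-only and whether the `verify` (dm-verity) fs_mgr flag is present. This is the check you would run when confirming that a boot image you are about to trust has not had its mount flags loosened. The fstab text is constructed for illustration, and the `/system` and `/vendor` partition names, the `audit` function and the finding strings are my own assumptions rather than anything from the original post.

```python
"""Audit Android fstab entries for read-only and dm-verity settings.

Added example. Input format is the standard fs_mgr fstab layout:
    <src> <mount_point> <fs_type> <mount_flags> <fs_mgr_flags>
The sample fstab text below is constructed, not taken from a real device.
"""
from dataclasses import dataclass

# Constructed sample: what a stock-style fstab looks like (system/vendor ro + verify).
SAMPLE_FSTAB = """\
# constructed sample, not a real device fstab
/dev/block/bootdevice/by-name/system   /system  ext4  ro,barrier=1  wait,verify
/dev/block/bootdevice/by-name/vendor   /vendor  ext4  ro,barrier=1  wait,verify
/dev/block/bootdevice/by-name/userdata /data    ext4  noatime,nosuid,nodev,barrier=1,noauto_da_alloc  wait,check,forceencrypt=footer
"""

# Constructed sample of a modified image: /system mounted rw and verify flag removed.
TAMPERED_FSTAB = """\
/dev/block/bootdevice/by-name/system   /system  ext4  rw,barrier=1  wait
/dev/block/bootdevice/by-name/vendor   /vendor  ext4  ro,barrier=1  wait,verify
"""


@dataclass
class FstabEntry:
    src: str
    mount_point: str
    fs_type: str
    mount_flags: list[str]
    fs_mgr_flags: list[str]

    @property
    def read_only(self) -> bool:
        # "ro" is a plain mount flag; anything else (rw or absent) is not read-only.
        return "ro" in self.mount_flags

    @property
    def verity(self) -> bool:
        # fs_mgr accepts both "verify" and "verify=<metadata partition>".
        return any(f == "verify" or f.startswith("verify=") for f in self.fs_mgr_flags)


def parse_fstab(text: str) -> list[FstabEntry]:
    """Parse fstab text into entries, skipping blank lines and '#' comments."""
    entries: list[FstabEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed fstab line: {raw!r}")
        src, mnt, fs_type, mount_flags, fs_mgr_flags = fields[:5]
        entries.append(FstabEntry(src, mnt, fs_type, mount_flags.split(","), fs_mgr_flags.split(",")))
    return entries


def audit(entries: list[FstabEntry], protected=("/system", "/vendor")) -> dict[str, list[str]]:
    """Return findings keyed by mount point; an empty list means nothing to report.

    Only the partitions named in `protected` (an assumption of this example) are
    expected to be read-only and verity-backed; others are listed without findings.
    """
    findings: dict[str, list[str]] = {}
    for entry in entries:
        issues: list[str] = []
        if entry.mount_point in protected:
            if not entry.read_only:
                issues.append("mounted read-write")
            if not entry.verity:
                issues.append("no verify flag (dm-verity disabled)")
        findings[entry.mount_point] = issues
    return findings


if __name__ == "__main__":
    for label, text in (("stock-style", SAMPLE_FSTAB), ("tampered", TAMPERED_FSTAB)):
        print(f"== {label} fstab ==")
        for mnt, issues in audit(parse_fstab(text)).items():
            print(f"{mnt}: {'; '.join(issues) if issues else 'ok'}")
```

Run it as a script to see the stock-style sample pass and the tampered sample flag /system twice; in practice you would feed it the fstab extracted from the ramdisk of the boot image under inspection.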

^^ EVERYTHING ABOVE WILL BE UPDATED AS PROGRESS IS MADE, WITH EDIT DATES. JUST LOOK FOR THE WORD *UPDATE* NEAR RELEVANT AREAS. ^^

All Relevant Files, Hosted Courtesy Of @Maltego

- CLICK HERE -



------------------------------------------------------------------------------------------



Current Contributors

@elliwigy

@Maltego

@STF_TimelessGoD

@BotsOne

@mweinbach

+ @akira01

+ @Harry44



**If you would like to help or contribute in any way, please message me.**

It may take a bit to get back to you, and for that I apologize



---------------------------------------------------------------------------------------------

**Please be patient with us as this is not a simple task and it is not a standard root method that has ever been used on Samsung as EDL was not previously available**



We have acquired the necessary ELF files from above. Now doing more research on proper ways to use them, as they are Qualcomm/device specific.

Much, much time spent combing through code of these files and tools that are able to handle them, as well as the verification process Android uses in conjunction with Qualcomm between all 3 bootloaders and the

Learned a lot tonight. We learned enough to be able to begin some new tests tomorrow that are not the same as either of the methods below. However, I cannot at this time divulge the method being used, and for that I am sorry!

We studied up a lot on our SELinux and the way that Nougat 7.0 has changed how security works, and are currently working on adb permissive with *a debuggable user* kernel. Refer to the Update in key notes for more info.

- METHODS UPDATED WITH METHOD 3

In general order of them happening/being found out:

Received multiple ENG Boot files; none of them contained system write capabilities as they should have, so they were no help. Someone (leaving names out) said they had an ENG Boot with full root access that he would share, but stopped all involvement in the thread and we never heard back from him. Generally, just about always, an ENG Boot has system write capabilities, as that's the point of an Engineering Kernel.

SELinux Permissive was achieved on stock firmware by @STF_TimelessGoD, but it caused the phone to not charge past 80%. Trying to get into su shell from adb says it is started as root, but doesn't actually enter root shell. @elliwigy tested this out as well with the same results. Otherwise same problems as above.

elliwigy got hold of an actual ENG Boot; however, trying to flash from Odin, the phone returned "This is ENG binary. Please use USER binary! (boot.img)". Meaning 2 things: 1, it is a true ENG Boot with system access, and 2, Samsung really stepped up their security.

Chainfire Auto root does NOT work on our devices. To be clear, Chainfire's website has a bot that auto-compiles for all new devices regardless of it being capable or not. He did take a look at our device, but decided he wasn't going to spend the mass amount of time on it that is needed, like we currently are!

Next we looked at multiple security vulnerabilities that would allow escalated privileges (access to the system). Ended up deciding against this as we do not have a dev on the project with exploit building knowledge.

I brought up EDL mode as a possibility, which is not supposed to be supported on Samsung as it needs fastboot, normally. Without fastboot, you are supposed to use a proprietary EDL cable (easily made) to force your phone into it, which still was thought to be inaccessible on Samsung. After a lot of research on how it SHOULD be done, we had mixed results, until @BotsOne by chance found you could get into EDL from the adb command line with the phone on. So this is part of one of our methods below.

I'm looking at modifying a serial flash tool to know the partition table of our devices, to make EDL mode properly work for us. This is so we can flash individual partitions and not the whole system.

- No need to modify a serial flash tool, as using the ELF files from earlier takes care of that work. Working with them now to fully understand and operate with them.

- With the help of a fellow dev, @akira01, that has much more SELinux experience than us, we were able to get a foot in on changing things and making our SELinux fully permissive. There is a prop setting that made it kind of tight, but changing persist.security.ams.enforcing *AND security.perf_harden* to 0 fixed most of this. But there is still much more, as the fstab inside the boot.img has system set to ro. We are working on this, but things are looking up.

- Update 4