6 weeks after release, Samsung S5 VZN/ATT still not rooted. Bounty at $17k (xda-developers.com)
96 points by fivedogit on May 26, 2014 | hide | past | favorite | 60 comments



Ugg -- if I weren't still employed full-time right now I'd be all over this. I really miss my phone-hacking days.

There are _so many_ vectors to privilege escalation on mobile devices. The only reason I stopped working on projects like this is that (most) of the manufacturers released official "root" tools for those on "decent" carriers.


I got curious about what you actually did in your phone hacking days only to go to your profile and discover that you're the person behind unrevoked.

My first ever phone was the Evo 4G and I spent many hours tinkering with it and running ROMs thanks to unrevoked so let this be a belated thank you for your efforts.


There was a bunch of us in the unrevoked days that contributed to the success of the project (everything from the userland parts to the UI that actually drove the installer). I was one of the guys deep in the radio for hours at a time, and occasionally the Android system source but it was definitely a high-functioning team that made it happen. :)

The Evo4G was our first and biggest coup, and we used that as a shim to get lots of press coverage shaming the carriers and manufacturers, as well as contacts inside of both HTC and Sprint that led to our eventual "victory" with HTC's official unlock program. Glad you found it useful!


The early days of Android were really something else. Today we're fortunate enough to be able to take Nexus devices, one line bootloader unlocks and production devices shipping with CyanogenMod for granted.

What are you working on now that you're no longer spending inordinate amounts of time unlocking phones?


You must not be a Verizon customer...


You are because you want to.

Also, the grandparent post that eats the marketing BS of the nexus devices... You still don't have access to ALL the hardware. You can only use alternative versions of Android that Google provided you with because you have to reuse driver binary blobs and such. So stop spreading that falsehood.


What falsehood did grandparent write? All s/he claimed is that you can unlock the bootloader and run CyanogenMod; nobody said anything about having "access to ALL the hardware".


I'm under no delusions that I have access to all the hardware and I hope there comes a day when we do. Till then however, it would be unfair to not acknowledge that we have made some strides in gaining more access to our devices by default compared to just a few years ago.


How? I still can't put a new kernel and use my radio chip, audio chip, camera, digitizer... Exactly the same as the first nexus.

In fact it was a little better with the g1 :)


The post you refer to said nothing about "all the hardware" and Ubuntu seems to be able to get along with binary blob drivers on Nexus devices, besides.

Who's spreading falsehoods, here?


Ha! I was about to come and comment on this, and was glad to see that you already made it in the thread :-) I also wish I still had time for unrevoked-like projects.

One of the things that I think differentiates the Android community from the iOS community is a focus on short term results. I'm not sure whether this is a good thing or a bad thing. On the upside, more freed devices is generally a positive thing, and OEM branches of Android -- at least, in the past -- have been a veritable 0day tree (shake them and exploits just fall out onto the ground). On the downside, vendors have been getting more competent at reverse engineering exploits than they were in the unrevoked days, and so exploits are usually well and truly burned once they've been released. This means that early users who want "more more more, now now now" mean that later users may not get to unlock their device at all.

The iOS groups seem to solve this by timing releases together, based on Apple hardware. I suspect that this is a more sustainable model... but on the other hand, it doesn't matter what I think, because as bounties like this grow, it's not a model that can thrive :-) Oh, well.


Unfortunately, these days it's more like iOS group - there's only one. It helps that Apple usually doesn't bother to patch the bugs until the next release, so jailbreaks last a long time, but there's only so far you can go with a lack of interested people. (Don't look at me...)


Can you explain how exactly you root a phone? I mean how do you find an exploit and use it to gain root access?


There was a great slide show posted here a while back that explained the theory behind rooting Android, but for the life of me I cannot find it. Google "Android rooting theory" and you'll get a set of fairly rich results. For more depth I'd recommend looking into specific exploits, such as Zerg Rush.


The fact that you need to "root" your own property -- I am just astounded that there isn't more yelling over this. Microsoft could never have gotten away with this in the 90s or early 2000s. You probably still couldn't get away with it on commodity PCs. Hell, you can even run Linux on a Mac. But change the form factor and all the sudden nobody cares.


It's because Apple did it first. Even in the PC days Apple behaved far worse than Microsoft, but somehow they have an army of fans that will defend any action from them. Heck, I remember when they introduced those tamperproof screws and on this very site there were people claiming that it was actually just a better screw design.


It's not the form factor, it's the pricing structure. Most phones are "free" with contract or very near to it. It's difficult to complain about something you're getting for "free".

Now look at off-contract phones. I have a Dev Edition Moto X. I unlocked and rooted my phone with official tools provided by Motorola. I paid for the phone in full. I wouldn't have bought it unless I got a device that I completely owned.

If you want hardware that you can completely own and control, you can buy it. Most people simply choose not to.


I don't know, elevating to root was always recommended in Linux :-)


It'd be hilarious if the bounty got so high that Samsung just does this themselves


Samsung has already done it themselves (for a price, of course): http://www.samsung.com/us/mobile/cell-phones/ET-G900VMKAVZW


The developer edition is $599 when getting locked phone is usually a buy one get one free kind of deal.


The bounty only explicitly mentions stock firmware but it is implied that the exploit should also not require disassembling your device and messing with its hardware. This makes me wonder: would a hardware exploit be easier? Modchips have been a staple of the console scene since at least the original PlayStation but I am unaware of their use in smartphones.


I'm not familiar with the S5 in particular but in principle I think all you need to do is get direct write access to the filesystem and you can write whatever firmware you want, so being able to read/write the eMMC directly should be enough --- provided it's not been encrypted/password protected/etc. Correct me if I'm wrong.


On most (if not all), the "firmware" is under the /system partition. That partition is mounted as read-only. You need root to remount it as r/w.

AFAIK, rooting exploits in the past took advantage of buffer overflows and remote code exploits to execute code at a raised privilege level. Nowadays, that's also difficult since past vulnerabilities have been fixed and SELinux has proliferated.


JTAG is usually an extremely effective way of breaking into the phone, but it's usually used as a first step in reverse engineering rather than for the end-user.

Of course, some phones (Apple) are glued shut which prevents end-user modding.


iPhones aren't glued shut (though the battery is glued down in the newest one): http://www.ifixit.com/Teardown/iPhone+5s+Teardown/17383

You may be thinking about the HTC One, which is almost impossible to disassemble without destroying it (though this has improved a bit in the M8).


It's such a small form factor, a phone. I don't think many people would be willing to put aftermarket chips in there.


Not being snarky at all, but why is this so important to people? Why not just buy a Nexus 5? Or a Play Edition phone?


Because some people can't "afford" the price of the unsubsidized Nexus 5 next to a "$199" (on contract) S5. Some people like better cameras, some people prefer the S5 hardware, etc etc.


If you can't afford an off-contract phone, you really can't afford an on-contract phone. You just don't know it yet ... ;-)


It's not that different than contracting a mortgage or asking for a lease to pay for a car...

Maybe it's not a matter of "affording" the same way most people cannot afford to pay for a house on the spot, but I can understand that some people prefer to pay ultimately more money, but a much smaller sum over time.


If your credit is good enough for a phone contract it's probably also good enough for a credit card that could buy the phone outright.


It's too much thinking to realize that.


Isn't it more about the instant gratification part of the whole deal? People usually think it's easier/better/nicer to receive what they want and pay over time rather than to save the money and buy it at a later date. Or am I just wrong?


In Albania people buy a $700 phone when they have a salary of $300/month, so I don't know what to believe anymore.


So, AT&T/Verizon sell subsidized locked phones and get their money back on the long run.

If I wanted to, in the US, could I get a contract with a lower value because I'm not buying this subsidy? If so, wouldn't the right move be to do so and buy an unlocked phone? I'm guessing AT&T/Verizon's interest is far larger than banks', leading to a better deal, even if you don't have the money right now.

On the other hand, locking my phone is the wrong way to enforce anything. It's my device to do what I want with.


T-Mobile goes down the route you are suggesting: Lower monthly charges if you BYOD with the option of going the traditional contract route. They even push this as a competitive advantage.

ATT and Verizon to my knowledge do not offer equal quality service as their contract plans at lower prices for BYOD customers.


ATT does. If you're using their Mobile Share / Next scheme, you get a discount on your plan if you're not on a contract. If you use Next, they're effectively financing your phone for 0% interest for 18 or 24 months. (My bill is $40 for 2GB, $40 for the phone, minus $15 for not being in a contract.)


On many carriers (including Verizon, the best here) you pay the same plan fee, or very close to it, whether you bring your device or not.


Some people are Verizon customers...


"the brand name"


In this case, it's a Verizon phone. Verizon (quite illegally, to my understanding) keeps most devices it doesn't sell itself off its network.


Sometimes just the hardware.

I have a Kindle Fire HDX from Nov. 2013 sitting around waiting for an unlocked bootloader to run custom ROMs. Why not just get a Nexus tablet? Because I don't like the design of those; the Kindle Fire HDX is much prettier IMHO.


I am not very familiar with mobile security and/or the differences between carriers. Right now the bounty is $10k for root@vzw and $7k for root@att. How likely is it that someone wins the bounty for VZW but is unable to apply the method to ATT or vice versa? Are VZW and ATT the usual contenders for last to fall?


AT&T and Verizon are usually the only carriers that bother locking bootloaders with no authorized unlock option. Most international/unlocked phones have some way of unlocking the bootloader. Samsung has recently started locking things down more with Knox I suppose, but I think the bootloader is still relatively open (my T-Mobile Note 3 and international Galaxy Note 10.1 2014 happily installed a custom recovery without any fiddling).


I can't comment on likelihood, but if the exploit involves the radio, it wouldn't necessarily be portable.


It's tangential, but I want to point out to those who don't follow the rooting community closely that Samsung doesn't lock the bootloaders of phones unless it's requested by the carrier. International editions, Play store editions, and contract phones from carriers which don't request locking are unlocked by default. You can install whatever you want on it. Even if it has Knox. Knox doesn't mean locked bootloader; its relation to rooting is that it voids the warranty when it detects rooting. It doesn't lock the bootloader or prevent rooting.

Corollary: I'm aware of the fact that it is not always possible, but buy your phones off contract when possible. Life is too short for fiddling with that nonsense, and also vote with your wallet.


Seems like it's just people posting the amount of what they would give, so I would expect the hacker to receive less than $17k.


You'd be surprised. I've been on the receiving end of one of these bounties and nearly everyone fulfilled their pledge.

On top of that, donations trickled in for months after from folks who didn't originally pledge.

The XDA community is very good about these things.

http://forum.xda-developers.com/showthread.php?t=499076


Just occasionally the XDA community really impresses me. I don't know how people deal with the SnR though.


SnR?


I believe he means signal-to-noise ratio.


Does Samsung offer an unlocking tool for the GS5? If not, they should. Google is making Android harder to root, which makes "official" unlocking all the more important, and hopefully people will keep asking for it whenever it's not available.


Samsung does, they don't care all that much, they sell devices. ATT/Verizon (carriers) are the ones locking the phones down here (and want to lock the users into their contracts).


It's important to note as well that "unlocking" and "rooting" are very different, with very different end goals. One allows you to move between phone carriers (unlocked phone), the other allows you full software control of your phone (rooting).


I think he/she is referring to bootloader unlocking, not network unlocking.


> Google is making Android harder to root

Did I miss something? Could you please elaborate.



It's getting harder because they keep adding/enabling countermeasures like ASLR, NX, RELRO, FORTIFY_SOURCE.
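The comment above lists the mitigations by name; a practitioner auditing a device image usually wants to confirm which of them a given binary was actually built with. The following is an added example (not code from the thread or from any Android project) that parses ELF64 program and dynamic headers the way `checksec`-style tools do: NX from the `PT_GNU_STACK` flags, partial versus full RELRO from `PT_GNU_RELRO` plus the loader's bind-now flags, and PIE (the binary-side prerequisite for ASLR to randomise the main image) from `ET_DYN`. FORTIFY_SOURCE is not checked, since detecting it needs the symbol table rather than the headers. The sample images are constructed inline (headers only, no code) so the script runs offline; the `build_elf` helper exists only to produce them.

```python
"""Report NX / RELRO / PIE for an ELF64 image (added example, not from the thread)."""
import struct

# Standard constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"                 # Elf64_Dyn, 16 bytes (d_tag, d_val)


def check_hardening(data: bytes) -> dict:
    """Return the mitigations the little-endian ELF64 image in `data` was linked with."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ehdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    stack_flags, has_relro, dynamic = None, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO also needs every symbol bound at load time (DT_BIND_NOW,
    # DF_BIND_NOW or DF_1_NOW); otherwise the GOT stays writable (partial RELRO).
    bind_now = False
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or \
               (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True

    return {
        # No PT_GNU_STACK header at all means the kernel grants an executable stack.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": "full" if (has_relro and bind_now) else ("partial" if has_relro else "none"),
        # ASLR can only move the main image if it was linked position-independent.
        "pie": e_type == ET_DYN,
    }


def check_file(path: str) -> dict:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


def build_elf(e_type: int, phdrs, dyn_entries=()) -> bytes:
    """Construct a minimal header-only ELF64 image for testing (helper for this example).

    phdrs: list of (p_type, p_flags, p_offset, p_filesz); a PT_DYNAMIC entry is
    appended automatically when dyn_entries is non-empty."""
    n = len(phdrs) + (1 if dyn_entries else 0)
    dyn_blob = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn_entries)
    phdrs = list(phdrs)
    if dyn_entries:
        dyn_blob += struct.pack(DYN_FMT, DT_NULL, 0)
        phdrs.append((PT_DYNAMIC, PF_R | PF_W, 64 + n * 56, len(dyn_blob)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, SYSV
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, off, 0, 0, sz, sz, 1)
                    for t, f, off, sz in phdrs)
    return ehdr + body + dyn_blob


# Constructed samples: a hardened PIE with full RELRO and NX, a PIE with only
# partial RELRO, and a legacy non-PIE executable with an executable stack.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W, 0, 0),
                              (PT_GNU_RELRO, PF_R, 0, 0)], [(DT_FLAGS_1, DF_1_NOW)])
PARTIAL = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W, 0, 0), (PT_GNU_RELRO, PF_R, 0, 0)])
LEGACY = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0)])

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("partial", PARTIAL), ("legacy", LEGACY)):
        print(f"{name:9s} {check_hardening(img)}")
```

Pointed at a real binary with `check_file("/path/to/bin")`, the same function tells you whether a vendor-shipped system daemon was built with these mitigations; ASLR itself is a kernel-side setting and is not something the binary can assert on its own.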


If they did, there probably wouldn't be a $17k bounty for unlocking the phone.



