
6 weeks after release, Samsung S5 VZN/ATT still not rooted. Bounty at $17k - fivedogit
http://forum.xda-developers.com/showthread.php?t=2728051
======
mmastrac
Ugg -- if I weren't still employed full-time right now I'd be all over this. I
really miss my phone-hacking days.

There are _so many_ vectors to privilege escalation on mobile devices. The
only reason I stopped working on projects like this is that (most) of the
manufacturers released official "root" tools for those on "decent" carriers.

~~~
L_Rahman
I got curious about what you actually did in your phone hacking days only to
go to your profile and discover that you're the person behind unrevoked.

My first ever phone was the Evo 4G and I spent many hours tinkering with it
and running ROMs thanks to unrevoked so let this be a belated thank you for
your efforts.

~~~
mmastrac
There were a bunch of us in the unrevoked days that contributed to the success
of the project (everything from the userland parts to the UI that actually
drove the installer). I was one of the guys deep in the radio for hours at a
time, and occasionally the Android system source, but it was definitely a
high-functioning team that made it happen. :)

The Evo4G was our first and biggest coup, and we used that as a shim to get
lots of press coverage shaming the carriers and manufacturers, as well as
contacts inside of both HTC and Sprint that led to our eventual "victory" with
HTC's official unlock program. Glad you found it useful!

~~~
L_Rahman
The early days of Android were really something else. Today we're fortunate
enough to be able to take Nexus devices, one line bootloader unlocks and
production devices shipping with CyanogenMod for granted.

What are you working on now that you're no longer spending inordinate amounts
of time unlocking phones?

~~~
JshWright
You must not be a Verizon customer...

~~~
gcb0
You are because you want to.

Also, the grandparent post that eats the marketing BS of the nexus devices...
You still don't have access to ALL the hardware. You can only use alternative
versions of Android that Google provided you with because you have to reuse
driver binary blobs and such. So stop spreading that falsehood.

~~~
L_Rahman
I'm under no delusions that I have access to all the hardware and I hope there
comes a day when we do. Till then however, it would be unfair to not
acknowledge that we have made some strides in gaining more access to our
devices by default compared to just a few years ago.

~~~
gcb0
How? I still can't put a new kernel and use my radio chip, audio chip, camera,
digitizer... Exactly the same as the first nexus.

In fact it was a little better with the g1 :)

------
api
The fact that you need to "root" your own property -- I am just astounded that
there isn't more yelling over this. Microsoft could _never_ have gotten away
with this in the 90s or early 2000s. You probably still couldn't get away with
it on commodity PCs. Hell, you can even run Linux on a Mac. But change the
form factor and all the sudden nobody cares.

~~~
lmm
It's because Apple did it first. Even in the PC days Apple behaved far worse
than Microsoft, but somehow they have an army of fans that will defend any
action from them. Heck, I remember when they introduced those tamperproof
screws and on this very site there were people claiming that it was actually
just a better screw design.

------
bobbles
It'd be hilarious if the bounty got so high that Samsung just does this
themselves

~~~
fpgeek
Samsung has already done it themselves (for a price, of course):
[http://www.samsung.com/us/mobile/cell-phones/ET-G900VMKAVZW](http://www.samsung.com/us/mobile/cell-phones/ET-G900VMKAVZW)

~~~
kfir
The developer edition is $599 when getting a locked phone is usually a buy one
get one free kind of deal.

------
herokusaki
The bounty only explicitly mentions stock firmware but it is implied that the
exploit should also not require disassembling your device and messing with its
hardware. This makes me wonder: would a hardware exploit be easier? Modchips
have been a staple of the console scene since at least the original
PlayStation but I am unaware of their use in smartphones.

~~~
userbinator
I'm not familiar with the S5 in particular but in principle I think all you
need to do is get direct write access to the filesystem and you can write
whatever firmware you want, so being able to read/write the eMMC directly
should be enough --- provided it's not been encrypted/password protected/etc.
Correct me if I'm wrong.

~~~
talonstriker
On most (if not all), the "firmware" is under the /system partition. That
partition is mounted as read-only. You need root to remount it as r/w.

AFAIK, rooting exploits in the past took advantage of buffer overflows and
remote code exploits to execute code at a raised privilege level. Nowadays,
that's also difficult since past vulnerabilities have been fixed and SELinux
has proliferated.

------
pkulak
Not being snarky at all, but why is this so important to people? Why not just
buy a Nexus 5? Or a Play Edition phone?

~~~
runjake
Because some people can't "afford" the price of the unsubsidized Nexus 5 next
to a "$199" (on contract) S5. Some people like better cameras, some people
prefer the S5 hardware, etc etc.

~~~
lstamour
If you can't afford an off-contract phone, you really can't afford an
on-contract phone. You just don't know it yet ... ;-)

~~~
Kurtz79
It's not that different than contracting a mortgage or asking for a lease to
pay a car...

Maybe it's not a matter of "affording" the same way most people cannot afford
to pay for a house on the spot, but I can understand that some people prefer
to pay ultimately more money, but a much smaller sum over time.

~~~
wmf
If your credit is good enough for a phone contract it's probably also good
enough for a credit card that could buy the phone outright.

------
dfc
I am not very familiar with mobile security and/or the differences between
carriers. Right now the bounty is $10k for root@vzw and $7k for root@att. How
likely is it that someone wins the bounty for VZW but is unable to apply the
method to ATT or vice versa? Are VZW and ATT the usual contenders for last to
fall?

~~~
ibrahima
AT&T and Verizon are usually the only carriers that bother locking bootloaders
with no authorized unlock option. Most international/unlocked phones have some
way of unlocking the bootloader. Samsung has recently started locking things
down more with Knox I suppose, but I think the bootloader is still relatively
open (my T-Mobile Note 3 and international Galaxy Note 10.1 2014 happily
installed a custom recovery without any fiddling).

------
kasabali
It's tangential but I want to point out to those who don't follow the
rooting community closely that Samsung doesn't lock the bootloaders of phones
unless it's requested by the carrier. International editions, Play store
editions, and contract phones from carriers which don't request locking are
unlocked by default. You can install whatever you want on it. Even if it has
Knox. Knox doesn't mean locked bootloader; its relation to rooting is that it
voids the warranty when it detects rooting, it doesn't lock the bootloader or
prevent rooting.

Corollary: I'm aware of the fact that it is not always possible, but buy your
phones off contract when possible. Life is too short for fiddling with that
nonsense, and also vote with your wallet.

------
Dorian-Marie
Seems like it's just people posting the amount of what they _would_ give, so
I would expect the hacker to receive less than $17k.

~~~
mikeknoop
You'd be surprised. I've been on the receiving end of one of these bounties
and nearly everyone fulfilled their pledge.

On top of that, donations trickled in for months after from folks who didn't
originally pledge.

The XDA community is very good about these things.

[http://forum.xda-developers.com/showthread.php?t=499076](http://forum.xda-developers.com/showthread.php?t=499076)

~~~
voltagex_
Just occasionally the XDA community really impresses me. I don't know how
people deal with the SnR though.

~~~
Kiro
SnR?

~~~
fivedogit
I believe he means signal-to-noise ratio.

------
higherpurpose
Does Samsung offer an unlocking tool for the GS5? If not, they should. Google
is making Android harder to root, which makes "official" unlocking all the
more important, and hopefully people will keep asking for it whenever it's not
available.

~~~
codesuela
> Google is making Android harder to root

Did I miss something? Could you please elaborate.

~~~
voltagex_
[http://www.securelist.com/en/blog/9175/Android_4_3_and_SELinux](http://www.securelist.com/en/blog/9175/Android_4_3_and_SELinux)
and [https://source.android.com/devices/tech/security/dm-verity.html](https://source.android.com/devices/tech/security/dm-verity.html)

Sorry for just dropping links, I'm not particularly well versed in this area.
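The three properties mentioned in this thread (talonstriker's point that /system is mounted read-only, and the SELinux and dm-verity links above) are things a device owner or fleet administrator can verify from userspace. The following checker is an added example written for this page, not code from any commenter or from Samsung/Google: it parses a /proc/mounts-style table plus the contents of /sys/fs/selinux/enforce and reports whether /system is read-only, whether it is backed by a device-mapper (verity) node, and whether SELinux is enforcing. The two mount tables are constructed sample data; the "dm-N device means verity" rule is a heuristic assumed here, not a guarantee.

```python
"""
Added example (not from the thread): an integrity report for an Android
/system partition built from /proc/mounts and /sys/fs/selinux/enforce.
Sample inputs below are constructed; on a real device, read the two files
(e.g. via `adb shell cat /proc/mounts`) and pass their contents in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a locked-down device. /system is read-only and sits on
# a device-mapper node, which is what fs_mgr sets up when the fstab entry
# carries the "verify" flag (dm-verity).
SAMPLE_MOUNTS_LOCKED = """\
rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/dm-0 /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

# Constructed sample: /system remounted rw directly on the raw by-name
# partition, i.e. the state a rooted device ends up in.
SAMPLE_MOUNTS_MODIFIED = """\
rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""


@dataclass
class MountEntry:
    device: str
    mountpoint: str
    fstype: str
    options: List[str]


def parse_proc_mounts(text: str) -> Dict[str, MountEntry]:
    """Parse /proc/mounts lines into a dict keyed by mount point."""
    entries: Dict[str, MountEntry] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line; skip rather than crash
        device, mountpoint, fstype, opts = fields[:4]
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mountpoint = mountpoint.replace("\\040", " ")
        entries[mountpoint] = MountEntry(device, mountpoint, fstype, opts.split(","))
    return entries


def is_readonly(entry: MountEntry) -> bool:
    # Membership test on the option list, so "relatime" does not match "ro"
    return "ro" in entry.options


def on_dm_verity(entry: MountEntry) -> bool:
    # Heuristic (assumption): a /system backed by /dev/block/dm-N rather than
    # the raw by-name partition indicates a device-mapper (verity) mapping.
    return entry.device.startswith("/dev/block/dm-")


def selinux_enforcing(enforce_file_contents: str) -> bool:
    # /sys/fs/selinux/enforce holds "1" when enforcing, "0" when permissive
    return enforce_file_contents.strip() == "1"


def integrity_report(mounts_text: str, enforce_contents: str) -> Dict[str, Optional[bool]]:
    """Summarise the integrity-relevant state; None means /system is absent."""
    mounts = parse_proc_mounts(mounts_text)
    system = mounts.get("/system")
    return {
        "system_mounted": system is not None,
        "system_readonly": is_readonly(system) if system else None,
        "system_on_verity": on_dm_verity(system) if system else None,
        "selinux_enforcing": selinux_enforcing(enforce_contents),
    }


if __name__ == "__main__":
    for name, text, enforce in (("locked", SAMPLE_MOUNTS_LOCKED, "1\n"),
                                ("modified", SAMPLE_MOUNTS_MODIFIED, "0\n")):
        print(name, integrity_report(text, enforce))
```

A report where `system_readonly` or `system_on_verity` flips to False on a device that shipped with both enabled is the signal an administrator would want to alert on; the checker deliberately reports None rather than False when /system is missing, so an absent mount is not mistaken for a verified one.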

