jcadduono / android_external_dirtycow

CVE-2016-5195 (dirtycow/dirtyc0w) - recowvery fork
https://build.nethunter.com/android-tools/dirtycow/

Overcome downgrade problem Device 4, Binary 3 in Odin? #9

Open droidvoider opened 7 years ago

droidvoider commented 7 years ago

Samsung Note 5 N920A has a locked bootloader and I realize it is risky, just talking about it could brick it :) But is it feasible that I could patch over the area that is preventing downgrading to earlier official firmware?

This question applies to many Samsung devices at minimum. It sounds like we can patch in, for example, the available OJ1 recovery. While I'm a programmer I have so very little knowledge about Android. Downgrade typically also gets people root for those looking for that.

jcadduono commented 7 years ago

You can indeed use this to flash a signed OEM recovery to your device. It will take some modifications however... You will need to find a way to allow the applypatch binary to take a file input. I think this might be doable if you find a way to capture logcat output in applypatch/install_recovery context, then transfer the recovery image file as base64 via logging followed by some EOF magic to flash it.

Once you're in the older recovery though, I'm not sure how you will accomplish flashing. Doesn't ATT only provide partial OTAs? They check every partition before flashing, not just recovery :(

droidvoider commented 7 years ago

I have user-created firmware I've downloaded, including PB2, which is what most people want to get back to for root. I can flash all the files except the BL; this is the one file Samsung seems to be blocking/checking. This is going to be a lot of research. Thank you very much for letting me know it is plausible.

jcadduono commented 7 years ago

Be aware that each BL stage contains a pubkey used to verify the next stage, e.g. the boot image... The pubkey may have changed to prevent downgrading, which could make this a no-go.

droidvoider commented 7 years ago

Ok, thanks. I have a lot of reading to do, but I am reading about just that topic right now. It isn't critical that I downgrade, and if I am not confident on every topic I won't even try it. I want to dedicate some time to understanding the Android OS a little more rather than hacking my way through it.

Mera-balou commented 6 years ago

@droidvoider @jcadduono Hi gentlemen,

What I have:

Device: Samsung J3 2016 (SM-J320FN)
Kernel: 5.1.1 (vulnerable to dcow, make test => Ok)
ABI: v7a
API: 22
Phone unrooted, OEM locked

Before any manipulation with your PoC, I just want to understand why it's risky (or not?) to try it on my locked-bootloader device. I would appreciate it if you could explain the technical reasons to me.

I can also flash a custom system partition on my device (no signature check for system). So, depending on your answer, would it be less risky to compile the binary and to:

After all, if the device bricks, can I repair it in download mode and flash the original stock ROM, which contains recovery.img?

Thanks