Galaxy S4 probably not rooted
Posted on 2013-04-02, 42 comments, 150 +1's, imported from Google+/Chainfire

NOTICE: This content was originally posted to Google+, then imported here. Some formatting may be lost, links may be dead, and images may be missing.

So, various Android, mobile, and tech news sites picked up that the S4 (I9500) was rooted today. It seems nobody has bothered checking anything out in depth in this case, and the news is premature at best.

All instances I can find point back to modified ROMs posted on XDA that have the apk and su binary for Superuser or SuperSU pre-installed, but that nobody has tested.

With a lot of (Samsung) devices in the past that really has been all there is to rooting - just get the files in place somehow and voila - and flashing a modified stock firmware to do this is certainly a valid method for this.

However, I would like to point out that we've tried this trick with the I9505 weeks ago (and we actually tested it on a real device), and this time around, it is not a simple case of injecting the files. There is some further protection in the firmware that prevents the su binary (which is needed for root access) from functioning properly - without any known workaround at this time. No doubt somebody will quickly figure it out when they have the device in-hand though.

Now, I played with an I9505, which is not the same as an I9500, and the firmwares are weeks old by now, and a lot more disclaimery stuff - but so far nobody has actually posted anything resembling proof, or even a comment that they tried the root and it has worked.

As such, I would take any news that the S4 has been rooted with at least a spoonful of salt until somebody posts some convincing evidence ...

(please, don't actually eat a spoonful of salt, that's dangerous)

I'd love to be proved wrong, and no doubt the S4 will be rooted soon, but I remain extremely skeptical as to the current claims, without any further proof. Maybe we all got lucky and Samsung decided to drop this protection in the I9500 or all new S4 firmwares, but I somehow doubt it.

Milan Berger commented on 2013-04-02 at 14:17:

Now I am thirsty and my teeth still crunch.

Jorrit Jongma commented on 2013-04-02 at 14:23:

+Colin Azzam They could, but I'm not sure they would. The S3 was rooted before release as well, and they didn't patch that. In fact, that same root method still works today. All I'm really against here is that claims to root have been made, but nobody seems to have actually tested if it works. I've made pre-release root claims myself in the past, but always only after testing with somebody who has an actual (sometimes pre-prod) device.

zé belchior commented on 2013-04-02 at 14:49:

With the fantastic developers we have, surely going to happen and that's what matters.

Karn Kaul commented on 2013-04-02 at 14:51:

+zé belchior Most of the fantastic developers have sworn never to touch Samsung again.

Matt Adid commented on 2013-04-02 at 14:52:

No root No live

zé belchior commented on 2013-04-02 at 14:56:

+Karn Kaul Devs will always be working on one of the world's best-selling smartphones.

Karn Kaul commented on 2013-04-02 at 15:25:
jerrick Davis commented on 2013-04-02 at 15:38:

It's not a working root, I'm trying some things out now.

Giovanny Rondan commented on 2013-04-02 at 16:02:

+Karn Kaul In my honest opinion cm is pointless on samsung devices anyway. The only time I really enjoyed cm was on my og evo and my hp touchpad. On my evo 3d it was always broken and now on the note 2 (as far as I know) the s pen and other sammy features don't work and it has bugs n stuff. Another note is that I honestly didn't even feel like I had to root until the all apps in multi view mod came out and for tethering. Samsung is doing such a great job with their phones and features that unless u absolutely have to root for a certain app or function u don't even need or miss it. But this is just my 2 cents

Karn Kaul commented on 2013-04-02 at 16:15:

And in my honest opinion TouchWiz is pointless :-)

In any case, I'd linked Daniel's interview to prove a point - that devs are really fed up of Samsung's attitude. Also, if a flagship device has a sudden death eMMC failure bug, a root exploit (Exynos), framework modifications that open insecure loopholes, problems of chargers, USB cables and headphones frying... it speaks volumes about the manufacturer's idea of quality.

Giovanny Rondan commented on 2013-04-02 at 16:53:

+Karn Kaul I totally agree with u, touchwiz suck balls but this is android so I rock the note 2 with NOVA launcher. I also have MacksROM themed which is one of the best roms I've ever used including cyanogen mod. Back when android was in its infancy I did love cm for everything they brought to the table and I totally respect the devs (heck any dev) but I have very little use of it now but again this is just to my needs. I haven't experienced any of the above u mentioned personally but everything is flawed in one way or another and at the very least they didn't blame it on us using the device wrong lmao. The only thing that I've seen was the lockscreen exploit that I guess they copied from ios lol but I never lock my phone because it is ALWAYS attached to the hip so it wouldn't apply to me. But yet again this is me personally.

Adam Outler commented on 2013-04-02 at 17:22:

The GS4 is for housewives. I have no development expectations for this device. It will probably take a large effort to root and unlock. Even after that it will be a huge PITA. The only way Samsung has to redeem this atrociousness is if the device will boot to SD without any mod. I'm extremely disappointed with what I'm hearing so far and I have been a Samsung user for a long time.

Joshua J. Drake commented on 2013-04-02 at 17:28:

To be honest, it doesn't really matter until the devices are widely available anyway. If you can touch it, you can root it. I think that general premise isn't going away any time soon.

Adam Outler commented on 2013-04-02 at 17:41:

+Joshua J. Drake that's simply not true. It would be a trivial matter to lock down a device. 99.9% of people stand on the backs of giants when it comes to rooting. I can tell you for a fact that I know where the security holes are, can see ways to patch them up, and implement an immutable, encrypted auto-restore which will make it impossible to keep root even if you get it. If a security hole is found, patch, then invalidate the old bootloader on upgrade using an efuse, eliminate everything from the boot-chain on down and install a new kernel with a new trust zone and recovery image.

Joshua J. Drake commented on 2013-04-02 at 17:45:

Indeed that would make it very expensive to root, but not impossible.

Adam Outler commented on 2013-04-02 at 17:50:

+Joshua J. Drake it would make it so you'd have to root every time you turn on the device. It would also mean it would be easy to invalidate those methods once discovered. There aren't always methods available for rooting.

Joshua J. Drake commented on 2013-04-02 at 17:53:

How do you address key recovery via silicon inspection?

Giovanny Rondan commented on 2013-04-02 at 18:07:

Didn't they try that with the note 2? At first it was a hassle with temp root and flash counters but it's fixed now. I've been rooted for a long time. Please school me if I'm mistaking 2 separate things.

Adam Outler commented on 2013-04-02 at 18:11:

No need. Send encrypted packages and let the users have the public key. Even then, the encryption key can be changed on a monotonic counter

Adam Outler commented on 2013-04-02 at 18:17:

+Giovanny Rondan we managed to get the key for the Note2... actually we got the key for all Exynos4412 devices and we made our own bootloader. Initial root was made simple by kernel regression. I compiled several separate exploits together to make a 20 meg package that jailbreaks, roots and installs a custom recovery. Had they made a monotonic counter in exynos4, it would not have been possible. The Exynos5 has a monotonic counter. If they implement filesystem checks and hide a separate recovery SD behind the TrustZone shield we are all screwed.

Giovanny Rondan commented on 2013-04-02 at 18:21:

+Adam Outler ohhh I see. But the state side s4 is a snapdragon correct?

David A Murman D.A.M.LIFECOACH commented on 2013-04-02 at 18:24:

Remember The Creed

Adam Outler commented on 2013-04-02 at 18:28:

+Giovanny Rondan Qualcomm's security is even tighter. Now that Samsung has a monotonic counter they match Qualcomm. For reference, every HTC One X and Sony root method requires unlocking your device with the manufacturer. They both use Qualcomm.

Giovanny Rondan commented on 2013-04-02 at 18:28:

We are fucked

Joshua J. Drake commented on 2013-04-02 at 18:42:

+Adam Outler TrustZone doesn't have enough permanent storage capacity. They could probably work out a way to work around that issue though. Maybe some dedicated flash..

Adam Outler commented on 2013-04-02 at 18:48:
Bhargav Shukla commented on 2013-04-02 at 19:08:

My qualcomm experience has just been a nightmare..

We've been trying to s-off a 120$ phone for over 6 months now, and the best we've got so far is displaying the 's-off' string on the screen.. No working results yet..

Damien Duncombe commented on 2013-04-02 at 20:30:

Can somebody please help me.......... I keep getting soft bricked when flashing. I can't wipe data/dalvik manually because my volume buttons are bad. Help please?!

Steve LeMoine commented on 2013-04-02 at 20:56:

Great to read your comments on the S4, Adam. When you speak, I listen

Giovanny Rondan commented on 2013-04-02 at 22:39:

+Adam Outler Wait I reread this and gave it some thought you said "IF they implement filesystem checks and hide a separate recovery SD behind the TrustZone shield". so this is hypothetical, right? Because on my evo 3d I unlocked with manufacturer through the htc website and was able to flash roms and kernels with s-on using 4ext recovery and smart flash. I'm sure someone will figure something out I'm not too worried. I'm going to have the note 2 for 2 years but I'm not complaining at all :-P

Sinan Çetinkaya commented on 2013-04-02 at 23:06:

Samsung has really become a pain in the ass.

Dante J commented on 2013-04-03 at 00:18:

After the first wave of GS4 hit the store there will be a root method in 1-2 weeks. I love the root waiting game besides the epic touch 4g wait... Right now I'm waiting to pre-order my phone. No contract renew here.

Nitro The Husky commented on 2013-04-03 at 00:32:

+Damien Duncombe Hey, it's a really simple fix as long as your touchscreen still works.

1) Download this: http://www.mediafire.com/?5ye70x3d6vacc3s

2) Extract it to your desktop and open the folder.

3) Right-click Odin3 v3.07.exe and run as administrator

4) Boot your phone into recovery mode by holding the Power, Home, and Volume DOWN at the same time. Wait a second after the screen loads and then press up to continue at the prompt.

5) Load s3-touch-recovery.tar in the PDA folder into the PDA slot in Odin.

6) If under ID:COM something is showing up that means your phone is recognized so the last thing to do is to press start.

Note: If it doesn't recognize it under ID:COM make sure your phone is in download mode and unplug and replug the phone in again.

7) Wait for a minute or so. The program will tell you if it was successful or not and it will auto reboot the phone.

8) Lastly, boot into recovery mode by holding: Power, Home, and Volume Up for a few seconds and that should do it!

9) Enjoy the ability to flash ROMS and other firmware with a much more user friendly interface with non-functioning volume keys.

Karn Kaul commented on 2013-04-03 at 05:46:

+Damien Duncombe Use a touch recovery.

Launa Coll commented on 2013-04-03 at 06:04:

II um 4 on the sleep off talk tomorrow

Jay Hiza commented on 2013-04-03 at 07:35:

These root issues and lockdowns are exactly why I migrated to a Nexus device.

If you place a premium on root access, updates, stability, developer support, and no manufacturer BS, a Nexus phone is the best way to go. I'm sure the S4 will be a cute device, but I'm not paying $600 for a phone that requires 4 hours, two computer programs, and manufacturer clearance for me to root... To each his own though. 

Chris Margaritis commented on 2013-04-03 at 12:29:

No root, no party. Without root and a fully working CM ROM I will not buy a Samsung phone again.

Joshua Brindle commented on 2013-04-03 at 14:45:

Looks like SE Android is in use. I see mac_permissions.xml in the system partition for labeling processes, I can't find a copy of the boot partition to inspect the SELinux policy though. The SELinux policy could easily prevent su'ing. 

Xiao-Long Chen commented on 2013-04-03 at 19:57:

+Joshua Brindle Is the SELinux policy replaceable or easily extendable in Android? In Fedora, I can load my own policies without changing the default "targeted" policy. I wonder if something similar can be done with SEAndroid.

I'm not too familiar with Android (GNU/Linux user :P), but even if the policy isn't easily changeable, couldn't the su binary be labeled under the same context as another binary that's setuid root?

Joshua Brindle commented on 2013-04-03 at 20:11:

+陈小龙 That is 100% up to the vendor. Upstream AOSP just rejected patches allowing management of the SELinux policy citing application compatibility concerns. I'm told that Samsung is letting MDM vendors manage the policy, though I don't know if that'll be extended to others or not. 

Xiao-Long Chen commented on 2013-04-03 at 20:18:

Well darn. I wonder how Samsung's Knox software changes the policy then.

But anyway, if Samsung didn't change the policy too much, the Android equivalent of "sudo chcon -t su_exec /path/to/su" should allow root access, I assume.

https://bitbucket.org/seandroid/external-sepolicy/src/f4d5f3e1f6db56c80959428591bb3dbbe685b010/su.te?at=master

EDIT: Actually, if su is placed in /system/xbin/, a relabeling of the file system may be enough: https://bitbucket.org/seandroid/external-sepolicy/src/f4d5f3e1f6db/file_contexts?at=master
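The labeling question in the last two comments (which type file_contexts assigns to /system/xbin/su, and whether an injected binary carries that label) can be checked on a pulled system image rather than guessed at. The script below is an added example, not from this thread, from Chainfire, or from the SEAndroid project: it models the file_contexts lookup with a last-matching-line-wins rule (the ordering convention those files rely on, generic entry first and specific entries later), then audits a constructed toolbox-style `ls -lZ /system/xbin` listing for setuid-root binaries, for anything labeled `su_exec`, and for files whose on-disk label disagrees with what file_contexts would assign. The file_contexts excerpt, the listing, and the binary names in it are constructed; a real audit feeds it the device's own file_contexts and listing.

```python
import re

# Constructed excerpt in the style of a SEAndroid file_contexts file
# (assumption: the device's own file is the authority; these lines are not from it).
FILE_CONTEXTS = """\
# generic rule first, specific rules later: the last matching line wins
/system(/.*)?        u:object_r:system_file:s0
/system/bin/sh       u:object_r:shell_exec:s0
/system/xbin/su      u:object_r:su_exec:s0
"""

# Constructed `ls -lZ /system/xbin` output in the Android 4.x toolbox layout
# (mode owner group context name); the binaries and their labels are made up.
LS_XBIN = """\
-rwsr-sr-x root     root              u:object_r:system_file:s0 su
-rwxr-xr-x root     shell             u:object_r:system_file:s0 dexdump
-rwsr-xr-x root     root              u:object_r:system_file:s0 daemonsu
-rwxr-xr-x root     shell             u:object_r:su_exec:s0 busybox
"""


def parse_file_contexts(text):
    """Return [(compiled_regex, context), ...] in file order.

    A line is: pathregex [filetype] context. The optional middle field
    (e.g. -- or -d) is ignored by this simplified model.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs


def expected_context(specs, path):
    """Label file_contexts assigns to path: the last matching regex wins."""
    result = None
    for regex, context in specs:
        if regex.fullmatch(path):
            result = context
    return result


def parse_ls_z(text):
    """Parse toolbox-style `ls -lZ` lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or len(fields[0]) != 10:
            continue
        entries.append({
            "mode": fields[0],
            "owner": fields[1],
            "context": fields[3],
            "name": " ".join(fields[4:]),
        })
    return entries


def audit_xbin(ls_text, fc_text, directory="/system/xbin"):
    """Return (kind, path, detail) findings for a defender reviewing the image.

    suid-root        setuid bit set and owned by root
    su-domain-entry  file labeled su_exec, i.e. the entrypoint into the su domain
    label-mismatch   on-disk label differs from what file_contexts would assign
    """
    specs = parse_file_contexts(fc_text)
    findings = []
    for entry in parse_ls_z(ls_text):
        path = f"{directory}/{entry['name']}"
        context = entry["context"]
        selinux_type = context.split(":")[2]  # u:object_r:<type>:s0
        if entry["mode"][3] in "sS" and entry["owner"] == "root":
            findings.append(("suid-root", path, context))
        if selinux_type == "su_exec":
            findings.append(("su-domain-entry", path, context))
        expected = expected_context(specs, path)
        if expected is not None and expected != context:
            findings.append(("label-mismatch", path,
                             f"{context} (file_contexts says {expected})"))
    return findings


if __name__ == "__main__":
    for kind, path, detail in audit_xbin(LS_XBIN, FILE_CONTEXTS):
        print(f"{kind:16} {path}  {detail}")
```

On the constructed input the injected `su` shows up twice: once as a setuid-root binary and once because its on-disk label (`system_file`) is not the `su_exec` that file_contexts assigns, which is exactly the case where a relabel of the filesystem would change the outcome. Whether a `system_file`-labeled setuid binary can actually hand out root is then a question for the policy in the boot image, which this script does not inspect.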

George Leon commented on 2013-04-13 at 17:37:

Anyone tried to root the GT-N5110 Note 8.0 yet? Just curious as I received one from my friends at +Samsung Mobile USA this past week & finally had time to open it today.

+Chainfire , I imagine I can mod the prop & flash a tar via Odin setting ro.secure to 0 for now, unless you have a better idea, or maybe I should look at the points, I have a feeling they will be similar to the Note 10.1 & make for an easy cf-auto edit for the masses.
