NOTICE: This content was originally posted to Google+, then imported here. Some formatting may be lost, links may be dead, and images may be missing.
Contrary to what some claim in the forums, all SGS4 models do store a flash counter (it's just no longer visible from Download mode) and kernel binary status.
On the Exynos5-based SGS4 they have added protections against resetting this counter. This protection is certainly not unbeatable - there are a few obvious attacks possible - however, I do not own a GT-I9500 or comparable Exynos5 device. As such, mucking with this is an extremely tiresome operation: modify some code, compile a kernel, package it, send it to somebody for testing, have them unpack it, flash it, test it, send back results - with all the timing problems that come with that. Somehow you're never online at the same time :)
I have been doing that for a bit this past weekend, but I'm going to stop testing for now - there is other code that needs my attention. If I end up with an I9500 myself I might continue. Or if others decide to share their patches around this issue - I know a workaround exists in the wild ...
Thanks for the update on that matter!
Have you considered setting up a device donation page? You can list the devices you need and include the donation amounts needed and received for the devices. I'd contribute to that, as I'm sure many others would.
+Stephane Richard No, I don't do device donation pages. Those always come with implicit (if not downright explicit) strings attached. What if I can't pull it off? Or what if I can, but it appears to be too much work to be worth it for me? Or what if I get distracted by a shiny object and/or squirrel?
That's a big old mess I don't want to get involved in - somehow it'll end in drama. I might still get an I9500 so all is not lost, and even if I don't, quite likely there'll be some near future device with that chip I can use for testing (Note 3 perhaps ?) and backport.
Do you have US GS4? I'm modifying mine in a few minutes. If you need something let me know.
+Adam Outler no I have an international (I9505), but they're identical (aside from optional bootloader locks) as far as I know.
I was wondering when Samsung was going to hide such info from the end user. Back to the cat and mouse business.
They probably put it in the TrustZone.
What happened to the days where Samsung was much more developer friendly?
Yeah man.. It used to be that you could just use Odin. Now you have to use CASUAL :D
Excuse my ignorance, but what exactly are you talking about? Is it flashing a GS4 ROM or what?
It's flashing a recovery because the US variants are locked down.
+Scott Steinhart It's believed that Samsung is implementing such lockdowns because carriers request them.
This is because carriers don't want the extra burden of supporting custom flashed phones. Probably.
But surely if you've flashed your phone your carrier is no longer obligated to you under their warranty rules? I wanted to flash my S2 so as to use a firewall app on my phone and was told by my operator that my warranty would be null and void. Curious to know if it's the same outside Scotland.
+Adam Outler Only for AT&T/VZW ... for all other models, there is CF-Auto-Root ;)
Actually, I don't think this specific move is for carriers. What Triangle Away resets is data Samsung may want to use to deny your warranty, and has little to do with either TrustZone or carriers. The protection used is also a standard one, which is employed (and exploited) on various HTC devices as well.
Like I said I was curious lol and now I'm confused.
Peace out peeps
+Chainfire Think of TrustZone like a shield that protects parts of the hardware. In this case I'm suspecting that there is some storage location in the protected area that prevents read/write except by the bootloader.
TrustZone can be extended over any hardware. When TrustZone is implemented, it appears to the kernel as the actual hardware, when in reality it is a program that executes and responds to calls made by the kernel.
Thanks for your continuous wonderful work.
But I have a little comment about your thread, I9500 CF-Auto-Root at XDA: users who read the OP understand that TA is working on their devices, and they try it, which may possibly harm their devices. I wish you would make an edit.
Thanks in advance.
+Chainfire The i9505 has something funky going on with mounting system and cache. Also it behaves very strange if you have any file in the data partition and perform operations in a custom recovery. I have beeb working remotely like you as well but on the i9505 model and once I get the device (soon) I hope to get to what makes the i9505 fail in recovery operations whereaa the us counterparts work perfectly (devices with the same partition layout). If you have a clue please let us know in the xda oadev i9505 forum. Cheers!
+Wiktor Kasz interesting, I'm having weird issues in I9505 recovery as well ... Let me know if you find anything relevant at all.
+Adam Outler The I9500 issue I really don't think has anything to do with TrustZone, as what they're using is a documented feature of the eMMC hardware. There's no need to emulate that in TZ, because it's already there in the eMMC.
Some of the issues with the I9505 though, I would not be surprised are TZ related ...
Is this just a ploy from Samsung to keep an eye on who is rooting? Maybe it's just to stop people overclocking their device, and when it breaks because they have overclocked too much, they flash back and warranty it. Maybe if we stopped all the devs from making overclocking for any device, the OEMs/Samsung would be more helpful in letting us root and use custom software on our devices. The only reason I see behind this is that many mods/ROMs do have CPU overclocking enabled on them. Why would Samsung do the warranty if they see overclocking in the custom software? Stop the overclocking in software and we might see OEMs/Samsung letting us root and use custom software no problem. ROM Toolbox is a prime reason for this statement. Why has ROM Toolbox got CPU control? To be used by many people to overclock their device's CPU.
+Chainfire I think you should go ahead with the device donation idea, and add explicit disclaimers that indemnify you from consequences of failure and any sort of expectations that donors demand from you?
It simply has to do with the GT-I9500 bootloader setting the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on flag at boot.
This is an eMMC feature that effectively locks the partition to read-only until the eMMC hardware is restarted (basically until you reboot your phone).
While /sys/block/mmcblk0boot0/ro_lock_until_next_power_on is software-triggered, the lock itself is enforced by the eMMC hardware; once it is set, there is no getting around it.
Because this is set in the bootloader long before a kernel starts to run, and therefore long before we get to run our own code, and the partition is locked by the eMMC hardware afterwards, the only way to write the counter back is to do it at the bootloader level before the flag gets set. This means either exploiting the bootloader or replacing it with an older (engineering) version that would not set that particular flag (however, an older bootloader may not support future components of the phone as they get replaced in the future, such as a newer OLED panel, for instance).
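A quick way to check the claim above on a rooted device is to read the same sysfs attribute back. The script below is an added example, not the commenter's code. It assumes that the Linux attribute reads back 0 (unlocked), 1 (locked until the next power cycle) or 2 (permanently locked), and that the sibling attribute force_ro is the separate, software-only read-only flag that clearing does not help once the hardware lock is set. The directory it runs against is a constructed stand-in for /sys/block/mmcblk0boot0, so the script can be exercised off-device; point the functions at the real path on a phone.

```shell
#!/bin/sh
# check_boot_wp.sh: inspect (and optionally set) the eMMC boot-partition
# power-on write protect behind /sys/block/mmcblk0boot0/ro_lock_until_next_power_on.
# Added example, not code from the thread. Assumed attribute semantics:
#   0 = unlocked, 1 = locked until next power cycle, 2 = permanently locked.
#   force_ro is the separate software read-only flag (assumption).

# boot_wp_state DIR: print the hardware lock state of the boot partition at DIR
# (default /sys/block/mmcblk0boot0). Returns 1 if the attribute cannot be read.
boot_wp_state() {
    dir="${1:-/sys/block/mmcblk0boot0}"
    f="$dir/ro_lock_until_next_power_on"
    if [ ! -r "$f" ]; then
        echo "unknown"
        return 1
    fi
    case "$(cat "$f")" in
        0) echo "unlocked" ;;
        1) echo "power-on-locked" ;;
        2) echo "permanent" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# lock_until_reboot DIR: do what the I9500 bootloader is said to do at boot.
# On real hardware this needs root and cannot be undone until a power cycle.
lock_until_reboot() {
    dir="${1:-/sys/block/mmcblk0boot0}"
    echo 1 > "$dir/ro_lock_until_next_power_on"
}

# can_write_boot DIR: "yes" only when neither the hardware lock nor force_ro
# stands in the way. Clearing force_ro alone does not help once the hardware
# lock is set, which is the whole point of the bootloader setting it early.
can_write_boot() {
    dir="${1:-/sys/block/mmcblk0boot0}"
    state=$(boot_wp_state "$dir") || { echo "no"; return 0; }
    if [ "$state" != "unlocked" ]; then
        echo "no"
        return 0
    fi
    if [ -r "$dir/force_ro" ] && [ "$(cat "$dir/force_ro")" = "1" ]; then
        echo "no (soft read-only, clear force_ro first)"
        return 0
    fi
    echo "yes"
}

# make_fake_sysfs: a constructed stand-in for /sys/block/mmcblk0boot0 so the
# script can be exercised off-device. Prints the directory it created.
make_fake_sysfs() {
    d=$(mktemp -d)
    echo 0 > "$d/ro_lock_until_next_power_on"
    echo 0 > "$d/force_ro"
    echo "$d"
}

# demo: walk through the sequence the comment describes: unlocked at power-on,
# then locked by "the bootloader", after which writes are refused.
# Prints the writability before and after, e.g. "yes -> no".
demo() {
    d=$(make_fake_sysfs)
    before=$(can_write_boot "$d")
    lock_until_reboot "$d"
    after=$(can_write_boot "$d")
    rm -rf "$d"
    echo "$before -> $after"
}

demo
```

On a real device, `boot_wp_state` alone is enough to confirm whether the bootloader set the lock: if it reports `power-on-locked` from a root shell, no kernel-level trick will get writes through until the next power cycle, which is exactly the constraint described above.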
Seems like a lot of trouble just to be keeping a warranty intact.
Can't you somehow gain root without the flash counter going up? Can't root be done on the device?
Yes you can; the counter does not prevent you from flashing custom kernels.
+Andy Cullis I have used Motochopper on the S600, but on the Exynos5 it won't work, I guess.
On Exynos 5 I9500 devices, to get CWM, first flash the Adam kernel, then proceed further, I think.
Please provide Triangle Away for the Galaxy S4 I9500 device. I had the 00XXUAMDK kernel before, but for rooting I first flashed the Adam kernel, then it worked on my device. But I want my hardware warranty as well, so I need Triangle Away. And if you want donations, everyone agrees, I think.
I downloaded your Triangle Away from the Play Store but it doesn't work on my Exynos 5 I9500 device.
When does Triangle Away for the Galaxy S4 Exynos 5 come?
LOL ... I'm screwed
Please, Chainfire, do something for the 9500! :(
Any love for 9500 yet ? :D
Please, we want Triangle Away for the I9500. Please, I'm sure you can do it.
Hi, I own a 9500 octa-core. I know nothing, but I offer my phone for testing, haha. Tell me if there's anything I can do to help.
If you know of a workaround that would be great. Please could you share it? I don't mind getting my hands dirty, but I need to get this thing reset.
Hi Chainfire, I recently got an I9500 and I haven't even rooted it yet because I didn't want to mess with the warranty. I will wait patiently. If you ever want me to do any testing I will always be ready; whenever you wish, you can tell me, I will be available. Thanks a lot for your great work.
pleeeeeaaaseee do it!!
Please, make it possible. I believe you can; many people are waiting for Triangle Away support on the I9500. I'm rooted, and I need to reset it.
How can I install Triangle Away for my GS4 I9500?
Waiting patiently to see support for the I9500, so that I can go ahead with rooting my SGS4!!!!
You are doing a great job. I'm looking forward to TA for the I9500. Thanks for your effort.
9500 Triangle Away?
With the new Knox bootloader I guess it has become difficult, but waiting patiently to see TA for the I9500.
Please, Chainfire bro, support the 9500 universally for the Knox bootloader. We are waiting for you. You are the best of the best, please support it.
Chainfire, any news in regards to the status of the release of TA for the reset of the binary on the I9500?
You have many people that are looking for your support, please.
Chainfire, we have many people in the world that are really in need of your assistance in regards to the breaking of this code and protection for the reset of the binary counter on the I9500; warranty is now an issue for all the people that rooted their phones. We would really appreciate it if you could have another go at it and see if you can assist the many followers you have. Thanks
Hi Chainfire, please can you assist the I9500 community in regards to the completion of Triangle Away for it? We know you can do it and would like to ask you to assist us. You will make so many people around the world very happy in this regard. Please can you just try and see if you can get the program that is already written tweaked for the binary counter reset on the I9500. Thank you
OK... Chainfire, I would ask you: can I root my I9500 on 4.3?
I can test for you. I have an SGS4 9500. Just don't break my phone :D
Chainfire: I can see how this message board, with all the posts from peeps too lazy to read, could frustrate you. I happen to know some unsavory characters that could source me an I9500, but it would be blocked as a stolen phone. If you can put ethics aside, would a dodgy device donation be of any use to you? There won't be any complaints, and you could burn the phone if you like, and it most likely would not be a new phone. Email me if you're interested.
Thanks for all your hard work, L8r
How is that going?
Dear +Chainfire, I own an I9500 international and would love to beta test for you. Appreciate your hard work and hope you find a way to bypass Knox.
Dear +Chainfire, is there any update on Triangle Away for the I9500 version?
Just wait till your warranty expires and root away... It's just one goddam year ffs..
Try this, guys, you will get official status without Triangle Away for the GT-I9500.
+Hari sh Is this method working on the I9500? Will I be able to get OTA after that?
Sorry, I don't speak much English, but is there a way to reset the flash counter on the I9500 with Android 4.3? Thanks.
Can anyone help me update I9500XXUEMJ8 to KitKat 4.4.2?
Sir Chainfire, please do something about the I9500 Triangle Away app, please.
Hey bro, since this post is already one year old, and there isn't any kind of solution to reset this fucking binary on the I9500?
Any news on Triangle Away for the Galaxy S4 I9500?
Ok ok ok