No Triangle Away for Exynos5-based SGS4 GT-I9500 (for now)
Posted on 2013-05-27, 70 comments, 125 +1's, imported from Google+/Chainfire

NOTICE: This content was originally posted to Google+, then imported here. Some formatting may be lost, links may be dead, and images may be missing.

Contrary to what some claim in the forums, all SGS4 models do store a flash counter (it's just no longer visible from Download mode) and kernel binary status. 

On the Exynos5-based SGS4 they have added protections against resetting this counter. This protection is certainly not unbeatable - there are a few obvious attacks possible - however, I do not own an GT-I9500 or comparable Exynos5 device. As such, mucking with this is an extremely tiresome operation: modify some code, compile a kernel, package it, send it to somebody for testing, have them unpack it, flash it, test it, send back results - with all the timing problems that come with that. Somehow you're never online at the same time :)

I have been doing that for a bit past weekend, but I'm going to stop testing for now - there is other code that needs my attention. If I end up with an I9500 myself I might continue. Or if others decide to share their patches around this issue - I know a workaround exists in the wild ...

Thomas Martha commented on 2013-05-27 at 09:15:

Thx 4 update on that matter!

Stephane Richard commented on 2013-05-27 at 09:47:

Have you considered setting up a device donation page? You can list the devices you need and include the donation amounts needed and received for the devices. I'd contribute to that, as I'm sure many others would. 

Chainfire commented on 2013-05-27 at 10:18:

+Stephane Richard No, I don't do device donation pages. Those always come with implicit (if not downright explicit) strings attached. What if I can't pull it off? Or what if I can, but it appears to be too much work to be worth it for me? Or what if I get distracted by a shiny object and/or squirrel?

That's a big old mess I don't want to get involved in - somehow it'll end in drama. I might still get an I9500 so all is not lost, and even if I don't, quite likely there'll be some near future device with that chip I can use for testing (Note 3 perhaps ?) and backport.

Adam Outler commented on 2013-05-27 at 11:03:

Do you have US GS4? I'm modifying mine in a few minutes. If you need something let me know.

Chainfire commented on 2013-05-27 at 11:22:

+Adam Outler no I have an international (I9505), but they're identical (aside from optional bootloader locks) as far as I know.

Jose Faria commented on 2013-05-27 at 11:36:

I was wondering when samsung was going to hide such info from the end user, back to the cat and mouse business.

Adam Outler commented on 2013-05-27 at 12:43:

They probly put it in the trust zone.

Scott Steinhart commented on 2013-05-27 at 12:50:

What happened to the days where Samsung was much more developer friendly?

Adam Outler commented on 2013-05-27 at 13:24:

Yeah man.. It used to be that you could just use Odin. Now you have to use CASUAL :D

CASUAL Galaxy S4 Root and Recovery by Dan Rosenburg

Alex Gibson™ commented on 2013-05-27 at 13:24:

Excuse my ignorance but what exactly are you talking about, is it flashing gs4 rom or what

Adam Outler commented on 2013-05-27 at 13:33:

It's flashing a recovery because the US variants are locked down. 

Alexis Jacobs commented on 2013-05-27 at 13:37:

+Alex Gibson web are talking about Triangle Away, one of +Chainfire 'S apps. This one resets the custom flash count to 0 ie it shows as non modified.

Jose Faria commented on 2013-05-27 at 13:39:

+Scott Steinhart its believed that samsung is implementing such locked down because carriers request them.

Alexis Jacobs commented on 2013-05-27 at 13:40:

This is because carriers don't want the extra burden of supporting custom flashed phones. Probably.

Alex Gibson™ commented on 2013-05-27 at 14:00:

But surely if you've flashed your phone your carrier is no longer obligated to you under their warranty rules? I wanted to flash my s2 so as to use a firewall app on my phone and was told by my operator that my warranty would be null and void. Curious to know if its the same outside Scotland.

Chainfire commented on 2013-05-27 at 14:01:

+Adam Outler Only for AT&T/VZW ... for all other models, there is CF-Auto-Root ;)

Chainfire commented on 2013-05-27 at 14:03:

Actually, I don't think this specific move is for carriers. What Triangle Away resets is data Samsung may want to use to deny your warranty, and has little to do with either trustzone or carriers. The protection used is also a standard one, which is employed (and exploited) on various HTC devices as well.

Alex Gibson™ commented on 2013-05-27 at 14:09:

Like I said I was curious lol and now I'm confused.

Peace out peeps

Adam Outler commented on 2013-05-27 at 14:31:

+Chainfire think of trust zone like a shield that protects parts of the hardware. In this case I'm suspecting that there is some storage location in the protected area that prevents read/write except by the boot loader.

Trust zone can be extended over any hardware. When trust zone is implemented, it appears to the kernel as the actual hardware, when in reality it is a program that executes and responds to calls made by the kernel.

White Sam Arrow commented on 2013-05-27 at 16:48:

thx for your continuous wonderful work.

but i have a little comment about your thread, I9500 CF-Auto-Root at XDA, users who read the OP understand that TA is working on their devices, and they try it, that may possibly harm their devices. wishing to make an editing step.

thx in advance


Wiktor Kasz commented on 2013-05-27 at 17:09:

+Chainfire The i9505 has something funky going on with mounting system and cache. Also it behaves very strange if you have any file in the data partition and perform operations in a custom recovery. I have beeb working remotely like you as well but on the i9505 model and once I get the device (soon) I hope to get to what makes the i9505 fail in recovery operations whereaa the us counterparts work perfectly (devices with the same partition layout). If you have a clue please let us know in the xda oadev i9505 forum. Cheers!

Chainfire commented on 2013-05-27 at 21:01:

+Wiktor Kasz interesting, I'm having weird issues in I9505 recovery as well ... Let me know if you find anything relevant at all.

Chainfire commented on 2013-05-27 at 21:11:

+Adam Outler The I9500 issue I really don't think has anything to do with TrustZone, as what they're using is a documented feature of the eMMC hardware. There's no need to emulate that in TZ, because it's already there in the eMMC.

Some of the issues with the I9505 though, I would not be surprised are TZ related ...

Andy Cullis commented on 2013-05-28 at 12:06:

Its this just a ploy from samsung to keep an eye on who is rooting? Maybe its just to stop people overclocking there device and when it breaks coz they have overclocked to much they flash back and warrenty it.. maybe if we stoped all the devs from makeing overclocking for any device the oems/samsung would be more helpfull on letting us root and use custom software on our devices.. this i see as the only reason behind this is coz many mods/roms do have the cpu overclocking enabled on them.. y would samsung do the warrenty if they see overclocking in the custom software.. stop the overclocking in software and we might see oems/samsung letting us root and useing custom software no problem.. Rom tool box is a prime reason for this statement.. y has rom tool box got cpu control? To be use for many people to overclock there devices cpu..

Shaun Lin commented on 2013-05-29 at 21:46:

+Chainfire I think you should go ahead with the device donation idea, and add explicit disclaimers that indemnify you from consequences of failure and any sort of expectations that donors demand from you?

Mathieu Hervais commented on 2013-05-31 at 14:57:

It simply has to do with the GT-I9500 bootloader setting the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on flag at boot.

This is an eMMC feature that effectively locks the partition to read only until the eMMC hardware is restarted (basically until you reboot your phone) 

While the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on is software triggered, the lock itself is enforced by the eMMC hardware, once it is set, there is no getting around it.

Because this is set in the bootloader long before a kernel starts to run, and therefore long before we get to run our own code, and that the partition is locked by the eMMC hardware afterward, the only way to write the counter back is to do it at the bootloader level before the flag gets set, this means either exploiting the bootloader or replacing it by an older (engineering) version that would not set that particular flag (however an older bootloader may not support future components of the phone as they get replaced in the future, such as a newer OLED panel for instance)

Seems like a lot of trouble just to be keeping a warranty intact.

Andy Cullis commented on 2013-05-31 at 22:54:

Cant you somehow gain root without the flash counter going up.. cant root be done on device?

Mathieu Hervais commented on 2013-05-31 at 23:54:

Yes you can, the counter does not prevent you from flashing custom kernels

Lukas Wiest commented on 2013-06-02 at 07:51:

+Andy Cullis  I have used motochopper on the S600, but on the Exynos5 it won't work I guess

Nishat Malik commented on 2013-06-03 at 14:28:

in exynos 5 i9500 devices to get cwm use first flash the adam kernel then proceed further i think..

Nishat Malik commented on 2013-06-03 at 14:31:

please provide the triangle away for galaxy s4 i9500 device i have the 00xxuamdk kernal before but for rooting i first flash the adam kernel then it works on my device but i want my hardware warranty as well so i need triable away and please if u want donate all agrees i think..

Nishat Malik commented on 2013-06-03 at 14:32:

i download your trangle away from play store but it can't work on my exynos 5 i9500 device..

Leonardo Barreto commented on 2013-06-04 at 22:33:

When does the triangle away for the Galaxy S4 exyno 5

Carlos Pascoal commented on 2013-06-11 at 09:48:

LOL ... I'm screwed

Carlos Pascoal commented on 2013-06-11 at 09:49:

Please, Chainfire, do something for 9500! : (

Shashank Shrimal commented on 2013-06-14 at 11:12:

Any love for 9500 yet ? :D

Ahmed Younis commented on 2013-06-20 at 00:16:

please we want triangle away for i9500 please im sure you can do it

David Ferreiro commented on 2013-06-26 at 01:40:

Hi, I own a 9500 octacore. I know nothing. But i offer my phone for testing, haha. Tell me if there anything I can do to help

Reuben Fergusson commented on 2013-08-07 at 10:18:

Hi Chainfire

If you know of a workaround that would be great. Please could you share it? I dont mind getting my hands dirty but I need to get this thing reset.

Hypergamer ! commented on 2013-08-18 at 05:58:

Hi Chainfire I recently got a I9500 and I havent even rooted it yet because I didnt want to mess with the warranty....I will wait patiently if you ever want me to do any testing I will be always ready......Whenever u wish u can tell me I will be available...thanks a lot for your great work.......

Ahmed Younis commented on 2013-08-19 at 21:18:

pleeeeeaaaseee do it!!

洪旭佑 commented on 2013-08-23 at 17:16:

Please, make it possible, I believe you can, many people are waiting for triangle away support on i9500, I'm rooted, and I need reset it.

Mohamed Khaled commented on 2013-08-30 at 00:36:

How can I install triangle away foe my gs4 i9500 ??

Ankur Jhavery commented on 2013-09-11 at 20:56:

Waiting patiently to see the support for I9500, so that I can go ahead with rooting my phone SGS4!!!!

Michael Gefen commented on 2013-09-23 at 20:17:

You are doing a great job. I'm looking forward for TA for i9500. thanks for your effort

Turgut Malkoc commented on 2013-10-25 at 09:15:

9500 tringle away?

Ankur Jhavery commented on 2013-10-25 at 09:22:

With the new Knox bootloader I guess it has become difficult but Waiting patiently to see TA for I9500

Atila izmir commented on 2013-10-25 at 12:15:

Pls chainfire bro support 9500 universal for knox bootloader we are waiting you you are best of the best plsss support

Jacques De Kock commented on 2013-10-28 at 13:05:

Chainfire any news in regards to the status of the release for the TA towards the reset of binary on the I9500?

You have many people that is looking for your support please.

Jacques De Kock commented on 2013-10-29 at 07:41:

Chainfire we have many people in the world that are ready in need of your assistance in regards to the braking of this code and protection for the reset of the binary counter on the i9500, warranty is now an issue for all the people that rooted their phones. We would really appreciate if you can have another go at it and see if you can assist the many followers you have. Thanks

Jacques de Kock commented on 2013-10-30 at 02:51:

Hi Chainfire, please can you assist the i9500 community in regards to the completion of the triangle away for it. We know you can do it and would like to ask you to assist us. You will make so many people around the world very happy in this regards. Please can you just try and see if you can get the program that is already written tweeked for the binary counter reset on the i9500. Thank you

Mohamed Khaled commented on 2013-11-01 at 06:53:

OK .. chainfire. I would ask u .. can I root my i9500 4.3 ?

Hepter terhep commented on 2013-12-25 at 02:21:

I can tester for you.i have sgs4 9500.just dont break my phone :D

Jason Borejszo commented on 2013-12-28 at 03:33:

Chainfire: I can see how this message board with all the posts from peeps to lazy to read could frustrate you. I happen to know some unsavory characters that could source me a I9500 but it would be blocked as a stolen phone. If you can put ethics aside, would a dodgy device donation be of any use to you? there wont be any complaints and you could burn the phone if you like, and it most likely would not be a new phone. Email me if your interested.

Thanks for all your hard work, L8r

Pablo Segovia commented on 2014-01-10 at 20:38:

como va eso?

Sanjay Natarajan commented on 2014-01-15 at 20:56:

Dear +Chainfire I own an i9500 international and would love to beta test for you. Appreciate your hardword and Hope u find a way to bypass Knox.

Agustin Matarazzo commented on 2014-01-21 at 15:19:

Dear +Chainfire , Is there any update for the triangle away for the i9500 version?

Diel Ultra commented on 2014-02-12 at 13:44:

Just wait till your warranty expires and root away... It's just one goddam year ffs..

Hari sh commented on 2014-02-16 at 08:03:

try this guys you ill get official status without triangle away for gt-i9500

Sanjay Natarajan commented on 2014-03-02 at 14:16:

+Hari sh is this method working on i9500? will i be able to get OTA after that ?

Emerson Xoyon commented on 2014-03-02 at 20:21:


Emerson Xoyon commented on 2014-03-02 at 20:23:

Disculpas no hablo mucho el ingles, pero existe una manera de resetear el contador de flasheos en el I9500 con Android 4.3. Gracias.

Hari sh commented on 2014-03-16 at 08:21:

yes u ill get +Sanjay Natarajan 

Caner Gezgez commented on 2014-07-20 at 13:24:


Md Imran Hossain commented on 2014-09-25 at 12:41:

can anyone help me update I9500XXUEMJ8 on kitkat 4.4.2....

Faiz Khwaja commented on 2014-10-29 at 10:05:

Sir Chainfire please do some thing about i9500 trianglaway app please

Kaki Bzhalava commented on 2014-10-31 at 01:26:

hey bro since this post has already gone 1 year

and here isnt anykind of solution to reset this fucking binary on i9500?

h sc commented on 2015-02-17 at 07:50:

Any news for triangle away for galaxy s4 i9500?

Md Imran Hossain commented on 2015-05-05 at 15:43:


علي جبار العبياوي commented on 2015-12-23 at 05:15:

Ok ok ok

This post is over a month old, commenting has been disabled.