Temporary bootloader unlock for the SM-G360V

rossa-vzw-tethered-exploit

This is a port of the SVE-2016-7930 exploit to the Verizon variant of the Samsung Galaxy Core Prime (SM-G360V).

usage

Firstly, you will need to prepare a micro SD card. It will be repartitioned and have a boot image written to it, so choose one without important data. Insert the card into the phone, boot it into download mode, plug it into a computer and run the following command:

heimdall flash --tflash --repartition --pit COREPRIMELTE_USA_VZW.pit --BOOT payload_sd.img --RECOVERY your_custom_boot_image.img

With a prepared SD card, you can trigger the exploit.

Prerequisites:

  • You must use a heimdall executable patched with heimdall-increase_fileTransferSequenceMaxLength.patch (a pre-compiled one for x86_64 Linux exists here).
  • You need the G360VVRS3CPL1 version of aboot flashed to your phone (included here as pl1_aboot.mbn, run heimdall flash --ABOOT pl1_aboot.mbn). This should work fine with the latest firmware.

With the phone in download mode, insert the SD card, and run this command:

heimdall flash --tflash --no-reboot --BOOT payload_usb.img

After the image is 100% uploaded, the bootloader will eventually print a size error to the screen. Shortly after, the previously flashed boot image should run.

quirks

TWRP, the stock recovery image, and possibly others try to access partitions on the SD card instead of internal storage whenever an SD card carrying the phone's partition table is inserted. In particular, running ls -l /dev/block/platform/soc.0/by-name in TWRP reveals that all of the partition symbolic links point to partitions on the SD card. Manually mounting partitions, as in mount /dev/block/mmcblk0p27 /data, still allows access to the internal storage. While this is a bit of an annoyance, if Android distributions exhibit the same behavior, it could potentially be used for easy dual-booting.
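A quick way to spot this shadowing before touching storage from recovery, as an added example that is not part of this repository: a POSIX shell script that resolves each by-name link and reports any that point at a device other than the internal eMMC. The by-name path, the assumption that internal storage is mmcblk0 (the README mounts mmcblk0p27 as /data) and that the SD card appears as another mmcblkN device are taken from the paragraph above.

```shell
#!/bin/sh
# Added example (not part of this repository): detect by-name partition links that
# resolve to a device other than the internal eMMC. Assumptions: the by-name directory
# layout is /dev/block/platform/soc.0/by-name as in the README, internal storage is
# mmcblk0 (the README mounts mmcblk0p27 as /data) and an inserted SD card shows up as
# another mmcblkN device.

# Print one "link-name base-device" pair per symlink in the given by-name directory,
# e.g. "userdata mmcblk1" for userdata -> /dev/block/mmcblk1p27.
by_name_devices() {
    dir="$1"
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f "$link")
        # strip the partition suffix (pNN) to get the parent block device
        base=$(basename "$target" | sed 's/p[0-9][0-9]*$//')
        printf '%s %s\n' "$(basename "$link")" "$base"
    done
}

# Return 0 when every link points at the expected device (default mmcblk0); otherwise
# list the stray links on stderr and return 1, meaning the recovery image is currently
# operating on the SD card's copy of the partition table rather than internal storage.
check_by_name() {
    dir="$1"
    want="${2:-mmcblk0}"
    stray=$(by_name_devices "$dir" | awk -v want="$want" '$2 != want { print $1 " -> " $2 }')
    if [ -n "$stray" ]; then
        printf 'by-name links shadowed by another device:\n%s\n' "$stray" >&2
        return 1
    fi
    return 0
}

# stand-alone use on the device: check_by_name /dev/block/platform/soc.0/by-name
```

Run it from a TWRP shell before flashing or wiping anything; a non-zero exit means writes through the by-name links would land on the SD card.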

how does this work / how do I compile it

See WRITEUP.md.

thx

frederic - finding the original exploit (info), and writing shellcode for the S5, which I ported and optimized.

justaCasualCoder - compiling the patched heimdall binary I linked to in this README.

oscardagrach - writing the compiling commands and linker script here, which I adapted for compiling this shellcode.