Galaxy S7 Bootloader Lock Explained: You Might Not Get AOSP After All
The Samsung Galaxy S7 and the S7 Edge are some of the most powerful devices you could buy right now. But our regular readers and forum dwellers will know that Samsung devices are rarely the best choice when it comes to development.
A lot of the issues with Samsung and development can be traced back to Exynos and its lack of documentation. So, naturally, when we heard news that the Samsung Galaxy S7 would come in a variant with Qualcomm’s Snapdragon 820 instead of Samsung’s own Exynos 8890, the developer community crossed its fingers and hoped for the best. Could this be the first Samsung flagship in recent memory which will have good support for AOSP based development? Could it actually be possible to remove TouchWiz entirely from a Samsung flagship, and enjoy an AOSP experience sans all the bloat? Could one expect to get on the latest Android version without waiting months for Samsung to port it over to the device?
Alas, that would be wishful thinking. The road was blocked from the start. For starters, only the devices sold in the USA would come with the Qualcomm Snapdragon 820. Devices sold internationally would come with the Exynos 8890, which meant that a large part of the world would be bereft of community AOSP work, just like with previous Samsung flagships. This was somewhat expected, however, and so the news was not surprising.
Then there are the carriers. US carriers have a strong history of locking down devices, with Verizon and AT&T being the worst when it comes to bootloader locking. So users on those carriers could very much expect to be stuck with what came out of the box, for the most part. Updates to the Android system have to be implemented in TouchWiz by Samsung first, and then have to pass through the carrier to reach the device, adding another step to the update deployment process.
So, with all of this said and done, Sprint and T-Mobile Galaxy S7 and S7 Edge users would be the luckiest of the lot, right? After all, even though these carriers SIM-lock their devices, they have traditionally not been as uptight as the other carriers when it comes to Samsung bootloaders. The devices still do not compare to fully unlocked devices, but something is better than nothing, right? Right?
No, not really. Samsung has done it again.
It started off in our T-Mobile Samsung Galaxy S7 Edge forums, where an anticipatory root discussion thread was created, aiming to get root on the device as soon as possible and then distribute it to other forum users in an easy-to-follow manner. XDA Recognized Developer Fenny made a quick observation that signalled that all might not be right after all:
Looks like the bootloader is locked, both qualcomm secure boot, and secure download enabled.
Eh, that doesn't seem too bad though. OEM Unlock is still present in the Developer settings, so maybe that needs toggling before one proceeds. Fenny answered that he had already done so, but remained hopeful that root could be obtained through other methods.
Just got my device today… after a quick look, I don’t see anything locked. If you are referring to:
QUALCOMM SECUREBOOT: ENABLE
SECURE DOWNLOAD: ENABLE
that’s perfectly normal… nothing to worry about…
Others contributed to the discussion, but it became apparent that Odin could not flash anything except untouched stock images.
There is no TWRP as of yet. I can’t even Odin a kernel with a totally unchanged, but repacked, initramfs. Stock images flash fine.
At this stage, Samsung released the kernel source code for the Exynos variants of the Galaxy S7 and the S7 Edge. This is nothing more than the bare minimum required for GPL compliance, and it will only aid in developing custom kernels for the Exynos variants. AOSP still remains a dream, as of now.
Spurred by the kernel code, XDA Senior Member jcadduono was able to treat International (Exynos) owners of the Galaxy S7 and S7 Edge to builds of TWRP, opening up the world of possibilities to the userbase. But what about the Qualcomm variants? Well, this is where the bad news actually starts flowing in.
jcadduono called up Samsung's engineering mobile department, where he was told that the T-Mobile S7 has a secure-flash locked bootloader, similar to Verizon's previous Samsung devices. He also mentioned that dm-verity is enabled in the kernel, which means modified system partitions cannot be flashed in the current state; that was how certain locked Galaxy S6 models got their root.
To further the development and research, jcadduono asked people in the thread to try flashing a TWRP image he had built for the device. Depending on the error the device displayed, a conclusion could be reached. And then, all fears were confirmed.
This was no ordinary write failure. A secure check failure, in simple terms, indicates a locked-down bootloader: the image failed signature verification. The bootloader refuses to flash anything unless the image's signature validates against the OEM's public key, which the bootloader carries itself (under Qualcomm secure boot, the chain is ultimately anchored in key hashes fused into the SoC) rather than reading it from one of the device's writable partitions. This essentially restricts all activities to those that come directly from the OEM, Samsung in this case. You can't flash anything, not even repacked stock images with no other modifications, because repacking changes the bytes, and therefore the hash the signature covers, even when the contents are functionally identical.
To quote XDA Recognized Developer Fenny:
Qualcomm secureboot has us shackled with the near-bulletproof chain of trust.
Q: Is it possible that making selinux permissive would help? Thats what we had to do on the s6 as I recall.
A: No, the recovery image can’t even be flashed. The issue is not with booting it, but with actually flashing it.
The download mode bootloader loads the image sent from Odin into memory, then runs a checksum and signature validation on the image. If it doesn't match, it's simply freed from memory and not written to the device at all.
We can’t do anything except get our TWRP images signed by T-Mobile.
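The flow Fenny describes, modelled as an added example that is not Samsung's, Odin's or any poster's code. A toy RSA keypair (textbook RSA over a SHA-256 digest, no padding, 512-bit, generated at import time, so not a production scheme) stands in for the OEM signing key, and a `DownloadMode` class stands in for the bootloader; the partition name, the sample images, the status strings and the CRC-32 checksum are all constructed here for illustration. The point to observe is that the stock image passes, while the same image repacked with a single trailing byte, and an unsigned TWRP build, both fail the signature check before anything is written.

```python
"""Added example: a model of the download-mode secure-flash check described above.
Not Samsung/Odin code. Toy RSA (no padding) stands in for the OEM signing scheme."""
import hashlib
import random
import zlib

_rng = random.Random(20160312)   # seeded so the example is deterministic


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; good enough for a demo key, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as (n, e), (n, d). 512-bit is a demo size only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:   # keeps gcd(e, phi) == 1
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(image, private):
    """OEM side: sign the SHA-256 of the image. The private key never leaves the OEM."""
    n, d = private
    return pow(_digest_int(image), d, n)


def verify_image(image, signature, public):
    n, e = public
    return pow(signature, e, n) == _digest_int(image)


def checksum(image):
    return zlib.crc32(image) & 0xFFFFFFFF


class DownloadMode:
    """Stands in for the bootloader's download mode. Only the public key is on the
    device; a staged image is written only after checksum and signature verify."""

    def __init__(self, oem_public):
        self.oem_public = oem_public
        self.flash = {}   # partition name -> image bytes actually written

    def odin_flash(self, partition, image, signature, claimed_crc):
        staged = bytes(image)            # the image sent by Odin sits in RAM first
        if checksum(staged) != claimed_crc:
            return "CHECKSUM FAIL"       # staged buffer discarded
        if not verify_image(staged, signature, self.oem_public):
            return "SECURE CHECK FAIL"   # staged buffer discarded, flash untouched
        self.flash[partition] = staged
        return "PASS"


def demo():
    """Stock passes; the repacked stock image and an unsigned TWRP are refused."""
    oem_public, oem_private = generate_keypair()
    device = DownloadMode(oem_public)
    stock_recovery = b"ANDROID!stock recovery (constructed sample)"
    stock_sig = sign_image(stock_recovery, oem_private)
    repacked = stock_recovery + b"\x00"          # same content, different bytes
    twrp = b"ANDROID!TWRP (constructed sample)"  # nobody has the OEM key to sign it
    return {
        "stock": device.odin_flash("recovery", stock_recovery, stock_sig, checksum(stock_recovery)),
        "repacked": device.odin_flash("recovery", repacked, stock_sig, checksum(repacked)),
        "twrp": device.odin_flash("recovery", twrp, stock_sig, checksum(twrp)),
        "written": device.flash.get("recovery"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The checksum is the cheap first gate; the signature is the one that matters, and it is the reason "get our TWRP images signed" is the only way through: without the OEM's private key nothing anyone builds will ever verify, no matter how close to stock it is.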
Why would T-Mobile lock down the bootloaders of what may very well be one of Samsung's best-selling devices of 2016? Here is some speculation from the thread on why they would choose to do so, despite being lenient with several other devices in the past:
My guess would be Samsung just decided to enable secure flash verification on all the Snapdragon variants since that’s what all the other carriers want.
T-Mobile voids warranty for rooting now according to their Facebook rep, so maybe T-Mobile didn't bother asking for unlocked devices from Samsung and decided to join the others as well.
Having the sources released doesn’t make a difference. You can’t flash ANYTHING to the phone unless it is OEM signed.
With this, Samsung has effectively locked all development on the Snapdragon 820 variants of the Galaxy S7 and S7 Edge. Even though most of this discussion exists in the T-Mobile S7 Edge forums, the scenario and the consequences apply to all carriers and to the S7 (SD 820) as well. What was supposed to be the first developer-friendly Samsung device in a long time has ended up even more locked down than the Exynos variants. This is really frustrating for users who specifically chose a Samsung device in the hope of development support, since past experience would have pushed them toward the Snapdragon 820 variant rather than the Exynos one.
Is all lost though? Will the device never ever get any development?
The situation is not a 100% disaster yet. There is still a very small chance that root could be obtained via vulnerabilities and exploits. These are crude ways to obtain root, and none has been found yet, but it can be done. The problem with exploits is that they get patched in future updates. The end user then has to decide whether to take the latest update and go without root until a new exploit is found, or stay on an outdated build and remain content with root. Update to the latest and you are back to square one.
The boot image has dm-verity on which means you’ll get a boot loop if you ever do anything to mount/write to the system partition. Live roots will be the only way.
Good news is, you should be able to create a loop device image in data partition and mount that with executable permissions to create your own sort of writable mini-system overlay if a live root exploit comes out. Similar to SuperSU systemless I suppose.
This is an optimistic view of the future, mainly because it relies on both the existence and the discovery of a live root exploit. There may be no such exploit, or there may be one that nobody finds. That is a very big IF attached to the development scenario of the Snapdragon 820 based Galaxy S7 and S7 Edge on all USA carriers.
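What dm-verity actually enforces, as an added example that is not the Android or Samsung implementation. The layout follows dm-verity's (4 KiB data blocks, salted SHA-256 with the salt prepended as in format version 1, hashes packed 128 to a 4 KiB hash block, and a root hash that is anchored in the verified boot chain rather than kept anywhere writable); the sample /system image, the salt and the status strings are constructed here. It shows why a single-byte change to the system partition produces a verification error on read, which with verity in restart mode is the boot loop jcadduono describes, and why rebuilding the hash tree for the modified image does not help: the new root hash no longer matches the one the boot chain trusts. Files placed in /data, as in the systemless overlay idea above, are simply outside the tree.

```python
"""Added example: a simplified dm-verity hash tree. Not the Android/Samsung code;
layout follows dm-verity (4 KiB blocks, salted SHA-256, 128 hashes per hash block)."""
import hashlib

BLOCK = 4096
HASH_LEN = 32
PER_BLOCK = BLOCK // HASH_LEN          # 128 hashes per 4 KiB hash block
SALT = bytes.fromhex("0badc0de" * 4)   # constructed; real salts are random


def _h(salt, data):
    return hashlib.sha256(salt + data).digest()   # salt prepended (format 1)


def build_tree(image, salt=SALT):
    """Return (levels, root_hash). levels[0] covers the data blocks, levels[-1]
    is the single top hash block; root_hash = H(salt || top block). The tree is
    built once when the image is made; the root hash travels with the verified
    boot chain, not inside the writable data area."""
    if len(image) % BLOCK:
        raise ValueError("image must be block aligned")
    hashes = [_h(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = []
    while True:
        hblocks = [b"".join(hashes[i:i + PER_BLOCK]).ljust(BLOCK, b"\0")
                   for i in range(0, len(hashes), PER_BLOCK)]
        levels.append(hblocks)
        hashes = [_h(salt, hb) for hb in hblocks]
        if len(hashes) == 1:
            return levels, hashes[0]


def verify_block(block, index, levels, root, salt=SALT):
    """What the kernel does on every read: hash the block, check it against its
    slot in the hash tree, then walk up until the trusted root hash is reached."""
    expected = _h(salt, block)
    for hblocks in levels:
        hb = hblocks[index // PER_BLOCK]
        off = (index % PER_BLOCK) * HASH_LEN
        if hb[off:off + HASH_LEN] != expected:
            return False
        expected = _h(salt, hb)
        index //= PER_BLOCK
    return expected == root


def boot_system(image, levels, root, salt=SALT):
    """Read every block through verity; the first mismatch is fatal, which in
    'restart' mode is the boot loop the thread describes."""
    for i in range(0, len(image), BLOCK):
        if not verify_block(image[i:i + BLOCK], i // BLOCK, levels, root, salt):
            return f"dm-verity: block {i // BLOCK} corrupted, restarting"
    return "boot ok"


def sample_system(blocks=6):
    """Constructed stand-in for a /system partition image."""
    return b"".join(hashlib.sha256(bytes([i])).digest() * (BLOCK // 32)
                    for i in range(blocks))


def demo():
    system = sample_system()
    levels, root = build_tree(system)        # done at image build time
    clean = boot_system(system, levels, root)

    # "remount rw and drop an su binary": flip one byte inside block 3
    modified = bytearray(system)
    modified[3 * BLOCK + 128] ^= 0xFF
    modified = bytes(modified)
    tampered = boot_system(modified, levels, root)

    # Rebuilding the tree over the modified image gives a self-consistent tree,
    # but its root differs from the trusted one, so the boot chain rejects it.
    new_levels, new_root = build_tree(modified)
    return {
        "clean": clean,
        "tampered": tampered,
        "rebuilt_root_matches": new_root == root,
        "rebuilt_tree_self_consistent": boot_system(modified, new_levels, new_root),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

This is why a locked bootloader plus dm-verity closes the S6-era route of flashing a pre-rooted system image: the modified partition either fails to flash (signature) or fails to boot (root hash), and only a runtime exploit that never touches the verified blocks gets around both.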
Are we actually surprised? Personally, I kind of expected it. With Samsung Pay being made such a huge deal, Samsung was not going to compromise easily on its mobile payment solution. While the developer community's intent is, broadly speaking, benign, one can't deny that root and everything it enables are also used for nefarious purposes. Rooting and unlocking the bootloader open the device up to a world of possibilities, and that world has both positives and negatives. It gets serious when you consider that a large populace is expected to migrate their banking information to these devices and use them at local payment terminals. The variables involved are huge, and Samsung would certainly not risk the reputation of its devices, or of Samsung Pay as a competitor to supposedly more "secure" alternatives like Apple and Apple Pay.
But does that make this locking down acceptable? No. At the very least, a disclaimer should have been presented to the public at large. It does not even have to be marketed negatively. Samsung could have very well mentioned these security features in their launch event, saying that these devices have additional security layers for Samsung Pay, making them difficult to hack and exploit. We’d take the hint, really.
Samsung could also have introduced a special unlocking program, much like the one other OEMs such as Sony run. This remains feasible, and it would allow the best of both worlds: the non-developer public gets a phone that is as secure as Samsung can currently make it, while the developer community gets its bootloaders unlocked at the cost of losing Samsung Pay and other security-dependent features.
This has certainly been a disappointing turn of events. What was to be AOSP's best hope in the dark world of TouchWiz has been left more crippled than even the Exynos variants. While the possibility of root, custom kernels, recoveries and ROMs still exists for Samsung's Snapdragon 820 devices, the likelihood of them attracting major development work remains slim after this devastating blow.
What are your thoughts on this turn of events? Let us know in the comments below!