

This article was published on May 24, 2013


Security researcher bypasses Samsung Galaxy S4’s secure boot check on AT&T and Verizon phones

Image by: AFP/Getty Images
Story by Emil Protalinski

Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, TechSpot, ZDNet, and CNET.

Azimuth Security researcher Dan Rosenberg claims to have found a “design flaw” in Samsung’s secure boot system for the Galaxy S4. Exploiting it lets the device’s owner install an operating system other than Samsung’s own signed build of Android.

The S4, which has already passed 10 million channel sales one month after launch, comes in a variety of models, most of which include an unlocked bootloader. This means most S4 owners can flash custom kernels and make other modifications to the software on their own devices.

Unfortunately, the AT&T and Verizon versions ship with a locked bootloader. Rosenberg has detailed that bootloader and found a vulnerability in it that lets users bypass the lock, so S4 owners on the two largest US carriers could potentially run custom, unsigned kernels and recovery images, just like their peers.

Samsung’s secure boot feature only lets the device boot a kernel that carries the company’s RSA-2048 digital signature. Forging that signature would mean recovering Samsung’s private key, which is well beyond any computing power currently available, so Rosenberg had to sidestep the check rather than defeat the cryptography.

Rosenberg says he reverse engineered Samsung’s bootloader to work out where in memory it places the kernel before running the signature check. That load address is taken from the boot image itself and used as supplied, so it can be chosen such that loading the image overwrites the bootloader’s own check_sig() function before the loader calls it. By the time execution reaches the check, the code that would have rejected an unsigned kernel is gone, so no valid signature is needed.
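The mechanism above is a load-address validation failure, and the fix is a range check before anything is copied. The following C is an added example written for this article; it is not Rosenberg’s tool and not Samsung’s bootloader code. It parses the standard Android boot image header, shows the loader’s original decision (accept any well-formed header and place segments wherever it asks) beside a hardened decision that confines every segment to a RAM window and keeps it clear of the bootloader, and builds two constructed sample headers to compare them. The memory map constants (ABOOT_BASE, ABOOT_SIZE, CHECK_SIG_OFFSET, LOAD_WINDOW_BASE, LOAD_WINDOW_END) and all function names are assumptions for illustration, not real S4 values; the crafted header aims the ramdisk segment at the bootloader, although the article speaks of the kernel address, because a check has to cover every segment the header can place.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* First 40 bytes of the standard Android boot image header (v0 layout). */
#define BOOT_MAGIC      "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_HDR_BYTES  40

struct boot_img_hdr {
    uint8_t  magic[BOOT_MAGIC_SIZE];
    uint32_t kernel_size;
    uint32_t kernel_addr;    /* load addresses come from the image, not from the loader */
    uint32_t ramdisk_size;
    uint32_t ramdisk_addr;
    uint32_t second_size;
    uint32_t second_addr;
    uint32_t tags_addr;
    uint32_t page_size;
};

/* Assumed memory map, for illustration only; none of these are real S4 values. */
#define ABOOT_BASE        0x88F00000u   /* where the bootloader's own code sits */
#define ABOOT_SIZE        0x00100000u
#define CHECK_SIG_OFFSET  0x00012340u   /* hypothetical offset of check_sig() inside aboot */
#define LOAD_WINDOW_BASE  0x80000000u   /* RAM the loader should be willing to fill */
#define LOAD_WINDOW_END   0x88000000u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse a header out of raw flash bytes; false on short input or bad magic. */
bool parse_boot_header(const uint8_t *buf, size_t len, struct boot_img_hdr *h) {
    if (len < BOOT_HDR_BYTES || memcmp(buf, BOOT_MAGIC, BOOT_MAGIC_SIZE) != 0) return false;
    memcpy(h->magic, buf, BOOT_MAGIC_SIZE);
    h->kernel_size  = rd32(buf + 8);   h->kernel_addr  = rd32(buf + 12);
    h->ramdisk_size = rd32(buf + 16);  h->ramdisk_addr = rd32(buf + 20);
    h->second_size  = rd32(buf + 24);  h->second_addr  = rd32(buf + 28);
    h->tags_addr    = rd32(buf + 32);  h->page_size    = rd32(buf + 36);
    return true;
}

/* True if [addr, addr+size) intersects [base, base+len); 64-bit math so addr+size cannot wrap. */
static bool overlaps(uint32_t addr, uint32_t size, uint32_t base, uint32_t len) {
    uint64_t a_end = (uint64_t)addr + size, b_end = (uint64_t)base + len;
    return addr < b_end && base < a_end;
}

/* The decision the article describes: a well-formed header is loaded wherever it asks to be. */
bool vulnerable_accepts_placement(const struct boot_img_hdr *h) {
    return h->kernel_size != 0 && h->page_size != 0;
}

/* The missing check: every segment must lie inside the load window and clear of aboot. */
bool hardened_accepts_placement(const struct boot_img_hdr *h) {
    if (h->kernel_size == 0 || h->page_size == 0 || (h->page_size & (h->page_size - 1)) != 0)
        return false;
    const uint32_t addr[3] = { h->kernel_addr, h->ramdisk_addr, h->second_addr };
    const uint32_t size[3] = { h->kernel_size, h->ramdisk_size, h->second_size };
    for (int i = 0; i < 3; i++) {
        if (size[i] == 0) continue;                    /* absent segment: nothing is placed */
        if (addr[i] < LOAD_WINDOW_BASE || (uint64_t)addr[i] + size[i] > LOAD_WINDOW_END) return false;
        if (overlaps(addr[i], size[i], ABOOT_BASE, ABOOT_SIZE)) return false;
    }
    return true;
}

/* Would copying this segment clobber check_sig()? That is what the crafted image aims for. */
bool segment_covers_check_sig(uint32_t addr, uint32_t size) {
    return overlaps(addr, size, ABOOT_BASE + CHECK_SIG_OFFSET, 4);
}

/* Constructed sample header: a normal 4 MiB kernel plus a 4 KiB ramdisk at the caller's address. */
void build_header(uint8_t out[BOOT_HDR_BYTES], uint32_t ramdisk_addr) {
    memset(out, 0, BOOT_HDR_BYTES);
    memcpy(out, BOOT_MAGIC, BOOT_MAGIC_SIZE);
    wr32(out + 8, 0x00400000u);  wr32(out + 12, 0x80208000u);   /* kernel_size, kernel_addr  */
    wr32(out + 16, 0x00001000u); wr32(out + 20, ramdisk_addr);  /* ramdisk_size, ramdisk_addr */
    wr32(out + 36, 2048);                                       /* page_size                  */
}
#define CRAFTED_RAMDISK_ADDR (ABOOT_BASE + CHECK_SIG_OFFSET)  /* ramdisk bytes land on check_sig() */
#define BENIGN_RAMDISK_ADDR  0x82200000u                      /* ordinary placement in RAM        */

#define VERDICT_VULNERABLE_LOADS 1   /* bitmask verdict for one header; -1 if it does not parse */
#define VERDICT_HARDENED_LOADS   2
#define VERDICT_HITS_CHECK_SIG   4
int placement_verdict(uint32_t ramdisk_addr) {
    uint8_t raw[BOOT_HDR_BYTES];
    struct boot_img_hdr h;
    build_header(raw, ramdisk_addr);
    if (!parse_boot_header(raw, sizeof raw, &h)) return -1;
    return (vulnerable_accepts_placement(&h) ? VERDICT_VULNERABLE_LOADS : 0)
         | (hardened_accepts_placement(&h)   ? VERDICT_HARDENED_LOADS   : 0)
         | (segment_covers_check_sig(h.ramdisk_addr, h.ramdisk_size) ? VERDICT_HITS_CHECK_SIG : 0);
}

int main(void) {
    printf("crafted header verdict: %d (vulnerable loader accepts, ramdisk lands on check_sig)\n", placement_verdict(CRAFTED_RAMDISK_ADDR));
    printf("benign  header verdict: %d (both loaders accept, check_sig untouched)\n", placement_verdict(BENIGN_RAMDISK_ADDR));
    return 0;
}
```

The point of the comparison is that the crafted header is entirely well-formed: magic, sizes and page size all pass, and only a check that treats the header’s addresses as untrusted input rejects it. A real fix also has to be applied before any bytes are copied, since once the copy into the bootloader’s own region has happened there is nothing left to run the check.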

Rosenberg offers a tool that works around the bootloader’s signature check. That said, it is not an easy process, so we recommend waiting until other hackers build simpler solutions on top of his work. His FAQ says as much:

This all seems complicated. What about a step-by-step guide?

These tools are primarily intended for developers, who will be able to use them and provide ordinary users with easy ways to flash custom ROMs. Be patient, I’m sure your favorite ROM developer will come up with something for you.

If you’re still interested, head to this thread over at XDA Developers. All the files you need are hosted on GitHub.

Top Image Credit: Greg Wood / Getty Images
