loki_tool/README.txt - LeafOS-Devices/android_hardware_samsung - Gitiles


 WARNING:

 This project is no longer actively maintained, because the vulnerability that
 it leverages was patched several years ago. No new updates will be provided.
 The current codebase will remain here for reference purposes.


 =============================
 Loki
 by Dan Rosenberg (@djrbliss)
 =============================

 Loki is a set of tools for creating and flashing custom kernels and recoveries
 on the AT&T and Verizon branded Samsung Galaxy S4, the Samsung Galaxy Stellar,
 and various locked LG devices. For an explanation of how the exploit works,
 please see the technical blog post at:

 http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

 Devices must be rooted in order to flash custom kernels and recoveries.

 loki_tool:
 [patch] option is primarily intended for developers to create custom
 kernels and recoveries. It's designed to take a specific aboot image and an
 unmodified boot or recovery image, and it generates an output image in a new
 file format, ".lok". The resulting .lok image is specifically tailored for the
 device build it was created with, and can be flashed directly to the recovery
 or boot partition on the target device.

 [flash] option can be used to flash a .lok image to an actual device.
 It will verify that the provided .lok image is safe to flash for a given target
 and then perform the flashing if validation is successful. It is also possible
 to simply use "dd" to flash a .lok image directly to the boot or recovery partition,
 but using [flash] option is recommended in order to validate that the .lok matches
 the target device.


 =============
 Sample usage
 =============

 First, a developer must pull the aboot image from a target device:


 dan@pc:~$ adb shell
 shell@android:/ $ su
 shell@android:/ # dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/data/local/tmp/aboot.img
 shell@android:/ # chmod 644 /data/local/tmp/aboot.img
 shell@android:/ # exit
 shell@android:/ $ exit
 dan@pc:~$ adb pull /data/local/tmp/aboot.img
 3293 KB/s (2097152 bytes in 0.621s)


 Next, a .lok image can be prepared using loki_tool [patch]:


 dan@pc:~$ loki_tool patch
 Usage: ./loki_tool [patch] [boot|recovery] [aboot.img] [in.img] [out.lok]
 dan@pc:~$ loki_tool patch recovery aboot.img cwm.img cwm.lok
 [+] Detected target AT&T build JDQ39.I337UCUAMDB or JDQ39.I337UCUAMDL
 [+] Output file written to cwm.lok


 Finally, the .lok image can be flashed using loki_tool [flash]:


 dan@pc:~$ adb push cwm.lok /data/local/tmp
 dan@pc:~$ adb push loki_tool /data/local/tmp
 dan@pc:~$ adb shell
 shell@android:/ $ su
 shell@android:/ # chmod 755 /data/local/tmp/loki_tool
 shell@android:/ # /data/local/tmp/loki_tool
 Usage: /data/local/tmp/loki_tool [flash] [boot|recovery] [in.lok]
 shell@android:/ # /data/local/tmp/loki_tool flash recovery /data/local/tmp/cwm.lok
 [+] Loki validation passed, flashing image.
 2253+1 records in
 2253+1 records out
 9230848 bytes transferred in 0.656 secs (14071414 bytes/sec)
 [+] Loki flashing complete!

	WARNING:

	This project is no longer actively maintained, because the vulnerability that
	it leverages was patched several years ago. No new updates will be provided.
	The current codebase will remain here for reference purposes.


	=============================
	Loki
	by Dan Rosenberg (@djrbliss)
	=============================

	Loki is a set of tools for creating and flashing custom kernels and recoveries
	on the AT&T and Verizon branded Samsung Galaxy S4, the Samsung Galaxy Stellar,
	and various locked LG devices. For an explanation of how the exploit works,
	please see the technical blog post at:

	http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

	Devices must be rooted in order to flash custom kernels and recoveries.

	loki_tool:
	[patch] option is primarily intended for developers to create custom
	kernels and recoveries. It's designed to take a specific aboot image and an
	unmodified boot or recovery image, and it generates an output image in a new
	file format, ".lok". The resulting .lok image is specifically tailored for the
	device build it was created with, and can be flashed directly to the recovery
	or boot partition on the target device.

	[flash] option can be used to flash a .lok image to an actual device.
	It will verify that the provided .lok image is safe to flash for a given target
	and then perform the flashing if validation is successful. It is also possible
	to simply use "dd" to flash a .lok image directly to the boot or recovery partition,
	but using [flash] option is recommended in order to validate that the .lok matches
	the target device.


	=============
	Sample usage
	=============

	First, a developer must pull the aboot image from a target device:


	dan@pc:~$ adb shell
	shell@android:/ $ su
	shell@android:/ # dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/data/local/tmp/aboot.img
	shell@android:/ # chmod 644 /data/local/tmp/aboot.img
	shell@android:/ # exit
	shell@android:/ $ exit
	dan@pc:~$ adb pull /data/local/tmp/aboot.img
	3293 KB/s (2097152 bytes in 0.621s)


	Next, a .lok image can be prepared using loki_tool [patch]:


	dan@pc:~$ loki_tool patch
	Usage: ./loki_tool [patch] [boot\|recovery] [aboot.img] [in.img] [out.lok]
	dan@pc:~$ loki_tool patch recovery aboot.img cwm.img cwm.lok
	[+] Detected target AT&T build JDQ39.I337UCUAMDB or JDQ39.I337UCUAMDL
	[+] Output file written to cwm.lok


	Finally, the .lok image can be flashed using loki_tool [flash]:


	dan@pc:~$ adb push cwm.lok /data/local/tmp
	dan@pc:~$ adb push loki_tool /data/local/tmp
	dan@pc:~$ adb shell
	shell@android:/ $ su
	shell@android:/ # chmod 755 /data/local/tmp/loki_tool
	shell@android:/ # /data/local/tmp/loki_tool
	Usage: /data/local/tmp/loki_tool [flash] [boot\|recovery] [in.lok]
	shell@android:/ # /data/local/tmp/loki_tool flash recovery /data/local/tmp/cwm.lok
	[+] Loki validation passed, flashing image.
	2253+1 records in
	2253+1 records out
	9230848 bytes transferred in 0.656 secs (14071414 bytes/sec)
	[+] Loki flashing complete!