Saturday, May 19, 2012

Samsung Galaxy S III Rooted By Chainfire

Even though the device hasn't even hit the street, noted Android developer Chainfire has obtained root on the Samsung Galaxy S III. Chainfire doesn't actually have the device in hand, so don't start berating him with questions on that matter. Rather, he got root on a firmware build that was leaked to him, and has a few juicy tidbits to share with everyone.


It appears that the Galaxy S III isn't going to be locked down in any significant way. All Chainfire had to do was repackage the kernel with a modified adb binary and install SuperUser manually. Samsung chose to use the standard boot.img kernel format as well; previous Samsung phones used the zImage kernel format, which is much harder to modify. There is a recovery partition in this firmware, which should allow recoveries to be flashed separately from the kernel. There is, however, a counter in the bootloader that detects the modified kernel, but that is par for the course on Samsung devices and doesn't negatively affect things.



Chainfire, a very well-known developer, has already rooted the device. In case you are inclined to doubt him, he has a long track record of rooting Samsung devices quickly and often. He has also released a statement, reproduced below:
Unfortunately, I am not able to share the “insecure” kernel with you at the moment, because of fears it is traceable to the leaker (this is said to be the last traceable firmware revision).
This root is, as expected, trivial. It was a simple matter of repacking the stock kernel, with a modified adbd binary that thinks ro.secure=0 (even if ro.secure=1). This gives access to all adb root commands (see screenshots). Then SuperSU was installed manually.
Kernel
The modification was trivial, because this time around, Samsung is using the standard boot.img format, instead of the zImage format used for SGS1, SGS2, SGNote, etc, that is much harder to repackage.
This is also why I don’t feel particularly bad about not giving you the insecure kernel – any serious dev on this board can do the same thing in 10 minutes.
Recovery
The recovery partition is also being used this time around. And thus we can flash recoveries separately from the kernel.
Bootloaders
There was no warning triangle at boot-up after flashing the modified kernel, but download mode did show a custom kernel flash counter which increased. Whether or not flashing a custom recovery also triggers this counter is as of yet unknown.
Final note
This was all tested on a current (release candidate) SGS3 firmware. There may be a newer firmware on true retail/production devices. Though some things may change, it is unlikely to change much. Let’s hope nothing :)
Also, Triangle Away did not work. They have hidden the boot partitions again as on the latest SGNote firmwares.
(No, I don’t have an SGS3 yet, everything was done remotely)
Now, everybody say thanks to Samsung! I don’t always agree with them, but so far they have been the first and IMHO still are the only high-end Android OEM who aren’t complete douchebags in the unlock department!
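The boot.img format that the article and Chainfire's note both point to has a small fixed header followed by page-aligned kernel, ramdisk and second-stage sections, plus a 32-byte id field that mkbootimg fills with a SHA-1 over those sections. The following is an added example, not code from the article or from Chainfire: the header layout follows AOSP's bootimg.h (version 0), while the kernel bytes, ramdisk bytes, command line and load addresses are constructed placeholders. It parses such an image with bounds checks, recomputes the id, and shows why that field catches accidental corruption but not a deliberate repack: whoever rebuilds the image simply recomputes it, so only a check performed by the bootloader itself, like whatever drives the custom-kernel flash counter Chainfire observed in download mode, can tell a modified kernel from a stock one.

```python
"""Parse an Android boot.img (header version 0) and check its built-in id.
Added example; layout follows AOSP bootimg.h, sample data is constructed."""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512], id[32]
HDR_FMT = "<8s10I16s512s32s"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 608 bytes; the header occupies one page


def _pad(data: bytes, page_size: int) -> bytes:
    """Pad a section out to a whole number of pages, as mkbootimg does."""
    return data + b"\0" * (-len(data) % page_size)


def compute_id(kernel: bytes, ramdisk: bytes, second: bytes) -> bytes:
    """SHA-1 over each section followed by its little-endian length, zero-padded
    to 32 bytes.  Mirrors mkbootimg's id field: a checksum, not a signature."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")


def build_boot_img(kernel: bytes, ramdisk: bytes, second: bytes = b"",
                   page_size: int = 2048, cmdline: bytes = b"") -> bytes:
    """Assemble a boot.img: header page, then kernel, ramdisk and second stage,
    each padded to page_size.  The load addresses are constructed placeholders."""
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC,
                      len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                      len(second), 0x10F00000, 0x10000100, page_size, 0, 0,
                      b"", cmdline, compute_id(kernel, ramdisk, second))
    return b"".join(_pad(part, page_size)
                    for part in (hdr, kernel, ramdisk, second))


def parse_boot_img(image: bytes) -> dict:
    """Split a boot.img into header fields and raw sections, with bounds checks
    so a hostile header cannot make the parser read past the image."""
    if len(image) < HDR_SIZE or image[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    fields = struct.unpack(HDR_FMT, image[:HDR_SIZE])
    (_, kernel_size, _, ramdisk_size, _, second_size, _, _,
     page_size, _, _, name, cmdline, img_id) = fields
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"invalid page size {page_size}")
    info = {"page_size": page_size,
            "name": name.rstrip(b"\0"),
            "cmdline": cmdline.rstrip(b"\0"),
            "id": img_id}
    offset = page_size  # the header always occupies exactly one page
    for label, size in (("kernel", kernel_size),
                        ("ramdisk", ramdisk_size),
                        ("second", second_size)):
        if offset + size > len(image):
            raise ValueError(f"{label} section runs past end of image")
        info[label] = image[offset:offset + size]
        offset += -(-size // page_size) * page_size  # round up to a page boundary
    return info


def verify_id(info: dict) -> bool:
    """True when the header's id matches the sections actually present."""
    return compute_id(info["kernel"], info["ramdisk"], info["second"]) == info["id"]


def demo() -> dict:
    """Run the check on a constructed image, a copy with one ramdisk byte
    flipped, and a repacked copy whose id was recomputed after the change."""
    kernel = b"CONSTRUCTED-KERNEL-" * 200    # stands in for a zImage
    ramdisk = b"CONSTRUCTED-RAMDISK-" * 50   # stands in for the gzipped cpio
    stock = build_boot_img(kernel, ramdisk, cmdline=b"console=ttySAC2,115200")
    stock_info = parse_boot_img(stock)

    # Corrupt the first ramdisk byte without touching the header.
    page = stock_info["page_size"]
    start = page * (1 + -(-len(kernel) // page))
    tampered = bytearray(stock)
    tampered[start] ^= 0xFF
    tampered_info = parse_boot_img(bytes(tampered))

    # A repack recomputes the id, so the modified image passes this check again.
    repacked = build_boot_img(kernel, tampered_info["ramdisk"],
                              cmdline=stock_info["cmdline"])
    repacked_info = parse_boot_img(repacked)

    return {"stock_ok": verify_id(stock_info),
            "tampered_ok": verify_id(tampered_info),
            "repacked_ok": verify_id(repacked_info),
            "repacked_matches_stock_id": repacked_info["id"] == stock_info["id"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the four outcomes: the stock image verifies, the byte-flipped copy fails, and the repacked copy verifies again with a different id. A stock id recorded from a known-good firmware is therefore a useful fingerprint for telling images apart, but not evidence that an image is unmodified.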

Chainfire has decided against releasing the insecure kernel for the time being. He worries that the build he is working with could be traced back to the individual that leaked it. Additionally, this was all done with release candidate software, and things could technically change in the final firmware for devices. Carrier-specific versions of the Galaxy S III might also be more locked down.


Sid Goswami is a tech enthusiast. Besides being an avid Android fan and blogger, Sid wants to be a photographer and a designer. He can usually be found reading blogs or taking photos. He is a student and a PHP web developer.