Security researcher Dan Rosenberg says he has found a “design flaw” in Samsung’s secure boot implementation for the Galaxy S4. When exploited, the flaw lets the owner of the device install an operating system other than the Android build Samsung ships.
The S4, which has already passed 10 million channel sales one month after launch, comes in a variety of models, most of which include an unlocked bootloader. This means most S4 owners can flash custom kernels and make other modifications to the software on their own devices.
The AT&T and Verizon versions, however, ship with a locked bootloader. Rosenberg has analysed that bootloader and found a vulnerability that lets users bypass it. As a result, S4 owners on the two largest US carriers could run custom, unsigned kernels and recovery images, just like their peers on other models.
Samsung’s secure boot only lets the device boot kernels that carry the company’s RSA-2048 signature. Forging such a signature would require either Samsung’s private key or factoring a 2048-bit modulus, which is well beyond any publicly available computing power, so Rosenberg had to sidestep the check rather than defeat the cryptography.
Rosenberg says he reverse engineered Samsung’s bootloader to find where it copies the kernel into memory before running the signature check. That load address is supplied by the boot image itself and is never validated, so it can be chosen such that the copy lands on top of the bootloader’s own code and overwrites its check_sig() function before the bootloader calls it. What runs at that point is whatever the image put there, so no valid signature is ever required.
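The following is an added example, not Rosenberg’s tool or Samsung’s bootloader code. It models the flaw described above: a loader parses the Android boot image header (the real header layout, magic “ANDROID!” followed by little-endian size and address fields), copies the kernel to the address the header names, and only then calls check_sig(). If that copy overlaps the bootloader’s own code, the check never runs. The memory map (bootloader region, check_sig() address, kernel window) is invented for illustration, and the signature check is a stub that always fails, so the only route to a boot is the overwrite. The hardened path adds the missing range check, written so that addr + size cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Android boot image header, leading fields only (all little-endian). The
   kernel_addr field is written by whoever builds the image, which is what
   makes it attacker-controlled on a device with a locked bootloader. */
#define BOOT_MAGIC      "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define HDR_LEN         40   /* magic + 8 x uint32_t */

struct boot_hdr {
    uint32_t kernel_size, kernel_addr;
    uint32_t ramdisk_size, ramdisk_addr;
    uint32_t second_size, second_addr;
    uint32_t tags_addr, page_size;
};

/* Assumed, illustrative memory map (not the S4's real layout): where the
   bootloader lives, where its check_sig() sits inside that region, and the
   DRAM window a kernel is supposed to be loaded into. */
#define BL_BASE         0x0F900000u
#define BL_END          0x0FA00000u
#define CHECK_SIG_ADDR  0x0F912340u
#define KERNEL_WIN_BASE 0x80000000u
#define KERNEL_WIN_END  0x88000000u

enum boot_result { BOOT_BAD_IMAGE, BOOT_BAD_ADDR, BOOT_BAD_SIG, BOOT_BYPASSED, BOOT_OK };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static bool parse_hdr(const uint8_t *img, size_t len, struct boot_hdr *h) {
    if (len < HDR_LEN || memcmp(img, BOOT_MAGIC, BOOT_MAGIC_SIZE) != 0) return false;
    const uint8_t *f = img + BOOT_MAGIC_SIZE;
    h->kernel_size  = rd32(f + 0);  h->kernel_addr  = rd32(f + 4);
    h->ramdisk_size = rd32(f + 8);  h->ramdisk_addr = rd32(f + 12);
    h->second_size  = rd32(f + 16); h->second_addr  = rd32(f + 20);
    h->tags_addr    = rd32(f + 24); h->page_size    = rd32(f + 28);
    return true;
}

/* Does [addr, addr+size) touch [lo, hi)? Uses subtraction so a huge size
   cannot wrap addr + size around to a small value. */
static bool range_overlaps(uint32_t addr, uint32_t size, uint32_t lo, uint32_t hi) {
    if (size == 0 || addr >= hi) return false;
    if (addr >= lo) return true;      /* starts inside the target range */
    return size > lo - addr;          /* starts below it: does the copy reach lo? */
}

/* The missing check: the copy must lie entirely inside the kernel window. */
bool load_addr_ok(uint32_t addr, uint32_t size) {
    if (size == 0 || addr < KERNEL_WIN_BASE || addr >= KERNEL_WIN_END) return false;
    return size <= KERNEL_WIN_END - addr;   /* no wrap: addr < KERNEL_WIN_END */
}

/* Stand-in for the RSA-2048 check: nothing built here carries a Samsung
   signature, so a faithful check_sig() always rejects. */
static bool check_sig(const struct boot_hdr *h) { (void)h; return false; }

static enum boot_result simulate_boot(const uint8_t *img, size_t len, bool validate_addr) {
    struct boot_hdr h;
    if (!parse_hdr(img, len, &h)) return BOOT_BAD_IMAGE;
    if (validate_addr && !load_addr_ok(h.kernel_addr, h.kernel_size)) return BOOT_BAD_ADDR;
    /* The kernel is copied to kernel_addr BEFORE check_sig() is called. If
       that copy covered check_sig() itself, the routine invoked next is
       whatever the image placed there; the genuine check never executes. */
    if (range_overlaps(h.kernel_addr, h.kernel_size, CHECK_SIG_ADDR, CHECK_SIG_ADDR + 1))
        return BOOT_BYPASSED;
    return check_sig(&h) ? BOOT_OK : BOOT_BAD_SIG;
}

/* Constructed boot image: header only, since the model never reads the payload. */
static size_t make_image(uint8_t *buf, size_t cap, uint32_t kaddr, uint32_t ksize) {
    if (cap < HDR_LEN) return 0;
    memset(buf, 0, HDR_LEN);
    memcpy(buf, BOOT_MAGIC, BOOT_MAGIC_SIZE);
    uint8_t *f = buf + BOOT_MAGIC_SIZE;
    wr32(f + 0, ksize); wr32(f + 4, kaddr);
    wr32(f + 12, 0x81000000u);   /* ramdisk_addr, unused by this model */
    wr32(f + 28, 2048);          /* page_size */
    return HDR_LEN;
}

/* malicious: aim the 4 MiB "kernel" so the copy runs over check_sig();
   benign: a normal load address inside the kernel window. */
enum boot_result run_case(bool malicious, bool validate_addr) {
    uint8_t img[HDR_LEN];
    uint32_t addr = malicious ? CHECK_SIG_ADDR - 0x100u : 0x80008000u;
    size_t n = make_image(img, sizeof img, addr, 0x400000u);
    return simulate_boot(img, n, validate_addr);
}

int main(void) {
    static const char *names[] = { "bad image", "bad load address", "bad signature", "check_sig overwritten", "ok" };
    printf("benign,    unchecked loader: %s\n", names[run_case(false, false)]);
    printf("malicious, unchecked loader: %s\n", names[run_case(true,  false)]);
    printf("malicious, hardened loader:  %s\n", names[run_case(true,  true)]);
    return 0;
}
```

The point of the range check is that the loader, not the image, decides where a copy may land: anything outside the kernel window, including the bootloader’s own text, is refused before a single byte is written.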
Rosenberg has published a tool that automates the bypass. That said, it is not an easy process, so we recommend waiting until other developers build simpler solutions on top of his work.
Either way, if you’re interested, head to this thread over at XDA Developers. All the files you need are hosted on GitHub.