[Replicant] backup stock ROM without root

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Mon Sep 10 15:03:59 UTC 2018


On Sun, 09 Sep 2018 09:17:52 +0000
Fil Lupin <fillupin at protonmail.com> wrote:

> Hello,
> After searching, I did not find any method working on all devices to
> allow backing up a device's partitions without flashing it to get
> root.
Could you add a summary of your research on the wiki?

> Moreover, I found several posts assuring this is not possible
> for GT-I9300
At the beginning of Replicant, I also had a lot of comments on Android
IRC channels telling me that what I was trying to do (replace the HTC
Dream nonfree libraries with free software) was impossible.

> (see B.6. in
> https://forum.xda-developers.com/showthread.php?t=723596).
I didn't find anything stating that in B.6.

> On GT-I9300 (Samsung Galaxy S3), it seems the only way to get root is
> to flash recovery partition.
There is a bootloader exploit with a hello world (helloworld.c) in
git://github.com/oranav/i9300_emmc_toolbox.git that gives you code
execution at the bootloader level. Besides that I didn't do enough
research on rooting to have something tangible, but I know that some
have source code.

> First step should then be to get a
> recovery partition which will not harm the device before installing
> it on device. What I mean here is one should not only check the
> integrity of the downloaded file by checking the MD5 signature but also
> check that the recovery partition will do what it is made for and only
> this.
MD5 checksums are broken. And checksums only tell you that the file
you downloaded (for instance the recovery image) matches the checksum
that you check against.

To get better assurance that the file you downloaded really comes from
the developers you could rely on either or both:
- Your TLS connection, assuming that the developer(s) control the
  website they distribute the recovery from.
- detached GPG signature files, which enable you to check that the
  file you downloaded really comes from the developers.

> Some websites allow downloading firmware but I do not know how to
> guarantee the authenticity of those firmwares. Since I am not an expert, I
> hope someone can let me know how to do this.
I've no idea besides comparing them with the stock device images that
you dumped yourself. If the websites publish hashes of the images, it
could enable people to check it way more easily.

At the end of the day I don't see many use cases for making a backup of
the i9300 recovery: All devices are most probably out of warranty from
Samsung by now. As for the warranties of the shops selling it second
hand, they often already have TWRP or similar.

There may be cases where it might be interesting to run the stock OS
on it to test things or to understand how the stock RIL works, but so
far all that could also be done with Cyanogenmod or LineageOS.

Assuming you really need a valid recovery because you need to run the
stock OS, and it complains about you using a wrong recovery, you could
still try dodgy recoveries and look if it still complains.

If the stock OS is able to somehow check the integrity of the recovery,
there might be a way to find how to do it ourselves. The Bootloader
might also do that, in that case it's probably way easier to do it
ourselves.

However if you manage to backup all the other partitions without
erasing the user data partition, in a way that is easy enough for users
to do, and doesn't require running nonfree or dodgy apks, it could enable
people to backup their data (but not the recovery) and be able to
migrate to Replicant without losing all their data.

If you manage to build a free software root exploit that works on
some Replicant compatible devices, then it should be fairly easy to
modify the source code to backup the recovery and enable users to do a
full backup.

Alternatively you could try to use the bootloader exploit to run u-boot
or something like that. There is someone working on porting u-boot to
the i9300. When USB support is ready for u-boot, you could try to
run this command to export the eMMC over USB:

    ums 0 mmc 0

or this one:

    ums 0 mmc 1

Both paths require some work but it would be very beneficial as users
could way more easily migrate their data.

Denis.
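The two checks Denis recommends above (a checksum for integrity, a detached GPG signature for authenticity) put into a script, as an added example that is not part of the original post or of any Replicant tooling. The file names (recovery.img, SHA256SUMS, recovery.img.asc, developers.gpg) and the checksum-file format are assumptions made for the example; it uses SHA-256 rather than the broken MD5, and gpgv so that a signature only counts if it was made by a key in the keyring you supply:

```shell
#!/bin/sh
# Verify a downloaded recovery image before it goes anywhere near a device.
# Two independent checks:
#   1. SHA-256 checksum: proves the bytes you have are the bytes the checksum
#      file describes (integrity). If the checksum file came from the same
#      web server as the image, it says nothing about who published them.
#   2. Detached OpenPGP signature, checked with gpgv against a keyring that
#      holds ONLY the developers' public key(s) (authenticity).
# Assumed file layout (constructed for this example, not Replicant's):
#   recovery.img            the image
#   SHA256SUMS              lines of "<hex digest>  <file name>"
#   recovery.img.asc        detached signature over recovery.img
#   developers.gpg          binary OpenPGP keyring with the signing key(s)

# verify_checksum IMAGE SUMFILE
# Returns 0 when IMAGE's SHA-256 matches its entry in SUMFILE, 1 otherwise.
verify_checksum() {
    image=$1
    sumfile=$2
    name=$(basename "$image")
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "checksum: no entry for $name in $sumfile" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum: MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "checksum: OK ($name)"
}

# verify_signature IMAGE SIGFILE KEYRING
# gpgv has no web of trust and no default keyring: a signature is good only
# if it was made by a key present in KEYRING, so obtain that file from a
# source you trust (e.g. a fingerprint confirmed out of band), not from the
# download page itself.
verify_signature() {
    image=$1
    sigfile=$2
    keyring=$3
    if gpgv --keyring "$keyring" "$sigfile" "$image" 2>/dev/null; then
        echo "signature: OK ($(basename "$image"))"
    else
        echo "signature: BAD or unknown key for $(basename "$image")" >&2
        return 1
    fi
}

# verify_recovery_image IMAGE SUMFILE SIGFILE KEYRING
# Both checks must pass; the checksum runs first because it is cheap and
# reports a truncated download more clearly than a failed signature would.
verify_recovery_image() {
    verify_checksum "$1" "$2" || return 1
    verify_signature "$1" "$3" "$4" || return 1
    echo "image verified: $(basename "$1")"
}

# Usage as a script:
#   verify.sh recovery.img SHA256SUMS recovery.img.asc developers.gpg
if [ "$#" -eq 4 ]; then
    verify_recovery_image "$@"
fi
```

The checksum line is worth keeping even though it proves less than the signature: a download cut short by the network fails there with a readable "expected/actual" message instead of an opaque bad-signature result, and a checksum published on a second channel (a signed announcement mail, a wiki page over TLS) is the cheapest cross-check available when a project does not sign its images.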