OG KILLA J3 PRIME T1 ROOT METRO PCS VARIANT

#1



WE HAVE BYPASSED KNOX GENTLEMEN WELCOME TO FIGHT CLUB


RULES
1. WE DO NOT TALK ABOUT FIGHT CLUB

#2
Coincidentally, I was discussing rooting the Samsung Galaxy J1 yesterday in [link].

I'm curious whether this can be manipulated to accommodate it.

#3
After reading the XDA post, and getting an unsolicited PM from OP, I don't really understand why this deserves any recognition at all.

Basically the obstacle here is that Samsung included a single security feature on the device (as opposed to the many dozens that non-Android devices usually include), and therefore the average 11 year old couldn't just make a zip file and "root" it. This single security feature came in the form of an on-CPU EPROM, the same feature used on a Raspberry Pi or an iPhone. When the device powers on, the entire contents of this ROM are moved to memory and then jumped to. After this, the code then loads the "bootloader" image, runs a signature check on it, and if the signature matches Samsung's signature, it runs the code, which eventually boots the device.

The "method" the "devs" used to bypass this security actually didn't bypass it at all; it just exploited the serious uselessness of Samsung and their affiliates. All they did was run a few Google searches for the engineering (usually for factory tests) firmware, which I managed to find a copy of (dated long before the XDA post was written) in about 70 seconds. After that, they just took advantage of factory-used binaries that were present in the non-production firmware to modify the filesystem (which was still unsecured).

This is actually pretty similar to what was going on in the iPhone jailbreak scene circa 2008. Many times back then, things were overlooked or just outright left in because the engineers didn't see them as a risk. One of the earliest examples (2006/7) was the cp command being left in the restore mode firmware, allowing you to push custom files to the device, ultimately allowing you to modify the USB access permissions.

After that, things got more difficult. To date, the pre-kernel chain of trust has only been broken 5 times in the course of 12 years. It's nice to see that Samsung is actually starting to put security features on their devices, but they're still 10 years behind.
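The chain of trust phyrrus9 describes (an on-die ROM with a burned-in vendor key that signature-checks the bootloader before jumping to it), as an added Go model that is not code from this thread or from Samsung. It assumes a constructed Ed25519 vendor key and a simplified image header, and shows why a signature check alone happily boots vendor-signed engineering firmware, while a build-type and anti-rollback policy in the ROM refuses it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Image is a simplified signed bootloader image: a small header plus the payload.
type Image struct {
	BuildType string // "user" = production build, "eng" = factory/engineering build
	Version   uint32 // anti-rollback index
	Payload   []byte
	Sig       []byte // vendor signature over signedBytes(img)
}

// signedBytes is what the vendor key signs; covering the header binds build type and version.
func signedBytes(img *Image) []byte {
	v := make([]byte, 4)
	binary.BigEndian.PutUint32(v, img.Version)
	return append(append([]byte(img.BuildType+"\x00"), v...), img.Payload...)
}

// BootROM models the on-die ROM: a burned-in vendor public key plus fuse-backed policy.
type BootROM struct {
	VendorKey     ed25519.PublicKey
	MinVersion    uint32
	EnforcePolicy bool // false = "signature only", the situation the post describes
}

// Verify is the check the ROM runs before jumping into the bootloader image.
// It returns "" when the image may boot, otherwise the reason it was refused.
func (r *BootROM) Verify(img *Image) string {
	if !ed25519.Verify(r.VendorKey, signedBytes(img), img.Sig) {
		return "signature invalid"
	}
	if r.EnforcePolicy && (img.BuildType != "user" || img.Version < r.MinVersion) {
		return "vendor-signed, but refused by build-type/anti-rollback policy"
	}
	return ""
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key, not Samsung's
	eng := &Image{BuildType: "eng", Version: 1, Payload: []byte("factory-test bootloader")}
	eng.Sig = ed25519.Sign(priv, signedBytes(eng)) // a genuinely vendor-signed engineering build
	fmt.Printf("signature-only ROM: %q\n", (&BootROM{VendorKey: pub}).Verify(eng))
	fmt.Printf("policy ROM: %q\n", (&BootROM{VendorKey: pub, MinVersion: 2, EnforcePolicy: true}).Verify(eng))
}
```

Editing the header to claim "user" breaks the signature, so the policy has to be enforced by the ROM itself rather than trusted from the image.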

#4
Is it like a partition or something???

Quote: (08-08-2018, 02:43 PM) phyrrus9 Wrote:

After reading the XDA post, and getting an unsolicited PM from OP, I don't really understand why this deserves any recognition at all.

Basically the obstacle here is that Samsung included a single security feature on the device (as opposed to the many dozens that non-Android devices usually include), and therefore the average 11 year old couldn't just make a zip file and "root" it. This single security feature came in the form of an on-CPU EPROM, the same feature used on a Raspberry Pi or an iPhone. When the device powers on, the entire contents of this ROM are moved to memory and then jumped to. After this, the code then loads the "bootloader" image, runs a signature check on it, and if the signature matches Samsung's signature, it runs the code, which eventually boots the device.

The "method" the "devs" used to bypass this security actually didn't bypass it at all; it just exploited the serious uselessness of Samsung and their affiliates. All they did was run a few Google searches for the engineering (usually for factory tests) firmware, which I managed to find a copy of (dated long before the XDA post was written) in about 70 seconds. After that, they just took advantage of factory-used binaries that were present in the non-production firmware to modify the filesystem (which was still unsecured).

This is actually pretty similar to what was going on in the iPhone jailbreak scene circa 2008. Many times back then, things were overlooked or just outright left in because the engineers didn't see them as a risk. One of the earliest examples (2006/7) was the cp command being left in the restore mode firmware, allowing you to push custom files to the device, ultimately allowing you to modify the USB access permissions.

After that, things got more difficult. To date, the pre-kernel chain of trust has only been broken 5 times in the course of 12 years. It's nice to see that Samsung is actually starting to put security features on their devices, but they're still 10 years behind.

#5
Yeah, as with phyrrus, it's not a huge deal. I know a few people have managed to do this already; it's just a matter of being able to get in and mess with the filesystem, which isn't all locked down as it should be.

It's useful for those with these devices, but overall it isn't a massive thing to have occur.

© 0Day 2016 - 2023 | All Rights Reserved.