by herokusaki 4401 days ago
The bounty only explicitly mentions stock firmware but it is implied that the exploit should also not require disassembling your device and messing with its hardware. This makes me wonder: would a hardware exploit be easier? Modchips have been a staple of the console scene since at least the original PlayStation but I am unaware of their use in smartphones.
3 comments

I'm not familiar with the S5 in particular but in principle I think all you need to do is get direct write access to the filesystem and you can write whatever firmware you want, so being able to read/write the eMMC directly should be enough --- provided it's not been encrypted/password protected/etc. Correct me if I'm wrong.
On most (if not all), the "firmware" is under the /system partition. That partition is mounted as read-only. You need root to remount it as r/w.

AFAIK, rooting exploits in the past took advantage of buffer overflows and remote code exploits to execute code at raised privilege levels. Nowadays, that's also difficult since past vulnerabilities have been fixed and because of the proliferation of SELinux.

JTAG is usually an extremely effective way of breaking into the phone, but it's usually used as a first step in reverse engineering rather than for the end-user.

Of course, some phones (Apple) are glued shut which prevents end-user modding.
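An added example, not part of the thread above, of the check the /system comment implies: before assuming you can write firmware, look at /proc/mounts and confirm whether /system is actually mounted read-only. The mount table below is constructed to look like a stock Android device and is not captured from a real S5; the helper names (mount_flags, is_readonly) are this example's own.

```shell
#!/bin/sh
# Added example: report whether a mount point (e.g. /system) is mounted read-only.
# SAMPLE_MOUNTS is a constructed /proc/mounts snapshot, not taken from a real device.
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0'

# mount_flags MOUNTPOINT [MOUNTS_TEXT]
# Prints the option column (4th field) of the first /proc/mounts line whose
# mount point (2nd field) matches MOUNTPOINT. Reads /proc/mounts if no text given.
mount_flags() {
    mp=$1
    text=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { print $4; exit }'
}

# is_readonly MOUNTPOINT [MOUNTS_TEXT]
# Exit status: 0 = mounted read-only, 1 = mounted read-write, 2 = not mounted.
# The option list is wrapped in commas so "ro" only matches as a whole flag,
# not as part of an option such as "errors=remount-ro".
is_readonly() {
    flags=$(mount_flags "$1" "$2")
    [ -z "$flags" ] && return 2
    case ",$flags," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage against the constructed table. On a real device you would drop the
# second argument; remounting (mount -o remount,rw /system) needs root.
if is_readonly /system "$SAMPLE_MOUNTS"; then
    echo "/system is read-only in the sample table; writing firmware there needs a root remount"
fi
```

Running it against a real device without the second argument reads the live /proc/mounts; the exit code lets a script branch on ro/rw/absent rather than grepping for "ro" loosely, which would also match options like "errors=remount-ro".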

iPhones aren't glued shut (though the battery is glued down in the newest one): http://www.ifixit.com/Teardown/iPhone+5s+Teardown/17383

You may be thinking about the HTC One, which is almost impossible to disassemble without destroying it (though this has improved a bit in the M8).

It's such a small form factor, a phone. I don't think many people would be willing to put aftermarket chips in there.