XDA Developers Android and Mobile Development Forum

A few things on knox / rooting and bootloaders that need more testing / development

ryanbg
#51
Quote:
Originally Posted by E:V:A View Post
And where is that? (Do you know what wrote it?)



Any progress? I did something similar for the SGS3, found tons of goodies. I'd like to see what you have if anything new.
Rollback protection information isn't stored in 'actual' QFPROM, but rather the RPMB. Both on Snapdragon and Exynos devices. The warranty bit is controlled by an actual hardware fuse in the MCU, while the Exynos warranty bit is also stored in the RPMB. I believe the RPMB may serve as a shadow register for all fuses also. I'm looking into the patches and ioctl for RPMB. I was dissecting an old unsigned RPMB from a Note 3 engineering build and found an 'SSD Keystore Encryption Key' and 'SSD Auth Key' within the TrustZone blob. Note I have a 160 bit key for both in plaintext, not a .key file. I'm not exactly sure if SSD is referring to the RPMB or the NAND chip itself, but it may be possible to send authenticated messages to TZ kernel/keystore. I can explain more in-depth via gtalk. We've got several theories.
 
david515
#52
Don't know if this helps anybody with MJE to MI9...

Quote:
Originally Posted by ryanbg View Post
Downgrading is limited to the flag fuse counter values. On MJE, I can downgrade to MI9 boot image and recovery. I was able to downgrade to some pre-release engineering SBL1, RPM, and TZ because they're signed and fuse counter is only 1 for those 3. It's very benign and basic to downgrade. Just use heimdall and try downgrading an individual image. If I figure out what P is, I'll be able to test if I can flash anything related to that flag. For some reason, I can downgrade to MI9 boot and recovery, but not the system.img. I'm just starting to learn a lot about the flags/fuse counters after dissecting aboot further. If you've got any more specific questions, feel free to PM me
I was able to flash from MJE modem down to MI9, but the system image is still on MJE while everything else says MI9 (don't know if that helps anyone)
 
ryanbg
#53
Quote:
Originally Posted by david515 View Post
I was able to flash from MJE modem down to MI9, but the system image is still on MJE while everything else says MI9 (don't know if that helps anyone)
The modem actually has rollback protection, but all modems seem to be '1' value.
 
david515
#54
I'm planning on investing in JTAG...

Quote:
Originally Posted by ryanbg View Post
The modem actually has rollback protection, but all modems seem to be '1' value.
I may be of some better help after I get a JTAG set up, hopefully this next week. Thank you everyone for your efforts. JTAG has been something I've been meaning to invest in for a while.
 
siraltus
#55
Quote:
Originally Posted by ryanbg View Post
Rollback protection information isn't stored in 'actual' QFPROM, but rather the RPMB. Both on Snapdragon and Exynos devices. The warranty bit is controlled by an actual hardware fuse in the MCU, while the Exynos warranty bit is also stored in the RPMB. I believe the RPMB may serve as a shadow register for all fuses also. I'm looking into the patches and ioctl for RPMB. I was dissecting an old unsigned RPMB from a Note 3 engineering build and found an 'SSD Keystore Encryption Key' and 'SSD Auth Key' within the TrustZone blob. Note I have a 160 bit key for both in plaintext, not a .key file. I'm not exactly sure if SSD is referring to the RPMB or the NAND chip itself, but it may be possible to send authenticated messages to TZ kernel/keystore. I can explain more in-depth via gtalk. We've got several theories.
SSD could stand for System Software Debug, part of the JTAG specification.
 
evilpotatoman
#56
Quote:
Originally Posted by ryanbg View Post
Rollback protection information isn't stored in 'actual' QFPROM, but rather the RPMB. Both on Snapdragon and Exynos devices. The warranty bit is controlled by an actual hardware fuse in the MCU, while the Exynos warranty bit is also stored in the RPMB. I believe the RPMB may serve as a shadow register for all fuses also. I'm looking into the patches and ioctl for RPMB. I was dissecting an old unsigned RPMB from a Note 3 engineering build and found an 'SSD Keystore Encryption Key' and 'SSD Auth Key' within the TrustZone blob. Note I have a 160 bit key for both in plaintext, not a .key file. I'm not exactly sure if SSD is referring to the RPMB or the NAND chip itself, but it may be possible to send authenticated messages to TZ kernel/keystore. I can explain more in-depth via gtalk. We've got several theories.
Create folder /sdcard/ks.license and place key files there.

May need to invoke factory mode (here's how I did it):

Boot into safe strap
advanced->terminal command
navigate to /dev/block/platform/msm_sdcc.1/by-name
open terminal
mount ./efs /efs
echo OFF > /efs/FactoryApp/factorymode
echo OFF > /efs/FactoryApp/keystr
mount ./system /system
sed -i 's/build.type=user/build.type=eng/g' /system/build.prop
sed -i 's/ship=true/ship=false/g' /system/build.prop
 
ryanbg
(Last edited by ryanbg; 16th April 2014 at 06:36 PM.)
#57  
Quote:
Originally Posted by evilpotatoman View Post
Create folder /sdcard/ks.license and place key files there.

May need to invoke factory mode (here's how I did it):

Boot into safe strap
advanced->terminal command
navigate to /dev/block/platform/msm_sdcc.1/by-name
open terminal
mount ./efs /efs
echo OFF > /efs/FactoryApp/factorymode
echo OFF > /efs/FactoryApp/keystr
mount ./system /system
sed -i 's/build.type=user/build.type=eng/g' /system/build.prop
sed -i 's/ship=true/ship=false/g' /system/build.prop
Where did you get this ks.license business? You can't tell me all this without giving me more clues
Should I just paste plaintext key and save as .key? Also, why factory mode? There's an easier way to get into it too.

update: Not quite sure what I'm looking for or doing.
 
david515
(Last edited by david515; Yesterday at 04:21 PM.) Reason: link no longer exists.
#58  
Quote:
Originally Posted by ryanbg View Post
Where did you get this ks.license business? You can't tell me all this without giving me more clues
Should I just paste plaintext key and save as .key? Also, why factory mode? There's an easier way to get into it too.

update: Not quite sure what I'm looking for or doing.
This is encouraging, check this post -- Evilpotatoman's post http://forum.xda-developers.com/show....php?t=2721505
I hope this helps you guys out.
Thank you!!
 
E:V:A
#59
Quote:
Originally Posted by david515 View Post
This is encouraging, check this post -- Evilpotatoman's post http://forum.xda-developers.com/showthread.php?t=2721505
I hope this helps you guys out. Thank you!!
That thread was DMCA yanked faster than you can say "yank".

Quote:
Originally Posted by evilpotatoman View Post
May need to invoke factory mode (here's how I did it):

Boot into safe strap
advanced->terminal command
navigate to /dev/block/platform/msm_sdcc.1/by-name
open terminal
mount ./efs /efs
echo OFF > /efs/FactoryApp/factorymode
echo OFF > /efs/FactoryApp/keystr
mount ./system /system
sed -i 's/build.type=user/build.type=eng/g' /system/build.prop
sed -i 's/ship=true/ship=false/g' /system/build.prop
This is weird. Any idea what this does?
It surely seems like you turn OFF Factory Mode and turn ON Engineering mode,
but I always thought they'd be the same. I wonder what is different.
 
Grompy
#60
Quote:
Originally Posted by E:V:A View Post
That thread was DMCA yanked faster than you can say "yank".



This is weird. Any idea what this does?
It surely seems like you turn OFF Factory Mode and turn ON Engineering mode,
but I always thought they'd be the same. I wonder what is different.

FYI, Google has the cached version from before it was mod-edited, and all the stuff is still in his Google Drive account, available for download.
