Originally Posted by ryanbg
Rollback protection information isn't stored in 'actual' QFPROM, but rather the RPMB. Both on Snapdragon and Exynos devices. The warranty bit is controlled by an actual hardware fuse in the MCU, while the Exynos warranty bit is also stored in the RPMB. I believe the RPMB may serve as a shadow register for all fuses also. I'm looking into the patches and ioctl for RPMB. I was dissecting an old unsigned RPMB from a Note 3 engineering build and found an 'SSD Keystore Encryption Key' and 'SSD Auth Key' within the TrustZone blob. Note I have a 160-bit key for both in plaintext, not a .key file. I'm not exactly sure if SSD is referring to the RPMB or the NAND chip itself, but it may be possible to send authenticated messages to TZ kernel/keystore. I can explain more in-depth via gtalk. We've got several theories.
Create folder /sdcard/ks.license and place key files there.
May need to invoke factory mode (here's how I did it):
Boot into Safestrap
navigate to /dev/block/platform/msm_sdcc.1/by-name
mount ./efs /efs
echo OFF > /efs/FactoryApp/factorymode
echo OFF > /efs/FactoryApp/keystr
mount ./system /system
sed -i 's/build.type=user/build.type=eng/g' /system/build.prop
sed -i 's/ship=true/ship=false/g' /system/build.prop
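The steps above are typed one at a time with no backup and no check that the edits took. Here is the same factory-mode / build.prop procedure as an added shell example (not the poster's code, and not from any Samsung or Safestrap tooling) that backs up build.prop before editing, verifies that both values actually changed, and can revert. It assumes the partitions are already mounted and takes the EFS mount point and the build.prop path as arguments instead of hard-coding /efs and /system; the property names and values are the ones from the post.

```shell
#!/bin/sh
# Added example: scripted version of the factory-mode steps from the post.
# Assumes the caller has already mounted the efs and system partitions by name.

set -eu

# Write OFF to the two FactoryApp flag files under the given EFS mount point.
# Returns 1 if the FactoryApp directory does not exist (wrong mount point).
set_factory_flags() {
    efs="$1"
    [ -d "$efs/FactoryApp" ] || return 1
    echo OFF > "$efs/FactoryApp/factorymode"
    echo OFF > "$efs/FactoryApp/keystr"
    return 0
}

# Flip build.type=user -> eng and ship=true -> false in build.prop,
# keeping a .bak copy so the change can be undone.
# Returns 1 if either original value is still present afterwards.
patch_build_prop() {
    file="$1"
    [ -f "$file" ] || return 1
    cp "$file" "$file.bak"
    sed -i 's/build.type=user/build.type=eng/g' "$file"
    sed -i 's/ship=true/ship=false/g' "$file"
    if grep -q 'build.type=user' "$file" || grep -q 'ship=true' "$file"; then
        return 1
    fi
    return 0
}

# Restore build.prop from the backup taken by patch_build_prop.
restore_build_prop() {
    file="$1"
    [ -f "$file.bak" ] || return 1
    mv "$file.bak" "$file"
    return 0
}

# Usage on the device (after mounting by-name partitions as in the post):
#   set_factory_flags /efs
#   patch_build_prop /system/build.prop
```

Because `patch_build_prop` refuses to report success while either original value survives, a build.prop that uses different spelling (or has already been patched) shows up as a failure instead of a silent no-op, and `restore_build_prop` puts the original back if the device misbehaves afterwards.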