
A few things on knox / rooting and bootloaders that need more testing / development

By xclub_101, Senior Member on 9th February 2014, 03:08 PM
4th February 2016, 11:54 AM |#201  
Can it be possible with S6? Because it has Exynos.
 
 
17th April 2016, 05:57 PM |#202  
toastido, Senior Member
I'm not sure if this helps, but... I now have an LG V10, and it uses the Qualcomm chipset as well. It also seems to dump qfuse registers and addresses, along with the "blow data". Since qfuse is what Sammy claims to use for Knox, I thought it might be helpful... Here's the output from my device:

Code:
[    8.990396 / 04-17 16:44:12.670][0] [QFUSE]qfusing_show start
[    8.990418 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verify_data start
[    8.990427 / 04-17 16:44:12.670][0] [QFUSE]qfprom_secdat_read start
[    8.990436 / 04-17 16:44:12.670][0] [QFUSE]qfprom_secdat_read : secdata file already loaded
[    8.990446 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data start
[    8.990455 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b80a8 check complete
[    8.990465 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 10 fusing_verification
[    8.990474 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b80e8 check complete
[    8.990483 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 14 fusing_verification
[    8.990491 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b80f0 check complete
[    8.990500 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 15 fusing_verification
[    8.990509 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b80f0 check complete
[    8.990518 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 35 fusing_verification
[    8.990527 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b81d0 check complete
[    8.990536 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 75 fusing_verification
[    8.990544 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b83a8 check complete
[    8.990553 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 7d fusing_verification
[    8.990563 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b83d0 check complete
[    8.990571 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: fd fusing_verification
[    8.990580 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b83f8 check complete
[    8.990589 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: ff fusing_verification
[    8.990597 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data end
[    8.990606 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data start
[    8.990615 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990641 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80a8, value:0x20700000
[    8.990649 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990658 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990671 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80ac, value:0xfff6ffce
[    8.990680 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990689 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b80a8 check complete
[    8.990699 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 10 fusing_verification
[    8.990708 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990723 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80e8, value:0x3fc000c0
[    8.990732 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990740 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990754 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80ec, value:0x80001fff
[    8.990763 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990771 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b80e8 check complete
[    8.990780 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 14 fusing_verification
[    8.990788 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990801 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80f0, value:0x310f00
[    8.990810 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990819 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b80f0 check complete
[    8.990827 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 15 fusing_verification
[    8.990836 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990849 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80f4, value:0x266
[    8.990857 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990866 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b80f0 check complete
[    8.990875 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 35 fusing_verification
[    8.990883 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.990896 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b81d0, value:0xe5f00000
[    8.990905 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.990913 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991269 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b81d4, value:0x0
[    8.991277 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991286 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b81d0 check complete
[    8.991295 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 75 fusing_verification
[    8.991304 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991318 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83a8, value:0x1f
[    8.991326 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991335 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83a8 check complete
[    8.991343 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991356 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83d0, value:0x99cabab5
[    8.991364 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991372 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991385 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83d4, value:0x2401ec5a
[    8.991394 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991402 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83d0 check complete
[    8.991414 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: fd fusing_verification
[    8.991422 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991437 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83d8, value:0xb92eb32d
[    8.991445 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991453 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991466 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83dc, value:0x27a39ce4
[    8.991474 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991482 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83d8 check complete
[    8.991491 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991504 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83e0, value:0xc2d4f740
[    8.991513 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991521 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991535 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83e4, value:0xcaa5361
[    8.991544 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991553 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83e0 check complete
[    8.991562 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991576 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83e8, value:0x825a0ca6
[    8.991584 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991593 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991606 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83ec, value:0x6c993fa0
[    8.991614 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991623 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83e8 check complete
[    8.991632 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991645 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83f0, value:0xe398c6af
[    8.991653 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991661 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991674 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83f4, value:0x3000000
[    8.991683 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991691 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83f0 check complete
[    8.991700 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991713 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83f8, value:0x303030
[    8.991722 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991730 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read start
[    8.991744 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83fc, value:0x69000000
[    8.991752 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read end
[    8.991761 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: 0xfc4b83f8 check complete
[    8.991770 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data: ff fusing_verification
[    8.991779 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verification_blow_data end
[    8.991788 / 04-17 16:44:12.670][0] [QFUSE]verification_blow_value = ff
[    8.991796 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verify_data: verification success
[    8.991805 / 04-17 16:44:12.670][0] [QFUSE]qfprom_verify_data end
[    8.991814 / 04-17 16:44:12.670][0] [QFUSE]qfusing_show end
It looks like they're all in the 0xfc4b memory block.
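Added example, not part of the post above or of the device's driver: a small parser for this log format that checks whether every `qfprom_read` address shares the upper 16 bits 0xfc4b and shows which bit each region check adds to the running `fusing_verification` mask. Reading the mask as one bit per checked region is an assumption taken from the log itself; the embedded lines are an excerpt of the output above.

```python
import re

# Excerpt of the kernel log posted above (8 of its lines, unmodified).
LOG = """\
[    8.990455 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b80a8 check complete
[    8.990465 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 10 fusing_verification
[    8.990474 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 0xfc4b80e8 check complete
[    8.990483 / 04-17 16:44:12.670][0] [QFUSE]qfprom_result_check_data: 14 fusing_verification
[    8.990641 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80a8, value:0x20700000
[    8.990671 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b80ac, value:0xfff6ffce
[    8.991713 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83f8, value:0x303030
[    8.991744 / 04-17 16:44:12.670][0] [QFUSE]qfprom_read address:0xfc4b83fc, value:0x69000000
"""

READ_RE = re.compile(r"\[QFUSE\]qfprom_read address:(0x[0-9a-f]+), value:(0x[0-9a-f]+)")
CHECK_RE = re.compile(r"\[QFUSE\]qfprom_result_check_data: (0x[0-9a-f]+) check complete")
MASK_RE = re.compile(r"\[QFUSE\]qfprom_result_check_data: ([0-9a-f]+) fusing_verification")


def parse_reads(log):
    """Return {address: value} for every qfprom_read line."""
    return {int(a, 16): int(v, 16) for a, v in READ_RE.findall(log)}


def common_window(addresses, bits=16):
    """Return the shared upper address bits, or None if they differ."""
    tops = {a >> bits for a in addresses}
    return tops.pop() if len(tops) == 1 else None


def mask_steps(log):
    """Pair each checked region with the bit it newly set in the mask."""
    # Assumption: the hex number before "fusing_verification" is a running
    # bitmask, so XOR with the previous value isolates the new bit.
    steps, region, prev = [], None, 0
    for line in log.splitlines():
        if m := CHECK_RE.search(line):
            region = int(m.group(1), 16)
        elif m := MASK_RE.search(line):
            mask = int(m.group(1), 16)
            steps.append((region, mask ^ prev))
            prev = mask
    return steps


if __name__ == "__main__":
    reads = parse_reads(LOG)
    print("shared upper bits:", hex(common_window(reads)))
    for region, bit in mask_steps(LOG):
        print(f"region {region:#x} sets mask bit {bit:#04x}")
```

Run over the full log, the same XOR step shows each of the eight result checks adding exactly one new bit until the mask reaches ff.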
13th May 2016, 11:35 AM |#203  
Quote:
Originally Posted by RuchRha

(Knox had been triggered on the tested device already.) This has been tested and is working on Note 3 N900/Exynos on KitKat ND1 firmware, which was on official status without root but with Knox triggered. The file was flashed using Odin, and after flashing I went into download mode and to my surprise Knox had been reset from 0x1 to 0, but the device status had turned custom (it was official before flashing the Knox reset). However, I will re-flash the firmware and see if Knox remains 0 and device status turns to official. Also there is some different stuff in download mode which I hadn't ever seen before, like EMMC PIN, Binary Sboot Version and all. I'll be attaching the screenshots for the same; kindly find them in the attachments.

Edit/Update 1 : After re-flashing the firmware, stuff like EMMC PIN and Binary Sboot Version has disappeared, Current Binary has turned to official and Knox has remained at 0; however, System Status still appears to be Custom...

Edit/Update 2 : (Refers to previous updates regarding System Status being Custom and not turning to Official.) After trying to flash the firmware several times nothing really worked (nothing to do with Knox and Current Binary, only System Status being Custom), hence I went to stock recovery, wiped Data/Factory Reset and Cache Partition and then re-flashed the firmware (ND1 KitKat) and VOILA! Binary/System Status are now Official and Knox is now 0. Seems a great success for the Exynos users. I also have a Snapdragon version so will be looking forward to it, screenshots attached....

Edit/Update 3 : The steps for resetting Knox (Exynos Note 3 ONLY!) :

1 - Download the bootloader.zip and extract the bootloader from it (find in attachments).

2 - Open Odin and put device in download mode.

3 - Select AP/PDA (depending on the Odin version you have) and select the bootloader (which was downloaded during step 1). Don't select any other option in Odin except F reset time and auto reboot (which are selected by default).

4 - After the file is flashed, go to download mode and check if Knox has turned back to 0.

5 - Flash official firmware from sammobile and after flashing is done let the device reboot and boot up to the device set-up screen; don't proceed with setting up the device, and turn it off.

6 - Reboot to stock recovery (power + vol up + home), wipe data/cache and flash the firmware again. Once flashing the firmware is completed, enter download mode and check if current binary and system status have turned to official; if not, follow steps number 5 and 6 again.

And that's pretty much it, you have successfully been able to reset Knox and regain warranty by this.

PS : I had done all these steps on ND1 firmware, and this will not keep root access; to root, Knox has to be tripped, or keep Knox 0 but Current Binary or System Status will be custom with Knox being 0. Also to note, this might get patched in future updates (bootloaders) if we look at Samsung's history of patching stuff, though not sure about it...

This will not work on any variant other than Exynos (Note 3) due to the different processors and boot systems of Exynos and Snapdragon (the bootloader for Exynos contains Sboot, which is only for the Exynos variant and cannot be used on Snapdragon as it uses Aboot). So this is in no way meant to work on the SD variant or any other Samsung device, i.e. S5/S4/Note 2 etc., and hence it is requested NOT TO USE IT on any other model than Exynos Note 3.

Edit/Update 4 : Downgrading Note 3 N900/N9000/Exynos from 4.4.2 to 4.3 has been successful, check out this post by me to be updated on steps regarding the same.

I'll be testing some workarounds for the N9005 (Snapdragon) to reset Knox/Firmware Downgrade once I get that device, as I have given mine to a friend and have been saving money to buy a new or used N9005.

Please tell me how to knox back in galaxy J700F exynos ????
19th July 2016, 10:30 AM |#204  
Has someone managed to utilize TrustZone exploit on Samsung devices?
30th July 2016, 09:06 AM |#205  
Quote:
Originally Posted by RuchRha

(Knox had been triggered on the tested device already.) This has been tested and is working on Note 3 N900/Exynos on KitKat ND1 firmware, which was on official status without root but with Knox triggered. The file was flashed using Odin, and after flashing I went into download mode and to my surprise Knox had been reset from 0x1 to 0, but the device status had turned custom (it was official before flashing the Knox reset). However, I will re-flash the firmware and see if Knox remains 0 and device status turns to official. Also there is some different stuff in download mode which I hadn't ever seen before, like EMMC PIN, Binary Sboot Version and all. I'll be attaching the screenshots for the same; kindly find them in the attachments.

Edit/Update 1 : After re-flashing the firmware, stuff like EMMC PIN and Binary Sboot Version has disappeared, Current Binary has turned to official and Knox has remained at 0; however, System Status still appears to be Custom...

Edit/Update 2 : (Refers to previous updates regarding System Status being Custom and not turning to Official.) After trying to flash the firmware several times nothing really worked (nothing to do with Knox and Current Binary, only System Status being Custom), hence I went to stock recovery, wiped Data/Factory Reset and Cache Partition and then re-flashed the firmware (ND1 KitKat) and VOILA! Binary/System Status are now Official and Knox is now 0. Seems a great success for the Exynos users. I also have a Snapdragon version so will be looking forward to it, screenshots attached....

Edit/Update 3 : The steps for resetting Knox (Exynos Note 3 ONLY!) :

1 - Download the bootloader.zip and extract the bootloader from it (find in attachments).

2 - Open Odin and put device in download mode.

3 - Select AP/PDA (depending on the Odin version you have) and select the bootloader (which was downloaded during step 1). Don't select any other option in Odin except F reset time and auto reboot (which are selected by default).

4 - After the file is flashed, go to download mode and check if Knox has turned back to 0.

5 - Flash official firmware from sammobile and after flashing is done let the device reboot and boot up to the device set-up screen; don't proceed with setting up the device, and turn it off.

6 - Reboot to stock recovery (power + vol up + home), wipe data/cache and flash the firmware again. Once flashing the firmware is completed, enter download mode and check if current binary and system status have turned to official; if not, follow steps number 5 and 6 again.

And that's pretty much it, you have successfully been able to reset Knox and regain warranty by this.

PS : I had done all these steps on ND1 firmware, and this will not keep root access; to root, Knox has to be tripped, or keep Knox 0 but Current Binary or System Status will be custom with Knox being 0. Also to note, this might get patched in future updates (bootloaders) if we look at Samsung's history of patching stuff, though not sure about it...

This will not work on any variant other than Exynos (Note 3) due to the different processors and boot systems of Exynos and Snapdragon (the bootloader for Exynos contains Sboot, which is only for the Exynos variant and cannot be used on Snapdragon as it uses Aboot). So this is in no way meant to work on the SD variant or any other Samsung device, i.e. S5/S4/Note 2 etc., and hence it is requested NOT TO USE IT on any other model than Exynos Note 3.

Edit/Update 4 : Downgrading Note 3 N900/N9000/Exynos from 4.4.2 to 4.3 has been successful, check out this post by me to be updated on steps regarding the same.

I'll be testing some workarounds for the N9005 (Snapdragon) to reset Knox/Firmware Downgrade once I get that device, as I have given mine to a friend and have been saving money to buy a new or used N9005.

Is it possible to do this in S4 GT-I9500 Exynos?
1st August 2016, 03:16 AM |#206  
Has anyone successfully gained warranty using this to reset knox flag? Samsung still might have some tricks up their sleeve.