[Bounty] [05/20/2014] Reset KNOX counter to 0x0 (UPDATE: 3k+)


danieljamie

Senior Member
Mar 27, 2011
661
181
Count me in, £10.

People here speculate it's impossible because it's an efuse, but devs may be able to edit the bootloader or do something. Yes it's probably encrypted and stuff but people hack other devices why not this one.

Sent from my SM-N9005 using xda app-developers app
 

djnoicatse

Senior Member
Jun 4, 2010
369
257
Toronto
I will update 2nd post with donations when I get home from work. Note 3's here in Canada just got an update (security and stability). I'm guessing my knox will read 0x2 after I update and root again?

Sent from my SM-N900W8 using Tapatalk 4
 

vgergo

Senior Member
Use bounty to bribe

The only problem with a blown efuse is that Samsung may refuse warranty service.

Here is a creative solution

If enough money gets piled up, we can bribe a Samsung engineer to issue an official update which accidentally blows the efuse in all Note IIIs. They could not base their warranty refusal on the state of the knox flag anymore.

We could just make a virus which would do the same, then it's a vis major case... If most Note 3 knox flags are blown, we could just claim it's not our fault.
 

Sonorus

Member
Oct 17, 2013
13
2
Pretty sure it's an e-Fuse... http://xdaforums.com/showpost.php?p=31622172&postcount=9

Wouldn't it be more practical at this point to make a bootloader that ignores it? Just virtualize the efuse as 0x0 instead of physically trying to reset it. Might be just as simple as shadowing a "reprogrammable" region onto the addresses that usually shadow the "q"fuse block.
Unfortunately, this is probably out of bounds for anyone without jtag.

The idea of KNOX is not that you can't beat it, but that it's impractical to do so. I'd say a bootloader is the most likely way to beat it; only with jtag could you then prove it's "really" been blown.

This would also prove that a "hardware chain of trust" can never be reliable for security. (not that we don't already know that)
 

zylor

Guest
I'm working on a way to do this and I think I've got it figured out. Expect an update this weekend coming up

Sent from my SM-N9005 using Tapatalk
If you show me evidence of some positive progress I will raise my bounty value :D

Wouldn't it be more practical at this point to make a bootloader that ignores it? Just virtualize the efuse as 0x0 instead of physically trying to reset it. Might be just as simple as shadowing a "reprogrammable" region onto the addresses that usually shadow the "q"fuse block.

My first thought exactly :)
 

neoKushan

Senior Member
Nov 7, 2008
462
105
Warrington
This reminds me of xbox360 jtagging :)
The e-fuses were getting blown on dash upgrades to prevent the recovery of CPU key, but the removal of the resistor R6T3, which supplies the current to blow the e-fuse, prevented any future e-fuse blowing.

The efuses blow to prevent dashboard downgrades. Microsoft was actually very clever with their security - they knew that all it took was one little exploit in a firmware and the whole console would be screwed. Even if they patched it, people would just hook up a NAND flasher and downgrade - but with the efuse blown, you can't. Removing the resistor does stop them getting blown, but that also means that upgrading the dashboard will brick the console (until you use a NAND flasher on it again).
Despite the PS3 also (apparently) having efuses, it does not use them to prevent downgrading, meaning every PS3 out there is completely exploitable just by hooking up some wires and flashing an older firmware.

Now the glitch attacks, that's another level of brilliantness....
(And before anyone asks, no, we won't be able to apply the same attack here).

I will update 2nd post with donations when I get home from work. Note 3's here in Canada just got an update (security and stability). I'm guessing my knox will read 0x2 after I update and root again?

Sent from my SM-N900W8 using Tapatalk 4

The Knox flag isn't a counter, it's a flag. It's either 0 or 1. It won't increase, the flash counter however will.

Pretty sure it's an e-Fuse... http://xdaforums.com/showpost.php?p=31622172&postcount=9

Wouldn't it be more practical at this point to make a bootloader that ignores it? Just virtualize the efuse as 0x0 instead of physically trying to reset it. Might be just as simple as shadowing a "reprogrammable" region onto the addresses that usually shadow the "q"fuse block.
Unfortunately, this is probably out of bounds for anyone without jtag.

The idea of KNOX is not that you can't beat it, but that it's impractical to do so. I'd say a bootloader is the most likely way to beat it; only with jtag could you then prove it's "really" been blown.

This would also prove that a "hardware chain of trust" can never be reliable for security. (not that we don't already know that)

My first thought exactly :)

Why are we all so sure the bootloader is what's actually setting the flag? There are other bootloaders within the hardware, the chain of trust begins in hardware. The bootloader is just displaying a value, if that value is read from a hardware flag within the CPU, there's every chance the CPU is what's setting it in the first place.
 

zylor

Guest
Why are we all so sure the bootloader is what's actually setting the flag? There are other bootloaders within the hardware, the chain of trust begins in hardware. The bootloader is just displaying a value, if that value is read from a hardware flag within the CPU, there's every chance the CPU is what's setting it in the first place.
I can almost bet that if someone checks out the bootloader, we will be able to find a workaround on this :silly:
 

neoKushan

Senior Member
Nov 7, 2008
462
105
Warrington
I can almost bet that if someone checks out the bootloader, we will be able to find a workaround on this :silly:

this isn't a new thing, the galaxy s4 has had this knox counter for months now and all of those developers haven't figured it out yet, either. That includes the likes of Chainfire, who made triangle away. I really don't think it's as simple as some people think.
 

zylor

Guest
this isn't a new thing, the galaxy s4 has had this knox counter for months now and all of those developers haven't figured it out yet, either. That includes the likes of Chainfire, who made triangle away. I really don't think it's as simple as some people think.
Of course it isn't simple, it is a security stuff... it's meant to be difficult to crack.. but not impossible :)
 

Sonorus

Member
Oct 17, 2013
13
2
Why are we all so sure the bootloader is what's actually setting the flag? There are other bootloaders within the hardware, the chain of trust begins in hardware. The bootloader is just displaying a value, if that value is read from a hardware flag within the CPU, there's every chance the CPU is what's setting it in the first place.

This isn't my point. Why do we care that an eFuse is blown if no software can see it? Software knows only what it sees.
My point is simple. Software looks at memory values, and memory values can be shadowed. Just redirect requests to read that bit (or preferably, the entire qfuse block). What I speak of is a simple function of a basic rootkit.

At the end of the day, software is what will care about that value. (otherwise we wouldn't care about it because you'd never see it)
I don't need to fool the hardware, only the software, and thus the technicians. I doubt they would jtag every phone.

And hardware chains of trust cannot work because there is nothing that can be done to stop someone from making different hardware do the same thing. E.g. take a radio and a CPU, make it speak the protocol. No way for the other end to know it's not "trusted hardware". Even encryption doesn't work because you just pull the keys off the hardware. (which is of course why DRM can never work)
It just makes it /harder to do/. That's the point. It's our job to make it EASY.

The bootloader is just displaying a value, if that value is read from a hardware flag within the CPU, there's every chance the CPU is what's setting it in the first place.
Possible, but the point of software is to abstract. Nobody is going to program every little security feature into the hardware. It takes massive R&D with very little reward, i.e. it's not economically feasible.
 

Top Liked Posts

    Created this bounty thread hoping to find a way to reset our KNOX counter to 0x0. It's great that @designgears and @Chainfire found a way to root without tripping the Knox counter, but unfortunately a lot of us have already voided our warranty using the old way.

    I know it's a long shot and almost impossible (as far as we know) to reset the Knox counter, so I'm hoping there's a dev out there that would be willing to give this a shot and see if it can be done. I'm sure there are tons of people out here in the xda community who would like to have their mind at ease knowing that their warranty will still be good when they need their phone serviced.

    So I'll start off with donating $20 to the first person that finds a way to reset the infamous knox flag!

    May 5th 2014

    Hey everyone, sorry I haven't been able to update this thread. I've been really busy with work and my family. Any time I have to go on XDA is simply just checking up on some PMs and maybe some quick browsing. When I get the chance (hopefully soon) I will update the OP with some donations that I have missed. I don't even know what the update is on this whole KNOX fiasco. What I do know is that when 4.4.2 came out, KNOX was updated to 3.0. I would assume that finding a solution is probably harder than ever.


    Sent from my SM-N900W8 using Tapatalk 4
    Donations so far,

    Me- $20
    @NoEnd- $20
    @Skander1998- $120
    @Kinoal- $30
    @Imoseyon- $20
    @zylor- $50
    @xda_q8 -$100
    @Yuhfhrh- $20
    @odeccacccp- $20
    @Poisyx -80€
    @danieljamie - £10
    @Raphy511- $5
    @apd- $20
    @Jack Barrett- $10
    @checkmateyou- $50
    @mrQQ- $20
    @Meanee- $20
    @Steezy5- $20
    @micger21- $20
    @Kingybear- $20
    @zbz999- $20
    @Action B- $10
    @yulet- $10
    @Virusbetax- $30
    @ytwytw- $20
    @piit79- $40
    @erubey21- $20
    @perosredo- $10
    @lordmusik- $50
    @LemonPowerForce- $50
    @AUSTAB2012- $20
    @samuraiofu- $20
    @valix2fr- $30
    @Wayne7497- $100
    @vincedoggy- $50
    @almacncheese- $2
    @simon2k10- $20
    @iakovidis- $20
    @GeorgEveS- $20
    @kakyyabata- $20
    @Café King- $20
    @dukhan- $80
    @zocster- $20
    @Shadowjump- $5
    @oofol- $20
    @maniacscorpio- $20
    @iceghost1210- $20
    @chrisrotolo- $25
    @Volrath- $20
    @apfelsaftkotzer- $10
    @layercake87- 10€
    @moto211- $10
    @radicalisto- £10
    @tongueman87- $20
    @alesa1988- 20€
    @bones718- $10
    @k4syx- $10
    @Michuta- 10€
    @m7md garrah- $250
    @droidan- $52
    @madridfran- $10
    @trubster- $25
    @dpoverlord - $20
    @dukhan - $6
    @OmarManLover- $20
    @Maroc_Specops- $10
    @ramsenn- $4
    @ysr84- $40
    @ashT1971- $40
    @iT iS Me- $11
    @eraybozkurt- $50
    @vinokirk- $10
    @Cyenominerva- $10
    @cocokasper- $20
    @hussam1988- $10
    @theunderling- $40
    @Bitmixer- $20
    @censor2005- $15
    @otakuloser- $20
    @r3scue- $13
    @leboural- $20
    @Hepokatti- $20
    @redwhiteblackandblue- $12
    @IOU-1- $13
    @mr sharpey- $30




    Sent from my SM-N900W8 using Tapatalk 4
    You can take apart the param.bin file if you want - it's just a tar file. Contains some images (one of them curiously mentions Verizon) and an emmc firmware binary.

    I am not aware of any other param.bin files available for the Note3 - though I must admit I had checked for Qualcomm models initially, not Exynos - so that file may be universal. I thought maybe the emmc firmware file may play some part in resetting the KNOX bits, as maybe it is stored on emmc. Flashing it to my own Note3 didn't do anything though, and I have not found the location of this file in stock firmwares to replace it in there, so far.

    The bootloader itself could well make all the difference and do all the work. You'd have to disasm it to be sure. The thing is, unless we run down the entire system, figure out how the bootloader does it, and be able to replicate that from booted Android (or maybe ODIN flashable) this is completely useless.

    We can't take a stock bootloader and modify it so it does the same as this one (assuming it even does anything), as the bootloaders are cryptosigned, and we cannot replicate the signatures. As such, even if we managed to get the modified bootloader on the device (which we won't), then it still wouldn't boot.

    In other words, this is all well and good, but I don't see it getting us anywhere for devices X, Y and Z, unless the counterparts for those devices get leaked as well.

    Again assuming we don't decode the bootloaders, find out what trick it is pulling, and manage to replicate it in some other way - which isn't very likely, as decoding bootloaders is tedious work, it's easy to miss the actual trick, and even if we do figure it out, chances are that the stock bootloader protects the area (they're already hidden now) that we need to write, so there will still be no way to do it from booted Android.

    Unless we then also hack that, and if the data is stored in a secret part of emmc then maybe that is possible, as there are some theoretical hacks to reset bootloader-set write protections - but then that would still only work if trustzone hasn't properly shielded that area of the phone anyway, regardless of emmc write protection.

    Are you still with me? Maybe you understand what I'm saying - probably not. Those that do, probably have some minor technical statements to correct in the above, but it doesn't really matter. What it comes down to is that it's not bloody likely I'll be spending my time on this because it's a high effort but low chance of success endeavor, but if you have the time and the expertise, go right ahead and give it a shot. It's not impossible - just improbable (with the current knowledge of the situation)
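    The post above says param.bin is just a tar archive containing some images and an eMMC firmware blob. The script below is an added example (not code from the thread, from Chainfire, or from Samsung) showing how a practitioner would take such an archive apart: list every member, sniff its type from leading magic bytes, and grep members for a string of interest. The archive it inspects is constructed in memory so it runs offline; the member names, the magic-number table and the "Verizon" string planted in the fake logo are assumptions for the example, not facts about any real param.bin.

```python
"""Inspect a param.bin-style archive (a plain tar) member by member.

Added example, not code from the thread or from Samsung. The archive below is
constructed in memory; for a real file call inspect_param_bin(open(p, "rb").read()).
"""
import io
import tarfile

# Magic numbers used to classify members. This table is an assumption for the
# example: the thread does not document which image formats param.bin carries.
MAGICS = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
]


def classify(head: bytes) -> str:
    """Map the first bytes of a member to a type name, or 'unknown'."""
    for magic, kind in MAGICS:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_param_bin(blob: bytes) -> list:
    """Return (name, size, kind) for every regular file in the tar blob."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # skip directories, links, etc.
            f = tf.extractfile(member)
            head = f.read(16) if f is not None else b""
            out.append((member.name, member.size, classify(head)))
    return out


def grep_members(blob: bytes, needle: bytes) -> list:
    """Return names of regular members whose contents contain `needle`."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            f = tf.extractfile(member)
            if f is not None and needle in f.read():
                hits.append(member.name)
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for param.bin: two fake images and a fake firmware blob.

    The 'Verizon' text inside logo.jpg is planted here only so grep_members has
    something to find; it is not taken from a real archive.
    """
    members = [
        ("logo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"Verizon" + b"\x00" * 40),
        ("warning.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 60),
        ("emmc.bin", b"\x00" * 128),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, size, kind in inspect_param_bin(sample):
        print(f"{name:16s} {size:6d}  {kind}")
    print("members mentioning Verizon:", grep_members(sample, b"Verizon"))
```

    The type sniffing is what tells you which member is the eMMC firmware rather than an image; anything that comes back "unknown" with no recognisable header is the candidate to look at under a disassembler, and `grep_members` is the quick way to confirm the odd strings a post like the one above reports before investing in that.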
    Just wait for me. I am working on it. Soon Knox 0x0.

    Sent from my SM-N9005 using XDA Premium 4 mobile app