[Bounty] [05/20/2014]Reset KNOX counter to 0x0 (UPDATE: 3k +)


djnoicatse

Senior Member
Jun 4, 2010
369
257
Toronto
Created this bounty thread hoping to find a way to reset our KNOX counter to 0x0. It's great that @designgears and @Chainfire found a way to root without tripping the Knox counter, but unfortunately a lot of us have already voided our warranty using the old way.

I know it's a long shot and almost impossible (as far as we know) to reset the Knox counter, so I'm hoping there's a dev out there that would be willing to give this a shot and see if it can be done. I'm sure there are tons of people out here in the xda community who would like to have their mind at ease knowing that their warranty will still be good when they need their phone serviced.

So I'll start off with donating $20 to the first person that finds a way to reset the infamous knox flag!

May 5th 2014

Hey everyone, sorry I haven't been able to update this thread. I've been really busy with work and my family. Any time I have to go on XDA is simply just checking up on some PM's and maybe some quick browsing. When I get the chance (hopefully soon) I will update the OP with some missed donations that I have missed. I don't even know what the update is on this whole KNOX fiasco. What I do know is that when 4.4.2 came out, KNOX was updated to 3.0. I would assume that finding a solution is probably harder than ever.


Sent from my SM-N900W8 using Tapatalk 4
 

djnoicatse

Senior Member
Jun 4, 2010
369
257
Toronto
Donations so far,

Me- $20
@NoEnd- $20
@Skander1998- $120
@Kinoal- $30
@Imoseyon- $20
@zylor- $50
@xda_q8 -$100
@Yuhfhrh- $20
@odeccacccp- $20
@Poisyx -80€
@danieljamie - £10
@Raphy511- $5
@apd- $20
@Jack Barrett- $10
@checkmateyou- $50
@mrQQ- $20
@Meanee- $20
@Steezy5- $20
@micger21- $20
@Kingybear- $20
@zbz999- $20
@Action B- $10
@yulet- $10
@Virusbetax- $30
@ytwytw- $20
@piit79- $40
@erubey21- $20
@perosredo- $10
@lordmusik- $50
@LemonPowerForce- $50
@AUSTAB2012- $20
@samuraiofu- $20
@valix2fr- $30
@Wayne7497- $100
@vincedoggy- $50
@almacncheese- $2
@simon2k10- $20
@iakovidis- $20
@GeorgEveS- $20
@kakyyabata- $20
@Café King- $20
@dukhan- $80
@zocster- $20
@Shadowjump- $5
@oofol- $20
@maniacscorpio- $20
@iceghost1210- $20
@chrisrotolo- $25
@Volrath- $20
@apfelsaftkotzer- $10
@layercake87- 10€
@moto211- $10
@radicalisto- £10
@tongueman87- $20
@alesa1988- 20€
@bones718- $10
@k4syx- $10
@Michuta- 10€
@m7md garrah- $250
@droidan- $52
@madridfran- $10
@trubster- $25
@dpoverlord - $20
@dukhan - $6
@OmarManLover- $20
@Maroc_Specops- $10
@ramsenn- $4
@ysr84- $40
@ashT1971- $40
@iT iS Me- $11
@eraybozkurt- $50
@vinokirk- $10
@Cyenominerva- $10
@cocokasper- $20
@hussam1988- $10
@theunderling- $40
@Bitmixer- $20
@censor2005- $15
@otakuloser- $20
@r3scue- $13
@leboural- $20
@Hepokatti- $20
@redwhiteblackandblue- $12
@IOU-1- $13
@mr sharpey- $30




Sent from my SM-N900W8 using Tapatalk 4
 

kaos_king

Senior Member
Sep 22, 2008
669
178
I was wondering how they can make knox irreversible.

One idea I came up with is there could be a piece of hardware that is triggered irreversibly, by maybe destroying it.

Does anyone else think it could be linked to hardware?
 

iankellogg

Senior Member
Jun 9, 2010
73
27
The Knox flag is an eFuse; you will NEVER be able to reset it back to 0. It is PHYSICALLY destroyed in the S800 chip and there is no way to change that fact. The best you can hope for is a custom bootloader that fakes the flag. But they will always be able to check the flag.
 

Skander1998

Senior Member
May 23, 2012
1,619
607
29
Doha
Samsung Galaxy Note 3
Samsung Galaxy S7
The Knox flag is an eFuse; you will NEVER be able to reset it back to 0. It is PHYSICALLY destroyed in the S800 chip and there is no way to change that fact. The best you can hope for is a custom bootloader that fakes the flag. But they will always be able to check the flag.

There is no concrete evidence that it is an e-FUSE.
All is speculation.
 

djnoicatse

Senior Member
Jun 4, 2010
369
257
Toronto
The Knox flag is an eFuse; you will NEVER be able to reset it back to 0. It is PHYSICALLY destroyed in the S800 chip and there is no way to change that fact. The best you can hope for is a custom bootloader that fakes the flag. But they will always be able to check the flag.

I've heard this too....
Nothing is impossible if it hasn't been tried.

Sent from my SM-N900W8 using Tapatalk 4
 

NoEnd

Senior Member
Jul 28, 2010
313
20
Muharraq
The Knox flag is an eFuse; you will NEVER be able to reset it back to 0. It is PHYSICALLY destroyed in the S800 chip and there is no way to change that fact. The best you can hope for is a custom bootloader that fakes the flag. But they will always be able to check the flag.

I'm not an expert, but guessing if KNOX is a hardware validation, can we replace this chip or manipulate with it?
 

iankellogg

Senior Member
Jun 9, 2010
73
27
other smartphones like the G2 uses the same chipset, how come they don't have the same validation?

I guess that either Samsung have their own version of the S800 or there is another chipset in the system that represents KNOX.

So I was wrong about the number of eFuses (which Qualcomm calls QFuses). There are over 100 of these QFuses. They can be used for pretty much anything the manufacturer wants (from what I have read all manufacturers use QFuses for disabling debugging). All Qualcomm chips and pretty much any CPU or FPGA on the market has at least 1 eFuse. It is up to the company to determine how those are used. LG decided against using eFuse checks in their bootloader. Samsung decided it was the only way to make Knox secure.
 

NoEnd

Senior Member
Jul 28, 2010
313
20
Muharraq
So I was wrong about the number of eFuses (which Qualcomm calls QFuses). There are over 100 of these QFuses. They can be used for pretty much anything the manufacturer wants (from what I have read all manufacturers use QFuses for disabling debugging). All Qualcomm chips and pretty much any CPU or FPGA on the market has at least 1 eFuse. It is up to the company to determine how those are used. LG decided against using eFuse checks in their bootloader. Samsung decided it was the only way to make Knox secure.

Ok now I understood your point

Thanks for explaining
 

neoKushan

Senior Member
Nov 7, 2008
462
105
Warrington
other smartphones like the G2 uses the same chipset, how come they don't have the same validation?

I guess that either Samsung have their own version of the S800 or there is another chipset in the system that represents KNOX.

What you have to remember is that Qualcomm license their chipsets out, but it's up to the device manufacturer to use it however they want. Not all features get used or enabled and not all will be used for the same purpose. They all use efuses for things like disabling debugging and such but Samsung has potentially chosen to use it as a hardware flag for Knox.

I was wondering how they can make knox irreversible.

One idea I came up with is there could be a piece of hardware that is triggered irreversibly, by maybe destroying it.

Does anyone else think it could be linked to hardware?

What you're describing is an "efuse". It's a well known method of securing a system to prevent it from doing things like downgrades. It's a piece of hardware, as you describe, that gets permanently "blown". This is nothing like a traditional fuse that you can replace, it's a tiny, tiny part of the silicon inside the CPU itself. You can't "repair" it, it's only a few nm in size. It would be easier to thread a needle using two Boeing 747's.

Anyway...

The efuse thing is, at this time, speculation. There's a lot of evidence to say it's an efuse being used but nothing concrete as of yet. There's a good chance we may never be able to reset the Knox flag, however it has been shown that we can at least bypass it in certain instances.
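To make the "blown fuse" explanation above (and iankellogg's QFuse description earlier in the thread) concrete, here is a small added model of a one-time-programmable fuse bank, written for this thread and not taken from any poster or from Samsung/Qualcomm code. The bit positions and the `warranty_flag` / `boot_trusts_device` helpers are hypothetical; what the model shows is the property that matters for this thread: bits only ever go from 0 to 1, there is no clear operation at all, and a bootloader that reads the register itself cannot be fooled by a value that later software claims.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a one-time-programmable (OTP) fuse bank of the kind
 * found in most SoCs. Educational stand-in only: this is NOT Qualcomm's QFuse
 * register map or Samsung's real Knox layout; bit positions are hypothetical. */
#define FUSE_WORDS 4u

typedef struct {
    uint32_t word[FUSE_WORDS];   /* factory state: every bit 0 */
} fuse_bank_t;

/* Hypothetical bit assignments inside word 0. */
enum {
    FUSE_DEBUG_DISABLE = 0,   /* debug interface off once blown */
    FUSE_WARRANTY_BIT  = 1,   /* "tripped" when unsigned code is booted */
    FUSE_WRITE_LOCK    = 31   /* no further programming once set */
};

static bool fuse_read(const fuse_bank_t *b, unsigned word, unsigned bit)
{
    if (word >= FUSE_WORDS || bit > 31) return false;
    return (b->word[word] >> bit) & 1u;
}

/* Programming a fuse ORs the bit in; the silicon offers no 1 -> 0 path.
 * Returns false if arguments are out of range or the bank is write-locked. */
static bool fuse_blow(fuse_bank_t *b, unsigned word, unsigned bit)
{
    if (word >= FUSE_WORDS || bit > 31) return false;
    if (fuse_read(b, 0, FUSE_WRITE_LOCK)) return false;
    b->word[word] |= (1u << bit);
    return true;
}

/* Deliberately no fuse_clear(): the only "reset" is never to blow the bit. */

/* Value a bootloader would display as the warranty/Knox flag:
 * 0x0 while intact, 0x1 once the fuse has been blown. */
static unsigned warranty_flag(const fuse_bank_t *b)
{
    return fuse_read(b, 0, FUSE_WARRANTY_BIT) ? 1u : 0u;
}

/* Bootloader-side check. It reads the fuse register itself and ignores
 * anything later software reports, which is why a modified OS, or a
 * bootloader that merely "fakes" the flag, cannot hide a blown bit from code
 * that reads the hardware directly. */
static bool boot_trusts_device(const fuse_bank_t *b, unsigned flag_reported_by_sw)
{
    (void)flag_reported_by_sw;            /* untrusted input, ignored on purpose */
    return warranty_flag(b) == 0u;
}

int main(void)
{
    fuse_bank_t bank = { {0} };
    printf("factory:    flag=0x%x trusted=%d\n",
           warranty_flag(&bank), (int)boot_trusts_device(&bank, 0));
    fuse_blow(&bank, 0, FUSE_WARRANTY_BIT);   /* e.g. first boot of an unsigned image */
    printf("after trip: flag=0x%x trusted=%d (software claims 0x0, still untrusted)\n",
           warranty_flag(&bank), (int)boot_trusts_device(&bank, 0));
    fuse_blow(&bank, 0, FUSE_WRITE_LOCK);
    printf("write lock set, further programming allowed=%d\n",
           (int)fuse_blow(&bank, 1, 0));
    return 0;
}
```

The point of the model is the missing function: there is nothing in the interface that takes a bit back to 0, and writing other bits never clears the warranty bit, so once `warranty_flag` reads 0x1 the only honest answer a hardware-reading check can give is "tripped".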
 

iankellogg

Senior Member
Jun 9, 2010
73
27
What you have to remember is that Qualcomm license their chipsets out, but it's up to the device manufacturer to use it however they want. Not all features get used or enabled and not all will be used for the same purpose. They all use efuses for things like disabling debugging and such but Samsung has potentially chosen to use it as a hardware flag for Knox.



What you're describing is an "efuse". It's a well known method of securing a system to prevent it from doing things like downgrades. It's a piece of hardware, as you describe, that gets permanently "blown". This is nothing like a traditional fuse that you can replace, it's a tiny, tiny part of the silicon inside the CPU itself. You can't "repair" it, it's only a few nm in size. It would be easier to thread a needle using two Boeing 747's.

Anyway...

The efuse thing is, at this time, speculation. There's a lot of evidence to say it's an efuse being used but nothing concrete as of yet. There's a good chance we may never be able to reset the Knox flag, however it has been shown that we can at least bypass it in certain instances.

To add to this. The Motorola bootloader for the Atrix, Razr and others used an eFuse to lock the bootloader and I wouldn't be surprised if that was the case here now for Samsung. If you aren't familiar, Motorola's bootloader cannot be unlocked (unless it's a dev phone) and their solution to people was to give them a coupon to buy a new device that didn't have a locked bootloader. I have no faith that we will be able to reverse the KNOX flag or be able to unlock the bootloaders but I do have confidence that we will have a safestrap.
 

Top Liked Posts

You can take apart the param.bin file if you want - it's just a tar file. Contains some images (one of them curiously mentions Verizon) and an emmc firmware binary.

I am not aware of any other param.bin files available for the Note3 - though I must admit I had checked for Qualcomm models initially, not Exynos - so that file may be universal. I thought maybe the emmc firmware file may play some part in resetting the KNOX bits, as maybe it is stored on emmc. Flashing it to my own Note3 didn't do anything though, and I have not found the location of this file in stock firmwares to replace it in there, so far.

The bootloader itself could well make all the difference and do all the work. You'd have to disasm it to be sure. The thing is, unless we run down the entire system, figure out how the bootloader does it, and be able to replicate that from booted Android (or maybe ODIN flashable) this is completely useless.

We can't take a stock bootloader and modify it so it does the same as this one (assuming it even does anything), as the bootloaders are cryptosigned, and we cannot replicate the signatures. As such, even if we managed to get the modified bootloader on the device (which we won't), then it still wouldn't boot.

In other words, this is all well and good, but I don't see it getting us anywhere for devices X, Y and Z, unless the counterparts for those devices get leaked as well.

Again assuming we don't decode the bootloaders, find out what trick it is pulling, and manage to replicate it in some other way - which isn't very likely, as decoding bootloaders is tedious work, it's easy to miss the actual trick, and even if we do figure it out, chances are that the stock bootloader protects the area (they're already hidden now) that we need to write, so there will still be no way to do it from booted Android.

Unless we then also hack that, and if the data is stored in a secret part of emmc then maybe that is possible, as there are some theoretical hacks to reset bootloader-set write protections - but then that would still only work if trustzone hasn't properly shielded that area of the phone anyway, regardless of emmc write protection.

Are you still with me? Maybe you understand what I'm saying - probably not. Those that do probably have some minor technical statements to correct in the above, but it doesn't really matter. What it comes down to is that it's not bloody likely I'll be spending my time on this because it's a high effort but low chance of success endeavor, but if you have the time and the expertise, go right ahead and give it a shot. It's not impossible - just improbable (with the current knowledge of the situation)
Just wait 4me. I am working on it. Soon knox 0x0

Sent from my SM-N9005 using XDA Premium 4 mobile app