Wow I didnt know such an app does exist!!
Ill downgrade again later after I get home and see results ... thanks
Sent from my GT-I9505 using xda app-developers app
[RESEARCH] Samsung Knox: Warranty Void Behavior
- Thread starter theq86
- Start date
Wow I didnt know such an app does exist!!
Ill downgrade again later after I get home and see results ... thanks
Sent from my GT-I9505 using xda app-developers app
I found this today in the bootloader UART output for I9505.
Some info about SMC call from ARM: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0301h/ch02s12s13.html
Full log:
Code:
3640] [TIMA trusted boot]: SEAndroid MAGIC failure (boot.img)
[3640] KL: API Status 0x0
[3640] [TIMA boot measurement] : Old/non-CL device - KNOX warranty void
[3650] [TIMA trusted boot]: SMC call to set the warranty violation fuse succeededSome info about SMC call from ARM: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0301h/ch02s12s13.html
Full log:
Code:
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk
[10] platform_init()
[10] target_init()
[10] HW REV FLAG : 0
[10] HW REV11 : (1, 0, 1, 1)
[20] check power key with 0x88e843d
[20] Power on reason 4
[20] Power on status : 0x4 (Key Power On)
[40] magna_octa_full_hd_panel_power on completed
[40] display_init() ldi_chip : LDI_LSI
[40] PARAM : param partition table doesn't exist
[50] display_init : MID (MIPI_FB_ADDR(0x87e00000))
[50] display_init(),target_id=3949.
[60] samsung_octa_full_hd_panel_power on completed
[70] Config MIPI_VIDEO_PANEL.
[70] changing DSI regs
[100] lcd : panel_reset completed enable
[100] id1 : 0x42 id2 : 0x80 id3 : 0x47
[230] Turn on MIPI_VIDEO_PANEL.
[260] [CID] : 150100414645414242002a1d1fd750d2
[330] init_microusb_ic: MUIC: CONTROL1:0x1b
[340] init_microusb_ic: MUIC: CONTROL1:0x1b
[340] init_microusb_ic: MUIC: CONTROL2:0x3b
[340] init_microusb_ic: MUIC: CONTROL2:0x3b
[350] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[350] aboot_early_charging_init
[410] set_charger_state: buck(1), chg(0), reg(0x04)
[410] set_charging_current_limit_data : input current limit: reg = c0, 460mA(0x17)
[420] get_battery_detect : MAX77693_DETBAT (0x1d)
[430] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[430] get_wireless_charger_detect : WCIN_OK 0x00)
[440] get_wireless_charger_detect : CHG_DTLS(0x00)
[440] aboot_early_charging_init, [battery] batt_id_value (0), cable_type(0)
[450] set_fast_charging_current_data : fast charging current 460mA(0x0e)
[510] set_charger_state: buck(1), chg(1), reg(0x05)
[510] [tspdrv]nForce===7
[510]
VIBRATOR is ENABLED :::
[510] immvibespi amp enable
[520] vibrator started
[720] vibrator stopped[720]
VIBRATOR is DISABLED :::
[720] immvibespi amp disable
[720] Power on reason 4
[720] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[730] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[740] get_wireless_charger_detect : WCIN_OK 0x00)
[740] get_wireless_charger_detect : CHG_DTLS(0x00)
[740] aboot_dev_charging_init : cable_status(0), cable_type(1024)
[760] get_battery_detect : MAX77693_DETBAT (0x1d)
[760] [battery] batt_id_value (0)
[760] Vref_batt_therm disable
[760] [battery] external charger init
[770] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[780] get_wireless_charger_detect : WCIN_OK 0x00)
[780] get_wireless_charger_detect : CHG_DTLS(0x00)
[780] set_fast_charging_current_data : fast charging current 0mA(0x00)
[790] set_charging_current_limit_data : input current limit: reg = c0, 460mA(0x17)
[850] set_charger_state: buck(1), chg(0), reg(0x04)
[900] [fuelgauge] battery type : 1
[910] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[910] get_wireless_charger_detect : WCIN_OK 0x00)
[920] get_wireless_charger_detect : CHG_DTLS(0x00)
[920] [fuelgauge] apply 4.35V battery
[920] fuelguage : OriginalRCOMP = 0x6f, OriginalAlert = 0x1e
[930] fuelguage : OCV_DATA = 0xc332
[940] fuelguage : re-write RCOMPseg data
[1150] fuelguage : SOC_DATA1 = 0xe9, SOC_DATA2 = 0x19
[1150] fuelguage : model was loaded successful
[1150] fuelguage : RCOMP(0x76) is applied
[1160] fuelguage : OCV_DATA = 0xc332
[1360] [max17048] hibrt, vart, vreset setting
[1370] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[1380] get_wireless_charger_detect : WCIN_OK 0x00)
[1380] get_wireless_charger_detect : CHG_DTLS(0x00)
[1380] [fuelgauge] Discharging table soc
[1390] 6837 = ( 384000 - 339351 ) *100 / 653
[1390] soc(60), table_soc(68), vcell(384000)
[1390] [fuelgauge] fg_reset_soc (0)
[1400] init cc mode flag 0xfffffffen[1400] check_boot_mode = key Down[0], Up[0]
[1410] check_ramdump_mode :: k_param.debuglevel[0x574f4c44]
[1410] Do checksum V2
[1410] Not Need Movinand Checksum
[1420] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[1420] get_wireless_charger_detect : WCIN_OK 0x00)
[1430] get_wireless_charger_detect : CHG_DTLS(0x00)
[1430] is_reboot_case =0
[1430] cable_status = 0
[1440] get_battery_detect : MAX77693_DETBAT (0x1d)
[1440] enter normal booting mode
[1450] AST_POWERON
[3430] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[3430] get_wireless_charger_detect : WCIN_OK 0x00)
[3440] get_wireless_charger_detect : CHG_DTLS(0x00)
[3440] microusb_get_attached_device: STATUS1:0x3d, 2:0x00
[3450] rb=0 jig=1
[3450] v=3838 soc=60
[3450] skip check low battery
[3450] reboot_mode = 0x88e843d, boot_mode = 0, por = 0x4
[3460] kernel_addr: 0x80208000
[3460] RAMDISK ADDRESS: 0x82200000
[3470] second_addr: 0x81100000
[3470] tags_addr: 0x80200100
[3640] [TIMA trusted boot]: SEAndroid MAGIC failure (boot.img)
[3640] KL: API Status 0x0
[3640] [TIMA boot measurement] : Old/non-CL device - KNOX warranty void
[3650] [TIMA trusted boot]: SMC call to set the warranty violation fuse succeeded
[3660] SET WV: API Status 0x0
[3660]
kernel @ 80208000 (5086384 bytes)
[3670] ramdisk @ 82200000 (463981 bytes)
[3670] WV: API Status 0x0
[3670] lcd_attached=1
[3670] init_ddi_data: usable ddi data.
[3680] WV: API Status 0x0
[3680] Power on reason 4
[3680] booting linux @ 0x80208000, ramdisk @ 0x82200000 (463981)
[3690] cmdline: console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 sec_log=0x100000@0xffe00008 sec_dbg=0x80000@0xfff00008 sec_debug.reset_reason=0x1a2b3c00 androidboot.warranty_bit=1 lcd_attached=1 lcd_id=0x4280[3710] booting linux @ 0x80208000, ramdisk @ 0x82200000 (463981)
[3710] cmdline: console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 sec_log=0x100000@0xffe00008 sec_dbg=0x80000@0xfff00008 sec_debug.reset_reason=0x1a2b3c00 androidboot.warranty_bit=1 lcd_attached=1 lcd_id=0x4280[3710] Booting Linux
[ 0.000000] Truncating memory at 0xc0000000 to fit in 32-bit physical address space
Last edited:
How did you get uart output? Resistor value or?
Sent from my GT-I9505 using Tapatalk
sorry guys
i sold my device without much loss yesterday and like i said that was my last Samsung and will never get back to it
if they still counting on the same method by the memory and device
i sold my device without much loss yesterday and like i said that was my last Samsung and will never get back to it
if they still counting on the same method by the memory and device
Anybody need QFUSES dump before and after phone got an knox bit ?
Отправлено из моего iPad используя Tapatalk HD
Send this dump and we can start experimenting with modified aboot.
Sent from my GT-I9505 using Tapatalk
Sent from my GT-I9505 using Tapatalk
Are you sure you can modify aboot? It shoul br signed.. if you modify it the 3rd stage loader should refuse it..
Inviato dal mio GT-I9505 utilizzando Tapatalk
Yes sbl3 does signature verification but you could modify aboot while in RAM, replace with new version and jump to it if you have an exploit and we do! Will try it once I figure out why aboot doesn't load completely in IDA
Sent from my GT-I9505 using Tapatalk
Good idea but i haven't so much knowledges to do so. I noticed this too... other binaries don't fully load. E.g. i ve a .ko that have at the end some debug data that ida 6.1 discards. 6.4 trial know how to load it.
I doubt samsung left debug data... maybe encrypted data.. uncompressed in ram.. maybe the wvapi...
Inviato dal mio GT-I9505 utilizzando Tapatalk
I have written my own loader for MBN files and while all other mbn load just fine(sbl(1/2/3), rpm, tz) aboot.mbn has a ton of undefined areas.... :/
Use this http://xdaforums.com/showthread.php?t=2641245 if you know your way around IDA. If you have HexRays ARM then even better
Use this http://xdaforums.com/showthread.php?t=2641245 if you know your way around IDA. If you have HexRays ARM then even better
Last edited:
this might be nothing but i noticed when i had my i9505 that if you have KWV 0x0 when you start knox app it download 171 MB online on the knox shell
but if you had KWV 0x1 it only download 169 MB on the shell.
but if you had KWV 0x1 it only download 169 MB on the shell.
Hi, I have 2 gs4 one with knox 0x1 fna5 and another without knox with 4.2.2 bootloader and 4.3 firmware.
If someone need help...
Enviado do meu GT-I9505 através de Tapatalk
If someone need help...
Enviado do meu GT-I9505 através de Tapatalk
if in exynos variant the wv bit is in the rpmb (resetting with jtag confirmed), in snapdragon variant, that uses set of qfuses (maybe confirmed because one guy have knox resetted by sammy and then the last line in dl mode became A2,B2 instead of A1,B1..) i bet that informations of locations of qfuses stay also in the rpmb, so a variant of the reset method for exynos is theorically possible, but after wiping all emmc, we have to set flash also real or fake data of qfuses. in fact, if we use the reset method on snap version, after flashing it remains to 0x1 because it checks the same qfuses as before wipe, so it would do the trick wiping and flashing new rpmb with fake qfuses data! do u agree?
Inviato dal mio SM-N9005 utilizzando Tapatalk
Inviato dal mio SM-N9005 utilizzando Tapatalk
I think you're on to something. I think the Snapdragon variant keeps the QFPROM shadow register in the RPMB. There's also possible configuration for up to two boot partitions. RPMB is only accessible in SECURE WORLD. We need a TZ/Kernel exploit to either remove NAND Write Protection, or R/W to RPMB alone, which ioctl had been patched not too long ago to add R/W access to. It's purpose was for provisioning and passing along certain pieces and types of information. RPMB is accessed with a different type of 'data frame' than eMMC. I know a call is passed along to TZ via SMC to do things like set the warranty bit, R/W access for protected areas of memory, and just about everything we need. We will need a TrustZone app or kernel exploit. Kernel is most preferable. I'm also aware of a simple downgrade solution for the TrustZone via TZ. (It's complicated why this works, but no I can only do it to a certain extent based on bootloader flags fused number. ) Specifically for Note 3, but I'd bet they're identical processes. If an older version of TrustZone has a vulnerability, we can flash an older vulnerable version of TZ. This gives us a little wiggle room in finding an exploit. QSEECOM_SAMPLE_CLIENT in system/bin can be disassembled to find out what calls/commands are being made to TZ (on the N3, specific I believe) to PROVISION RPMB (Option 14, two sub options, Test and Production), and ERASE RPMB (Option 15.) If we put those pieces together, I think we'll be in business.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
88As you may already know, the latest Samsung firmwares came with a new secured bootloader. You can recognize it in download mode easily. It states: Knox warranty void: 0x0 or 0x1.
As for now, there is no way to reset that flag from 0x1 to 0x0.
Then I read in a comment of Chainfires post concerning that flag, that as long as you do not try to downgrade to a non secured bootloader, this flag will not change. He claims to have that information directly from Samsung.
https://plus.google.com/u/0/+Chainfire/posts
Jeffery Butler said:
Has anyone already experience with rooting an "untouched" S4 which has the secured bootloader and can confirm or decline that?
- - - - - - - - - -
Conclusions and Facts about KNOX-enabled firmwares (based on statements from chainfires post and it's comments above, ans based on this thread)
- Not possible to downgrade to KNOX-disabled firmwares/bootloaders (An attempt sets 0x1) (even though some people state, downgrade is possible when omitting the bootloader file in a firmware package: see http://xdaforums.com/showthread.php?t=2444671, not confirmed)
- Even if you flash a KNOX-enabled firmware via odin (e.g. the latest fw) knox will be set to 0x1
- Flashing unsigned or modified images via odin will set knox to 0x1
- Samsung stated, resetting the flag is impossible
- KNOX is mandatory and can not be completely removed
- Warranty Void is no counter, it is a flag (0,1) it was never seen 0x2 or so
- Mirroring all partitions from a clean 0x0-Device to a 0x1-Device via JTAG produces an unfunctional device (reversible by restoring the 0x1 partitions on the phone)
- KNOX bootloader verifies signatures of kernels and recoveries. No custom ones possible without voiding the knox warranty
- Some experts think, an eFuse is involved. (http://en.wikipedia.org/wiki/EFUSE). An eFuse is mostly only incremential. Even unwriteable by low level tools or JTAG. But it is still not proven, that eFuse is used.
https://www.samsungknox.com/overview/technical-details33Hi guys, here is a copy of my conclusions i'm writing in another thread.
I'm going to post them here as well, it might help someone….
Hi guys.
I don't know if this helps or not but here are some of my conclusions on the subject:
I have a Jtag Box (Riff Box) and i tested several different things on several S4 With Knox 0x0 and 0x1.
1st Conclusion - Clone or Change the Boolean to 0x0 its not possible since the phone will put counter back to 0x1 again in the first full boot
2nd conclusion - There is a 3rd bootloader (kind of a bootloader) on this new firmware (latest 4.2.2 and on) that creates a secure container using the trust zone, and sandbox security keys and checksums communicating with the PBL (Primary bootloader) and SBL1 (Secondary Bootloader).
3rd conclusion - This container is created not on the first boot after the upgrade (as some say) but in the firmware upgrading process.
4th conclusion - The 3rd Bootloader is not read or write permitted not even with Jtag (At least i didn't found it after 3 full dumps in different phones)
5th conclusion - Once you upgrade to knox secure bootloader you can't downgrade to a un-knoxed bootloader because the security checksum between the 3 bootloader will fail and odin won't flash.
6th conclusion - This is far away the most advanced and secure operating system ever made by Men, but it as is faults. Last week the world found a huge bug in the knox containers that allows data to be exchanged from insecure boot mode to secured sandbox in knox app…
The theory :
The only way to reset knox counter is to "convince" the phone bootloader that it still's in 4.2.2 un-knoxed bootloader and flash a 4.3 knox firmware. This way, all the secure containers in trust zone and boot loaders checksums will be recreated, flags inclusive.
I tried unsuccessfully "kill" a knoxed bootloader with Jtag and recover it in a 4.2.2 un-knoxed one but Jtag won't write the new bootloader 'cause apparently this specific address (Bootloader address) is write protected ….
I hope this helps anyone, i'm done with this. I'm not a bootloader specialist and i'm pretty sure someone will find the way to reset this.
For now still Samsung 1 - 0 Rest of the World
I'm giving up on this but since i have a Jtag and 198 voided S4 in my office, i'll be available for testing anything on those.
Good luck researchers,
By the way, if it helps click thanks30Maybe only 1% root their android phones (I think its more but anyway) but these people have made xda community which have made Samsung and android what they are.
Dont forget that samsung leaked firmwares to us, the 1%, to test and improve any issue...
No custom, no xda, no android...Thats the power of 1%...
Sent from my GT-I9505 using Tapatalk 430Compilation
Hey folks. I don't know how much it's worth, but I've kept a notepad compilation of all the information and reasonable concepts that I've come across while digging through the better part of a thousand pages. I'm sure there have been developments and promising avenues that I've missed, but I hope these notes might save others some time in sourcing so many different posts and threads.
From everything I've read so far, it sounds to me like the KNOX Warranty bit actually behaves a bit differently on older devices than on newer devices when it's flagged. On the older devices, it sounds to me like the counter may trip before it burns out an eFuse and that it's only permanently burned out if a failed attempt to reset is made. On newer devices, however, it sounds like there are instances where the simple act of tripping the flag results in an immediate burn. What they all appear to have in common is the way in which KNOX protects itself. Multiple bootloader layers stacked with hardware protection, in order to prevent the flag from being reset at any single stage. (I could be unclear on that last bit, if I am please feel free to correct me.)
Anyhow, I've gone through a lot of material at this point and I'm afraid it's left my brain pretty well putty. Here's hoping this compilation helps someone reach that "Eureka!" moment.
--------------------------------
Knox Flag Notes:
How the Knox system works on Samsung devices:
Secure Boot is a security mechanism that prevents unauthorized boot loaders and kernels from being loaded during the startup process. Firmware images, such as operating systems and system components, cryptographically signed by known, trusted authorities, are considered authorized firmware. Secure Boot is a component that forms the first line of defense against malicious attacks on devices with KNOX.
Samsung KNOX uses systematic security checks to ensure that only valid kernels are used by the device. On the hardware level, the Primary Boot Loader confirms a PKI certificate to verify the integrity of the Secondary Boot Loader 1. Similarly, the Secondary Boot Loader 1 verifies the integrity of the Secondary Boot Loader 2, and the Secondary Boot Loader 2 verifies the integrity of the Android Boot Loader. The Android Boot Loader will only load a Samsung-authorized kernel with a Samsung certificate as its Root-of-Trust.
https://www.samsungknox.com/en/overview/technical-details
One reported solution, that I have not been able to verify or corroborate, is related to the S4 Mini:
Originally Posted by SandeepEmekar View Post
My S4 Mini's Knox Status was reset when I flashed different region firmware on it.
Confused with the status of this thing, "CSB-CONFIG-LSB: 0X30" . (page 45)
The reporting user has stated that his/her KNOX flag was 0x1 and returned to 0x0 upon flashing to a different region's firmware.
"Old was India Region then I switched to latest one of Brazil (I9192UBUBMK4_I9192ZTOBMK2_ZTO.zip)" (page 46)
http://xdaforums.com/showthread.php?t=2486346&page=45
The above has not been verified, to my knowledge, and someone else subsequently reported attempting a regional change from the UK to Madagascar or somesuch place and reported no change to the bit counter.
There is also information for removing the KNOX bootloader from the Note 2, though apparently this only works if the flag has not already been tripped from 0x0 to 0x1. If the flag has been tripped, this technique still works to remove KNOX and the flag's notification from the Download Mode; However, if the bootloader is restored to KNOX then the flag is once again displayed as 0x1.
http://xdaforums.com/showthread.php?t=2500823
There have been several reports of people having their phone serviced by an authorized technician, in which their device was repaired and returned within around 10 minutes. Accordingly, when the device was returned, their KNOX flag had been restored to 0x0. This suggests the possibility of a software fix, or at least the existence of a software/hardware fix that can be implemented by connecting the device to a specialized diagnostic and recovery computer (some reports claim it is a handheld device).
It should be mentioned that several of these reports state that this fix is possible on devices which are older than the Note 3, which it seems cannot be reset. This suggests the existence, and initial utilization, of an eFuse for the Note 3 but not for devices from earlier generations (which seem to still utilize eFuses but not in the initial tripping of the flag. These devices, reportedly, will only burn the eFuse if a failed or incorrect attempt at resetting the flag occurs).
This exception for the Note 3 is contradicted here, however:
http://xdaforums.com/showthread.php?t=2504258
One user has stated that he knows where the eFuse, which KNOX utilizes, physically resides:
Originally Posted by iankellogg View Post
THe knox flag is an EFUSE, you will NEVER be able to reset it back to 0. It is PHYSICALLY destroyed in the S800 chip and there is no way to change that fact. The best you can hope for custom bootloader that fakes the flag. But they will always be able to check the flag... The speculation is that KNOX is using an E-FUSE. chainfire has said everything he can tell its an e-fuse. The S800 has at least 1 E-FUSE register that I know of and I think maybe 4 total... So I was wrong about the number of Efuses (which qualcomm calls QFuses) THere are over 100 of these QFuses. THey can be used for pretty much anything the manufacture wants (from what I have read all manufactures use QFuses for disabling Debugging). All Qualcomm chips and pretty much any CPU or FPGA on the market has at least 1 EFuse. It is up to the company to determine how those are used. LG decided against using EFuse checks in their bootloader. Samsung decided it was the only way to make Knox secure.
http://xdaforums.com/showthread.php?t=2486346
There is also discussion which indicates that the KNOX flag and notification are stored either in the eMMC or in the RPMB.
http://xdaforums.com/showthread.php?t=2504258&page=29
There was some more in-depth discussion, which I've misplaced the link to, which described the process of replacing "mmcblk*" as having reset the flag's display to 0x0. The catch is that once the device goes through one full boot cycle, the flag consistently reverts to 0x1. This corroborates the discussions regarding both software and hardware redundancies.
aboot.mdn has also been implicated with the KNOX flag.
eMMC Specs:
http://www.jedec.org/sites/default/files/Victor_Tsai.pdf
QFuses in MSM8960, which may also be relevant to identifying the active efuses used by KNOX:
http://xdaforums.com/showpost.php?p=31622172&postcount=9
Another potential avenue was suggested in the Note 3 thread, as follows:
Originally Posted by yashade2001 View Post
@Chainfire I have good news. I found a way for reseting counter on new KNOX devices. So you know KNOX' s information is stored in an emmc symlink file. Some people says it is storing in mmcblk0boot0, some people says that is same with mmcblk0 and some people can't find mmcblk0boot0. Actually I have not got a KNOX enabled device but I have testers for KNOX counter reset tool ( Making for S4 currently ). One of my tester opened that symlink ( He's not my tester now and I don't know which symlink is that. ) and edited with a hex editor and he saw a flag which shows counter status ( Hex value ). He edited that to 0x0 and rebooted the device. We saw 0x0 in bootloader screen. But when we rebooted the device it gone to back. So I know there is a hardware protection ( Special thanks to @gokhanmoral ). I think harware protection provided by eFuse chip. So there are two ways for reseting counter.
1) Rewrite kernel and undefine the eFuse chip. eFuse chip is defined in the kernel. Then there should be no hardware protection and we can edit that emmc symlink to reset counter. Shortly, we can modify bootloader.
2) Modify an Odin flashable tar as you want. But you need Samsung's special key to sign. If you sign that with Samsung's special key, counter will not be changed. But it's hard to get Samsung's special key. We can find it in an official flashable tar. It's not impossible but it's near to the impossible I think.
I'm going to make an app for doing first way automatticly.
Cheers. Waiting for your answer.
http://xdaforums.com/showthread.php?p=47765738
I seem to recall the above person having said something about giving up the ghost, but I can't recall a direct link. At any rate, he may or may not have hit a dead-end in his efforts.
Then, there's the discussion on Chainfire's G+ page where someone says:
Andrew Williams02/nov/2013
+Chainfire, I think +Mathew Rennie is correct. My GT-i9505 came with an NZC carrier branded ROM. Using PC ODIN, I flashed a later pre-Knox BTU stock version and had this rooted with CF-Auto-Root. I later attempted flashing a Knox enabled BTU ROM with Mobile ODIN, but upon finishing flashing I had no wifi, calls didn't work, etc. Did a factory reset and then used PC ODIN to flash this same Knox enabled BTU ROM and everything was fixed and remained at 0x0. Obviously this is because Mobile ODIN doesn't flash the bootloader whereas PC ODIN does. The point of all this is that I'm at 0x0 on a BTU ROM when my GT-i9505 came with an NZC ROM. Maybe that's because the bootloader was updated to BTU prior to the Knox enabled ROM being flashed and since I flashed another BTU ROM (albeit Knox enabled), it remains at 0x0. I even just did an OTA update to XXUEMJ7 and still at 0x0. But...I'd really like to have root back!
https://plus.google.com/+Chainfire/posts/LCfF5A9fsTG?hl=it
Posted by ace_of_spades021
I asked some one who work at samsung agency about this and he told me they do it with BOX RIFF and ORT ......
http://xdaforums.com/showthread.php?t=2504258&page=7
Someone who appears to have changed the way the Warranty Bit displays on the Download screen:
http://xdaforums.com/showthread.php?t=2510867
Lastly, Chainfire's brilliantly informed analysis which mentions potential options for downgrading from KNOX bootloader (which would prove perfect if you've not already managed to trip the KNOX Warranty bit.
http://xdaforums.com/showthread.php?t=2504258&page=12
That page also has another informative post (which I also recall seeing somewhere along the way in this thread):
Originally Posted by .NetRolller 3D View Post
What we know so far:
-The Knox flag is physically stored in the eMMC, not in the SoC. Replacing the eMMC resets the flag.
-Some phones with Knox have Toshiba eMMCs supporting only eMMC v4.5, meaning, a standard eMMC 4.5 feature is being used (not a Samsung extension or something new to eMMC 5.0). This alone excludes an efuse - eMMC 4.5 doesn't have efuse support.
-Samsung can reset the flag using software only. This also rules out an efuse.
-Restoring a full eMMC backup (including boot and user partitions) doesn't clear the flag, even if done via JTAG or direct eMMC programming. So, the flag is not in the user or boot areas of the eMMC.
That leaves only the RPMB or the eMMC partition table.
--------------------------------27
Sorry for my absence and a late reply. There are things that are more important then Knox in my life.
Jeez... Where to start? I'm sorry that I have to go a bit "deep technically" but I think I need to explain my concerns and why you must act if you don't want
to have an integrated Knox-chip in your Samsung Galaxy S5.
Since I write long posts, get some coffee, and meanwhile try thislink, GeoIP Locator, and tell me if they where close or not? As an illustration.
About your assumptions
I have FULL warranty with a written permission that I can flash my phone 1337 times or trip my Knox from my cell provider. They don't care!
Only invalid if I happen to brick my phone because of software. They also asked me don't want me to mess with the modem (except for official upgrades)
so it doesn't mess up their network. My warranty is between me and my cell provider, not Samsung. That is something between them and Samsung if my
phone would get faulty hardware. I don't have to care about that. I will get a new phone. I can basically have CM on it and turn it in. Hell I can even have
IOS on it (and live in shame).
So I don't have any warranty "anger" but very strong concerns about my privacy and this time a huge attempt to invade it since I carry and have my phone
with me all day and night. Also, I don't think you really see the wide implications here and I don't think you really know SELinux.
SELinux it's pretty straight forward. You just have to write out rules, "directives" what to restrict or not. How much control you want to give the user of the
system.
But you are totally in the hands of those who write those rules and what they let you. *BSD has something similar with security levels. Will leave that out of this.
And the ones are Samsung. They write the rules, in more then one way here..
I didn't saw there is an option to turn off "updates" so I got an "SELinux update #16" on my Note 3 yesterday (plain vanilla, not rooted). Anyone else got it?
Can you tell me what was included in that one? Only if you work at Samsung.
It's REALLY good when it comes to mission critical computers that should not be tampered with, especially if exposed to the internet.
It's REALLY bad when you are enforced to have it in your own private phone since there is NOT A SINGLE REASON for what purpose you need it.
I saw the new nice updated webpage, with a little cure girl and all, they did a few days ago. Protection. So nice. Are you really so naive?
Isn't it YOUR choice to have a virus killer installed on your PC or is it Microsoft that should decide that for you? What more should they then decide?
This is not a criminal case. Innocent until proved?? Do you work at Samsung? If not, have you tried to talk to them about Knox at all?
Did they give they any info? At all?
If this was so innocent, why the secrecy? That you can hack it? You have a flag for it. Apparently it's so strong that they got governmental approval to use
it in USA. So it must be considered as something really hard to hack, right? And it is. I doubt that we will be able to crack it. Only if we find a weakness.
That is what they are waiting for. Us to try to circumvent it. They sit here and read it (Hello! Calling you tomorrow, btw!) so they can perfect it.
So no, in this case they are the ones that have to prove. This is not a criminal court-case. Even if it should be.
I took this from their on webpage (with that cute girl). It's from their own white-paper (highlighted the important things for your pleasure):
Secure Boot requires the device boot loader, kernel, and system software to be cryptographically signed
by a key verified by the hardware. Secure Boot uses X.509 certificates and public keys which are embedded
into the boot loader of the device. A secure hash of the certificates is fused into hardware Read-Only
Memory (ROM) at the time of manufacture. The Secure Boot loader will only continue if the authorized
secure signed binaries are present. Next, Secure Boot verifies the cryptographic signature of the Linux
kernel and system image before handing control to the OS.
So this has been planned. For a long time.
Take a look at X.509.
As you see it's a standard SSL-certificate (wonder if it's signed and how to get it and see the top signer).
Until today SSL has not cracked more then by brute force. There was some alarming scare a few months back, during Snowden that NSA might have
found a weakness in it and could crack it. But it was never verified and it's still considered as "safe".
This is the basis of all internet security today. So let's hope that NSA didn't succeed in that...
If it WOULD be hacked, the whole damn Internet security falls apart. Everything has to be rewritten. The implications of this would be enormous.
Off topic
I worked with Y2K. After that passed people said "Oh, see. That was a crying for wolfs". No it wasn't. If there wouldn't have been that HUGE investments,
new hardware, rewriting of code, millions of man (and women) hours spent it would have been bad. Really bad. We worked day and night in the end.
I saw all that. I worked with it. I consulted for several corps, like pharmaceutical etc. The nice is was that I'm a Unix specialist so I don't have to worry
until Y2047 when those clocks turn around (32-bit int, seconds since 1970-01-01). I hope I will still have time to be moved into The Matrix,
That is why Y2K didn't had more serious implications (except for an emergency shutdown of 6 nuclear reactors in Japan (that should have been
an wake up call to see over the security....). Developing countries had problems. Of course. But that drowned in the "It was a big scam". news.
Some "funny" things like a someone older then 100 year old started to get commercial for baby products.
A bit on topic
We have now a successor that will replace X.509 and that is AES.
It's much stronger then X.509. It's so strong that it is the approved standard to the highest classified documents "Top secret" in USA and basically all
over the world.
Today's CPU's (younger then 5-6 years) has a special instruction for calculating it (AES-NI). It doesn't slow down your machine much (think it takes just 5
or 6 clock cycles compared to 69 in the software implementation in the Linux kernel). Using Truecrypt? You should.
This is a magnitude stronger and it wouldn't surprise me is the Knox-chip will not replace scramble it with AES as well in the Galaxy S5.
Get to the point, dammit!
So what does it mean? Every phone has an UNIQUE certificate for each phone. Think they have a list corresponding to the serial number? You bet.
When you buy your phone, do you sign the paper for your "plan"/warranty with the phones serial number written out? Of course you do. You want your warranty.
But this means also that they can MATCH you and your phone. Serial -> You. Easy. Same with everything. No big deal, right?
It would not be if you didn't have Knox on it. This is the KEY here.
And you are WRONG. The system is indeed locked.
SELinux can do this (among other things)
- You have a MAC-implementation in the kernel. The rules can deny access to different parts of the kernel.
- You can hook on ANYTHING to it. It's a matter of config. That is their framework we see in the /system etc.
- It controls running programs, file systems, files, sockets, network interfaces etc.
- And it can run whatever application it wants, without disclosure to the user, hooked on 3rd party implementation with FULL network access.
If's sandboxing you in in user space, with limited access to system space, just like jalis but worse. You are locked out on SYSTEM level.
Basically you have total visualization of your machine and all you do is like being in a virtual machine.
Oh, look, how nice of NSA to help out: SEAndroid
They even implement it with Xen.
So you might think you are in your phone but you are in the Matrix. You are never in your phone.
And that means that you don't know what it's going on in your REAL phone. You don't know what your phone are sending for information since few can
afford their own base station and build a Faraday's cage to really see what it does.
They have you through your serial, and they can install what they want on your phone. Nice to target people, not? I'ts not only about general population
control anymore. It's about that they can know that YOU have this phone with unique id and who you are. They can start to track people, groups, whatever.
You can compare it with Windows. Windows desperately tries to contact to the 192.88.99.1 that is the standard "6to4 any cast" (RFC 3068), but from
there where? There are pages with people who try to figure out why "SYSTEM" really wants that and where it goes. Please, take a look yourself. Google.
Turn on Skype. It tries to make a tunnel through ICMP. A bit sneaky but I CAN see this because I have full access to my network.
But I don't have a base-station and I'm betting nor does you.
So where is my faulty logic? You have a phone that you are sandboxed in. You have no control because you are locked inside user space.
I'ts so strong the government in USA can use it. They have already a flag that warns if it's tampered with.
There is many unanswered questions about Knox and why doesn't Samsung disclose them if it's so innocent? To protect from tampering that you can't?
So if there will be no pressure and people will not get the finger out of their butts S5 will have a Knox-chip in it. That I'm 100% certain of.
Knox is way more the a bootloader that people tries to circumvent for their warranty situation, well, good for them. I see that part as insignificant
since Knox is a whole framework that nobody really knows what it does.
Read the white paper. Many pretty words but sift through the purpose to why you should have it, why it's enforced on your phone so desperately?
There is none.
And as soon as you trip it, the phone is NOT the same as it was before if I compare how it was before the Knox. It acts differently. I can't say what really,
but having experience, now 20+ years of Unix you get a "feel in your guts" that something is not as they should be. I can't (yet) put my finger too it but
it's a subtle change. Not the same phone. But probably it's because the thing I wrote. I'm not in my phone. I'm in a virtual space.
Now they rushed and released that i9506 that has replaced the i9505. You can get that anymore. With the new phone, that has so much more in common
with Note 3 that I think it's the same production line and that they fork quite late to the two platforms. I have not seen the inside of it so I can't check but
it can be a cost-saver or it can be that you don't have any other choice for a boot loader that isn't from the "pre-Knox".
Get a rocket phone but make it incompatible with any pre-Knoxed firmwares. Nice move, Samsung!
I haven't tried it yet, as said, a bit much IRL right now but I'm pretty sure that no bootloader that isn't "pre-Knox" will work on the '06 but that also, that
firmwares from Note 3 will boot. Are there some pre-Knox there?
You compare it with other companies. Where do they have the lockup?
You can unlock your HTC FULLY. You couldn't make an S-OFF in the HTC One X but you can that in the HTC One.
Sony has similar solutions.
Only Samsung goes the other way and close up. Possibility of a remotely controlled phone? 100%!
If you think it's ok that you have a phone that can run applications that you don't even see, don't know what it does, who it communicates with then it's fine
with me. I don't accept it, since I think it's sinister. I don't buy that Samsung want to protect me. If so, write a free virus killer instead.
Don't make my phone a virtual machine!
So yet again. I don't whine over warranty since that is not an issue. The issue is that your phone is totally controlled by a 3rd party at their discretion.
SELinux rules update #16
I'm curious. What did they "perfect" this time?
If you or anybody else doesn't have concerns after this I will stop writing about it, because it takes up my time and I will buy a HTC next year instead. But
is you all ARE concerned you have to start to voice that and spread it all over the user forums, not this special place, but the ones where the masses sit
and read. If not, Samsung Galaxy S5 will have a Knox-chip integrated. Maybe they even smack AES on it for fun.
Then we don't even have to start a forum about it. We can just link them over to some of those user ones....
- When Intel made it's unique ID on each CPU there was a huge outcry. They withdraw it.
- When Microsoft tried to do a chip called Palladium that would only allow certified programs to run there was a huge outcry. They withdraw that.
- When Samsung takes over your phone, can control it 100% or sell that control to some government you sit and talk about bootloaders and warranty....
So THINK for a moment. And hopefully act.
/Abs - Not possible to downgrade to KNOX-disabled firmwares/bootloaders (An attempt sets 0x1) (even though some people state, downgrade is possible when omitting the bootloader file in a firmware package: see http://xdaforums.com/showthread.php?t=2444671, not confirmed)
