I never had the time (and the devices) to properly research this, but there are a few things that other people might want to test (or already know the answers to), and I think it might come in very handy to the Note 3 community. There is a somewhat similar thread for the S4 community here.
0) SUCCESS WITH KNOX / DOWNGRADING ON N900 !!!
On N900 (Exynos) there is now a solution (unfortunately for the moment only for Exynos models) - a special firmware leaked originally here:
http://sxtpdevelopers.com/samsung-note-3-knox-fix-qualcomm/
(it looks like a firmware reset/update for the EMMC, which results in the erase of the RPMB where Knox flag and downgrade restrictions are stored).
In this thread, details from some of the people testing it can be found in these posts:
http://xdaforums.com/showthread.php?p=52329946#post52329946
http://xdaforums.com/showthread.php?p=52408318#post52408318
If the original site is taken down by Samsung you need to search for a file called BL_HA3GZS_CLEAR_WARRANTY_BIT.tar - the one I saw was 2334801 bytes long (might be shown as a 2.23MB download on some Chinese sites). There might be a problem finding it, since Samsung might go after anybody hosting and distributing it.
1) Just rooting should not trip knox
The problem with rooting that makes knox 0x1: originally Root De La Vega was developed for AT&T's very locked structure, and as such it was doing the rooting in a pretty convoluted way. However, on other Note 3 versions the knox warranty flag is very clearly linked to just kernel and recovery, and not to system itself. In other words it SHOULD be possible (even after MJ3) to root and keep knox 0x0 on devices that are not "bootloader locked" by not touching kernel and recovery and only touching system - that is probably NOT going to work on AT&T (N900A), but it seems to work on N900W8, and IMHO it could also work on N9005 (and possibly N9000, but I know much less about that). If you want more proof, look into the posts about N900W8 + different versions of (more or less) stock-based ROMs (like xnote, but with stock kernel and recovery).
So the bottom line on this is to verify on a knox 0x0 device with firmware MJ3 (or newer) that just writing a pre-rooted system would be allowed in download mode and would keep knox 0x0. And we would need clearer confirmation for both N900W8 and N9005 (or any other models) - of course with some description of what was written and how.
EDIT: some W8 users have provided extra details, and so far it looks like it might be more about the bootloader itself and not so much about how/what is written, but more information is needed.
EDIT2: there is a thread with that kind of talk here:
http://xdaforums.com/showthread.php?t=2627996
2) We should really test the "portability" of various bootloaders since this could solve a lot of things
First - here are two external (non-xda) pages with some very good development information regarding "bootloader hacking":
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html
http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html
On bootloader-confused devices (for instance Hong Kong versions that got the KitKat bootloader from the Polish/XEO KK and have to wait for Hong Kong KitKat, or any device that seems to be bricked in the bootloader) it might also be interesting (for somebody VERY daring - remember that it could brick your phone even worse) to try to write the bootloader files (all 5 of them?) from the N900W8 and see if those are accepted (since once that would be the case, downgrading would also become a possibility).
EDIT: the N900W8 is also reported (see here) to let you have a custom recovery and not trip knox, which is kind of weird, but maybe this is the knox breakthrough that we were expecting.
3) More info on STRAP flags (those listed in download mode)
STRAP flags - there are a number of places where the values listed in download mode are discussed, for instance:
http://xdaforums.com/showthread.php?t=2567165
It seems that the values for S T R A and P flags could be versions of the 5 main bootloader-related files used in Qualcomm-based Note 3 devices, most likely:
S - SBL1
T - TZ
R - RPM
A - ABOOT
P - SDI (?)
My EU N9005 (I believe with an MI7 or so bootloader) was something like S1, T1, R1, A1, P1 and also SECUREBOOT: ENABLE (CSB) (as can be seen in the thread above) but is now P2 (which is very strange, since I had all automatic and security updates disabled, but it might be related to the fact that at some point I activated the reactivation flag linked to the Samsung account - disabling it does not return P back to 1, so this might not be it).
Also, if you look around, the values seem to be somewhat consistent - with a post-MJ3 bootloader most flags become 2, and with a KitKat bootloader at least the A flag becomes 3.
It remains to be seen if this is the case and if it is in any way relevant to hacking the bootloader system or knox (or is just for debug purposes - like when we see people with A3 complaining that they can't return to stock MJ7 or MK2).
4) More info on "microSD debricking" and whether this could let us re-write different bootloader files (and maybe we should encourage people to have their "debricking image" made in advance, "just in case")
When the bootloader files become "bad" and you cannot go into download mode (but probably sbl1 is still valid) it is still possible to recover things by forcing the boot process from microSD. That seems to require no extra hardware on Qualcomm models and one small contact for Exynos devices (where it is even documented in Samsung's original documents, like 13-58_SM-N900_Boot_Recovery_Guide_rev1.0.pdf).
There is a thread on this at:
http://xdaforums.com/showthread.php?t=2625332
5) More info on how Samsung CAN reset knox
There are already two threads with more than 5-6 first-hand reports from people who went with a Note 3 at knox 0x1 into service and left with the same device (and motherboard and IMEI, and in some cases all their programs and even their normal/old firmware) but with knox 0x0!
One thread in T-Mobile Note 3 forum:
http://xdaforums.com/showthread.php?t=2637718
And a much larger one in International Note 3 forum:
http://xdaforums.com/showthread.php?t=2504258
There is also already a "hardware+software solution" (expensive, aimed at specialized phone shops that also do phone unlocking and similar stuff) which claims to be able to reset the knox flag on Exynos devices:
http://forum.gsmhosting.com/vbb/f67...olution-solution-repair-rebuild-emmc-1769456/
http://forum.gsmhosting.com/vbb/f67...bit-0-solution-inside-first-ih-world-1776265/
http://forum.gsmhosting.com/vbb/f672/regarding-knox-s4-1775213/
6) Pre-production bootloaders before knox?
Here is an interesting thread, apparently about an N9005 with no knox:
http://xdaforums.com/showthread.php?t=2657631
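As an added example (not code from the original post or from any of the threads linked above), here is a Python check for the practical question in section 1: before writing a package in download mode, confirm what it would actually write. It splits an Odin .tar.md5 into the tar and the md5 line appended to it, verifies the md5 the way Odin does (md5 of everything before that line), and reports whether the package touches kernel/recovery or any of the five bootloader images. The image file names (boot.img, recovery.img, system.img.ext4, sbl1.mbn, tz.mbn, rpm.mbn, aboot.mbn, sdi.mbn) are assumptions typical of Qualcomm Note 3 packages and should be compared with a stock package for your model; the sample packages below are constructed in memory and are not real firmware.

```python
import hashlib
import io
import re
import tarfile

# Image names as they appear inside Samsung Odin packages.  These are assumptions
# for illustration (typical of Qualcomm Note 3 packages); check them against a
# stock package for your own model before relying on them.
KERNEL_RECOVERY = {"boot.img", "recovery.img"}
BOOTLOADER = {"sbl1.mbn", "tz.mbn", "rpm.mbn", "aboot.mbn", "sdi.mbn"}  # the S/T/R/A/P set
SYSTEM_ONLY = {"system.img", "system.img.ext4"}

# Trailer line appended to a .tar.md5: "<md5 hex>  <file name>\n"
_MD5_LINE = re.compile(rb"^([0-9a-fA-F]{32})\s+\S+\s*$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def split_tar_md5(data: bytes):
    """Return (tar_bytes, claimed_md5 or None) for a .tar or .tar.md5 blob.

    A .tar.md5 is a plain tar with one text line appended; Odin compares the
    md5 of everything before that line with the value in it.  The tar itself
    ends with zero blocks, so the trailer is the printable text after the last
    NUL (or newline) near the end of the file.  A plain .tar has no trailer.
    """
    if not data.endswith(b"\n"):
        return data, None
    tail = data[-256:]
    idx = max(tail.rfind(b"\n", 0, len(tail) - 1), tail.rfind(b"\0"))
    line = tail[idx + 1:]
    m = _MD5_LINE.match(line)
    if not m:
        return data, None
    return data[: len(data) - len(line)], m.group(1).decode().lower()


def inspect_odin_package(data: bytes) -> dict:
    """List the images a package would write and flag the knox-relevant ones."""
    tar_bytes, claimed = split_tar_md5(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        members = [m.name for m in tf.getmembers() if m.isfile()]
    names = {n.rsplit("/", 1)[-1].lower() for n in members}
    return {
        "members": members,
        "md5_present": claimed is not None,
        "md5_ok": claimed is not None and md5_hex(tar_bytes) == claimed,
        "kernel_or_recovery": sorted(names & KERNEL_RECOVERY),
        "bootloader": sorted(names & BOOTLOADER),
        "system_only": bool(names) and names <= SYSTEM_ONLY,
    }


def build_package(files: dict, with_md5: bool = True) -> bytes:
    """Construct a tiny Odin-style package in memory (sample data, not firmware)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    tar_bytes = buf.getvalue()
    if with_md5:
        # Same layout Odin expects: md5 of the tar, two spaces, a file name, newline.
        tar_bytes += (md5_hex(tar_bytes) + "  package.tar.md5\n").encode()
    return tar_bytes


if __name__ == "__main__":
    # Constructed samples: a system-only package, and one that would also write
    # the kernel and aboot (the images the post ties to knox and downgrade checks).
    samples = [
        ("system only", {"system.img.ext4": b"\x00" * 2048}),
        ("system + kernel + aboot", {"system.img.ext4": b"\x00" * 2048,
                                     "boot.img": b"ANDROID!", "aboot.mbn": b"\x7fELF"}),
    ]
    for label, files in samples:
        print(label, inspect_odin_package(build_package(files)))
```

The report only tells you what Odin would write, not whether the bootloader will accept the package or whether the warranty bit stays 0x0; that is exactly what section 1 asks testers to confirm, and the member list is the "description of what was written" that should accompany any such report.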