A few things on knox / rooting and bootloaders that need more testing / development

Search This thread
By:
Advanced…
X

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
I never had the time (and the devices) to properly research this but there are a few things that other people might want to test (or already know the answers) and I think it might come very handy to the Note 3 community. There is a somehow similar thread for the S4 community here.




0) SUCCESS WITH KNOX / DOWNGRADING ON N900 !!!

On N900 (Exynos) there is now a solution (unfortunately for the moment only for Exynos models) - a special firmware leaked originally here:

http://sxtpdevelopers.com/samsung-note-3-knox-fix-qualcomm/

(it looks like a firmware reset/update for the EMMC, which results in the erase of the RPMB where Knox flag and downgrade restrictions are stored).

In this thread details on some of the people testing it can be found in those posts:

http://xdaforums.com/showthread.php?p=52329946#post52329946

http://xdaforums.com/showthread.php?p=52408318#post52408318

If the original site is taken down by Samsung you need to search after a file called BL_HA3GZS_CLEAR_WARRANTY_BIT.tar - the one I saw was 2334801 bytes in length (might be shown as a 2.23MB download in some chinese sites). There might be a problem finding it since Samsung might go after anybody hosting and distributing it.


1) Just rooting should not trip knox

The problem with rooting that makes knox 0x1 - originally Root De La Vega was developed for the AT&T very locked structure, and as such it was doing the rooting in a pretty convoluted way. However on other Note 3 versions the knox warranty flag is very clearly linked to just kernel and recovery, and not to system itself. In other words it SHOULD be possible (even after MJ3) to root and keep knox 0x0 on devices that are not "bootloader locked" by not touching kernel and recovery and only touching system - that is probably NOT going to work on AT&T (N900A) but it seems to work on N900W8 and IMHO it could also work on N9005 (and possibly N9000, but I know much less about that). If you want more proof look into the posts about N900W8 + different version (of more or less) stock-based ROMs (like xnote, but stock kernel and recovery).

So the bottom line on this is to verify on a knox 0x0 device with firmware MJ3 (or newer) that just writing a pre-rooted system would be allowed in download mode and would keep knox 0x0. And we would need a more clear confirmation for both N900W8 and N9005 (or any other models) - of course with some description of what was written and how ;)

EDIT: some W8 users have provided extra details and so far it looks it might be more the bootloader itself and not so much in how/what is written, but more information is needed.
EDIT2: there is a thread with that kind of talk here:
http://xdaforums.com/showthread.php?t=2627996



2) We should really test the "portability" of various bootloaders since this could solve a lot of things

First - here are two external (non-xda) pages with some very good development information regarding "bootloader hacking":

http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

On bootloader-confused devices (for instance Hong-Kong versions that got the KitKat bootloader from Polish/XEO KK and have to wait for Hong-Kong KitKat, or any device that seems to be bricked in the bootloader) it might be also interesting (for somebody VERY daring - remember that it could brick your phone even worse) to try to write the bootloader files (all 5 of them?) from the N900W8 and see if those are accepted (since once that would be the case downgrading would also become a possibility).

EDIT: the N900W8 is also reported (see here) to let you have a custom recovery and not trip knox, which is kind of weird but maybe this is the knox breakthrough that we were expecting :)



3) More info on STRAP flags (those listed in download mode)

STRAP flags - there are a number of places where the values listed in download mode are discussed, for instance:

http://xdaforums.com/showthread.php?t=2567165

It seems that the values for S T R A and P flags could be versions of the 5 main bootloader-related files used in Qualcomm-based Note 3 devices, most likely:

S - SBL1

T - TZ

R - RPM

A - ABOOT

P - SDI (?)


My EU N9005 (I believe with MI7 or so bootloader) was something like S1, T1, R1, A1, P1 and also SECUREBOOT: ENABLE (CSB) (as it can be seen in the thread above) but is now P2 (which is very strange since I had all automatic and security updates disabled, but might be related to the fact that at some point I activated the reactivation flag linked to the Samsung account - disabling it does not return P back to 1 so this might not be it).

Also if you look around the values seem to be somehow consistent - with post-MJ3 bootloader most flags become 2 and with KitKat bootloader at least the A flag becomes 3.

It remains to be seen if this is the case and if it is any way relevant to hacking the bootloader system or knox (or is just for debug purposes - like when we see people with A3 complaining that they can't return to stock MJ7 or MK2).


4) More info on "microSD debricking and if this could let us re-write different bootloader files (and maybe we should encourage people to have their "debricking image" made in advance "just in case")

When the bootloader files become "bad" and you can not go in download mode (but probably sbl1 is still valid) it is still possible to recover things by forcing the boot process from microSD. That seems to require no extra hardware on Qualcomm models and one small contact for Exynos devices (where that is even documented in Samsung original documents like 13-58_SM-N900_Boot_Recovery_Guide_rev1.0.pdf).

There is a thread on this at:

http://xdaforums.com/showthread.php?t=2625332



5) More info on how Samsung CAN reset knox

There are already two threads with something more than 5-6 first-hand reports from people that went with a Note 3 knox 0x1 into service and left with the same device (and motherboard and IMEI and in some cases all their programs and even their normal/old firmware) but with knox 0x0!

One thread in T-Mobile Note 3 forum:

http://xdaforums.com/showthread.php?t=2637718

And a much larger one in International Note 3 forum:

http://xdaforums.com/showthread.php?t=2504258

There is also already a "hardware+software solution" (expensive, aimed at specialized phone shops that also do phone unlocking and similar stuff) which claims to be able to reset the knox flag on Exynos devices:

http://forum.gsmhosting.com/vbb/f67...olution-solution-repair-rebuild-emmc-1769456/
http://forum.gsmhosting.com/vbb/f67...bit-0-solution-inside-first-ih-world-1776265/
http://forum.gsmhosting.com/vbb/f672/regarding-knox-s4-1775213/




6) Pre-production bootloaders before knox?

Here is an interesting thread apparently about a N9005 with no knox:

http://xdaforums.com/showthread.php?t=2657631
 
Last edited:
  • Like
Reactions: adfree, amadorsg1, gee2012 and 22 others
D

DDRFAN

Senior Member
Oct 10, 2009
209
14
Toronto
I'm not too sure if this is helpful, but with the introduction of Kitkat, the SM-N900W8 has been able to flash a custom rom/kernel and recovery without tripping Knox. I am really not sure how this is possible, but my phone is living proof of it. To my understanding we are still using the old bootloader.
 
CNexus

CNexus

Senior Member
May 17, 2012
9,010
14,000
~/android
Google Pixel 7
Just a note @xclub_101...you cannot write older/different bootloaders using the debrick method. gTan64 and I originally pioneered that method on the Sprint S3, and it was then ported to the other qualcomm S3's, and eventually to other Samsung devices.

It does not work. The phone will only boot with a debrick sdcard when the bootloader written to the sdcard has the same version as the corrupt one on the device emmc.

And even if an older bootloader sdcard COULD boot the device, it wouldn't matter because you would still need to Odin flash a non-corrupt bootloader to the device after using the sdcard, and it would still reject a non-Knox bootloader because of that.

So unfortunately that section is incorrect.
 
Last edited:
R

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
I can downgrade P1 to P0. It is device and carrier specific. I'm not sure what the P flag is for. RPM, SBL1, and TZ were only items modified when downgraded. All signed releases. Looking for any more information regarding these flags.
 
X

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
CNexus said:
Just a note @xclub_101...you cannot write older/different bootloaders using the debrick method. gTan64 and I originally pioneered that method on the Sprint S3, and it was then ported to the other qualcomm S3's, and eventually to other Samsung devices.

It does not work. The phone will only boot with a debrick sdcard when the bootloader written to the sdcard has the same version as the corrupt one on the device emmc.

And even if an older bootloader sdcard COULD boot the device, it wouldn't matter because you would still need to Odin flash a non-corrupt bootloader to the device after using the sdcard, and it would still reject a non-Knox bootloader because of that.

So unfortunately that section is incorrect.
Click to expand...
Click to collapse



That is somehow true, but IMHO if all relevant partitions are wiped on the internal flash (from SBL1 to ABOOT) then all those will be read from microSD and have the code and signatures from there, and the "Odin mode" itself will be the version from microSD.

And here we have a number of interesting paths:

- the signature/hash on SBL1 itself is similar among Note 3 versions - that would result on all steps up to and including ABOOT being valid, so the "special Odin mode" will be entered; if the signature/hash on SBL1 is NOT similar between Note 3 families (or even before and after a major bootloader version) not even the "special Odin mode" will be started;

- if "special Odin mode" is started we can see another fork - if the "downgrade limitations" are part of the microSD code itself then you will be able to write any single firmware you were able to write when the internal SBL1/ABOOT was at the same version as the microSD SBL1/ABOOT - in other words you will be able to downgrade as far back as the microSD SBL1/ABOOT will let you!

- however there are some reports that the "downgrade restrictions" are actually stored in the internal flash in the "invisible/protected" regions there - and can be reset with special JTAG-like hardware:

http://forum.gsmhosting.com/vbb/f672/regarding-knox-s4-1775213/

Even in that last case there would still be a small chance that the "downgrade restrictions" might be skipped when booting from microSD since the internal flash could be considered at that point "less reliable" (or hopefully somebody at Samsung forgot to read that extra info on this special path - we can all hope :rolleyes: )

So yes, I would still like to see more detailed tests on it with detailed reports on what is failing at what point! And especially on the microSD with the N900W8 "happy bootloader" or even with some much earlier "early development bootloader" (I have seen something like that mentioned somewhere)!
 
  • Like
Reactions: can0brains
X

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
ryanbg said:
I can downgrade P1 to P0. It is device and carrier specific. I'm not sure what the P flag is for. RPM, SBL1, and TZ were only items modified when downgraded. All signed releases. Looking for any more information regarding these flags.
Click to expand...
Click to collapse

That was on the Verizon N900V? Does that allow you to do direct downgrades or you still need some tricks? Was it still booting with the downgraded versions?
 
R

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
xclub_101 said:
That was on the Verizon N900V? Does that allow you to do direct downgrades or you still need some tricks? Was it still booting with the downgraded versions?
Click to expand...
Click to collapse

Downgrading is limited to the flag fuse counter values. On MJE, I can downgrade to MI9 boot image and recovery. I was able to downgrade to some pre-release engineering SBL1, RPM, and TZ because they're signed and fuse counter is only 1 for those 3. It's very benign and basic to downgrade. Just use heimdall and try downgrading an individual image. If I figure out what P is, I'll be able to test if I can flash anything related to that flag. For some reason, I can downgrade to MI9 boot and recovery, but not the system.img. I'm just starting to learn a lot about the flags/fuse counters after dissecting aboot further. If you've got any more specific questions, feel free to PM me :)
 
I

iamsuperuser

Senior Member
Aug 15, 2011
699
166
37
Hyderabad
Xiaomi Poco F1
For the past 2 weeks I've been following the topics on Knox reset on XDA. There is so much discussion but Samsung is not at all helping.

So I was thinking we can do something like Sony Phones

On Sony Phones the trim area i.e. TA.img is backed up to restore later to claim warranty, but this should be done only before the phone is ever unlocked.
So are there any files like TA.img on Note 3 we can backup while the Knox is still 0×0 , So that if and when there is a method to reset Knox we can be ready.

If we can do this, we can go ahead and root or mod our Note 3s

So is this possible ?
 
FeralFire

FeralFire

Senior Member
Jan 18, 2012
510
232
iamsuperuser said:
For the past 2 weeks I've been following the topics on Knox reset on XDA. There is so much discussion but Samsung is not at all helping.

So I was thinking we can do something like Sony Phones

On Sony Phones the trim area i.e. TA.img is backed up to restore later to claim warranty, but this should be done only before the phone is ever unlocked.
So are there any files like TA.img on Note 3 we can backup while the Knox is still 0×0 , So that if and when there is a method to reset Knox we can be ready.

If we can do this, we can go ahead and root or mod our Note 3s

So is this possible ?
Click to expand...
Click to collapse


I don't think that will be possible because knox flag is an e-fuse and not a software counter.
I may be wrong, though.
 
A

AndroidNoob22

Senior Member
Sep 16, 2013
132
37
Hyderabad
FeralFire said:
I don't think that will be possible because knox flag is an e-fuse and not a software counter.
I may be wrong, though.
Click to expand...
Click to collapse

I somehow might agree to you but there's one thing about Knox which is not understandable by any means, Knox was officially introduced in Note 3 (Android 4.3) however other samsung devices had never had any hint of Knox hardware or software wise so while the official android 4.3 started rolling for other devices ie galaxy s4, note 2 etc they also got Knox and once they're tripped they cannot be reseted however I belive this should not be the case as those devices never had such thing as Knox specifically in terms of hardware and this trick has been surely done by samsung software wise and the only way to reset Knox as f now is known by samsung as few people have reported they got their Knox reset from samsung service centers, so this is kind of strange and I still believe Knox can have something to be done with software n not hardware, though I aint sure about it.........
 
S

siraltus

Senior Member
Jan 26, 2010
1,997
1,734
AndroidNoob22 said:
I somehow might agree to you but there's one thing about Knox which is not understandable by any means, Knox was officially introduced in Note 3 (Android 4.3) however other samsung devices had never had any hint of Knox hardware or software wise so while the official android 4.3 started rolling for other devices ie galaxy s4, note 2 etc they also got Knox and once they're tripped they cannot be reseted however I belive this should not be the case as those devices never had such thing as Knox specifically in terms of hardware and this trick has been surely done by samsung software wise and the only way to reset Knox as f now is known by samsung as few people have reported they got their Knox reset from samsung service centers, so this is kind of strange and I still believe Knox can have something to be done with software n not hardware, though I aint sure about it.........
Click to expand...
Click to collapse

It's implemented differently on different devices. From what I've read here and on other forums, this is why:

On Note 3 Snapdragon models, the warranty bits for the kernel and recovery are actual e-fuses stored in the QFUSE block of the Snapdragon MCU (SoC), so they're "hardware" and thus permanent. EDIT: Apparently it's not permanent, as many Snapdragon owners had the Knox flag reset during service.

On Note 3 Exynos models, they're stored in the RMPB partition on the eMMC and resettable via JTAG, as they're more or less "software," which is how it's likely implemented on the older pre-Knox devices. This is also why some European Note 3 owners got their broken Note 3s back from Samsung with the Knox flag reset back to 0x0. This isn't possible on the Snapdragon models.
 
Last edited:
X

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
siraltus said:
It's implemented differently on different devices. From what I've read here and on other forums, this is why:

On Note 3 Snapdragon models, the warranty bits for the kernel and recovery are actual e-fuses stored in the QFUSE block of the Snapdragon MCU (SoC), so they're "hardware" and thus permanent.

On Note 3 Exynos models, they're stored in the RMPB partition on the eMMC and resettable via JTAG, as they're more or less "software," which is how it's likely implemented on the older pre-Knox devices. This is also why some European Note 3 owners got their broken Note 3s back from Samsung with the Knox flag reset back to 0x0. This isn't possible on the Snapdragon models.
Click to expand...
Click to collapse

The part on Exynos models is probably right since now there is a device that claims to do that - see my link in the first post.

The part with Qualcomm models is not 100% so - there are TONS of reports from people with Qualcomm models (not only N9005 in EU but also ALL T-Mobile models) that had their knox fixed on the same motherboard (and in most cases with ALL their customized software left in place). See also my links in the first post.
 
S

siraltus

Senior Member
Jan 26, 2010
1,997
1,734
xclub_101 said:
The part on Exynos models is probably right since now there is a device that claims to do that - see my link in the first post.

The part with Qualcomm models is not 100% so - there are TONS of reports from people with Qualcomm models (not only N9005 in EU but also ALL T-Mobile models) that had their knox fixed on the same motherboard (and in most cases with ALL their customized software left in place). See also my links in the first post.
Click to expand...
Click to collapse

Oh, really? Awesome then, I had no idea. There is hope for us Snapdragon owners after all.
 
radicalisto

radicalisto

Senior Member
Nov 13, 2013
3,729
1,511
York
My motherboard was replaced, that's the only way KNOX can be reset according to the UK service centre I used.
 
R

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
P flag appears to be tied to SBL1. Was able to downgrade SBL1 by itself via Heimdall. Not sure how and why. More research needs to be done.
 
  • Like
Reactions: OnedeeTentee
S

st3chn0

Senior Member
Jul 24, 2010
390
87
Leeds
ryanbg said:
P flag appears to be tied to SBL1. Was able to downgrade SBL1 by itself via Heimdall. Not sure how and why. More research needs to be done.
Click to expand...
Click to collapse

I don't believe that is true. I have compared my flags with other stock btu with the same bootloader and firmware all my flags other than that my P flag is still 0

Also OP needs to recheck the sources regarding knox reset these are for warranty bit on the s4 (android 4.2.2 and below) the supposed claim of knox reset only resets the flash counter. Similar to what triangle away has done in the past

Sent from my SM-N9005 using xda app-developers app
 
X

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
st3chn0 said:
Also OP needs to recheck the sources regarding knox reset these are for warranty bit on the s4 (android 4.2.2 and below) the supposed claim of knox reset only resets the flash counter. Similar to what triangle away has done in the past
Click to expand...
Click to collapse

I don't understand what you are saying, you claim that the two threads below are for S4?

One thread in T-Mobile Note 3 forum:
http://xdaforums.com/showthread.php?t=2637718
And a much larger one in International Note 3 forum:
http://xdaforums.com/showthread.php?t=2504258
 
S

st3chn0

Senior Member
Jul 24, 2010
390
87
Leeds
X

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
st3chn0 said:
Sorry I meant the links pointing towards gsmhosting. Those are perfectly fine
...
Click to expand...
Click to collapse

Those are 3 links since I also wanted to keep some of the "history" on how that was discovered/announced, but the 3rd link is from the guy that actually sells the box and from what I see is saying:

"What this mean ? After replacing or WIPING eMMC and burning old bootloader on device with (KNOX Warranty: 0x01 ) You will get device with unknoxed boot and KNOX Warranty bit 0x0"

And then there is a long list of Exynos devices that are supported, including

Samsung SM-N900 Galaxy Note 3
Samsung SM-N9000Q Galaxy Note 3

and then a separate (and partial) list of the Snapdragon models that are NOT supported.

I have not tested the box personally and that is why I wrote from the very beginning in my original post "claims to be able to reset the knox flag on Exynos devices".

And to finish with that box and the claims they still make on Snapdragon - if they get (in a very controlled and non-destructive) way to remove the downgrading restrictions from the bootloader I think it might still be an interesting achievement - since that way you could revert any device with knox 0x0 to MI7, root and then go to whatever 4.3 or 4.4 you want. But of course that even in that scenario you need that box :) And on the longer term IMHO that same box might be able to reset knox on Snapdragon - yes, part of knox is in the qfuses but the final flag seems to be computed from that and some part in RPMB (which explains how Samsung resets that flags) - the really difficult part will be to find the way how the above is computed!
 
Last edited:
You must log in or register to reply here.

Similar threads

Da_G
Knox/Kernel/Bootloader Development SM-900A
Replies
47
Views
41K
fire3element
fire3element
hsbadr
[KERNEL] [KEXEC] Kernel EXECution for locked devices [N900V] [WIP]
Replies
128
Views
63K
RuggedHunter
RuggedHunter
C
How do you compile a boot.img from a kernel source?
Replies
4
Views
15K
S
sansari123
FeralFire
Trying to solve the Hong Kong N9005 woes using PIT
Replies
12
Views
24K
attari13
attari13
S
Research on finding root exploit for N900V 4.4.4 (NJ6)
Replies
6
Views
4K
yenkoPR
yenkoPR

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 102
    R
    ruchirtrehan
    (Knox had been triggered on the the tested device already), This has been tested & working on Note 3 N900/Exynos on KitKat ND1 firmware which was on official status without root but Knox triggered, The file was flashed using Odin and after flashing I went into download mode and to my surprise Knox was been reset from 0x1 to 0 but the device status had turned custom (was official before flashing the Knox reset), however I will re-flash the firmware and see if Knox remains 0 and device status turns to official, also there are some different stuff in download mode which I hadn't ever seen before like EMMC PIN, Binary Sboot Version and all. I'll be attaching the screenshots for the same kindly find in attachments.

    Edit/Update 1 : After re-flashing the firmware stuff like EMMC PIN and Binary Sboot Version has disappeared Current Binary has turned to official and the Knox has remained to 0 however System Status still appears to be Custom...

    Edit/Update 2 : (Refers to previous updates regarding System Status being Custom and not turning to Official.) After trying to flash the firmware several times nothing really worked (nothing to do with Knox and Current Binary only referred to System Status being Custom) hence I went to stock recovery and wiped Data/Factory Reset and Cache Partition and then re-flashed the firmware (ND1 KitKat) and VOILA! Binary/System Status are now Official and now Knox is 0, seems a great success for the Exynos users, I also do have an snapdragon version so will be looking forward to it, screenshots attached....

    Edit/Update 3 : The steps for resetting Knox (Exynos Note 3 ONLY!) :

    1 - Download the bootloader.zip and extract bootloader from it (find in attachments)

    2 - Open Odin and put device in download mode.

    3 - Select AP/PDA (depending on Odin version you have) and select the bootloader (which was downloaded during step 1) don't select any other option in odin except F reset time and auto reboot (are selected by default).

    4 - After the file is flashed go to download mode and check if the Knox has turned back to 0.

    5 - Flash official firmware from sammobile and after flashing is done let the device reboot and boot up to device set-up screen, don't proceed the set-up for setting up device and turn of it off.

    6 - Reboot to stock recovery (power + vol up + home) and wipe data/cache and flash the firmware again, once flashing the firmware is completed enter download mode and check if current binary and system status has turned to official if not follow steps number 5 and 6 again.

    And that's pretty much it ;), you have successfully been able to reset Knox and regain warranty by this.

    PS : I had done all this steps on ND1 firmware, and this will not keep root access, to root Knox has to be tripped or keep Knox 0 but Current Binary or System Status will be custom wit Knox being 0. Also to note this might get (patched) in future updates (bootloaders) if we look at Samsung's history of patching stuff :p, though not sure about it...

    This will not work on any variant other than Exynos (Note 3) due to different processors and the boot system of both Exynos and Snapdragon. (the bootloader for (Exynos) contains Sboot which is only for the Exynos variant which cannot be used on Snapdragon as it uses Aboot). So this is by no way meant to work on SD variant or any other Samsung device ie S5/S4/Note 2 etc. and hence requested NOT TO USE IT on any other model than Exynos Note 3.

    Edit/Update 4 : Downgrading Note 3 N900/N9000/Exynos from 4.4.2 to 4,3 has been successful, check out this post by me to be updated on steps regarding the same.

    I'll be testing some work around's for the N9005 (Snapdragon) to reset Knox/Firmware Downgrade once I get that device as I have given mine to a friend, and have been saving money to buy a new or used N9005.
    View
    28
    R
    ryanbg
    WARNING:
    This is very dangerous. I have been able to reproduce and recover every time, but there is a HUGE inherent risk of permabricking. I am able to manually put my device into QHSUSB_BULK mode by overwriting SDI/DBI with SBL1. The screen will go black immediately, and your device will be recognized as a QHSUSB_BULK device. You can recover by making a 256MB (arbitrary number, has to be over like 128MB) unbrick image. This can be made by pulling the first 256MB from mmcblk0. Then flash to SD card using DD or Win32DiskImager. Do this before flashing SBL1 to DBI/SDI. Pop it in and it should boot right back normally, so ODIN and flash SDI again to fix. This can be useful for various purposes, of which the right people are already aware.
    View
    26
    R
    ruchirtrehan
    xclub_101 said:
    Quick question to have a more complete view on where things are - I do not have the N900 and I know little about it so the question might already not be a problem there but it certainly is on N9005 - can you also downgrade the firmware after you write the knox-reset piece?
    Click to expand...
    Click to collapse

    I'll test it!

    Edit/Update 1 : Wowzer guys, I have some good news for you all, I have been successfully able to downgrade from 4.4.2 to 4.3 without any issues, The firmware I downgraded to is MI3 and Knox is not present in download mode will post steps soon and guide you through steps for a safe downgrade, PS : this is only for SM-N900/N9000/Exynos for now, screenshots attached..

    Edit/Update 2 : Steps to Downgrade (Note 3 Exynos only!)

    1 - Download the bootloader.zip and extract then flash in Odin. (Find in attachments) (don't select any other option in odin except F reset time and auto reboot) (are selected by default).

    2 - Download any 4.3 JellyBean Firmware from sammobile.

    3 - After flashing the bootlaoder reboot into stock recovery (power+ home+ vol up) and wipe data/factory reset and cache partition

    4 - Turn off the device and reboot into download mode and flash the 4.3 Firmware in Odin.

    5 - After flashing completed let the device boot till boot screen and pull out the battery and turn it off then turn it on again and reboot into recovery (power+ home+ vol up) and wipe data/factory reset and cache partition once again and reboot and let the device boot up.

    That's pretty much it, you've safely downgraded to Android 4.3 from 4.4

    This is only for Note 3 Exynos!

    I'll be testing some work around's for the N9005 (Snapdragon) to reset Knox/Firmware Downgrade once I get that device as I have given mine to a friend, and have been saving money to buy a new or used N9005.
    View
    25
    X
    xclub_101
    I never had the time (and the devices) to properly research this but there are a few things that other people might want to test (or already know the answers) and I think it might come very handy to the Note 3 community. There is a somehow similar thread for the S4 community here.




    0) SUCCESS WITH KNOX / DOWNGRADING ON N900 !!!

    On N900 (Exynos) there is now a solution (unfortunately for the moment only for Exynos models) - a special firmware leaked originally here:

    http://sxtpdevelopers.com/samsung-note-3-knox-fix-qualcomm/

    (it looks like a firmware reset/update for the EMMC, which results in the erase of the RPMB where Knox flag and downgrade restrictions are stored).

    In this thread details on some of the people testing it can be found in those posts:

    http://xdaforums.com/showthread.php?p=52329946#post52329946

    http://xdaforums.com/showthread.php?p=52408318#post52408318

    If the original site is taken down by Samsung you need to search after a file called BL_HA3GZS_CLEAR_WARRANTY_BIT.tar - the one I saw was 2334801 bytes in length (might be shown as a 2.23MB download in some chinese sites). There might be a problem finding it since Samsung might go after anybody hosting and distributing it.


    1) Just rooting should not trip knox

    The problem with rooting that makes knox 0x1 - originally Root De La Vega was developed for the AT&T very locked structure, and as such it was doing the rooting in a pretty convoluted way. However on other Note 3 versions the knox warranty flag is very clearly linked to just kernel and recovery, and not to system itself. In other words it SHOULD be possible (even after MJ3) to root and keep knox 0x0 on devices that are not "bootloader locked" by not touching kernel and recovery and only touching system - that is probably NOT going to work on AT&T (N900A) but it seems to work on N900W8 and IMHO it could also work on N9005 (and possibly N9000, but I know much less about that). If you want more proof look into the posts about N900W8 + different version (of more or less) stock-based ROMs (like xnote, but stock kernel and recovery).

    So the bottom line on this is to verify on a knox 0x0 device with firmware MJ3 (or newer) that just writing a pre-rooted system would be allowed in download mode and would keep knox 0x0. And we would need a more clear confirmation for both N900W8 and N9005 (or any other models) - of course with some description of what was written and how ;)

    EDIT: some W8 users have provided extra details and so far it looks it might be more the bootloader itself and not so much in how/what is written, but more information is needed.
    EDIT2: there is a thread with that kind of talk here:
    http://xdaforums.com/showthread.php?t=2627996



    2) We should really test the "portability" of various bootloaders since this could solve a lot of things

    First - here are two external (non-xda) pages with some very good development information regarding "bootloader hacking":

    http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

    http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

    On bootloader-confused devices (for instance Hong-Kong versions that got the KitKat bootloader from Polish/XEO KK and have to wait for Hong-Kong KitKat, or any device that seems to be bricked in the bootloader) it might be also interesting (for somebody VERY daring - remember that it could brick your phone even worse) to try to write the bootloader files (all 5 of them?) from the N900W8 and see if those are accepted (since once that would be the case downgrading would also become a possibility).

    EDIT: the N900W8 is also reported (see here) to let you have a custom recovery and not trip knox, which is kind of weird but maybe this is the knox breakthrough that we were expecting :)



    3) More info on STRAP flags (those listed in download mode)

    STRAP flags - there are a number of places where the values listed in download mode are discussed, for instance:

    http://xdaforums.com/showthread.php?t=2567165

    It seems that the values for S T R A and P flags could be versions of the 5 main bootloader-related files used in Qualcomm-based Note 3 devices, most likely:

    S - SBL1

    T - TZ

    R - RPM

    A - ABOOT

    P - SDI (?)


    My EU N9005 (I believe with MI7 or so bootloader) was something like S1, T1, R1, A1, P1 and also SECUREBOOT: ENABLE (CSB) (as it can be seen in the thread above) but is now P2 (which is very strange since I had all automatic and security updates disabled, but might be related to the fact that at some point I activated the reactivation flag linked to the Samsung account - disabling it does not return P back to 1 so this might not be it).

    Also if you look around the values seem to be somehow consistent - with post-MJ3 bootloader most flags become 2 and with KitKat bootloader at least the A flag becomes 3.

    It remains to be seen if this is the case and if it is any way relevant to hacking the bootloader system or knox (or is just for debug purposes - like when we see people with A3 complaining that they can't return to stock MJ7 or MK2).


    4) More info on "microSD debricking and if this could let us re-write different bootloader files (and maybe we should encourage people to have their "debricking image" made in advance "just in case")

    When the bootloader files become "bad" and you can not go in download mode (but probably sbl1 is still valid) it is still possible to recover things by forcing the boot process from microSD. That seems to require no extra hardware on Qualcomm models and one small contact for Exynos devices (where that is even documented in Samsung original documents like 13-58_SM-N900_Boot_Recovery_Guide_rev1.0.pdf).

    There is a thread on this at:

    http://xdaforums.com/showthread.php?t=2625332



    5) More info on how Samsung CAN reset knox

    There are already two threads with something more than 5-6 first-hand reports from people that went with a Note 3 knox 0x1 into service and left with the same device (and motherboard and IMEI and in some cases all their programs and even their normal/old firmware) but with knox 0x0!

    One thread in T-Mobile Note 3 forum:

    http://xdaforums.com/showthread.php?t=2637718

    And a much larger one in International Note 3 forum:

    http://xdaforums.com/showthread.php?t=2504258

    There is also already a "hardware+software solution" (expensive, aimed at specialized phone shops that also do phone unlocking and similar stuff) which claims to be able to reset the knox flag on Exynos devices:

    http://forum.gsmhosting.com/vbb/f67...olution-solution-repair-rebuild-emmc-1769456/
    http://forum.gsmhosting.com/vbb/f67...bit-0-solution-inside-first-ih-world-1776265/
    http://forum.gsmhosting.com/vbb/f672/regarding-knox-s4-1775213/




    6) Pre-production bootloaders before knox?

    Here is an interesting thread apparently about a N9005 with no knox:

    http://xdaforums.com/showthread.php?t=2657631
    View
    23
    R
    ryanbg
    RaluSiCris said:
    it can be made a how to in order to be useful for all of us? It would be really appreciated.
    Thanks

    Sent from my SM-N9005 using xda app-developers app
    Click to expand...
    Click to collapse

    If you don't know how it can be useful, this is probably not the best place for you to be posting.
    View

New posts