A few things on knox / rooting and bootloaders that need more testing / development

By xclub_101, Senior Member on 9th February 2014, 04:08 PM
27th April 2014, 10:31 PM |#71
E:V:A, Inactive Recognized Developer
Looong shot number two. (Qualcomm)

This is regarding a quasi-SW hack.

I think it would be extremely useful if someone could start charting out the exact chain of events, leading up to a qfuse write. I'd like to see a chart, kind of what we had for the SecureBoot2 stuff in the 8960... But I'm totally not up-to-date on the current Knox research status, so perhaps this has been done already?

Anyway, the idea is as follows. If at any point the Knox detection mechanism is using code from the modem Hexagon processor, I can almost bet my behind that there could be a hidden proprietary function in the Modem code, that could disable Knox flag. Knowing Qualcomm has their 80 MB blobs of Hexagon RTOS code, this would be some crazy feat to accomplish, but certainly not impossible. (Most of it is redundant anyway, often having ~3 copies of modem binaries, for example.) So if this is possible, I would assume there could be some hidden AT commands accessible from modem terminal shell that temporarily disables Knox fuse.

Where to look? We would need to reverse all the AT command functions using IDA Pro and the Hexagon plugins, and look for code that is related to Qfuse burning. (There is probably a lot of this code, since the recent discovery shows that many RF variables are now also using qfuses.) That's why we need to make the chart above...

But given the low RoE (Return of Effort), I actually do not recommend spending too much time on this, unless Knox is starting to cause real trouble to people.
The Following 11 Users Say Thank You to E:V:A For This Useful Post
28th April 2014, 07:18 AM |#72
Surge1223, Recognized Contributor
Quote:
Originally Posted by E:V:A

Looong shot number two. (Qualcomm)

...

I looked into the command to set the knox flag/fuse/warranty bit and the underlying function. And you may be right about Hexagon, since HLOS has the strings in it that say "device is tampered!" etc., and a secure monitor call to set the warranty void flag goes to an address in TZ memory. I think it'd take a while to figure out the who, what, where just by examining assembly without a kernel, TrustZone, or Hexagon vulnerability... plus it's a mix of ARM/Thumb/random blobs.

Sent from my SCH-I545 using XDA Premium 4 mobile app
The Following 7 Users Say Thank You to Surge1223 For This Useful Post
30th April 2014, 01:20 AM |#73
david515, Junior Member
I found this and wondered if this may help.
Quote:
Originally Posted by Surge1223

I looked into the command to set the knox flag/fuse/warranty bit and the underlying function. ...

I found this link on a Knox reset. I don't know if this is reliable as of yet, but it is interesting if it is for real.
http://sxtpdevelopers.com/samsung-no...-fix-qualcomm/
The Following 5 Users Say Thank You to david515 For This Useful Post
30th April 2014, 02:38 AM |#74
Member
Quote:
Originally Posted by david515

I found this link on a knox reset ...

Took the plunge and tried flashing just the param.bin. No harm was done to my device; however, Knox is still 0x1.
30th April 2014, 10:21 AM |#75
Junior Member
This is on their site:

Quote:

so next is Qualcomm…

1st May 2014, 09:50 AM |#76
RuchRha, Senior Member
(Knox had been triggered on the tested device already.) This has been tested and is working on a Note 3 N900/Exynos on KitKat ND1 firmware, which was on official status without root but with Knox triggered. The file was flashed using Odin, and after flashing I went into download mode and to my surprise Knox had been reset from 0x1 to 0, but the device status had turned custom (it was official before flashing the Knox reset). However, I will re-flash the firmware and see if Knox remains 0 and the device status turns to official. Also there is some different stuff in download mode which I hadn't ever seen before, like EMMC PIN, Binary Sboot Version and all. I'll be attaching the screenshots for the same; kindly find them in attachments.

Edit/Update 1: After re-flashing the firmware, stuff like EMMC PIN and Binary Sboot Version has disappeared, Current Binary has turned to official and Knox has remained 0; however, System Status still appears to be Custom...

Edit/Update 2: (Refers to previous updates regarding System Status being Custom and not turning to Official.) After trying to flash the firmware several times nothing really worked (nothing to do with Knox and Current Binary; this only refers to System Status being Custom), hence I went to stock recovery, wiped Data/Factory Reset and Cache Partition and then re-flashed the firmware (ND1 KitKat) and VOILA! Binary/System Status are now Official and Knox is 0. Seems a great success for the Exynos users. I also have a Snapdragon version so will be looking forward to it; screenshots attached....

Edit/Update 3: The steps for resetting Knox (Exynos Note 3 ONLY!):

1 - Download the bootloader.zip and extract the bootloader from it (find it in attachments).

2 - Open Odin and put the device in download mode.

3 - Select AP/PDA (depending on the Odin version you have) and select the bootloader (which was downloaded in step 1); don't select any other option in Odin except F. Reset Time and Auto Reboot (which are selected by default).

4 - After the file is flashed, go to download mode and check if Knox has turned back to 0.

5 - Flash official firmware from sammobile and after flashing is done let the device reboot and boot up to the device set-up screen; don't proceed with the set-up and turn it off.

6 - Reboot to stock recovery (power + vol up + home), wipe data/cache and flash the firmware again; once flashing the firmware is completed, enter download mode and check if Current Binary and System Status have turned to official. If not, follow steps 5 and 6 again.

And that's pretty much it, you have successfully reset Knox and regained warranty by this.

PS: I had done all these steps on ND1 firmware, and this will not keep root access; to root, Knox has to be tripped, or keep Knox 0 but Current Binary or System Status will be custom with Knox being 0. Also to note, this might get patched in future updates (bootloaders) if we look at Samsung's history of patching stuff, though not sure about it...

This will not work on any variant other than Exynos (Note 3) due to the different processors and boot systems of Exynos and Snapdragon (the bootloader for Exynos contains Sboot, which is only for the Exynos variant and cannot be used on Snapdragon as it uses Aboot). So this is by no way meant to work on the SD variant or any other Samsung device, i.e. S5/S4/Note 2 etc., and hence you are requested NOT TO USE IT on any other model than the Exynos Note 3.

Edit/Update 4: Downgrading Note 3 N900/N9000/Exynos from 4.4.2 to 4.3 has been successful; check out this post by me to be updated on steps regarding the same.

I'll be testing some workarounds for the N9005 (Snapdragon) to reset Knox / downgrade firmware once I get that device, as I have given mine to a friend and have been saving money to buy a new or used N9005.
Attached Thumbnails: IMG_20140501_131551.jpg, IMG_20140501_131553.jpg, IMG_20140501_140421.jpg
Attached Files: Bootloader.zip (1.39 MB, 22746 views)
The Following 102 Users Say Thank You to RuchRha For This Useful Post
2nd May 2014, 08:39 PM |#77
xclub_101 (OP), Senior Member
Quote:
Originally Posted by RuchRha

...
This will not work on any variant other than Exynos (Note 3) due to different processors and the boot system of both Exynos and Snapdragon. (the file for resetting Knox (Exynos) contains Sboot which is only for the Exynos variant which cannot be used on Snapdragon as it uses Aboot). So this is by no way meant to work on SD variant or any other Samsung device ie S5/S4/Note 2 etc. and hence requested NOT TO USE IT on any other model than Exynos Note 3.

Quick question to have a more complete view on where things are - I do not have the N900 and I know little about it so the question might already not be a problem there but it certainly is on N9005 - can you also downgrade the firmware after you write the knox-reset piece?
The Following User Says Thank You to xclub_101 For This Useful Post
3rd May 2014, 03:46 AM |#78
RuchRha, Senior Member
Quote:
Originally Posted by xclub_101

Quick question to have a more complete view on where things are - I do not have the N900 and I know little about it so the question might already not be a problem there but it certainly is on N9005 - can you also downgrade the firmware after you write the knox-reset piece?

That's a pretty interesting question. I hadn't really thought about it, but I guess I'll give it a shot pretty soon; I am out of town atm, so will try and do it asap and let you know if it could be possible to do so..
The Following 3 Users Say Thank You to RuchRha For This Useful Post
3rd May 2014, 11:15 AM |#79
Senior Member
Hello @RuchRha, I saw you on another thread and tracked you down to this one. It has been reported that flashing root using CF-Root on a Canadian N900W8 was possible without compromising the KNOX warranty counter. Do you know whether the same applies to the SM-N900 variant?

Apologies if this has been asked/answered, but I couldn't find a reference to the answer.
3rd May 2014, 12:12 PM |#80
smeet.somaiya, Senior Member
Quote:
Originally Posted by RuchRha

That's a pretty interesting question. I hadn't really thought about it, but I guess I'll give it a shot pretty soon; I am out of town atm, so will try and do it asap and let you know if it could be possible to do so..

Attempting to downgrade is worth trying. If it succeeds, it would be great. If it fails with "Firmware Upgrade encountered issue", no worries, just flash stock recovery back and the phone would be up again.

Sent from my Galaxy S5 GT-N7100
3rd May 2014, 04:11 PM |#81
Zibri, Senior Member
Hmm, I analyzed this. It contains an sboot.bin for Exynos devices AND an EMMC1 firmware update file.
That is the key to the Knox reset.
The Following 5 Users Say Thank You to Zibri For This Useful Post
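Before flashing a forum-supplied bootloader package like the one RuchRha attached and Zibri took apart, it is worth listing exactly which images it carries and checking that the package is intact. The script below is an added example, not code from this thread or its attachment; it assumes the Odin-style .tar.md5 layout (a plain tar archive with an `md5sum` line appended) and builds its own small sample archive inline instead of reading Bootloader.zip.

```python
import hashlib
import io
import re
import tarfile

# Odin-style ".tar.md5" packages are a plain tar archive with one trailing
# text line "<md5 of the tar bytes>  <file name>" appended (assumption about
# the layout; the archive below is constructed, not the thread's Bootloader.zip).
MD5_LINE = re.compile(rb"^([0-9a-fA-F]{32})  (.+)\n?$")

# Image names that should make a reviewer pause before flashing: the thread
# reports an eMMC firmware update travelling alongside sboot.bin.
SENSITIVE = ("sboot", "emmc", "aboot", "tz", "param")


def split_md5_trailer(blob: bytes):
    """Return (tar_bytes, md5_hex or None) for a .tar.md5-style package."""
    # A tar body always ends in NUL-filled end-of-archive blocks, so any text
    # trailer is whatever follows the last NUL byte.
    tail_start = blob.rfind(b"\x00") + 1
    m = MD5_LINE.match(blob[tail_start:])
    if not m:
        return blob, None
    return blob[:tail_start], m.group(1).decode().lower()


def inspect_package(blob: bytes) -> dict:
    """List tar members, verify the trailer md5, and flag sensitive images."""
    tar_bytes, claimed = split_md5_trailer(blob)
    actual = hashlib.md5(tar_bytes).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        members = [(m.name, m.size) for m in tf.getmembers() if m.isfile()]
    flagged = [n for n, _ in members if any(k in n.lower() for k in SENSITIVE)]
    return {
        "members": members,
        "md5_present": claimed is not None,
        "md5_ok": claimed == actual,   # False when absent or mismatched
        "flagged": flagged,
    }


def build_sample_package() -> bytes:
    """Constructed sample: a tiny tar with two fake images plus an md5 trailer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, payload in (("sboot.bin", b"\x00" * 64), ("emmc_fw.bin", b"\xff" * 32)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    return tar_bytes + hashlib.md5(tar_bytes).hexdigest().encode() + b"  sample.tar\n"
```

A package that lists an eMMC firmware image, or whose md5 trailer is missing or wrong, deserves a second look before it goes anywhere near Odin.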
Tags: knox, root