[Q] Knox Boot Loader Exploration On Samsung Galaxy S4 SPH-L720

perezmarka

Member
Nov 5, 2013
I started looking at this issue in another thread HERE. I started thinking about this and knew there were others with more info that might help.

Everyone says you can't downgrade the Knox Boot Loader once it's been loaded. I want to try and understand why/how we can modify the system to overcome that.

Here's what I know and I've done:

After MF9, the Knox Bootloader was included in the update. Unknownforce has a great thread that has the modems with or without the boot loader. What I did first was unzip the tar files for MF9 (with and without the boot loader.)

Both files have:
modem.bin
NON-HLOS.bin
rpm.mbn
tz.mbn

When I compare the files in both, they seem identical: same creation date, same size, etc. They may or may not be the same, but the boot loader version has some extra files.

Boot Loader Version has these files:
aboot.mbn
sbl2.mbn
sbl3.mbn

Process of elimination indicates that these have the Knox Boot loader encoded in some way. The sbl files are placed in the root directory /firmware-mdm/image/ . Try as I might, I can't find aboot.mbn. I did a nandroid backup of my system, then I deleted sbl2.mbn and sbl3.mbn using ES File Explorer. When I rebooted the phone, the files were back in the directory.

Another thing I did was a nand erase and re-partition of my phone using Odin. (Don't attempt this unless you have the pit file! You can easily brick your phone. On second thought, don't attempt this at all. I just got lucky I was able to bring it back up. As it was, my data partition was corrupted because of this, but I was able to fix it.) I think I did everything right in re-installing. I put a Knox-free boot loader and recovery on with Odin first. Then I booted into recovery and installed a Knox-free ROM. The Knox boot loader was still there. I was hoping re-partitioning would wipe everything out, but it was a no go. Anyone else have experience with this?

Here are my questions:

If we delete those three files and can keep them from reloading, will Knox Boot Loader be disabled?

What partition is aboot.mbn located in or stored in on the system? Can it be accessed with adb commands and renamed or deleted?

Where are the sbl files being reloaded from?

Does anyone know if the similar files are the exact same files? If not, how do we replace them with non-boot-loader versions if the system regenerates them at each boot?

Is there a way to do a nand erase and re-partitioning in order to get rid of the bootloader?

Thoughts?
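The post compares the two MF9 extractions by creation date and size and asks whether the matching files are really the same. Comparing by content hash settles that, and also flags a file that differs despite having an identical size. This is an added example, not code from the post: the file names are the ones listed above, the bytes are constructed stand-ins, and load_dir() is the hypothetical entry point for real extraction directories.

```python
import hashlib
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def load_dir(path: str) -> dict[str, bytes]:
    """Read every regular file of an extracted firmware tar into memory.
    Intended for real extractions; the demo below uses constructed bytes."""
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}


def compare_firmware_sets(plain: dict[str, bytes], knox: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify the files of two firmware sets by content digest.
    Equal size and timestamp (what a file manager shows) prove nothing; the hash does."""
    report = {"identical": [], "changed": [], "only_in_knox": [], "only_in_plain": []}
    for name in sorted(set(plain) | set(knox)):
        if name not in knox:
            report["only_in_plain"].append(name)
        elif name not in plain:
            report["only_in_knox"].append(name)
        elif sha256_bytes(plain[name]) == sha256_bytes(knox[name]):
            report["identical"].append(name)
        else:
            report["changed"].append(name)  # same name and size, different bytes
    return report


# Constructed stand-ins for the two MF9 extractions (not real firmware bytes).
PLAIN_MF9 = {
    "modem.bin": b"MODEM" * 100,
    "NON-HLOS.bin": b"HLOS" * 100,
    "rpm.mbn": b"RPM" * 100,
    "tz.mbn": b"TZ-old" * 100,
}
KNOX_MF9 = {
    "modem.bin": b"MODEM" * 100,
    "NON-HLOS.bin": b"HLOS" * 100,
    "rpm.mbn": b"RPM" * 100,
    "tz.mbn": b"TZ-new" * 100,  # same length as the plain copy, different content
    "aboot.mbn": b"ABOOT" * 100,
    "sbl2.mbn": b"SBL2" * 100,
    "sbl3.mbn": b"SBL3" * 100,
}

if __name__ == "__main__":
    for kind, names in compare_firmware_sets(PLAIN_MF9, KNOX_MF9).items():
        print(f"{kind:14s} {', '.join(names) or '-'}")
```

On a real device, pass the two unpacked tar directories to load_dir() instead of the constructed dicts.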

gavron

Senior Member
Jan 9, 2005
My hard brick says aboot is in partition 6

Aboot is in partition 6. You can find this out by using a # heimdall print-pit command and examining the output.

If you dd a different version of aboot.mbn atop that partition it will hard-brick the device, meaning the screen won't come on and all it wants is a primitive USB serial connect to some software I'm sure only Samsung has.

How do I know? I have three Dev S4s (VZW) and none of them will let me flash TWRP. In order to try getting a "less locked aboot" I dd'd an older version (VRUAMDK) onto that partition (mmcblk0p6). The device is now good to send back to Samsung or to keep papers from flying -- unless someone knows the secret serial port protocol.

Sigh.

Ehud


TheMoroccan

Member
Oct 12, 2013
You can find aboot.mbn as aboot on /dev/blocks/...

schenzm

New member
Jul 22, 2016
I have also tried overwriting a pre-Knox aboot using dd and got the same result. I found a piece of software called QPST, which is a Qualcomm developer tool that can be used to reflash the bootloader and unbrick the phone. The only problem is you need a data file for your specific model, although this possibly can be extracted from a firmware (probably in boot.img). I haven't gotten to look inside those images yet, but that tool could possibly be able to flash an older bootloader...