A few things on knox / rooting and bootloaders that need more testing / development


st3chn0

Senior Member
Jul 24, 2010
390
87
Leeds
Those are 3 links since I also wanted to keep some of the "history" on how that was discovered/announced, but the 3rd link is from the guy that actually sells the box and from what I see is saying:

"What this mean ? After replacing or WIPING eMMC and burning old bootloader on device with (KNOX Warranty: 0x01 ) You will get device with unknoxed boot and KNOX Warranty bit 0x0"

And then there is a long list of Exynos devices that are supported, including

Samsung SM-N900 Galaxy Note 3
Samsung SM-N9000Q Galaxy Note 3

and then a separate (and partial) list of the Snapdragon models that are NOT supported.

I have not tested the box personally and that is why I wrote from the very beginning in my original post "claims to be able to reset the knox flag on Exynos devices".

And to finish with that box and the claims they still make on Snapdragon - if they get (in a very controlled and non-destructive) way to remove the downgrading restrictions from the bootloader I think it might still be an interesting achievement - since that way you could revert any device with knox 0x0 to MI7, root and then go to whatever 4.3 or 4.4 you want. But of course even in that scenario you need that box :)

If you follow through with the thread, it posts four links back to another one of the links. I know he states that he has reset knox and had started making claims for the knox reset bounty in the general forum. I had asked for evidence, as everyone on XDA should show; he had then posted a video which shows resetting the warranty bit on a 4.2.2 bootloader, which has no links to knox. If you do a search in that thread I'm sure you would be able to find this.
 

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
If you follow through with the thread, it posts four links back to another one of the links. I know he states that he has reset knox and had started making claims for the knox reset bounty in the general forum. I had asked for evidence, as everyone on XDA should show; he had then posted a video which shows resetting the warranty bit on a 4.2.2 bootloader, which has no links to knox. If you do a search in that thread I'm sure you would be able to find this.

I think you are confusing what Babak initially said (who discovered the method and then also claimed it might work on Snapdragon and then admitted he was wrong) with the very final post (which as I write this is the topmost sticky) from NoName, the guy that sells the box. While for Babak it was a matter of "dev karma", for NoName it is a matter of money. We'll probably soon know more.
 

Surge1223

Recognized Contributor
Nov 6, 2012
2,622
7,466
Florida
Google Pixel 6 Pro
Here's some info that might help you guys. I've also attached viewmem in case you guys don't already have it compiled. You can use it to further investigate.


ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
I don't believe that is true. I have compared my flags with other stock BTU with the same bootloader and firmware; all my flags are the same, other than that my P flag is still 0.

Also OP needs to recheck the sources regarding knox reset; these are for the warranty bit on the S4 (Android 4.2.2 and below). The supposed claim of knox reset only resets the flash counter, similar to what Triangle Away has done in the past.

Sent from my SM-N9005 using xda app-developers app

I have another theory. The SBL1 I downgraded to was from an engineering build. It could be possible this is some sort of production/debugging flag? I know I can reproduce indefinitely the P1 flag to P0 with a simple SBL1 downgrade, but I'm not sure what the implications of this are, or why. I'm not sure what P is, but we can modify whatever it is since the rollback protection number is 0.
 

st3chn0

Senior Member
Jul 24, 2010
390
87
Leeds
I have another theory. The SBL1 I downgraded to was from an engineering build. It could be possible this is some sort of production/debugging flag? I know I can reproduce indefinitely the P1 flag to P0 with a simple SBL1 downgrade, but I'm not sure what the implications of this are, or why. I'm not sure what P is, but we can modify whatever it is since the rollback protection number is 0.

Could be linked to SBL1, but I don't understand why my flag hasn't increased and I've done all updates OTA. If I've had to reinstall I've used Odin, but I have never ticked the update bootloader option.

Sent from my SM-N9005 using xda app-developers app
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
Could be linked to SBL1, but I don't understand why my flag hasn't increased and I've done all updates OTA. If I've had to reinstall I've used Odin, but I have never ticked the update bootloader option.

Sent from my SM-N9005 using xda app-developers app

I know for a fact it's linked to SBL1. Flags are device independent, based on carrier updates. They use the flag counter for milestone updates to prevent rollback. Each carrier's device will be different. I know some S4's have P6, some European devices have P3. I've been analyzing SBL1 in IDA and I can't find the counter that rolls back P to 0. I know where the counters are kept in the image blobs, SBL1 might have two, with one being hidden. It could have something to do with PBL too.
 

Walter.White

Senior Member
Nov 28, 2013
1,275
2,062
I know for a fact it's linked to SBL1. Flags are device independent, based on carrier updates. They use the flag counter for milestone updates to prevent rollback. Each carrier's

Definitely true. For instance MI1 (4.3) & MI9 (4.3) had ALL flags ending in 1 but once they released MJ5 ALL flags changed to ending of 2. Then they released NB4 (4.3) about 2 days ago and ALL the flags still end in 2. Interestingly enough though the leaked MLG (4.4.2) didn't change any flags either... All of them still end in 2 so that's the reason why we can still downgrade back to MJ5 and not to MI9. I guess they don't change flags till the final release!?

Also I wonder if the flags are related to the number of fuses blown or simply a counter stored somewhere on eMMC. If it's the former then we might have a big problem.
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
Definitely true. For instance MI1 (4.3) & MI9 (4.3) had ALL flags ending in 1 but once they released MJ5 ALL flags changed to ending of 2. Then they released NB4 (4.3) about 2 days ago and ALL the flags still end in 2. Interestingly enough though the leaked MLG (4.4.2) didn't change any flags either... All of them still end in 2 so that's the reason why we can still downgrade back to MJ5 and not to MI9. I guess they don't change flags till the final release!?

Also I wonder if the flags are related to the number of fuses blown or simply a counter stored somewhere on eMMC. If it's the former then we might have a big problem.

We know where the flag values are kept inside of .mbn images like aboot and sbl1. I can even modify the flags, but the problem is that when I do, I break the hash so it won't flash. Device side, I know there are calls made to QFPROM, but as I demonstrated earlier, I can change the P flag, which makes me believe we can change any flag.
 

Walter.White

Senior Member
Nov 28, 2013
1,275
2,062
I can even modify the flags, but the problem is that when I do, I break the hash so it won't flash. Device side, I know there are calls made to QFPROM, but as I demonstrated earlier, I can change the P flag, which makes me believe we can change any flag.

I guess we need to figure out a way to bypass hash checking by patching the verification call for it or something. Or we need to find a disgruntled Samsung employee who will release the signing key.

I guess once the S5 is released, many more developers will start digging through this and hopefully someone will crack it open.
 

st3chn0

Senior Member
Jul 24, 2010
390
87
Leeds
Definitely true. For instance MI1 (4.3) & MI9 (4.3) had ALL flags ending in 1 but once they released MJ5 ALL flags changed to ending of 2. Then they released NB4 (4.3) about 2 days ago and ALL the flags still end in 2. Interestingly enough though the leaked MLG (4.4.2) didn't change any flags either... All of them still end in 2 so that's the reason why we can still downgrade back to MJ5 and not to MI9. I guess they don't change flags till the final release!?

Also I wonder if the flags are related to the number of fuses blown or simply a counter stored somewhere on eMMC. If it's the former then we might have a big problem.

After many updates my P flag still remains at 0 and I'm on MK2; that's why I believe it isn't.

Sent from my SM-N9005 using xda app-developers app
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
After many updates my P flag still remains at 0 and I'm on MK2; that's why I believe it isn't.

Sent from my SM-N9005 using xda app-developers app

Again, every device and carrier will have different flags. You say you're on MK2, which means you're probably on an S4. You could do a billion updates and still get P0 as long as your carrier chooses to leave it like that for each software update.
 

st3chn0

Senior Member
Jul 24, 2010
390
87
Leeds
Again, every device and carrier will have different flags. You say you're on MK2, which means you're probably on an S4. You could do a billion updates and still get P0 as long as your carrier chooses to leave it like that for each software update.

Just realised it has now changed to P2 since the last time I checked, which was around 10 days ago; since then I haven't changed anything.
 

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
Just realised it has now changed to P2 since the last time I checked, which was around 10 days ago; since then I haven't changed anything.


P is a more "special" flag - unlike S T R A (which change immediately after you update firmware), the P seems to also change without firmware update - since my post here:

http://xdaforums.com/showthread.php?t=2567165

I have not touched Odin or Mobile Odin Pro and yet P has changed from 1 to 2, the only system-related things that I did were:

- reactivation lock ON

- hide the custom status in Wanam Xposed.
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
P is a more "special" flag - unlike S T R A (which change immediately after you update firmware), the P seems to also change without firmware update - since my post here:

http://xdaforums.com/showthread.php?t=2567165

I have not touched Odin or Mobile Odin Pro and yet P has changed from 1 to 2, the only system-related things that I did were:

- reactivation lock ON

- hide the custom status in Wanam Xposed.

I've seen that thread. I was also able to get SECURE BOOT: NONE on my device, but it only lasted for a single reboot. I believe this is related to some sort of MMC error handling or corruption. I noticed my P flag went from 0 to 1 since you mentioned it, but I can reset it indefinitely. I'm sitting here scratching my head...
 

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
I've seen that thread. I was also able to get SECURE BOOT: NONE on my device, but it only lasted for a single reboot. I believe this is related to some sort of MMC error handling or corruption. I noticed my P flag went from 0 to 1 since you mentioned it, but I can reset it indefinitely. I'm sitting here scratching my head...

So far I believe it is more productive to think of the S T R A P flags as "debug info" rather than the same kind of stuff as the knox flag.

There was also a very interesting thread here - it sounds like a "pre-production" Note 3 that had no knox:

http://xdaforums.com/showthread.php?t=2657631
 

siraltus

Senior Member
Jan 26, 2010
1,997
1,734
So far I believe it is more productive to think of the S T R A P flags as "debug info" rather than the same kind of stuff as the knox flag.

There was also a very interesting thread here - it sounds like a "pre-production" Note 3 that had no knox:

http://xdaforums.com/showthread.php?t=2657631

I don't think it didn't have Knox, I ran that app on my two-weeks-old SM-900T with Knox 0x1 and it also said "Knox warranty bit not found." I think the app is just buggy and doesn't know how to look for the Knox warranty bit on all devices.
 

xclub_101

Senior Member
Oct 15, 2012
1,252
358
Samsung Galaxy S23 Ultra
I don't think it didn't have Knox, I ran that app on my two-weeks-old SM-900T with Knox 0x1 and it also said "Knox warranty bit not found." I think the app is just buggy and doesn't know how to look for the Knox warranty bit on all devices.

The 900T might be out of the list of devices known, but EU N9005 should be well inside the list. Moreover the firmware version that the guy has is earlier than any EU N9005 firmware that I could find. Of course that does not prove anything, but would be interesting to double-check.
 

siraltus

Senior Member
Jan 26, 2010
1,997
1,734
The 900T might be out of the list of devices known, but EU N9005 should be well inside the list. Moreover the firmware version that the guy has is earlier than any EU N9005 firmware that I could find. Of course that does not prove anything, but would be interesting to double-check.

Agree, I'm just saying that the app is kinda wonky.
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
I've done a bit of reverse engineering, and I've discovered two very important pieces of information.

1. TrustZone appears to not be device specific, you could most likely flash any N3 TZ and possibly even S4/N2, as long as it is signed properly.

2. It appears rollback information is stored in the rpmb. I found a string in TZ.mbn directly indicating so.

Here's my idea: the only way to communicate with TrustZone is via a TEE (Trusted Execution Environment), or in our case QSEE (Qualcomm Trusted Execution Environment), which is a proprietary stack. The device driver for QSEE is /dev/qseecom. I'm doing some experimenting on whether it'll accept commands or data, but this looks to be the most promising route. If it were possible to roll back the counters to 0, which I know now to be rpmb based so we can most likely reset them, we could flash an old aboot that exists from MHV or MG3 (I might be able to insert the certificates MG3 since it is not signed, but it's 4.2.2 based.) I'm able to see much lower level debug and logging information thanks to @Surge1223. The files in /firmware/image and /system/etc/firmware are ELF images of TZ HLOS applications. Another place to start investigating more thoroughly. I would not be surprised to find Knox related things too.

After an attempt at provisioning rpmb:
D/ (24162): TAL: TIMA_backend_open--int8_t TIMA_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: QCOM_backend_open--int8_t QCOM_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: tima-pkm--Attempting to load TZAPPS
D/QSEECOMAPI: (24162): QSEECom_get_handle sb_length = 0x104e80
E/QSEECOMAPI: (24162): Error::Failed to open /dev/qseecom device
E/ (24162): TIMA: tima-pkm--Unable to start TZ app; errno = 9
D/ (24162): TAL: TIMA_backend_open--int8_t TIMA_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: QCOM_backend_open--int8_t QCOM_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: tima-pkm--Attempting to load TZAPPS
D/QSEECOMAPI: (24162): QSEECom_get_handle sb_length = 0x104e80
E/QSEECOMAPI: (24162): Error::Failed to open /dev/qseecom device
E/ (24162): TIMA: tima-pkm--Unable to start TZ app; errno = 9
D/ (24162): TAL: TIMA_backend_open--int8_t TIMA_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: QCOM_backend_open--int8_t QCOM_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: tima-pkm--Attempting to load TZAPPS
D/QSEECOMAPI: (24162): QSEECom_get_handle sb_length = 0x104e80
E/QSEECOMAPI: (24162): Error::Failed to open /dev/qseecom device
E/ (24162): TIMA: tima-pkm--Unable to start TZ app; errno = 9
D/ (24162): TAL: TIMA_backend_open--int8_t TIMA_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: QCOM_backend_open--int8_t QCOM_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: tima-pkm--Attempting to load TZAPPS
D/QSEECOMAPI: (24162): QSEECom_get_handle sb_length = 0x104e80
E/QSEECOMAPI: (24162): Error::Failed to open /dev/qseecom device
E/ (24162): TIMA: tima-pkm--Unable to start TZ app; errno = 9
D/ (24162): TAL: TIMA_backend_open--int8_t TIMA_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: QCOM_backend_open--int8_t QCOM_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: tima-pkm--Attempting to load TZAPPS
D/QSEECOMAPI: (24162): QSEECom_get_handle sb_length = 0x104e80
E/QSEECOMAPI: (24162): Error::Failed to open /dev/qseecom device
E/ (24162): TIMA: tima-pkm--Unable to start TZ app; errno = 9

Hmm...


More information: RPMB Secure Boot PDF
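As an added example (not code from the post, nor from Samsung or Qualcomm), here is a small parser for the logcat excerpt above that counts the repeated TZ-app load attempts, decodes the errno reported by TIMA and pulls out the shared-buffer size QSEECom asked for. The log lines are a constructed copy of the ones in the post, and the logcat "brief" layout (LEVEL/TAG(PID): message) is an assumption.

```python
import errno
import re

# Constructed sample: the six lines from the post, repeated as in the post.
SAMPLE_LOG = """\
D/ (24162): TAL: TIMA_backend_open--int8_t TIMA_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: QCOM_backend_open--int8_t QCOM_backend_open(void**, appID, uint32_t, uint32_t)
D/ (24162): TIMA: tima-pkm--Attempting to load TZAPPS
D/QSEECOMAPI: (24162): QSEECom_get_handle sb_length = 0x104e80
E/QSEECOMAPI: (24162): Error::Failed to open /dev/qseecom device
E/ (24162): TIMA: tima-pkm--Unable to start TZ app; errno = 9
""" * 5

# Assumed logcat "brief" layout: LEVEL/TAG(PID): message (the tag may be empty).
LINE_RE = re.compile(r"^([VDIWEF])/(\S*)\s*\((\d+)\):\s*(.*)$")
ERRNO_RE = re.compile(r"errno\s*=\s*(\d+)")
SBLEN_RE = re.compile(r"sb_length\s*=\s*(0x[0-9a-fA-F]+)")


def parse_line(line):
    """Split one logcat line into level, tag, pid and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    level, tag, pid, msg = m.groups()
    return {"level": level, "tag": tag.rstrip(":"), "pid": int(pid), "msg": msg}


def summarise_tz_attempts(log_text):
    """Count TZ-app load attempts (one per TIMA_backend_open line), how many of them
    failed to open /dev/qseecom, which errno values TIMA reported (with their Linux
    symbolic names), and which QSEECom shared-buffer sizes were requested."""
    attempts = 0
    open_failures = 0
    errnos = set()
    sb_lengths = set()
    pids = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a logcat line; skip rather than guess
        pids.add(rec["pid"])
        msg = rec["msg"]
        if "TIMA_backend_open" in msg:
            attempts += 1
        elif "Failed to open /dev/qseecom" in msg:
            open_failures += 1
        m = ERRNO_RE.search(msg)
        if m:
            errnos.add(int(m.group(1)))
        m = SBLEN_RE.search(msg)
        if m:
            sb_lengths.add(int(m.group(1), 16))
    return {
        "pids": sorted(pids),
        "attempts": attempts,
        "qseecom_open_failures": open_failures,
        # errno 9 is EBADF on Linux: the open() returned an invalid descriptor
        "errnos": {e: errno.errorcode.get(e, "?") for e in sorted(errnos)},
        "sb_length_bytes": sorted(sb_lengths),
    }


if __name__ == "__main__":
    for key, value in summarise_tz_attempts(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```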
 

Top Liked Posts

    (Knox had been triggered on the tested device already.) This has been tested & working on Note 3 N900/Exynos on KitKat ND1 firmware which was on official status without root but Knox triggered. The file was flashed using Odin and after flashing I went into download mode and to my surprise Knox had been reset from 0x1 to 0, but the device status had turned custom (was official before flashing the Knox reset); however I will re-flash the firmware and see if Knox remains 0 and device status turns to official. Also there is some different stuff in download mode which I hadn't ever seen before like EMMC PIN, Binary Sboot Version and all. I'll be attaching the screenshots for the same, kindly find them in the attachments.

    Edit/Update 1 : After re-flashing the firmware, stuff like EMMC PIN and Binary Sboot Version has disappeared, Current Binary has turned to official and Knox has remained 0; however System Status still appears to be Custom...

    Edit/Update 2 : (Refers to previous updates regarding System Status being Custom and not turning to Official.) After trying to flash the firmware several times nothing really worked (nothing to do with Knox and Current Binary, only referring to System Status being Custom), hence I went to stock recovery and wiped Data/Factory Reset and Cache Partition and then re-flashed the firmware (ND1 KitKat) and VOILA! Binary/System Status are now Official and now Knox is 0, seems a great success for the Exynos users. I also do have a Snapdragon version so will be looking forward to it, screenshots attached....

    Edit/Update 3 : The steps for resetting Knox (Exynos Note 3 ONLY!) :

    1 - Download the bootloader.zip and extract bootloader from it (find in attachments)

    2 - Open Odin and put device in download mode.

    3 - Select AP/PDA (depending on Odin version you have) and select the bootloader (which was downloaded during step 1) don't select any other option in odin except F reset time and auto reboot (are selected by default).

    4 - After the file is flashed go to download mode and check if the Knox has turned back to 0.

    5 - Flash official firmware from sammobile and after flashing is done let the device reboot and boot up to the device set-up screen; don't proceed with the set-up for setting up the device and turn it off.

    6 - Reboot to stock recovery (power + vol up + home) and wipe data/cache and flash the firmware again, once flashing the firmware is completed enter download mode and check if current binary and system status has turned to official if not follow steps number 5 and 6 again.

    And that's pretty much it ;), you have successfully been able to reset Knox and regain warranty by this.

    PS : I had done all these steps on ND1 firmware, and this will not keep root access; to root, Knox has to be tripped, or keep Knox 0 but Current Binary or System Status will be custom with Knox being 0. Also to note this might get (patched) in future updates (bootloaders) if we look at Samsung's history of patching stuff :p, though not sure about it...

    This will not work on any variant other than Exynos (Note 3) due to different processors and the boot system of both Exynos and Snapdragon. (the bootloader for (Exynos) contains Sboot which is only for the Exynos variant which cannot be used on Snapdragon as it uses Aboot). So this is by no way meant to work on SD variant or any other Samsung device ie S5/S4/Note 2 etc. and hence requested NOT TO USE IT on any other model than Exynos Note 3.

    Edit/Update 4 : Downgrading Note 3 N900/N9000/Exynos from 4.4.2 to 4.3 has been successful, check out this post by me to be updated on steps regarding the same.

    I'll be testing some workarounds for the N9005 (Snapdragon) to reset Knox/Firmware Downgrade once I get that device, as I have given mine to a friend and have been saving money to buy a new or used N9005.

    WARNING:
    This is very dangerous. I have been able to reproduce and recover every time, but there is a HUGE inherent risk of permabricking. I am able to manually put my device into QHSUSB_BULK mode by overwriting SDI/DBI with SBL1. The screen will go black immediately, and your device will be recognized as a QHSUSB_BULK device. You can recover by making a 256MB (arbitrary number, has to be over like 128MB) unbrick image. This can be made by pulling the first 256MB from mmcblk0. Then flash to SD card using DD or Win32DiskImager. Do this before flashing SBL1 to DBI/SDI. Pop it in and it should boot right back normally, so ODIN and flash SDI again to fix. This can be useful for various purposes, of which the right people are already aware.

    Quick question to have a more complete view on where things are - I do not have the N900 and I know little about it so the question might already not be a problem there but it certainly is on N9005 - can you also downgrade the firmware after you write the knox-reset piece?

    I'll test it!

    Edit/Update 1 : Wowzer guys, I have some good news for you all, I have been successfully able to downgrade from 4.4.2 to 4.3 without any issues, The firmware I downgraded to is MI3 and Knox is not present in download mode will post steps soon and guide you through steps for a safe downgrade, PS : this is only for SM-N900/N9000/Exynos for now, screenshots attached..

    Edit/Update 2 : Steps to Downgrade (Note 3 Exynos only!)

    1 - Download the bootloader.zip and extract then flash in Odin. (Find in attachments) (don't select any other option in odin except F reset time and auto reboot) (are selected by default).

    2 - Download any 4.3 JellyBean Firmware from sammobile.

    3 - After flashing the bootloader reboot into stock recovery (power+ home+ vol up) and wipe data/factory reset and cache partition

    4 - Turn off the device and reboot into download mode and flash the 4.3 Firmware in Odin.

    5 - After flashing completed let the device boot till boot screen and pull out the battery and turn it off then turn it on again and reboot into recovery (power+ home+ vol up) and wipe data/factory reset and cache partition once again and reboot and let the device boot up.

    That's pretty much it, you've safely downgraded to Android 4.3 from 4.4

    This is only for Note 3 Exynos!

    I'll be testing some workarounds for the N9005 (Snapdragon) to reset Knox/Firmware Downgrade once I get that device, as I have given mine to a friend and have been saving money to buy a new or used N9005.

    I never had the time (and the devices) to properly research this but there are a few things that other people might want to test (or already know the answers) and I think it might come very handy to the Note 3 community. There is a somehow similar thread for the S4 community here.




    0) SUCCESS WITH KNOX / DOWNGRADING ON N900 !!!

    On N900 (Exynos) there is now a solution (unfortunately for the moment only for Exynos models) - a special firmware leaked originally here:

    http://sxtpdevelopers.com/samsung-note-3-knox-fix-qualcomm/

    (it looks like a firmware reset/update for the EMMC, which results in the erase of the RPMB where Knox flag and downgrade restrictions are stored).

    In this thread details on some of the people testing it can be found in those posts:

    http://xdaforums.com/showthread.php?p=52329946#post52329946

    http://xdaforums.com/showthread.php?p=52408318#post52408318

    If the original site is taken down by Samsung you need to search for a file called BL_HA3GZS_CLEAR_WARRANTY_BIT.tar - the one I saw was 2334801 bytes in length (might be shown as a 2.23MB download on some Chinese sites). There might be a problem finding it since Samsung might go after anybody hosting and distributing it.


    1) Just rooting should not trip knox

    The problem with rooting that makes knox 0x1 - originally Root De La Vega was developed for the AT&T very locked structure, and as such it was doing the rooting in a pretty convoluted way. However on other Note 3 versions the knox warranty flag is very clearly linked to just kernel and recovery, and not to system itself. In other words it SHOULD be possible (even after MJ3) to root and keep knox 0x0 on devices that are not "bootloader locked" by not touching kernel and recovery and only touching system - that is probably NOT going to work on AT&T (N900A) but it seems to work on N900W8 and IMHO it could also work on N9005 (and possibly N9000, but I know much less about that). If you want more proof look into the posts about N900W8 + different version (of more or less) stock-based ROMs (like xnote, but stock kernel and recovery).

    So the bottom line on this is to verify on a knox 0x0 device with firmware MJ3 (or newer) that just writing a pre-rooted system would be allowed in download mode and would keep knox 0x0. And we would need a more clear confirmation for both N900W8 and N9005 (or any other models) - of course with some description of what was written and how ;)

    EDIT: some W8 users have provided extra details and so far it looks it might be more the bootloader itself and not so much in how/what is written, but more information is needed.
    EDIT2: there is a thread with that kind of talk here:
    http://xdaforums.com/showthread.php?t=2627996



    2) We should really test the "portability" of various bootloaders since this could solve a lot of things

    First - here are two external (non-xda) pages with some very good development information regarding "bootloader hacking":

    http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

    http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

    On bootloader-confused devices (for instance Hong-Kong versions that got the KitKat bootloader from Polish/XEO KK and have to wait for Hong-Kong KitKat, or any device that seems to be bricked in the bootloader) it might be also interesting (for somebody VERY daring - remember that it could brick your phone even worse) to try to write the bootloader files (all 5 of them?) from the N900W8 and see if those are accepted (since once that would be the case downgrading would also become a possibility).

    EDIT: the N900W8 is also reported (see here) to let you have a custom recovery and not trip knox, which is kind of weird but maybe this is the knox breakthrough that we were expecting :)



    3) More info on STRAP flags (those listed in download mode)

    STRAP flags - there are a number of places where the values listed in download mode are discussed, for instance:

    http://xdaforums.com/showthread.php?t=2567165

    It seems that the values for S T R A and P flags could be versions of the 5 main bootloader-related files used in Qualcomm-based Note 3 devices, most likely:

    S - SBL1

    T - TZ

    R - RPM

    A - ABOOT

    P - SDI (?)


    My EU N9005 (I believe with MI7 or so bootloader) was something like S1, T1, R1, A1, P1 and also SECUREBOOT: ENABLE (CSB) (as it can be seen in the thread above) but is now P2 (which is very strange since I had all automatic and security updates disabled, but might be related to the fact that at some point I activated the reactivation flag linked to the Samsung account - disabling it does not return P back to 1 so this might not be it).

    Also if you look around the values seem to be somehow consistent - with post-MJ3 bootloader most flags become 2 and with KitKat bootloader at least the A flag becomes 3.

    It remains to be seen if this is the case and if it is any way relevant to hacking the bootloader system or knox (or is just for debug purposes - like when we see people with A3 complaining that they can't return to stock MJ7 or MK2).


    4) More info on "microSD debricking" and if this could let us re-write different bootloader files (and maybe we should encourage people to have their "debricking image" made in advance "just in case")

    When the bootloader files become "bad" and you cannot go into download mode (but probably sbl1 is still valid) it is still possible to recover things by forcing the boot process from microSD. That seems to require no extra hardware on Qualcomm models and one small contact for Exynos devices (where that is even documented in Samsung original documents like 13-58_SM-N900_Boot_Recovery_Guide_rev1.0.pdf).

    There is a thread on this at:

    http://xdaforums.com/showthread.php?t=2625332



    5) More info on how Samsung CAN reset knox

    There are already two threads with something more than 5-6 first-hand reports from people that went with a Note 3 knox 0x1 into service and left with the same device (and motherboard and IMEI and in some cases all their programs and even their normal/old firmware) but with knox 0x0!

    One thread in T-Mobile Note 3 forum:

    http://xdaforums.com/showthread.php?t=2637718

    And a much larger one in International Note 3 forum:

    http://xdaforums.com/showthread.php?t=2504258

    There is also already a "hardware+software solution" (expensive, aimed at specialized phone shops that also do phone unlocking and similar stuff) which claims to be able to reset the knox flag on Exynos devices:

    http://forum.gsmhosting.com/vbb/f67...olution-solution-repair-rebuild-emmc-1769456/
    http://forum.gsmhosting.com/vbb/f67...bit-0-solution-inside-first-ih-world-1776265/
    http://forum.gsmhosting.com/vbb/f672/regarding-knox-s4-1775213/




    6) Pre-production bootloaders before knox?

    Here is an interesting thread apparently about a N9005 with no knox:

    http://xdaforums.com/showthread.php?t=2657631
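Added example, not code from the thread and not Samsung's implementation: a small model of the S T R A P download-mode flags from section 3 above as per-component anti-rollback counters, fed with the observations from the earlier posts (MI9 flags ending in 1, MJ5/NB4/MLG ending in 2, A going to 3 with a KitKat bootloader). The S/T/R/A/P to SBL1/TZ/RPM/ABOOT/SDI mapping is the thread's own guess, and the firmware table plus the rule "refuse any image whose counter is lower than the one already on the device" are assumptions for illustration; the thread also notes that P changes without firmware updates, which this model does not try to capture.

```python
import re

# Mapping guessed in section 3 (P -> SDI is marked with a "?" there).
FLAG_COMPONENTS = {"S": "SBL1", "T": "TZ", "R": "RPM", "A": "ABOOT", "P": "SDI"}

# Matches tokens such as "S1", "A3", "P2" in a download-mode style string.
FLAG_RE = re.compile(r"\b([STRAP])(\d+)\b")


def parse_flags(text):
    """Parse 'S1, T1, R1, A1, P2' (or 'S1 T1 ...') into {'S': 1, 'T': 1, ...}.
    Letters outside STRAP are ignored; a repeated letter keeps the last value."""
    flags = {}
    for letter, value in FLAG_RE.findall(text):
        flags[letter] = int(value)
    return flags


def rollback_check(device_flags, image_flags):
    """Assumed anti-rollback rule: an image component is refused when its counter is
    lower than the counter already on the device. Returns (allowed, rejected) where
    rejected lists (component, image_version, device_version) for each refusal.
    Components missing from the image are not checked (nothing is flashed for them)."""
    rejected = []
    for letter, image_ver in image_flags.items():
        device_ver = device_flags.get(letter, 0)
        if image_ver < device_ver:
            rejected.append((FLAG_COMPONENTS.get(letter, letter), image_ver, device_ver))
    return (not rejected), rejected


# Constructed firmware table reproducing the thread's observations: 4.3 MI builds end
# in 1, MJ5 and later 4.3 builds end in 2, the leaked MLG (4.4.2) left them at 2, and
# a KitKat bootloader bumps A to 3 ("KK-BL" is a hypothetical label, not a real build).
FIRMWARE_FLAGS = {
    "MI9": "S1 T1 R1 A1 P1",
    "MJ5": "S2 T2 R2 A2 P2",
    "NB4": "S2 T2 R2 A2 P2",
    "MLG": "S2 T2 R2 A2 P2",
    "KK-BL": "S2 T2 R2 A3 P2",
}


def downgrade_options(device_flag_text):
    """For a device's current flag string, say which table entries the assumed rule
    would still accept and, for the refused ones, which component blocks them."""
    device = parse_flags(device_flag_text)
    report = {}
    for name, flag_text in FIRMWARE_FLAGS.items():
        ok, rejected = rollback_check(device, parse_flags(flag_text))
        if ok:
            report[name] = "allowed"
        else:
            report[name] = "rejected: " + ", ".join(
                f"{comp} {img}<{dev}" for comp, img, dev in rejected)
    return report


if __name__ == "__main__":
    # A device that has taken the MJ5 bootloader: MJ5 and MLG still flash, MI9 does not.
    for fw, verdict in downgrade_options("S2, T2, R2, A2, P2").items():
        print(f"{fw:6} {verdict}")
```

With flags ending in 2 the model reproduces the post above (back to MJ5 but not to MI9); a device showing A3 is refused MJ5 on ABOOT alone, which matches the people with A3 who cannot return to MJ7/MK2.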

    Can it be made into a how-to in order to be useful for all of us? It would be really appreciated.
    Thanks

    Sent from my SM-N9005 using xda app-developers app

    If you don't know how it can be useful, this is probably not the best place for you to be posting.