For anyone interested in what CC mode is and how it changes the device behavior, you might find this interesting: https://www.niap-ccevs.org/st/index...ffa34fe6c-2FF928A8-FE41-7367-5EF4130BA9B6BE9D
Last edited:
I think you all will be interested in this report by @djrbliss which was presented at Black Hat USA 2014 last week. The vulnerability supposedly exists to unlock the Note 3 bootloader. Hopefully, Dan will share the magic (if he hasn't already) with someone who can help the Note 3 community finally get this beast unleashed.
http://i.imgur.com/TXKDpOI.png
Mods: Please delete if this is a repost. I couldn't find mention of this anywhere.
http://i.imgur.com/TXKDpOI.png
Mods: Please delete if this is a repost. I couldn't find mention of this anywhere.
Last edited:
Here's a direct quote from Dan Rosenberg's twitter "LG and Samsung devices cannot be bootloader unlocked via TrustZone, so please stop asking me about it."
Last edited:
Recently bought note 3 with update to ENG1 firmware.Thought of rooting my device and of course knox tripped to 1.Then tried to reset knox using the bootloader and method given in RuchRha's post (post #76 in this thread) and followed every steps given by him.
Apparently the knox did reset but the thing is the download mode still shows the screen given below.
Can anyone help regarding this?
@RuchRha I know this is for developers only but kindly guide me before deleting this post.
Apparently the knox did reset but the thing is the download mode still shows the screen given below.
Can anyone help regarding this?
@RuchRha I know this is for developers only but kindly guide me before deleting this post.
Attachments
You need to flash full 4 files rom after reset knox i think
Just need to flash ROM with Odin from sammobile firmwares, then wipe all data
The package I used was a single one .tar.md5 but I am not sure if it contains bootloader file too....can anyone confirm this?
EDIT:Acc. to phone info app,the bootloader is HA3GZS_TEST,so I think the UENG1 package doesn't contain the bootloader file.It may be the culprit.Can anybody give me the bootloader file which is compatible with the UENG1 build?
Did it bro...I used the UENG1 firmware file downloaded from sammobile,even the one used in post #76 i.e ND1 but to no avail.
Last edited:
@RuchRha can you please provide md5 check sum of bootloader file or can you provide tar.md5 bootloader file as it is important that no one should flash a corrupted or incomplete file by chance
Another thing is, if possible, can you please create a thread in general section about knox reset of N900, as people will be able to clear their questions in that thread
Another thing is, if possible, can you please create a thread in general section about knox reset of N900, as people will be able to clear their questions in that thread
So in regards to this.. looks promising. But i wish i even knew where to start. Can we finagle this to work for us somehow?
if you would bother to read 6 posts up, you would see your answer. that answer is a no :/
Actually there is a possibility that it would work for the Verizon and AT&T Note 3, especially if you have stayed away from updating. In his original paper he stated that the S5 was the only Samsung device that had the TrustZone exploit patched at the time he wrote published the paper. Since he wrote and published the paper all Samsung devices could have had a patch issued but if you're on an earlier version there is still a chance that the TrustZone exploit is still there to be used by an enterprising developer.
He was very specific on what devices were already patched so if the Note 3 was patched at the time he wrote the paper it would've been listed with the S5.
There is s problem though, it is thought that our eFuse is already blown so there would have to be another workaround for that if the TrustZone exploit works for our devices. I don't know how hard that'd be to get around though and it may be impossible...
The obvious downside is if there were a bootloader exploit published from using this information the exploit would ONLY work on devices that hasn't been updated yet.
There is also the fact that even if the TrustZone exploit has been patched on all Note 3's and there is no way to unlock them with the TrustZone exploit this still offers invaluable information and insights and may lead to the developers researching our devices bootloader unlocking finding another exploit that will work for our devices. This entire situation is a god send.
I'm curious if they patched the potential exploit on the NC4 boot loader (VZW). Obviously our leaked NC2 build I believe uses the same boot loader as MJE which is why we are able to downgrade to 4.3 if we want to so no issues there on that.
yeah, i just unofficially upgraded from NB4 JellyBean a few days ago so i could have a few more "rom" choices..I hope I dont regret that but apparently there is a way to regress that change.
Im mostly happy with what we have. But there is always the want for more. A shame to have such a great piece of hardware be crippled in this way. If the BL is ever cracked open it will be far past its prime I think...
Im mostly happy with what we have. But there is always the want for more. A shame to have such a great piece of hardware be crippled in this way. If the BL is ever cracked open it will be far past its prime I think...
I'm pretty sure his paper described a vulnerability, not an exploit. That vulnerability is present on all new qualcomm devices except what he specifically mentioned, and any device that's already been patched. He then demonstrated how to exploit this vulnerability on the moto X to unlock its bootloader. This vulnerability cannot be exploited in the same way on Samsung devices to unlock their bootloaders.
Last edited:
You are correct, what I should have said that he exploited a vulnerability found in the TrustZone of most modern Qualcomm devices to unlock the bootloader on the Moto X.
He found a vulnerability that he exploited to unlock the bootloader on the Moto X on stage and then turned around and sold the information on the vulnerability to Motorola. I can't blame him for selling the exploit after all the crap he has gotten (and hasn't gotten like the bounty on the G2) for helping out the community with rooting and unlocking their devices, he has to make money some way. Since he already looks for vulnerabilities to exploit on android devices this was a win-win for him, he got to do what he enjoys and he got to make money off of it whereas he has been screwed by the community when they were supposed to pay him the bounty for his exploits. He at least gave the community all of the information about the vulnerability so we could use it for our benefit.
Why can it not be used on Samsung devices to unlock their bootloader? I realize that every exploit will be different for each phone but the vulnerability should still be able to be used in a way that may allow us to unlock our bootloaders. The one thing I can see causing a problem will be the eFuse that is already blown. Somehow it will have to be ignored and I am unsure it that will be possible, i would think it would be possible to write a little code to ignore the eFuse (I wonder if Adam Outler had to do that with the VZW Note 2?) The problem would be enabling it and keeping the phone from starting the secure boot process. This TrustZone vulnerability may allow code to be injected that ignores the eFuse but that will be A LOT of work and in the end it really may not be possible because of that damned blown eFuse. I really wonder how Adam got past the eFuse problem on the Note 2 (I am just assuming it has a blown eFuse but it very well may not, I don't remember much about how the Note 2 exploit worked anymore). If it does have a blown eFuse like the Note 3 then it is possible that the same, or a similar, exploit could be used to get past the blown eFuse and unlock the bootloader. The way I understand it is that if the vulnerability wasn't patched on out phones from the beginning, which it supposedly wasn't patched, the eFuse is the only thing standing in the way of a bootloader unlock. Of course a very skilled developer would have to figure out how to exploit the TrustZone vulnerability in a way to allow the bootloader unlock but really it seems the only big the standing in the way is that blown eFuse.
I don't know as much as I would like to about bootloader unlocking (and would love to know more but there are so few sources to learn about bootloader unlocking) when they are locked from the OEM, as is the case with all or almost all VZW phones, so I could just be talking out of my ass. If I am talking out of my ass I would really love an explanation on why the TrustZone vulnerability that he found in most modern Qualcomm devices could not be used on the VZW Note 3. It is a Qualcomm device that was not patched to fix the vulnerability at the time the vulnerability was made known to the community from what i have been able to gather and while the latest updates most likely fixed this vulnerability I would think that, seeing as how most of us don't accept the OTAs, the vulnerability is still there on devices that haven't accepted a certain OTA. While that isn't a solution for people who have updated to the latest OTA it is at least a solution for some of us and would be GREAT if it does come to pass.
I am not holding my breath waiting on the VZW Note 2 bootloader to be unlocked, I realized that was a very unlikely possibility when I got the phone. This does seem to be a promising lead and I have some hopes that it may at least give us a little more control over our devices even if it doesn't lead to a full bootloader unlock.
So much misinformation here. There is no 'unlock' QFPROM 'fuse'. That's why Dan said it can't be simply unlocked. However, there is no information on Samsung's Odin and how it recognizes Developer devices vs. Production. There are multiple mechanisms and venues of attack via TrustZone aside from a simple unlock fuse. It's 100% possible, but we'd need a dump of QSEE in order to see how and where. This exploit is very difficult to exploit, and requires a significant amount of research.
Thank you for the response.
What I meant about the fuse was the way I understood how the Moto X unlock worked was that it had a fuse that had to be blown in order for it to show bootloader unlocked status and not check kernel signatures. There has been speculation that Samsung also uses these fuses but instead of blowing one to unlock the bootloader like with the Moto X the fuse is blown in Samsung devices to lock the bootloader therefore there could never be an unlock just by simply blowing the fuse. I do not know for sure is Samsung does use blown fuses to tell the software the bootloader is locked and to check the kernel signature against Samsung's official keys, it is just something that a few people have suspected about Samsung devices.
I also did not mean to come across like I thought, or knew, the exploit that Dan used to unlock the Moto X bootloader could be used on Samsung devices. I've understood from the start that using an exploit that relies of hardware wouldn't work on different devices made by different OEMs.
What I am trying to get across is that Dan gave us a vulnerability that we might possibly be able to use to create our own exploit to unlock our own bootloaders on various devices. I know it will be extremely difficult to do but this really seems like the best possibility for our bootloader to be unlocked since the Verizon Note 3 was released. Even if we cannot unlock our bootloaders by exploiting the vulnerability that Dan found this still has great potential.
How would one go about getting a QSEE dump?
As for Odin knowing the difference between developer devices and consumer devices, I wasn't aware that Odin could tell the difference between developer and consumer devices. If it can why would that matter?
What other venues of attack are there to unlock a bootloader by exploiting a TrustZone vulnerability aside from blowing a fuse like with the Moto X? What all is holding us back from creating an exploit to unlock our bootloader using one these multiple venues of attack?
How did Adam Outler and the team he worked with unlock the Verizon Note 2 bootloader? I thought they exploited a TrustZone vulnerability to gain bootloader unlocked status but it has been so long that I really can't remember. Is there anything they did with the Note 2 that could be used on the Note 3?
Sorry for all the questions, I just want a better grasp of the situation and to see if there is anything I can do to help.
The AP_ANTI_ROLLBACK fuse controls the S+T+R+A+P flags in ODIN, and this controls whether a revision is blacklisted or not via a monotonic counter in QFPROM (fuses.) There is a check on address 0xF9269EC whether the value is 0 or not. If the value is not 0, Odin recognizes the device as 'MODE: DEVELOPER". This same check also controls whether the device will boot an unsigned kernel or recovery. A spare fuse is also used for something, but I haven't identified what yet. There's also some goodies on the RPMB on the eMMC chip, which is secured with a symmetrical 32 byte key stored on the SoC and eMMC chip.
There's much more than that. This is a very complex and multi-system operation.
can you please advice me how to fix Knox on N9005.
Sent from my SM-N9005 using XDA Premium 4 mobile app
Sent from my SM-N9005 using XDA Premium 4 mobile app
Is there anything Note 3 owners can do that would help you in any way? I'd be willing to help you in any way I possibly could.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone