Knox is a software trigger and can be reset!

Status: Not open for further replies.

xda_q8 (Member, Feb 18, 2010):
Hi all,

First of all, pardon me for my poor English.

Today I went to the Samsung service center to fix my Note 3 SM-N9005 after I messed it up: no EFS folder, no IMEI, bootloader flashed to MJ3, and Knox was 0x1, so actually warranty void.

The technician guy checked the Knox flag and told me the warranty is void, but "don't worry, I will fix it for free."

The surprising thing is that they fixed my mobile within 10 minutes.
After fixing it, I checked: the Knox flag is back to 0x0, so they reset it!
The bootloader is back to MJ1, so they downgraded the bootloader!
IMEI and serial no. never changed!
And no hardware change at all. So now it's very clear the Knox trigger is a software trigger and can be reset again somehow.

Sent from my SM-N9005 using XDA Premium 4 mobile app
 

strongyin1977 (Senior Member, Apr 21, 2011):
> [quoting xda_q8's opening post above]

Thanks for your good news! Only 10 minutes to reset Knox! Hope to see the method later...
 

phantom5 (Guest):
I have to say... after checking my "new" device (the other had a hardware defect in the earphone plug), I checked my saved backup files (IMEI, CSC, etc.)...

It was my old device; the Knox counter was just reset to 0x0 (and the 3.5mm plug replaced).

Service Center: Vodafone-Shop
 

Raphy511 (Senior Member, Jan 19, 2011, Reims):
> [quoting phantom5's post above]

Nice to see that phone carriers have the tool that can reset the counter!
 

icenight89 (Senior Member, Dec 18, 2010):
What would be really good is if we could somehow get a raw dump of the bootloader with Knox tripped and after a reset...
 

nags92 (Senior Member, Feb 13, 2013):
If you think about it, it does sound plausible... the fact that they are upgrading their older models to Knox, which I would guess might not have the supporting hardware for eFuses, would mean it's software related? I know Chainfire said they use eFuses, but it's just an idea.

Shame there is no one on the inside from one of the Samsung repair centers.
 

hallydamaster (Senior Member, Aug 27, 2010, Copenhagen, Denmark):
> [quoting nags92's post above]

It doesn't mean it's not an eFuse even though they can get the SGS3 "upgraded" to support KNOX. Apparently the Qualcomm chips already have a lot of eFuse registers they can make use of. That just means that the eFuses are already there, and the upgrade is going to make use of the registers.
 

mwazeer (Senior Member, May 23, 2011, Kuwait):
> [quoting xda_q8's opening post above]

Mabrooook....

 

RavenY2K3 (Senior Member, Nov 13, 2006):
Surely you've got some "shady friends" (everybody has at least one) that will just hold the guy up for ransom... in this case for the reset tool... haha ;)

Disclaimer: This is a JOKE! By no means do I want Interpol hunting my ass down for terrorism ;)

 

Dan-SRi (Senior Member, Aug 16, 2010, Dorset):
For what it's worth:

I work for a UK network (technical support). We had Samsung come in today and I asked them about Knox, and queried whether a refurb would be 0x0 or 0x1, and he basically said "Samsung have a tool that will reset it back to 0x0".

So I'm guessing it's only a matter of time before someone gets hold of this holy software...
 

overkillZ (Senior Member, Jul 14, 2013, malmö):
> [quoting Dan-SRi's post above]

Or before someone hacks the BL and can make their own "holy software"... cough, cough, Chainfire, cough...
 

Khizar (Senior Member, Feb 28, 2012):
> [quoting Dan-SRi's post above]
Y'all don't have access to that tool? Any possibility that you guys might be able to leak that tool in the future?

> Pics or it didn't happen
Even a pic won't prove anything. You will have to take his word for it; if you don't believe him, for all we know he never sent his phone to Sammy and never rooted his phone, and that's why his Knox binary counter is still 0x0.
 

Top Liked Posts

67 likes:
There are multiple things at play here. There is definitely mention of eFuses in the bootloader, close to the KNOX related code. That is why I first suspected eFuses may be involved. It could well be that KNOX bootloaders use eFuses if available and use a software counter if not (like the original flash counters). It may of course also be the case that it's indeed just a few bits somewhere that get flipped (possibly inside an encrypted section).

The big difficulty here is that the KNOX counter is only settable once. So it is very difficult to pin down where this value is stored, if even in a user-accessible place, which doesn't need to be the case at all. Remember that on Exynos4 devices it was an engineering mistake that even made us find the counter the first time (and then the cat was out of the bag). Anyway, you'd need an exact flash dump of before and after; then maybe it would be easier to pin down.

The next problem however becomes write protections. One reason I stopped working with Triangle Away on the Note 3 is that certain areas of the flash memory are write protected. These protections are set inside the bootloader (== protected code) and cannot be unset; they cover the sections containing the flash counter data. Even if we knew where the data was stored and how (assuming it's not an eFuse), we'd still have to beat those write protections. These protections were also used in the Exynos S4, which is why there is no Triangle Away for that specific device. I'm not completely sure if all the devices that are getting KNOX support this hardware feature, but I believe so - it's fairly common.

Mind you, I know a theoretical exploit that may beat the write protection, but I have not worked it out in practice (not even attempted), as it'll be lengthy, device model specific, difficult, and probably dangerous. As long as those write protections are there, we can't reset the status, but as long as we don't know where or how the KNOX data is stored, it is of no use trying to crack the write protections. That is, even assuming that the data we want is even accessible from kernel and/or userland, which doesn't have to be the case at all.

RIFF boxes and ORT connectors have raw access to the flash, by the way; that's why it would be trivial to do with that equipment if you know where the data is at. Of course, you can also use a RIFF box to downgrade bootloaders due to said access. When we were hacking the original Samsung Galaxy Tab's locked bootloaders that's exactly how we tested things :)
60 likes: the opening post by xda_q8 (see above).
43 likes:
@Chainfire I have good news. I found a way for resetting the counter on new KNOX devices. So you know, KNOX's information is stored in an emmc symlink file. Some people say it is stored in mmcblk0boot0, some people say that is the same as mmcblk0, and some people can't find mmcblk0boot0. Actually I have not got a KNOX enabled device, but I have testers for the KNOX counter reset tool (making it for the S4 currently). One of my testers opened that symlink (he's not my tester now and I don't know which symlink that is) and edited it with a hex editor, and he saw a flag which shows the counter status (hex value). He edited that to 0x0 and rebooted the device. We saw 0x0 in the bootloader screen. But when we rebooted the device it went back. So I know there is a hardware protection (special thanks to @gokhanmoral). I think the hardware protection is provided by an eFuse chip. So there are two ways for resetting the counter.

1) Rewrite the kernel and undefine the eFuse chip. The eFuse chip is defined in the kernel. Then there should be no hardware protection and we can edit that emmc symlink to reset the counter. Shortly, we can modify the bootloader.

2) Modify an Odin flashable tar as you want. But you need Samsung's special key to sign. If you sign that with Samsung's special key, the counter will not be changed. But it's hard to get Samsung's special key. We can find it in an official flashable tar. It's not impossible, but it's near to impossible I think. You should be Samsung's CEO for doing this.

I'm going to make an app for doing the first way automatically.

Cheers. Waiting for your answer.
31 likes: Dan-SRi's post above (UK network technical support).
21 likes:
So many opinions...

Hey guys, I'm back with news.

Sorry for taking so long, but I have been very busy also with HTC (pain in the ass).

So KNOX !!!!!!

1- IT CAN BE RESET

2- NO NEED FOR HARDWARE KEY IF PROGRAMMED DIRECTLY VIA JTAG

3- NOTHING IS IMPOSSIBLE.

4- WE SHOULD ALL CONCENTRATE ON DISCUSSING SOLUTIONS, NOT ON WHETHER SAMSUNG SERVICE CENTERS DENY WARRANTY OR NOT.

The Knox security verification starts in the primary bootloader at 0x000319C0, where you can see the following routine (strings decoded from the dump, "." marking non-printable bytes):

[TIMA boot measurement] : kernel secure check fail..SECURE FAIL: KERNEL.[TIMA boot measurement] : Old/non-CL device - KNOX warranty void.....kernel @ %x (%d bytes)....ramdisk @ %x (%d bytes).....mem=100M console=null...console=....console=ttyHSL0,115200,n8%s. sec_log=0x%x@0x%x.. sec_dbg=0x%x@0x%x.. sec_debug.reset_reason=0x%x.... lcd_attached=%d

and at 0x0003E9C0...

...AST_UPLOAD..set current.....check_boot_mode = key Down[%d], Up[%d] .....Set debuglevel = 0x%x...Set cp debuglevel = 0x%x....SET PVS MODE = 0xFAFA...is_reboot_case =%d..cable_status = %d...set lpm_mode....cable booting, but cable isn't present..power-down!.....enter normal booting mode...AST_POWERON.....enter download mode.....enter ramdump mode..vibrator started....vibrator stopped....KNOX KERNEL LOCK: 0x%x..KNOX WARRANTY VOID: 0x%x....QUALCOMM SECUREBOOT: ENABLE.QUALCOMM SECUREBOOT: T32 ENABLE.QUALCOMM SECUREBOOT: DISABLE....QUALCOMM SECUREBOOT: NON-SECURE BINARY..CSB-CONFIG-LSB: 0x30....QUALCOMM SECUREBOOT: NONE...reboot_mode = 0x%x, boot_mode = %d, por = 0x%x..error in emmc_recovery_init.....ERROR: Could not do normal boot. Reverting t

After the system performs a checksum compare between the primary bootloader, secondary bootloader and main kernel, the primary bootloader displays the warranty bit, as we can see in "KNOX WARRANTY VOID: 0x%x", where %x is a variable.

As far as I know, changing the % to 0 doesn't solve anything, because as soon as the phone reboots itself, the whole procedure starts again and the bit sets itself to the var again.

Some say this will never have a solution to crack, and I believe it, but it doesn't mean we can't find another way to deal with this.

IF WE CANNOT RESET THE COUNTER, THERE IS ONLY ONE VIABLE WAY TO GET RID OF THIS KNOX VOIDED:

WE HAVE TO FIND A WAY TO "CONVINCE THE PHONE" THAT IT STILL IS A 4.2.2 XXUAMDE WITH A NON-KNOX BOOTLOADER (THE KERNEL AND SEANDROID WILL DISPLAY PANIC!!!) AND THEN FLASH THE PHONE WITH THE LATEST 4.3 KNOX ACTIVATED.

DOING THAT, IF THE PHONE BOOTLOADER IS ON 4.2.2 WITH KNOX NOT ACTIVATED, THE PHONE WILL RE-WRITE ALL THE NEW PARTITIONS AND CREATE ALL NEW KNOX CONTAINERS FROM SCRATCH AND IN THE END WE SHOULD HAVE A SAMMY WITH KNOX 0X0

Any help from you on how to do that will be good.
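As an added example (not code from this thread or any of its posters), a small Python helper that does what the post above did by hand: parse a space-separated hex dump, recover the NUL-terminated, 4-byte-aligned string table, and report the file offsets of the TIMA/KNOX format strings, so a reader can verify which messages a given bootloader image actually prints (the "KNOX WARRANTY VOID: 0x%x" line) before trusting anecdotal reports. The string table and its placement at the post's 0x319C0 offset are constructed here for the demonstration.

```python
import re

# Constructed sample: a tiny stand-in for the string table the post quotes,
# laid out the same way (NUL-terminated strings padded to 4-byte boundaries).
SAMPLE_STRINGS = [
    b"[TIMA boot measurement] : Old/non-CL device - KNOX warranty void\n",
    b"kernel  @ %x (%d bytes)\n",
    b"KNOX KERNEL LOCK: 0x%x\n",
    b"KNOX WARRANTY VOID: 0x%x\n",
    b"QUALCOMM SECUREBOOT: ENABLE",
]
SAMPLE_BASE = 0x319C0  # offset the post names for the routine; placement here is constructed


def build_table(strings, align=4):
    """Lay out NUL-terminated strings with alignment padding, like the dump."""
    out = bytearray()
    for s in strings:
        out += s + b"\x00"
        while len(out) % align:
            out += b"\x00"
    return bytes(out)


def to_spaced_hex(data):
    """Render bytes in the space-separated upper-case hex form used in the post."""
    return " ".join(f"{b:02X}" for b in data)


def from_spaced_hex(text):
    """Parse that hex form back to bytes (stray whitespace/newlines ignored)."""
    return bytes.fromhex("".join(text.split()))


def extract_strings(data, base=0, min_len=4):
    """Return (file_offset, text) for each printable run of at least min_len bytes."""
    pattern = rb"[\x20-\x7e\n]{%d,}" % min_len
    return [(base + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def find_knox_markers(data, base=0):
    """Offsets of the strings that mention KNOX or the TIMA boot measurement."""
    return [(off, s.strip()) for off, s in extract_strings(data, base)
            if "KNOX" in s or "TIMA" in s]


if __name__ == "__main__":
    dump = to_spaced_hex(build_table(SAMPLE_STRINGS))   # simulate the pasted hex
    for off, s in find_knox_markers(from_spaced_hex(dump), SAMPLE_BASE):
        print(f"0x{off:08X}: {s}")
```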