Knox is a software trigger and can be reset !

Status
Not open for further replies.
Search This thread

xda_q8

Member
Feb 18, 2010
23
63
Hi all,

First of all pardon me for my poor English.

Today I went to Samsung service center to fix my note 3 SM-N9005 after I missed up with it.. no efs folder, no IMEI, bootloader flashed to MJ3 and the Konx was 0x1 actually warranty void..

The technician guy checked the Konx and told me the warranty is void but don't worry I will fix it for free.

The surprised thing is that they have fixed my mobile within 10 minutes.
After fixing it.. I checked the the Konx is back to 0x0 so they reset it !.
The bootloader back to MJ1 so they downgraded the bootloader !!.
IMEI and serial no. never changed !!.
And no hardware change at all.. so now, its very clear the Konx trigger is a software trigger and can be reset again with some how.





Sent from my SM-N9005 using XDA Premium 4 mobile app
 

strongyin1977

Senior Member
Apr 21, 2011
94
18
Hi all,

First of all pardon me for my poor English.

Today I went to Samsung service center to fix my note 3 SM-N9005 after I missed up with it.. no efs folder, no IMEI, bootloader flashed to MJ3 and the Konx was 0x1 actually warranty void..

The technician guy checked the Konx and told me the warranty is void but don't worry I will fix it for free.

The surprised thing is that they have fixed my mobile within 10 minutes.
After fixing it.. I checked the the Konx is back to 0x0 so they reset it !.
The bootloader back to MJ1 so they downgraded the bootloader !!.
IMEI and serial no. never changed !!.
And no hardware change at all.. so now, its very clear the Konx trigger is a software trigger and can be reset again with some how.





Sent from my SM-N9005 using XDA Premium 4 mobile app

thanks for your good news! only 10 mins can reset the Knox! Hope to see the method later....
 
P

phantom5

Guest
I have to say...After checking my "new" device (the other had a hardware-defect in the earphone plug), I checked my saved backup files(Imei, csc, etc.) ...

It was my old device, the knox counter was just reset to 0x0...(and the 3,5mm plug replaced)


Service Center: Vodafone-Shop
 

Raphy511

Senior Member
Jan 19, 2011
147
32
Reims
I have to say...After checking my "new" device (the other had a hardware-defect in the earphone plug), I checked my saved backup files(Imei, csc, etc.) ...

It was my old device, the knox counter was just reset to 0x0...(and the 3,5mm plug replaced)


Service Center: Vodafone-Shop

Nice to see that phone carriers has the tool that can reset the counter!
 
  • Like
Reactions: ugant58

nags92

Senior Member
Feb 13, 2013
203
34
If you think about it, it does sound plausible...the fact they are upgrading their older models to knox which i would guess might not have the supported hardware for eFuses would mean its software related ? i know chainfire said they use e-fuses but its just an idea though.

Shame there is no one on the inside from one of the samsung repair centers
 
  • Like
Reactions: Shaftamle

hallydamaster

Senior Member
Aug 27, 2010
515
148
Copenhagen, Denmark
If you think about it, it does sound plausible...the fact they are upgrading their older models to knox which i would guess might not have the supported hardware for eFuses would mean its software related ? i know chainfire said they use e-fuses but its just an idea though.

Shame there is no one on the inside from one of the samsung repair centers

It doesn't mean it's not an efuse even though they can get SGS3 "upgraded" to support KNOX. Apparently the Qualcomm chips already has a lot of efuse registers they can make use of. That just mean that the efuses are already there, and the upgrade is going to make use of the registers.
 
Hi all,

First of all pardon me for my poor English.

Today I went to Samsung service center to fix my note 3 SM-N9005 after I missed up with it.. no efs folder, no IMEI, bootloader flashed to MJ3 and the Konx was 0x1 actually warranty void..

The technician guy checked the Konx and told me the warranty is void but don't worry I will fix it for free.

The surprised thing is that they have fixed my mobile within 10 minutes.
After fixing it.. I checked the the Konx is back to 0x0 so they reset it !.
The bootloader back to MJ1 so they downgraded the bootloader !!.
IMEI and serial no. never changed !!.
And no hardware change at all.. so now, its very clear the Konx trigger is a software trigger and can be reset again with some how.





Sent from my SM-N9005 using XDA Premium 4 mobile app

Mabrooook....

Sent from my SM-N9005 using XDA Premium 4 mobile app
 

RavenY2K3

Senior Member
Nov 13, 2006
1,459
438
Surely you've got some "shady friends" (everybody has at least one) that will just hold the guy up for ransom.... in the case the reset tool..... haha ;)

Disclaimer: This is a JOKE!, by no means do I want Interpol hunting my ass down for terrorism ;)

Sent from my GT-N5100 using Tapatalk 4
 

Dan-SRi

Senior Member
Aug 16, 2010
246
63
Dorset
For what its worth:

I work for a UK network (Technical support) - we had Samsung come in today and i asked them about Knox, and queried the refurb being 0x0 or 0x1 and he basically said "samsung have a tool that will reset it back to 0x0".

So im guessing its only a matter of time before someone gets hold of this holy software...
 

overkillZ

Senior Member
Jul 14, 2013
110
87
malmö
For what its worth:

I work for a UK network (Technical support) - we had Samsung come in today and i asked them about Knox, and queried the refurb being 0x0 or 0x1 and he basically said "samsung have a tool that will reset it back to 0x0".

So im guessing its only a matter of time before someone gets hold of this holy software...

or before somone hacks the bl and can make there own "holy software" cough..cough chainfire..cough..
 

Khizar

Senior Member
Feb 28, 2012
8,295
9,833
For what its worth:

I work for a UK network (Technical support) - we had Samsung come in today and i asked them about Knox, and queried the refurb being 0x0 or 0x1 and he basically said "samsung have a tool that will reset it back to 0x0".

So im guessing its only a matter of time before someone gets hold of this holy software...
yall dont have access to that tool? any possibilty that you guy might be able to leak that tool in the future?

Pics or it didn't happen
even pic wont prove anything.. you will have to take his work for it, if you dont believe him for all we know he never sent his phone to sammy and never rooted his phone thats why his knox binary counter is still 0x0
 
  • Like
Reactions: cd993
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 67
    There are multiple things at play here. There is definitely mention of eFuses in the bootloader, close to the KNOX related code. That is why I first suspected eFuses may be involved. It could well be KNOX bootloaders use eFuses if available and uses a software counter if not (like the original flash counters). It may of course also be the case that it's indeed just a few bits somewhere that get flipped (possibly inside an encrypted section).

    The big difficulty here is that the KNOX counter is only settable once. So it is very difficult to pin down where this value is stored, if even in a user-accessable place, which doesn't need to be the case at all. Remember that on Exynos4 devices it was an engineering mistake that even made us find the counter the first time (and then the cat was out of the bag). Anyway, you'd need an exact flash dump of before and after, then maybe it would be easier to pin down.

    The next problem however becomes write protections. One reason I stopped working with Triangle Away on the Note 3, is that certain areas of the flash memory are write protected. These protections are set inside the bootloader (== protected code) and cannot be unset, they cover the sections containing the flash counter data. Even if we knew where the data was stored and how (assuming it's not an eFuse), we'd still have to beat those write protections. These protections were also used in the Exynos S4, which is why there is no Triangle Away for that specific device. I'm not completely sure if all the devices that are getting KNOX support this hardware feature, but I believe so - it's fairly common.

    Mind you, I know a theoretical exploit that may beat the write protection, but I have not worked it out in practise (not even attempted), as it'll be lengthy, device model specific, difficult, and probably dangerous. As long as those write protections are there, we can't reset the status, but as long as we don't know where or how the KNOX data is stored, it is of no use trying to crack the write protections. That is, even assuming that data we want is even accessable from kernel and/or userland, which doesn't have to be the case at all.

    RIFF boxes and ORT connectors have raw access to the flash, by the way, that's why it would be trivial to do with that equipment if you know where the data is at. Of course, you can also use a RIFF box to downgrade bootloaders due to said access. When we were hacking the original Samsung Galaxy Tab's locked bootloaders that's exactly how we tested things :)
    60
    Hi all,

    First of all pardon me for my poor English.

    Today I went to Samsung service center to fix my note 3 SM-N9005 after I missed up with it.. no efs folder, no IMEI, bootloader flashed to MJ3 and the Konx was 0x1 actually warranty void..

    The technician guy checked the Konx and told me the warranty is void but don't worry I will fix it for free.

    The surprised thing is that they have fixed my mobile within 10 minutes.
    After fixing it.. I checked the the Konx is back to 0x0 so they reset it !.
    The bootloader back to MJ1 so they downgraded the bootloader !!.
    IMEI and serial no. never changed !!.
    And no hardware change at all.. so now, its very clear the Konx trigger is a software trigger and can be reset again with some how.





    Sent from my SM-N9005 using XDA Premium 4 mobile app
    43
    @Chainfire I have good news. I found a way for reseting counter on new KNOX devices. So you know KNOX' s information is stored in an emmc symlink file. Some people says it is storing in mmcblk0boot0, some people says that is same with mmcblk0 and some people can't find mmcblk0boot0. Actually I have not got a KNOX enabled device but I have testers for KNOX counter reset tool ( Making for S4 currently ). One of my tester opened that symlink ( He's not my tester now and I don't know which symlink is that. ) and edited with a hex editor and he saw a flag which shows counter status ( Hex value ). He edited that to 0x0 and rebooted the device. We saw 0x0 in bootloader screen. But when we rebooted the device it gone to back. So I know there is a hardware protection ( Special thanks to @gokhanmoral ). I think harware protection is provided by eFuse chip. So there are two ways for reseting counter.

    1) Rewrite kernel and undefine the eFuse chip. eFuse chip is defined in the kernel. Then there should be no hardware protection and we can edit that emmc symlink to reset counter. Shortly, we can modify bootloader.

    2) Modify an Odin flashable tar as you want. But you need Samsung's special key to sign. If you sign that with Samsung's special key, counter will not be changed. But it's hard to get Samsung's special key. We can find it in an official flashable tar. It's not impossible but it's near to the impossible I think. You should be Samsung's CEO for doing this.

    I'm going to make an app for doing first way automatically.

    Cheers. Waiting for your answer.
    31
    For what its worth:

    I work for a UK network (Technical support) - we had Samsung come in today and i asked them about Knox, and queried the refurb being 0x0 or 0x1 and he basically said "samsung have a tool that will reset it back to 0x0".

    So im guessing its only a matter of time before someone gets hold of this holy software...
    21
    So many opinions...

    Hey guys i'm back with news.

    Sorry for taking so long but i have been very busy also with HTC (Pain in the ass)

    So KNOX !!!!!!

    1- IT CAN BE RESETED

    2- NO NEED FOR HARDWARE KEY IF PROGRAMMED DIRECTLY VIA JTAG

    3- NOTING IS IMPOSSIBLE.

    4- WE SHOULD ALL CONCENTRATE IS DISCUSS SOLUTIONS, NOT IF SAMSUNG SERVICES CENTERS DENY WARANTY OR NOT.

    The knox security verification starts in the primary bootloader at 0x000319C0 where you can see the following routine:

    41 20 62 6F 6F 74 20 6D 65 61 73 75 72 65 6D 65 6E 74 5D 20 3A 20 4F 6C 64 2F 6E 6F 6E 2D 43 4C 20 64 65 76 69 63 65 20 2D 20 4B 4E 4F 58 20 77 61 72 72 61 6E 74 79 20 76 6F 69 64 0A 00 00 00 0A 6B 65 72 6E 65 6C 20 20 40 20 25 78 20 28 25 64 20 62 79 74 65 73 29 0A 00 00 00 72 61 6D 64 69 73 6B 20 40 20 25 78 20 28 25 64 20 62 79 74 65 73 29 0A 00 00 00 00 6D 65 6D 3D 31 30 30 4D 20 63 6F 6E 73 6F 6C 65 3D 6E 75 6C 6C 00 00 00 63 6F 6E 73 6F 6C 65 3D 00 00 00 00 63 6F 6E 73 6F 6C 65 3D 74 74 79 48 53 4C 30 2C 31 31 35 32 30 30 2C 6E 38 25 73 00 20 73 65 63 5F 6C 6F 67 3D 30 78 25 78 40 30 78 25 78 00 00 20 73 65 63 5F 64 62 67 3D 30 78 25 78 40 30 78 25 78 00 00 20 73 65 63 5F 64 65 62 75 67 2E 72 65 73 65 74 5F 72 65 61 73 6F 6E 3D 30 78 25 78 00 00 00 00…. [TIMA boot measurement] : kernel secure check fail..SECURE FAIL: KERNEL.[TIMA boot measurement] : Old/non-CL device - KNOX warranty void.....kernel @ %x (%d bytes)....ramdisk @ %x (%d bytes).....mem=100M console=null...console=....console=ttyHSL0,115200,n8%s. sec_log=0x%[email protected]%x.. sec_dbg=0x%[email protected]%x.. sec_debug.reset_reason=0x%x.... lcd_attached=%d

    and at 0003E9C0…

    ...AST_UPLOAD..set current.....check_boot_mode = key Down[%d], Up[%d] .....Set debuglevel = 0x%x...Set cp debuglevel = 0x%x....SET PVS MODE = 0xFAFA...is_reboot_case =%d..cable_status = %d...set lpm_mode....cable booting, but cable isn't present..power-down!.....enter normal booting mode...AST_POWERON.....enter download mode.....enter ramdump mode..vibrator started....vibrator stopped....KNOX KERNEL LOCK: 0x%x..KNOX WARRANTY VOID: 0x%x....QUALCOMM SECUREBOOT: ENABLE.QUALCOMM SECUREBOOT: T32 ENABLE.QUALCOMM SECUREBOOT: DISABLE....QUALCOMM SECUREBOOT: NON-SECURE BINARY..CSB-CONFIG-LSB: 0x30....QUALCOMM SECUREBOOT: NONE...reboot_mode = 0x%x, boot_mode = %d, por = 0x%x..error in emmc_recovery_init.....ERROR: Could not do normal boot. Reverting t

    After the system preform a checksum compare between the Primary Bootloader, Secundary bootloader and main kernel, the primary bootloader displays the warranty bit as we can see were: x%x..KNOX WARRANTY VOID: 0x% Where % is a variable.

    So far i know if we change the % to 0 don't solve anything, because as soon as the phone reboot itself, all the procedure start again and the bit sets itself to the var again.

    Some say this will never have a solution to crack and i believe it, but it doesn't mean we can't find another way to deal with this.

    IF WE CANNOT RESET THE COUNTER, THERE IS ONLY ONE VIABLE WAY TO GET RID OF THIS KNOX voided:

    WE HAVE TO FIND A WAY TO "CONVENCE THE PHONE" THAT HE STILL IS A 4.2.2 XXUAMDE WITH A NON-KNOX BOOTLOADER, (THE KERNEL AND SEANDROID WILL DISPLAY PANIC !!!) AND THEN FLASH THe PHONE WITH THE LATEST 4.3 KNOX ACTIVATED.

    DOING THAT, IF THE PHONE BOOTLOADER IS ON 4.2.2 NOT ACTIVATED KNOX, THE PHONE WILL RE-WRITE ALL THE NEW PARTITIONS AND CREATE ALL NEW KNOX CONTAINERS FROM SCRATCH AND IN THE END WE SHOULL HAVE A SAMMY WITH KNOX 0X0



    Any help from you on how to do that will be good.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone