How the new GT-I9500 Binary Counter security works. - Galaxy S 4 Developer Discussion [Developers-Only]

I am writing this to provide further understanding of how Samsung is preventing tools such as Triangle Away from tricking Service Center employees into thinking that your phone only ever ran Samsung-approved binaries/ROMs.
This protection is enabled on newer Exynos-based devices such as the GT-I9500; the Qualcomm chipset-based devices seem to have been spared from it for the moment, most likely because the eMMC hardware is different.
The GT-I9500 bootloader is now setting the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on flag at boot.
This is an eMMC feature that effectively locks the partition to read-only until the eMMC hardware is restarted (basically until you reboot your phone).
While /sys/block/mmcblk0boot0/ro_lock_until_next_power_on is software-triggered, the lock itself is enforced by the eMMC hardware; once it is set, there is no getting around it.
Because this is set in the bootloader, long before a kernel starts and therefore long before we get to run our own code, and the partition is locked by the eMMC hardware afterward, the only way to write the counter back is to do it at the bootloader level before the flag gets set. This means either exploiting the bootloader or replacing it with an older (engineering) version that does not set that particular flag (however, an older bootloader may not support components of the phone as they get replaced in the future, such as a newer OLED panel, for instance).
Seems like a lot of trouble just to keep a warranty intact.
I hope this post sheds some more light on the matter; it may also give you an idea of what awaits in terms of security on future handsets.

mathieulh said:
I am writing this to provide further understanding of how Samsung is preventing tools such as Triangle Away from tricking Service Center employees into thinking that your phone only ever ran Samsung-approved binaries/ROMs.
This protection is enabled on newer Exynos-based devices such as the GT-I9500; the Qualcomm chipset-based devices seem to have been spared from it for the moment, most likely because the eMMC hardware is different.
The GT-I9500 bootloader is now setting the /sys/block/mmcblk0boot0/ro_lock_until_next_power_on flag at boot.
This is an eMMC feature that effectively locks the partition to read-only until the eMMC hardware is restarted (basically until you reboot your phone).
While /sys/block/mmcblk0boot0/ro_lock_until_next_power_on is software-triggered, the lock itself is enforced by the eMMC hardware; once it is set, there is no getting around it.
Because this is set in the bootloader, long before a kernel starts and therefore long before we get to run our own code, and the partition is locked by the eMMC hardware afterward, the only way to write the counter back is to do it at the bootloader level before the flag gets set. This means either exploiting the bootloader or replacing it with an older (engineering) version that does not set that particular flag (however, an older bootloader may not support components of the phone as they get replaced in the future, such as a newer OLED panel, for instance).
Seems like a lot of trouble just to keep a warranty intact.
I hope this post sheds some more light on the matter; it may also give you an idea of what awaits in terms of security on future handsets.
So are you saying there is no way that we can reset the counter going forward, or are you saying that one of our smart XDA developers is going to crack it?

matrix.bharath said:
So are you saying there is no way that we can reset the counter going forward, or are you saying that one of our smart XDA developers is going to crack it?
Nah, I've seen too many complicated things get cracked, hacked, modded... it's only a matter of time.
Basically a bootloader exploit is a solution, but on the other hand it's always too risky to flash them, as not every I9500 is 100% identical to another; some behave well, others make trouble, depending on the chip.
Still, the best solution is to disable that protection mechanism so that the counter is never set. That way you won't mind any custom ROM installation and you can be happy the counter doesn't go up. The one thing is the users who are already running custom and have a binary lock; they can't do a thing for now. The only issue here is that the SU binary placed on the system partition triggers it, and basically any app such as Triangle Away requires it, so even if you think to restore stock and it works, you can't reset the counter since it needs root --> and again LOCK.

I wouldn't worry about it ...

> Still, the best solution is to disable that protection mechanism so that the counter is never set. That way you won't mind any custom ROM installation and you can be happy the counter doesn't go up. The one thing is the users who are already running custom and have a binary lock; they can't do a thing for now. The only issue here is that the SU binary placed on the system partition triggers it, and basically any app such as Triangle Away requires it, so even if you think to restore stock and it works, you can't reset the counter since it needs root --> and again LOCK.
Well, not really correct. You can temp-root the system using some Android exploit.
You install stock after using Triangle Away on a rooted ROM = counter is 0.
If you temp-root without a kernel flash, counter is 0.

So if I'm reading this correctly, there is no way at this stage to reset counter.
I have a faulty i9500 that I need to send back under warranty but I have flashed a custom ROM.
Does this mean I have a brand new S4 that is useless & no way to fix it?

KTM690 said:
So if I'm reading this correctly, there is no way at this stage to reset counter.
I have a faulty i9500 that I need to send back under warranty but I have flashed a custom ROM.
Does this mean I have a brand new S4 that is useless & no way to fix it?
Read post #4 ...
Sent from my GT-I9500

Gillion said:
Read post #4 ...
Sent from my GT-I9500
I did, but I'm not sure what Chainfire meant by "I wouldn't worry about it ..."
Hopefully he means he will have a fix shortly

I hope Chainfire can resolve it :fingers-crossed:

KTM690 said:
I did, but not sure what Chainfire meant by "I wouldn't worry about it ..."
Hopefully he means he will have a fix shortly
If he said we don't need to worry, everything is under control.

Chainfire said:
I wouldn't worry about it ...
Please break the suspense... is there a way?

Actually, I posted a similar article some time ago:
http://forum.xda-developers.com/showthread.php?t=2290238
But since I asked for a workaround, the moderators moved my thread to the Q/A section and left that topic orphaned >8-E
The engineering bootloader works fine and allows writing to the boot block and resetting the counter.
Not sure what Chainfire means. Is there a way to power-cycle the eMMC to reset the flag? Otherwise, only the engineering bootloader will allow resetting the counter and flags.

I've got the feeling this is the last Samsung phone I'll ever buy; I will happily move to another manufacturer now. No reason to love Samsung phones now. HUGE DISAPPOINTMENT. Spent like $800 on this device and it has very, very little REAL DEVELOPMENT ROOM. No sources, crap architecture engineering, unfinished ROMs. Nothing is good.
The hardware is damn good but Samsung failed it.

Rahulrulez said:
I've got the feeling this is the last Samsung phone I'll ever buy; I will happily move to another manufacturer now. No reason to love Samsung phones now. HUGE DISAPPOINTMENT. Spent like $800 on this device and it has very, very little REAL DEVELOPMENT ROOM. No sources, crap architecture engineering, unfinished ROMs. Nothing is good.
The hardware is damn good but Samsung failed it.
To be honest, the same thing happens on the HTC One: if you want to unlock its bootloader, you forfeit its warranty. Nothing new here.
Sent from my GT-I9505 using xda premium

sorg said:
Actually, I posted a similar article some time ago:
http://forum.xda-developers.com/showthread.php?t=2290238
But since I asked for a workaround, the moderators moved my thread to the Q/A section and left that topic orphaned >8-E
The engineering bootloader works fine and allows writing to the boot block and resetting the counter.
Not sure what Chainfire means. Is there a way to power-cycle the eMMC to reset the flag? Otherwise, only the engineering bootloader will allow resetting the counter and flags.
Oh! I never saw that thread before. I was just wondering back then why TA wouldn't work on the phone and started looking.
It's nice to see that someone else has researched this issue.
To be quite honest with you, though, I use the GT-I9505 as my daily driver.
Sent from my GT-I9500 using xda premium

Honestly, I don't see a reason to always keep the counter at 0.
For warranty purposes there is a way to revert everything:
1) flash official firmware through Odin
2) flash a custom recovery with accessible mmcblk0boot0.
3) back up the whole mmcblk0boot0
4) flash the engineering bootloader
6) in any hex editor, reset the counter and flags in the mmcblk0boot0 dump.
7) in recovery, flash mmcblk0boot0 with your zero-counter dump. Don't reboot yet!
8) in recovery, flash the recovery partition with the official recovery. Don't reboot yet!
9) perform a factory reset.
10) reboot.
Now you have an innocent I9500 device.
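Two things that mathieulh's explanation and sorg's procedure above leave to the operator are worth checking before step 7: whether the boot partition is actually writable in the current boot (if the bootloader has already set ro_lock_until_next_power_on, the eMMC refuses the write no matter what root you have), and whether the hex-edited dump differs from the backup only where you intended. The following Python is an added example, not code from this thread, from Triangle Away or from Samsung. It assumes the sysfs attribute name the thread gives plus the mainline Linux `force_ro` attribute for mmcblk*boot* devices, takes the sysfs root as a parameter so it can be pointed at a copy pulled with adb or at the real /sys on-device, and takes the counter's byte range from the caller, because the thread does not state where in mmcblk0boot0 the counter lives.

```python
"""Pre-flight checks before flashing a hand-edited mmcblk0boot0 dump.

Added example for this thread; the attribute names and the idea that the
counter's offset must be supplied by the user are assumptions, not facts
taken from the posts above.
"""
import tempfile
from pathlib import Path

BOOT_DEV = "mmcblk0boot0"


def boot_partition_writable(sysfs_root="/sys"):
    """Return (writable, reason) for the eMMC boot partition.

    ro_lock_until_next_power_on is the attribute the thread says the
    GT-I9500 bootloader sets; the value is read from sysfs but the lock is
    enforced by the eMMC, so once it reads 1 no kernel-side write succeeds.
    force_ro is the mainline attribute that makes mmcblk*boot* read-only by
    default; it is cleared with 'echo 0 > force_ro'. (Assumption: both live
    under <sysfs_root>/block/<dev>/ as the thread's path suggests.)
    """
    base = Path(sysfs_root) / "block" / BOOT_DEV
    if not base.is_dir():
        return False, "%s missing: kernel does not expose %s" % (base, BOOT_DEV)
    lock = base / "ro_lock_until_next_power_on"
    if lock.is_file() and lock.read_text().strip() == "1":
        return False, "power-on write lock set: only a power cycle clears it"
    force_ro = base / "force_ro"
    if force_ro.is_file() and force_ro.read_text().strip() == "1":
        return False, "force_ro set: write 0 to force_ro before flashing"
    return True, "boot partition writable"


def diff_dumps(original, edited):
    """Return [(offset, old_bytes, new_bytes)] for every contiguous run of
    bytes that differs between the backup and the hex-edited dump."""
    if len(original) != len(edited):
        raise ValueError("dump sizes differ: %d vs %d" % (len(original), len(edited)))
    runs = []
    i, n = 0, len(original)
    while i < n:
        if original[i] == edited[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != edited[j]:
            j += 1
        runs.append((i, bytes(original[i:j]), bytes(edited[i:j])))
        i = j
    return runs


def edits_confined_to(runs, allowed):
    """True when every differing run lies wholly inside one of the allowed
    (offset, length) windows the caller located themselves."""
    for off, old, _new in runs:
        end = off + len(old)
        if not any(s <= off and end <= s + ln for s, ln in allowed):
            return False
    return True


def preflight(sysfs_root, original, edited, allowed):
    """Combine both checks; 'go' is True only if the partition is writable
    now, the dump actually changed, and nothing outside 'allowed' changed."""
    writable, reason = boot_partition_writable(sysfs_root)
    runs = diff_dumps(original, edited)
    confined = edits_confined_to(runs, allowed)
    return {
        "writable": writable,
        "reason": reason,
        "changed_runs": runs,
        "confined": confined,
        "go": writable and confined and bool(runs),
    }


def demo():
    """Constructed data only: a fake sysfs tree in a temp dir and a 64-byte
    stand-in for the dump (not a real mmcblk0boot0 image)."""
    original = bytes(range(64))
    edited = bytearray(original)
    edited[16:18] = b"\x00\x00"   # the bytes we meant to zero
    edited[40] = 0xFF             # a stray edit the check should flag
    allowed = [(16, 2)]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "block" / BOOT_DEV
        base.mkdir(parents=True)
        (base / "force_ro").write_text("0\n")
        (base / "ro_lock_until_next_power_on").write_text("1\n")
        results["locked"] = preflight(tmp, original, edited, allowed)
        (base / "ro_lock_until_next_power_on").write_text("0\n")
        results["unlocked_stray"] = preflight(tmp, original, edited, allowed)
        results["unlocked_ok"] = preflight(tmp, original, edited, allowed + [(40, 1)])
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["go"], r["reason"],
              [(off, new.hex()) for off, _old, new in r["changed_runs"]])
```

Run the diff on the host against the `dd` image from step 3 and your edited copy; the sysfs check is what you would do from the recovery shell right before the `dd` of step 7, and a result of `go: False` with the power-on lock reason means the bootloader currently installed set the flag and the write will not take, which is exactly the case the thread says only the engineering bootloader gets around.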

sorg said:
Honestly, I don't see a reason to always keep the counter at 0.
For warranty purposes there is a way to revert everything:
1) flash official firmware through Odin
2) flash a custom recovery with accessible mmcblk0boot0.
3) back up the whole mmcblk0boot0
4) flash the engineering bootloader
6) in any hex editor, reset the counter and flags in the mmcblk0boot0 dump.
7) in recovery, flash mmcblk0boot0 with your zero-counter dump. Don't reboot yet!
8) in recovery, flash the recovery partition with the official recovery. Don't reboot yet!
9) perform a factory reset.
10) reboot.
Now you have an innocent I9500 device.
Wow, great. Can you give us a more detailed setup? I or Ash will probably make a tutorial video of it with the right info; for now, all thanks to you. Can you also provide links to the custom recovery files etc. that are needed to get the above working?

matrix.bharath said:
Wow, great. Can you give us a more detailed setup? I or Ash will probably make a tutorial video of it with the right info; for now, all thanks to you. Can you also provide links to the custom recovery files etc. that are needed to get the above working?
That's a rough walk-through, using some quickly made kernel and performing most steps on the command line through adb shell. I believe there are some kernels with mmcblk0boot0 accessible floating around. It needs to be polished and made easier to repeat for the generic user. I'm sure someone will make a more user-friendly guide with all the necessary files.

sorg said:
Honestly, I don't see a reason to always keep the counter at 0.
For warranty purposes there is a way to revert everything:
1) flash official firmware through Odin
2) flash a custom recovery with accessible mmcblk0boot0.
3) back up the whole mmcblk0boot0
4) flash the engineering bootloader
6) in any hex editor, reset the counter and flags in the mmcblk0boot0 dump.
7) in recovery, flash mmcblk0boot0 with your zero-counter dump. Don't reboot yet!
8) in recovery, flash the recovery partition with the official recovery. Don't reboot yet!
9) perform a factory reset.
10) reboot.
Now you have an innocent I9500 device.
Great work sorg.
Any chance of a noobs guide to this?

By the way, is it possible to flash the bootloader (sboot.bin) from CWM recovery?
I've tried to include the BL in a ROM zip.
Sent from my SHV-E300S using XDA Premium HD app

Related

[Q] Jig Fix Resistant AT&T SGII

I rooted my son's AT&T SGII, then flashed CyanogenMod 9 daily updated ROM and Google Market. Everything worked great, but by using CWM recovery the flash counter increased by 1 (then 2 on retry) and the splash screen has the GT-I9100 and warning triangle graphics. As this was expected, I didn't see any cause for alarm.
No cause, because I have a micro USB jig and expected to be able to use it to go into download mode in order to reset the counter and remove the warning triangle. BUT... it didn't work.
I know the jig is good because it still works on my personal I777; I even purposefully tripped the flash counter to check. No problem. Since both devices are identical models, both rev. 01, and are configured alike I cannot diagnose why the jig will not work on the second device.
The differences between the devices are time and place of purchase. I bought mine very soon after the original release date, in San Antonio, TX. My son bought his in D.C. earlier this month.
Can anyone tell me how the device purchased at a later date differs in either hardware or firmware from an earlier device? And if so, does that make the jig obsolete?
The flash counter code is contained in the secondary bootloader. It is possible that the secondary bootloader was flashed and updated to a version of the sbl that cripples the flash counter reset code. If that is the case, the only fix is to flash the original secondary bootloader back onto the phone. You can find the files in the Download Repository. See link in my signature. Please be sure that you understand the risks of flashing bootloaders if you choose to take this path.
creepyncrawly said:
The flash counter code is contained in the secondary bootloader. It is possible that the secondary bootloader was flashed and updated to a version of the sbl that cripples the flash counter reset code. If that is the case, the only fix is to flash the original secondary bootloader back onto the phone. You can find the files in the Download Repository. See link in my signature. Please be sure that you understand the risks of flashing bootloaders if you choose to take this path.
Creepyncrawly,
Thank you for the prompt reply and the suggested solution. I will do as you recommend and try to correct the secondary bootloader using the files in the download repository.
I have to admit I am puzzled, since I used exactly the same procedure to root and flash ROMs on both devices. The only difference in procedures was which daily update to CM9 I used to originally flash.
Once I complete the procedure I'll let you know how successful the fix proved to be.
I would check the package that you flashed to see what it contains. If it did indeed flash sbl.bin, you will find that file in the package. Just open it up to see what it contains. I would do that before I flash the bootloader.
There is an app to reset the flash counter that works with ICS-based ROMs, called Triangle Away, in case you are interested.
http://forum.xda-developers.com/showthread.php?p=22463153#post22463153
Sent from my SGH-I777 using XDA Premium HD app
creepyncrawly said:
I would check the package that you flashed to see what it contains. If it did indeed flash sbl.bin you will find that file in the package. Just open it up to see what it contains. I would do that before I flash the bootloader.
creepyncrawly,
I did check the file to verify the sbl, but couldn't find anything that seemed pertinent. Due to time constraints (my son goes back to D.C. this morning) I went forward with flashing the tar in the download repository as you suggested.
All seems well; the phone booted up as expected, and the startup screen displays the correct model number minus the warning triangle. I then rebooted into download mode and applied the jig to reset the Odin flash counter. Now just like new, with CM9 running strong.
Only troubling aspect is why there would be a difference in the results using the same configuration on two identical devices. I'll leave that for another day.
Thank you for your suggestion.
~ zancro
One of the updates from Samsung for the SGS2 made jigs stop resetting the flash counter, with an update to the secondary bootloaders. Reflashing the old bootloader should fix that. Funny that the fix is so easy, isn't it?
Sent from my SGH-I777 using xda premium
A newly purchased GS2 might include updated bootloaders.
The UCKK6 leak included "jig-crippled" bootloaders.
The OTA didn't touch the bootloaders.
Factory-UCKK6 devices may contain the UCKK6 bootloaders.
TriangleAway will do the trick on ICS.

avoiding modified status and counter increase while keeping root

I recently rooted through the Exynos bug and would like to keep root but avoid having the device status as modified or having the counter increase.
My main concern is avoiding problems if I need to use the warranty.
I'd like to know if I can do any of the following while maintaining root, keeping the device unmodified and with no counter increase:
1. update via Kies normally (to a version with the Exynos bug fixed)
2. update via Odin to a stock ROM (with the Exynos bug fixed)
3. update via Mobile Odin to a stock ROM (I guess with Mobile Odin I can't have the Exynos bug fixed via ROM update)
Thanks.
Why? If you are rooted you won't have warranty even if all the counters are zero.
If the counters are zero (at least with the Exynos bug) I can remove root easily, if necessary.
And if they're not, you can reset them at any time. I don't see the point of the hassle.
temp9300 said:
I recently rooted through the Exynos bug and would like to keep root but avoid having the device status as modified or having the counter increase.
My main concern is avoiding problems if I need to use the warranty.
I'd like to know if I can do any of the following while maintaining root, keeping the device unmodified and with no counter increase:
1. update via Kies normally (to a version with the Exynos bug fixed)
2. update via Odin to a stock ROM (with the Exynos bug fixed)
3. update via Mobile Odin to a stock ROM (I guess with Mobile Odin I can't have the Exynos bug fixed via ROM update)
Thanks.
I am not aware of any way to keep the status "unmodified" and keep root, as root will set it to modified anyway.
Glebun said:
Why? If you are rooted you won't have warranty even if all the counters are zero.
Depends where you are; in Europe you still have warranty with root.
chrismast said:
Depends where you are; in Europe you still have warranty with root.
Got a source on that? The status will be "modified"; pretty sure that voids the warranty.
Use Mobile Odin and do a wipe of data and cache.
It will factory reset your phone,
but it changes your device status back to normal and keeps the root.
Sent from my GT-I9300 using xda premium
If it's modified, shouldn't there be something showing that when booting? Like the yellow triangle? I have nothing like that since I got root using the ExynosAbuse bug.
It shows it in download mode.
Glebun said:
Got a source on that? The status will be "modified"; pretty sure that voids the warranty.
Sure, Directive 1999/44/CE of the European Union, or an easier-to-read summary.
That's interesting, but I think you'll have to be prepared to pay lawyer expenses and it might not be worth it.
My objective was to have root but be able to quickly and easily revert back to normal; I guess it's not that easy, I'll always need some steps and a computer.
Just found out that even if you unroot using the ExynosAbuse tool you might still keep your device status as modified.
Can't use the standard update to 4.1.2; I guess I'll have to try a full wipe next, maybe that will revert it back to normal.

[SM-N900*] CF-Auto-Root

PLEASE TEST IF YOU HAVE THE multitouch issue BEFORE ROOTING, AS ROOTING WILL VOID YOUR WARRANTY. Read this post: http://forum.xda-developers.com/showpost.php?p=46293575&postcount=279. I have not had time to look into this myself unfortunately, as I'm travelling. Better safe than sorry.
Check your device model ! Settings -> About device -> Model number. See the third post for exact supported model numbers. If your device is a totally different model, it will not work (may even brick) !
CF-Root is the root for "rooting beginners" and those who want to keep as close to stock as possible. CF-Root is meant to be used in combination with stock Samsung firmwares, and be the quickest and easiest way for your first root.
Donate
CF-Root has been available for many devices (Galaxy S1, Galaxy Tab 7", Galaxy S2, Galaxy Note, Galaxy Nexus, Galaxy S3, and many more) and has clocked over 16 million downloads. This is not even counting custom ROMs that already include it. Don't be a leech, buy me a beer (and use the "Thanks" button!). Imagine if every CF-Root user has donated me $1...
What's installed
- SuperSU binary and APK
- Stock recovery
Installation and usage
Flash the CF-Auto-Root package as PDA in ODIN (details on how to do that are in next post), and your device should reboot into a modified recovery (signified by a large red Android logo) and it will install SuperSU for you and restore the stock recovery, and reboot back into Android.
If you don't get to the red Android logo, boot into recovery manually ("adb reboot recovery", or boot while holding Power+VolUp+Home).
Did you see the red Android logo during rooting, but SuperSU does not appear? This may sometimes occur due to left-over files and settings, however, you can usually install SuperSU from Google Play at this stage and it'll just work.
Flash counters and KNOX warranty
Using this root method sets current binary and system status to custom. Additionally, it will also trigger the KNOX warranty void status.
This device does not store the traditional flash counter. Nor is it possible with Triangle Away to reset the current binary status. You will need to flash a stock kernel and stock recovery to reset the binary status.
The KNOX warranty status change is permanent, and a service center may deny warranty based on this flag - even if the other flags are reset correctly. The KNOX flag being tripped may also prevent certain Samsung KNOX features from working (enterprise security features). If this is something you care about, use a root method not based on custom kernels or recoveries, like a modified system partition. These are possible, but I don't personally make them, so look around!
Why isn't this just called CF-Root
The traditional CF-Roots included a custom recovery (CWM, TWRP, etc.) and were meant for devices that had a single kernel/recovery combination. CF-Auto-Root doesn't include a custom recovery and is meant for devices that have kernel and recovery separate (so you can manually install any custom recovery you wish). The Auto part comes from the fact that a large part of the process is automated (though it constantly needs adjusting).
Not included - Triangle Away
Unfortunately, Triangle Away cannot currently be used on this device to reset the binary status or KNOX warranty void. It can still usually reset the system status, but that is of limited use.
Not included - adbd Insecure TODO: STILL UNDER DEVELOPMENT. Hopefully I'll get this to work soon.
As this CF-Root does not include a custom kernel, adb shell does not have root access by default (you can still get it by typing su inside the shell), nor is adb remount supported, nor will adb push and adb pull work on system files. adbd Insecure can be used to remedy this situation. (No idea what this is about ? Don't worry about it !)
CF-Auto-Root homepage
http://autoroot.chainfire.eu/
CF-Auto-Root main thread
[CENTRAL] CF-Auto-Root
For requests for new roots and generic discussion - please keep device specific discussion in the thread you are viewing now.
Follow these instructions to the letter. Do not touch any buttons or checkboxes that are not listed below to touch!
- Download and unzip the CF-Auto-Root-....zip file (see posts below this one)
- If you end up with a recovery.img and cache.img file, you've extracted twice. You need to end up with a .tar.md5 file - don't extract that one
- (USB) Disconnect your phone from your computer
- Start Odin3-vX.X.exe
- Click the PDA button, and select CF-Auto-Root-....tar.md5
- Put your phone in download mode (turn off phone, then hold VolDown+Home+Power to boot - if it asks you to press a button to continue, press the listed button, or run adb reboot download command)
- (USB) Connect the phone to your computer
- Make sure Repartition is NOT checked
- Click the Start button
- Wait for Android to boot
- Done (if it took you more than 30 seconds, you need practice!)
NOTE: Sometimes the device does *not* boot into recovery mode and root your device. Just do the entire procedure again if this happens. If it still will not install root and such, make sure that in Odin "Auto Reboot" is not checked. Then after flashing, pull the battery, and boot with VolUp+Home+Power button to boot into recovery manually. This will start the install process.
New to Samsung? Unfamiliar with Odin? Think all the above is a hassle? Get used to it. It's very simple, and us Samsung folk use Odin (or Mobile ODIN ) for everything! It's so very very convenient once you get used to it. Notice the 30 second comment above? For experienced users, the entire process indeed takes only 30 seconds!
You may now optionally want to install and run Triangle Away to reset the flash counter.
Download
SM-N900 (International Exynos): CF-Auto-Root-ha3g-ha3gxx-smn900.zip
SM-N9005 (International Qualcomm): CF-Auto-Root-hlte-hltexx-smn9005.zip
(only works on 4.4 bootloaders, if you're still on 4.3 use the old version which you can find here: http://d-h.st/J32)
SM-N900T (T-Mobile US): CF-Auto-Root-hltetmo-hltetmo-smn900t.zip
SM-N900P (Sprint): CF-Auto-Root-hltespr-hltespr-smn900p.zip
SM-N900R4 (US Cellular): CF-Auto-Root-hlteusc-hlteusc-smn900r4.zip
SM-N900W8 (Canada): CF-Auto-Root-hltecan-hlteub-smn900w8.zip
SM-N900S (Korea): CF-Auto-Root-hlteskt-hlteskt-smn900s.zip
SM-N9002 (China): CF-Auto-Root-hlte-h3gduoszn-smn9002.zip
SM-N9006 (China): CF-Auto-Root-hlte-h3gzc-smn9006.zip
SM-N9008 (China): CF-Auto-Root-hlte-h3gzm-smn9008.zip
SM-N9009 (China, untested): CF-Auto-Root-hlte-h3gduosctc-smn9009.zip
Untested versions: please let me know if they work!
Other models
T-Mobile US thread: http://forum.xda-developers.com/showthread.php?t=2467369
Sprint thread: http://forum.xda-developers.com/showthread.php?t=2469904
CF-Auto-Root is not yet available for all carrier-specific Note3's. Link me to stock firmwares for these devices as they appear, and I might be able to make a device-specific CF-Auto-Root.
What is happening, Chainfire? Are the devs working on some solution for the Knox efuse? I am thinking about software which can restore that flag, or software which skips triggering it while rooting... for this you guys would need to sign the modified stuff, which is hard. How do you see things at the moment? This is the only thing holding me back from buying the Note 3 at the moment...
Woohoo... finally... waiting for the SM-N900 version.
Waiting for your great work on the Exynos model as well...
You asked for a stock firmware link; here is one for the N900 model: http://www.hotfile.com/dl/247435453/e638485/N900XXUBMI5_N900OJVBMI1_XFU.zip.html
Actually I need the N9000Q model, but on Sammobile there was just the N900 model; I hope they are the same since both are for the same device (Exynos).
Waiting for SM-N9000Q root.
Here are some mirrors for the N900 stock firmware:
https://disk.yandex.ru/public/?hash=6S6f3t8/YXndZY264OWRBWExcagIsZ3qpLlgSQchtXE=
http://uploaded.net/file/heepon2s
http://hotfile.com/dl/248328141/19b7fd7/SER-N900XXUBMI5-20131001102120.zip.html
Many thanks man
Sent from my SM-N9005 using XDA Premium 4 mobile app
Thanks Chainfire, just in time for my N9005 arriving from Vodafone tomorrow
I hope someone can find a solution to reset the Knox counter. I need root but also my warranty.
Sent from my SM-N9005 using Tapatalk 4
mouse100 said:
I hope someone can find a solution to reset the Knox counter. I need root but also my warranty.
Sent from my SM-N9005 using Tapatalk 4
I was gonna hold off from rooting, but then I just thought to myself: any time my previous Samsung phones have had a fault, like with the charging port or headphone socket, I've just bought the part from eBay and fixed it myself. The only time it's gone back to Samsung was when my Note 2 had the sleep of death.
In which case, they would not be able to tell anything from it, as the eMMC screwed itself over. In light of this I probably will root it now that the big guy @Chainfire has done his magic.
I'm currently still waiting for a response from Samsung about whether warranty on the hardware would still be void if the Knox counter read anything other than 0x0.
Sent from my SM-N9005 using Tapatalk 4
RavenY2K3 said:
I was gonna hold off from rooting, but then I just thought to myself: any time my previous Samsung phones have had a fault, like with the charging port or headphone socket, I've just bought the part from eBay and fixed it myself. The only time it's gone back to Samsung was when my Note 2 had the sleep of death.
In which case, they would not be able to tell anything from it, as the eMMC screwed itself over. In light of this I probably will root it now that the big guy @Chainfire has done his magic.
I'm currently still waiting for a response from Samsung about whether warranty on the hardware would still be void if the Knox counter read anything other than 0x0.
Sent from my SM-N9005 using Tapatalk 4
Not everyone is able to repair their own smartphone with hardware parts like you; however, please post Samsung's answer about warranty if the Knox counter is voided. I think it's important for everyone to understand their policy about this.
Galaxy Note 3 | SM-9005 | Tapatalk
mouse100 said:
Not everyone is able to repair their own smartphone with hardware parts like you; however, please post Samsung's answer about warranty if the Knox counter is voided. I think it's important for everyone to understand their policy about this.
Galaxy Note 3 | SM-9005 | Tapatalk
Lol, it honestly isn't difficult in the slightest. Think of it as a jigsaw puzzle. Samsung is one of the easiest manufacturers of devices to repair. "If" Sammy is so kind as to respond to me, I'll post the reply as soon as it comes through.
Sent from my SM-N9005 using Tapatalk 4
RavenY2K3 said:
I was gonna hold off from rooting, but then I just thought to myself: any time my previous Samsung phones have had a fault, like with the charging port or headphone socket, I've just bought the part from eBay and fixed it myself. The only time it's gone back to Samsung was when my Note 2 had the sleep of death.
In which case, they would not be able to tell anything from it, as the eMMC screwed itself over. In light of this I probably will root it now that the big guy @Chainfire has done his magic.
I'm currently still waiting for a response from Samsung about whether warranty on the hardware would still be void if the Knox counter read anything other than 0x0.
Sent from my SM-N9005 using Tapatalk 4
For me warranty is still important, because last time I used a Galaxy Note 1, while changing ROM from CM10 to MIUI my Note bricked. Then Samsung replaced my board with a new one without me paying anything.
Sent from my SM-N900 using xda premium
monyozt said:
For me warranty is still important, because last time I used a Galaxy Note 1, while changing ROM from CM10 to MIUI my Note bricked. Then Samsung replaced my board with a new one without me paying anything.
Sent from my SM-N900 using xda premium
That's what my point is about, sort of: if you brick your phone to the point where you get absolutely no output whatsoever, they wouldn't be able to tell what had happened anyway, and would have to change it.
Sent from my SM-N9005 using Tapatalk 4
Will this method work with my phone?
Model SM-N9005
Baseband - N9005XXUBMI6
Build - JSS15J.N9005XXUBMI7
I got the phone through Vodafone and I believe it has their own firmware on there as it had Vodafone bundled apps on it.
And can I just check all this about KNOX warranty... It doesn't stop the phone working in any way at all... all it does is void the warranty? Can I still use KNOX?
Thanks Guys
Amazing, thank you so much, waiting for the N900 version.
Sent from my SM-N900 using Tapatalk 4
DTMHibbert10 said:
Will this method work with my phone?
Model SM-N9005
Baseband - N9005XXUBMI6
Build - JSS15J.N9005XXUBMI7
I got the phone through Vodafone and I believe it has their own firmware on there as it had Vodafone bundled apps on it.
And can I just check all this about KNOX warranty... It doesn't stop the phone working in any way at all... all it does is void the warranty? Can I still use KNOX?
Thanks Guys
No, if you root you can also not use Knox anymore. Maybe never!
Thanks Dude! waiting for SM-n900 version
Sent with Gnote 3 SM-N 900

Rooting 4.4.4

There's probably other threads on this somewhere, but how do you root a N3 with 4.4.4? From what I gather the newest update fixed TowelRoot's crash exploit. Also can someone explain exactly the difference between voiding the warranty and the Knox Counter?
Thanks!
TheNewGuy14 said:
There's probably other threads on this somewhere, but how do you root a N3 with 4.4.4? From what I gather the newest update fixed TowelRoot's crash exploit. Also can someone explain exactly the difference between voiding the warranty and the Knox Counter?
Thanks!
The sure-fire way of rooting is by using this method. That being said, this will trip your KNOX Counter.
Now, onto Voiding Warranty vs. Tripping KNOX Counter.
Official Samsung Warranty. This document is obviously written in a legalese manner. I am not a lawyer, but have read through the warranty very carefully and feel like I have a grasp on what it covers/doesn't cover.
In my opinion, the most critical part of the warranty (as it applies to our conversation) is the following:
This Limited Warranty does not cover: ...
(g) defects or damage resulting from improper testing, operation, maintenance, installation, service, or adjustment not furnished or approved by SAMSUNG, including but not limited to installation of unauthorized software and unauthorized root access, both of which shall void this limited warranty
This clearly states that rooting the phone will void your warranty. Please note that this is regardless of whether KNOX is tripped. Using Towelroot (on previous versions) to gain root access technically would void your warranty just as much as using other methods. The issue is whether Samsung knows about it. That's where KNOX comes in.
KNOX is primarily Samsung's way of knowing if you've modified the software on the phone (root access or some other tampering). At startup, KNOX checks for custom low-level operating system components (bootloader, recovery, kernel, etc.). If any of these are custom, it'll trip KNOX. TowelRoot had exploited a way to obtain root access without modifying any of those items, but as you mentioned, it no longer works in 4.4.4. As far as I'm aware, all other rooting methods include using ODIN to briefly modify one of the low-level operating system components, which invariably trips KNOX.
Now, back to the main point of your questions: will voiding the warranty (by obtaining root access) screw me over? The answer is: probably not. Samsung has been known to not really care about KNOX being tripped when servicing phones. This is especially true in cases where you are claiming something not software related. From a common-sense perspective, having root access would in no way affect the performance of the power button, so if you're claiming issues with the power button, having a tripped KNOX shouldn't affect your claim status. Although, legally, they have covered this by saying the warranty is completely voided by having root access (not just the software part of the warranty).
I would recommend, however, that before sending any phone in, that you use ODIN to revert back to the stock android. KNOX will still be tripped, but it won't technically have root access anymore.
I hope this answers your questions.
-Topher
topherk said:
The sure-fire way of rooting is by using this method. That being said, this will trip your KNOX Counter.
Now, onto Voiding Warranty vs. Tripping KNOX Counter.
Official Samsung Warranty. This document is obviously written in a legalese manner. I am not a lawyer, but have read through the warranty very carefully and feel like I have a grasp on what it covers/doesn't cover.
In my opinion, the most critical part of the warranty (as it applies to our conversation) is the following:
This clearly states that rooting the phone will void your warranty. Please note that this is regardless of whether KNOX is tripped. Using Towelroot (on previous versions) to gain root access technically would void your warranty just as much as using other methods. The issue is whether Samsung knows about it. That's where KNOX comes in.
KNOX is primarily Samsung's way of knowing if you've modified the software on the phone (root access or some other tampering). At startup, KNOX checks for custom low-level operating system components (bootloader, recovery, kernel, etc.). If any of these are custom, it'll trip KNOX. TowelRoot had exploited a way to obtain root access without modifying any of those items, but as you mentioned, it no longer works in 4.4.4. As far as I'm aware, all other rooting methods include using ODIN to briefly modify one of the low-level operating system components, which invariably trips KNOX.
Now, back to the main point of your questions: will voiding the warranty (by obtaining root access) screw me over? The answer is: probably not. Samsung has been known to not really care about KNOX being tripped when servicing phones. This is especially true in cases where you are claiming something not software related. From a common-sense perspective, having root access would in no way affect the performance of the power button, so if you're claiming issues with the power button, having a tripped KNOX shouldn't affect your claim status. Although, legally, they have covered this by saying the warranty is completely voided by having root access (not just the software part of the warranty).
I would recommend, however, that before sending any phone in, that you use ODIN to revert back to the stock android. KNOX will still be tripped, but it won't technically have root access anymore.
I hope this answers your questions.
-Topher
Thank you! It does, so essentially rooting period will void the warranty (as seen in the legal jargon) whether you trip the counter or not, and you can always restore it to stock if you need to turn it back in. I was wondering the same thing, we took my gf's S4 in yesterday, and all they did was run a Sprint diagnostic and then replace the hardware, not sure if they even checked to see what she was running (although it is stock).
Any other threads you recommend, I'm still fairly new to it, been reading up on it since I had the Transformer that wouldn't update to Froyo ha, but back then there was too much coding involved, I didn't want a bricked phone because I forgot a "/" in the code somewhere. Almost everyone I know uses Cyanogenmod, also what's the deal with Titanium Backup and Safestrap?
TheNewGuy14 said:
Any other threads you recommend, I'm still fairly new to it, been reading up on it since I had the Transformer that wouldn't update to Froyo ha, but back then there was too much coding involved, I didn't want a bricked phone because I forgot a "/" in the code somewhere. Almost everyone I know uses Cyanogenmod, also what's the deal with Titanium Backup and Safestrap?
Thankfully, it's not nearly as easy to brick a Note 3 (at least compared to the S3... man it was tough helping people with that phone, so many bricks!).
It's considered bad form to link specific ROMs in a Q&A thread, since each ROM is catered to a different demographic (and some people might get in a huff if you neglect their favorite ROM). What I will do, however, is let you know the steps I've taken whenever I root and install a new ROM.
I'll explain how to install a custom ROM and some common things to think about/check prior to installing anything:
Installing a Custom ROM
Step 1 - Gather Information
First off, you need to know what version of Android your phone currently is running. This is easily done by looking in the Settings Menu -> General -> About Device.
The Main things we are looking at on this screen are Software Version, Model Number, Android Version, and Baseband Version. I'll explain these (to the best of my knowledge) below:
Software Version:
This is the "type" of Android that you're running. Rather than quoting the entire name, we typically only refer to the last 3 characters (MJ4, NAB, NC5, etc.). Stock Note 3 devices will (most-likely) be running one of 3 different versions of TouchWiz (TW):
MJ4 - This is the last Jellybean version of TW for the Sprint Note 3
NAB - This is the first KitKat TW version for the Sprint Note 3
NC5 - This is the second KitKat TW version for the Sprint Note 3
NH7 - This is the latest KitKat TW version for the Sprint Note 3
The reason that we are concerned with the Software Version is that between the MJ4 and NAB versions, there were major changes. So if you're running MJ4, you will have to do additional steps before flashing a custom ROM based on a newer version. And if you're on NAB or NC5, you will not be able to go back to MJ4, so beware what you're flashing.
For the most part, if you're on NH7, you can flash either a NH7 or NC5 custom ROM, but just read the ROM's FAQ to see if there are any issues with doing so.
Model Number:
Most people don't worry about this, but I always do when looking at a new ROM. The Sprint Note 3 is different from the Verizon Note 3, which is also different from the International Note 3. It's always best to double-check that the ROM you're trying to install is truly meant for your device. This simple check will prevent a LOT of potential issues you'll get when installing a ROM.
Android Version:
This is just an additional check to the Software Version. Always best to know.
Baseband Version:
The Baseband is, unless I'm mistaken, the "kernel" for the phone's cellular and 4G radios. Sometimes upgrading (or downgrading) the Baseband can help with signal strength and reception. Some users have noted that they got better reception on older Baseband versions. I haven't personally looked into it and the reports from other users seem somewhat anecdotal, but it's good to know which Baseband you're on.
The Baseband is independent from the ROM version, so you can run an older Baseband (MJ4 or NAB) on a newer ROM (NC5), and vice-versa.
The last bit of information you need to know is the Bootloader Version. The way to find this information is to reboot your device. When you see the text on the screen, you should look for the Bootloader Version. It'll be a long string of characters, but you're only looking for the last 3 (MJ4, NAB, or NC5).
Once you have all the above information, you should be ready to start the fun process of preparing your phone to flash your first ROM.
Step 2 - Backup your Media
First thing: Backup all of your media to your computer. If there's pictures/music/videos/recordings you don't want to lose, back them up. It's just good practice. Don't lose all your cat pictures because you flashed something and it somehow erased your internal storage. I tend to keep everything of importance on the External Storage, but there are times where even external storage can be wiped, so it's best to back up everything to a PC.
Step 3 - Upgrade your Phone to the latest Stock ROM (NH7)
This is only a MUST if you're running an older version and want to install a NH7 ROM. Most continually-developed ROMs are either NC5 or NH7 now, so, first things first: update your phone to NH7.
Go over to micmar's thread and download the One-Click File. It will remove Root, but don't worry, because when you install a new ROM, it will automatically include root access.
Follow the instructions in his thread and your phone will now be fully upgraded.
At this point, your "About Device" should show the following:
Software Version: N900PVPUCNH7
Android Version: 4.4.4
Baseband Version: N900PVPUCNH7
Reboot your phone and let it sit for a minute so it can get its bearings.
Step 4 - Install a Custom Recovery
So far, we've been flashing everything in ODIN. Now, we're going to use ODIN one last time to flash a custom recovery, so that you can flash custom ROMs without the need of a computer.
The most-commonly used Custom Recovery is TWRP (XDA Link). You'll want to use the latest version, 2.8.0.
Flash this in ODIN. You should use the "PDA" or the "AP" Slot.
Reboot your phone to make sure it works correctly.
Step 5 - Make a Nandroid Backup of your device
If you don't know what a Nandroid backup is, don't worry. It's basically just taking your phone as is and making a backup of it. In case you make a mistake or flash a bad download of a ROM, this allows you to restore your system. I always keep my backups on the External Storage (microSD Card), so in case I have to wipe my internal storage, it's not a big deal. You can also copy the files over to your PC, just to be more paranoid about your nandroid backups (rhyming is fun!).
You do this by restarting into Recovery (power down device, hold down home button and volume up while powering on phone).
Once in TWRP, go to "backup." Make sure the storage selected is "external storage." This screen will have various options of what to backup. I typically choose everything except external storage. Typically, backups range from 1-2 Gigs.
For me, backups typically take 5-10 minutes to do. In my opinion, this is totally worth it, since I can always restore a backup with no issues.
Step 6 - Install a Custom ROM
Once you choose your custom ROM from the Development Section, follow the instructions on the original post to install it. I'll give a general outline of what I do whenever installing a new ROM, but sometimes a custom ROM will have specific instructions, so you want to make sure to read the posts carefully.
Generic Instructions for Installing a ROM:
Download ROM and check the md5
Internet being spotty in my area, I always check the md5 to make sure that the file downloaded correctly. You can check the md5 using this windows program or using a file explorer on your phone like ES File Explorer. I always copy the ROM zip file to my external SDcard.
Reboot to Recovery
Wipe Data, System, Cache, and Dalvik Cache
This is called a "Clean Wipe," meaning it will wipe out your installed Apps and the data associated with them. Some people will claim that "Dirty Flashing" (i.e. not wiping the above) is OK, but I've seen too many apps Force Closing (FC-ing) when dirty flashing. Also, if you dirty-flash and encounter an issue with a ROM, the first piece of advice is to do a clean install. Might as well do that initially and hopefully not run into any issues.
Install the Custom ROM
Pretty straight-forward on how to do this... just click "Install" and then browse to the place you copied the ROM zip file.
Reboot your phone and run through the typical initial start-up information (google account, etc).
Once you get your phone set up the way you like (apps, accounts, wifi passwords, etc), I'd make another Nandroid backup, just so you have one where it's setup with everything you need. This will make any issues less painful, since you'd restore a backup that's already setup.
Step 7 - Further Considerations
If you ever want to try a new ROM, all you have to do is repeat step 6. Beware, though, people easily become flashaholics when they first figure this stuff out.
If you were paying attention to my "Generic Instructions" when installing a ROM, you'd notice that every time you do a Clean Install of a ROM, you lose all your apps... All of your Angry Birds 3-Star levels are gone!
Well, there are ways to prevent losing that data... One is by "Dirty Flashing" (not wiping the "system" or "data" partitions before flashing a ROM in TWRP). This is common practice among users here on XDA, but is typically frowned upon by ROM devs. I've noticed that a good number of issues on ROM threads stem from people Dirty Flashing. It typically causes more problems than it solves.
The other way of backing up and restoring app data (prior to wiping) is by using Titanium Backup. I could write up a long post on how to use Titanium Backup (TiBu), but the main things to remember are the following:
White line items are fine to be restored (both Data and Apps).
Restoring Yellow line items is typically OK (Data only).
Restoring system apps or data (red line items in TiBu) is typically a bad idea.
I've been using TiBu for the past 2-3 years and it's typically worked like a charm. Sometimes, when there's a major Android Update (like from JellyBean to KitKat), it can become broken, but the Developer is really responsive and gets it to work within a few weeks. If you upgrade to PRO, you can schedule automatic app backups (I backup all my user apps every night at 3am). You can also restore apps/data from Nandroid Backups (which is great if you do a Nandroid backup but had forgotten to update your TiBu backups).
In Summary
Whew, that was a lot to write... I'm a Structural Engineer, not a Software Engineer, so I don't know the technical side of things like bootloaders or basebands, but hopefully none of the information I provided was false.
Anyways, let me know if you have any problems with the install. I appreciate any feedback!
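A pre-flash sanity check that mechanises Step 1 and the md5 check from Step 6, as an added shell example that is not part of topherk's post: it pulls the four fields out of a `getprop` dump, applies the MJ4/NAB/NC5/NH7 rules from the post, checks the ROM's target model, and compares a download's md5. The getprop dump is constructed (the property names are standard Android ones); on a real phone it would come from `adb shell getprop`.

```shell
#!/bin/sh
# Pre-flash sanity checks for a Sprint Note 3 (added example, not from the post).
# The dump below is CONSTRUCTED to look like `adb shell getprop` output;
# the property names are the standard Android ones for the fields in Step 1.
SAMPLE_GETPROP='[ro.product.model]: [SM-N900P]
[ro.build.version.release]: [4.4.4]
[ro.build.version.incremental]: [N900PVPUCNH7]
[gsm.version.baseband]: [N900PVPUCNH7]
[ro.bootloader]: [N900PVPUCNH7]'

# prop_value DUMP KEY -> prints the value of KEY from a getprop-style dump
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# build_suffix VERSION -> the last three characters (MJ4, NAB, NC5, NH7)
build_suffix() {
    printf '%s\n' "${1#"${1%???}"}"
}

# flash_check CURRENT_SW TARGET_SW
#   returns 0 if the ROM may be flashed directly,
#           1 for a downgrade to MJ4 (the post says this is not possible),
#           2 if the phone must first be updated to NH7 stock with ODIN.
flash_check() {
    cur=$(build_suffix "$1")
    tgt=$(build_suffix "$2")
    case "$cur:$tgt" in
        MJ4:MJ4)         echo "same base ($cur): ok"; return 0 ;;
        MJ4:*)           echo "MJ4 -> $tgt: update to NH7 stock with ODIN first"; return 2 ;;
        *:MJ4)           echo "$cur -> MJ4: downgrade not possible"; return 1 ;;
        NH7:NC5|NH7:NH7) echo "$cur -> $tgt: ok, still read the ROM's FAQ"; return 0 ;;
        *)               echo "$cur -> $tgt: ok"; return 0 ;;
    esac
}

# model_check DEVICE_MODEL ROM_MODEL -> 0 only when the ROM targets this device
model_check() {
    [ "$1" = "$2" ]
}

# verify_md5 FILE EXPECTED_MD5 -> 0 when the downloaded file's md5 matches
verify_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$1" | cut -d' ' -f1)
    else
        actual=$(md5 -q "$1")      # macOS fallback
    fi
    [ "$actual" = "$2" ]
}

# Demo on the constructed dump: gather the Step 1 fields, then run the checks
# against a hypothetical NC5 ROM and a hypothetical MJ4 ROM.
model=$(prop_value "$SAMPLE_GETPROP" ro.product.model)
sw=$(prop_value "$SAMPLE_GETPROP" ro.build.version.incremental)
bb=$(prop_value "$SAMPLE_GETPROP" gsm.version.baseband)
bl=$(prop_value "$SAMPLE_GETPROP" ro.bootloader)
echo "model=$model software=$sw baseband=$bb bootloader=$bl suffix=$(build_suffix "$sw")"
model_check "$model" SM-N900P && echo "ROM model matches the device"
flash_check "$sw" N900PVPUCNC5 || true
flash_check "$sw" N900PVPUCMJ4 || true
```

Replace `SAMPLE_GETPROP` with `"$(adb shell getprop)"` and point `verify_md5` at the ROM zip and the md5 from the ROM thread to use it for real.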
Topherk,
Thanks for the reply, and sorry about the bad Juju for mentioning a specific ROM. In other news, I am probably going to re-read your article step by step, and it really puts things in perspective. I have that same build, and I also have Sprint like the video, which I didn't know that the carrier made such a big difference. I'm glad I asked before I started! I will keep you updated on what I decide to do, appreciate the help!
TheNewGuy14
:good:
*new question*
I don't remember where I read this, and I found the option on my phone. If I uninstall KNOX will that eliminate the counter, and other minor issues with KNOX?
TheNewGuy14 said:
I don't remember where I read this, and I found the option on my phone. If I uninstall KNOX will that eliminate the counter, and other minor issues with KNOX?
No worries about the mention of CyanogenMod (I myself am running a ROM based off of it)... I was talking from the perspective of someone giving advice. If I give you advice towards a specific ROM or two (or even a list of ROMs), it could be considered a slight towards the excluded ones.
As far as I'm aware, there are two aspects of KNOX: The low-level trigger and the system app. The low-level trigger works like I described in my previous post. I honestly don't know how the system app works, but I believe it only affects Enterprise users whose corporations require secure phones (and have their own systems in place which interact with KNOX). I believe it was Samsung's way of trying to secure some of Blackberry's business-class users. I may be way off on this, but that's what I understand about KNOX.
Cheers!
-Topher
I think you're right they want to maintain they are the most secure phone.
Check out their official statement for Towelroot, although I can't post the link because I'm still a n00b; a quick Google search will bring it up though.
Sent from my SM-N900P using XDA Free mobile app
TheNewGuy14 said:
There's probably other threads on this somewhere, but how do you root a N3 with 4.4.4? From what I gather the newest update fixed TowelRoot's crash exploit. Also can someone explain exactly the difference between voiding the warranty and the Knox Counter?
Thanks!
Yes, if you root 4.4.4 NH7 at this time with the available rooting formats, you will trip Samsung's KNOX Counter, and void the device's warranty with Samsung. So, are you going to send the device directly back to Samsung? No, you are going to take it to a Sprint service center, or ship it in to Sprint. Sprint handles the warranty? KNOX is a program that creates secure encrypted containerization of DATA so it can be sent to another location. Check this out http://forum.xda-developers.com/note-3-sprint/general/samsung-note-3-rom-flashin-basics-t2896440 Enjoy!!!
TheNewGuy14 said:
There's probably other threads on this somewhere, but how do you root a N3 with 4.4.4? From what I gather the newest update fixed TowelRoot's crash exploit. Also can someone explain exactly the difference between voiding the warranty and the Knox Counter?
Thanks!
Hey OP, I have rooted my N3 using CF-Auto Root on NH7 without any problems.
It should be a walk in the park, and yes you will trip Knox, but it's all good.
Now proceed with your rooting

Could I use the leaked Samsung platform key to hack my own phone?

Please be kind if this is a stupid question - I'm very new to this and learning fast.
Would it be possible to add a signature to aromafm or to a lock pattern removal script, using the leaked Samsung platform certificate (as recently reported), and if so would that allow it to be sideloaded to stock recovery in a Galaxy S9?
I recently had to add a pattern lock - which I somehow managed to immediately forget. Even though it was a simple pattern specifically chosen to fall naturally under the hand so that I wouldn't forget it... I've tried so many variations that it's now making me wait 24 hours between attempts. It also turns out that data that I thought was backing up externally was actually only going to internal storage, so I really don't want to do a factory reset without trying absolutely everything else first.
Galaxy S9
Not rooted
Bootloader is locked
USB debugging is enabled
ADB can see the phone but it's not authorised
ADB sideload does work - but of course any scripts need the Samsung signature.
The phone is not registered with Samsung, so I can't unlock it through my Samsung account.
I realise it's clutching at straws but would the leaked platform key be a way in?
missmilla said:
Please be kind if this is a stupid question - I'm very new to this and learning fast.
Would it be possible to add a signature to aromafm or to a lock pattern removal script, using the leaked Samsung platform certificate (as recently reported), and if so would that allow it to be sideloaded to stock recovery in a Galaxy S9?
I recently had to add a pattern lock - which I somehow managed to immediately forget. Even though it was a simple pattern specifically chosen to fall naturally under the hand so that I wouldn't forget it... I've tried so many variations that it's now making me wait 24 hours between attempts. It also turns out that data that I thought was backing up externally was actually only going to internal storage, so I really don't want to do a factory reset without trying absolutely everything else first.
Galaxy S9
Not rooted
Bootloader is locked
USB debugging is enabled
ADB can see the phone but it's not authorised
ADB sideload does work - but of course any scripts need the Samsung signature.
The phone is not registered with Samsung, so I can't unlock it through my Samsung account.
I realise it's clutching at straws but would the leaked platform key be a way in?
While XDA prides itself on being hacker friendly, we shy away from anything that could result in legal liability, which is why we do not permit the sharing of any proprietary material, even if it's already in the public domain.
So in a nutshell... I imagine that if one did have a valid key, and signed an update package using that key, they could potentially use it to exploit their device, such as changing the props to allow bootloader unlocking, thereby permitting custom recoveries. Samsung as far as I know does not protect the system image with Verified Boot, so it is possible to modify /system without incurring a boot failure.
All that being said, the point is pretty moot, because as I pointed out we do not allow sharing anything that is licensed intellectual property, so any discussions on the topic would have to be rather...vague.
V0latyle said:
While XDA prides itself on being hacker friendly, we shy away from anything that could result in legal liability, which is why we do not permit the sharing of any proprietary material, even if it's already in the public domain.
So in a nutshell... I imagine that if one did have a valid key, and signed an update package using that key, they could potentially use it to exploit their device, such as changing the props to allow bootloader unlocking, thereby permitting custom recoveries. Samsung as far as I know does not protect the system image with Verified Boot, so it is possible to modify /system without incurring a boot failure.
All that being said, the point is pretty moot, because as I pointed out we do not allow sharing anything that is licensed intellectual property, so any discussions on the topic would have to be rather...vague.
Thank you, that's really helpful. I was thinking more whether simply adding a signature to a script would let that script be used directly with stock recovery, rather than unlocking the bootloader to flash a custom recovery (which I suspect would be beyond me), but it sounds as though in theory it might be worth a try. At this stage I probably have nothing left to lose as I'll have to do a full reset anyway if I can't find another way in.
missmilla said:
Thank you, that's really helpful. I was thinking more whether simply adding a signature to a script would let that script be used directly with stock recovery, rather than unlocking the bootloader to flash a custom recovery (which I suspect would be beyond me), but it sounds as though in theory it might be worth a try. At this stage I probably have nothing left to lose as I'll have to do a full reset anyway if I can't find another way in.
I'm honestly no expert on this kind of thing, but if I'm correct in my assumption that Samsung does not protect the system image, then yes - you could, in theory, use the leaked key to sign an update package that could patch /system to gain root. This would require knowledge of exactly how Samsung signs their updates. However, if the system image is protected, this would cause a boot failure, as AVB would detect the modification.
But.
If the above were possible, then the best course of action would be to create a script that would set ro.oem_unlock_ability=1 and sys.get_unlock_ability=1, after which the user would immediately reboot to download mode and unlock the bootloader, because once you've unlocked the bootloader, you've removed a lot of restrictions - you can flash a custom recovery, flash a root patch, flash anything you damn well pleased.
I doubt it's that easy unless you have in-depth detailed knowledge of the encryption system and precisely how it's implemented. It's designed to be hard to hack. As for the stolen Samsung data, be careful what you download. You may end up with something extra like a partition worming rootkit(s). Boom. That was too easy.
A data recovery specialist that works with Samsungs is your best shot if you really need the data. Around $800 seems to be a going rate, maybe less, but expect to pay a couple hundred.
In the future redundantly back up critical data to at least 2 HDDs that are physically and electronically isolated from each other and the PC. Copy/paste only, then verify the copied file size and that the backups are readable. Otherwise sooner or later you will lose data, money or both.
V0latyle said:
I'm honestly no expert on this kind of thing, but if I'm correct in my assumption that Samsung does not protect the system image, then yes - you could, in theory, use the leaked key to sign an update package that could patch /system to gain root. This would require knowledge of exactly how Samsung signs their updates. However, if the system image is protected, this would cause a boot failure, as AVB would detect the modification.
But.
If the above were possible, then the best course of action would be to create a script that would set ro.oem_unlock_ability=1 and sys.get_unlock_ability=1, after which the user would immediately reboot to download mode and unlock the bootloader, because once you've unlocked the bootloader, you've removed a lot of restrictions - you can flash a custom recovery, flash a root patch, flash anything you damn well pleased.
Thank you, I will do some more digging around. Would unlocking the bootloader that way not wipe the data?
blackhawk said:
I doubt it's that easy unless you have in-depth detailed knowledge of the encryption system and precisely how it's implemented. It's designed to be hard to hack. As for the stolen Samsung data, be careful what you download. You may end up with something extra like a partition worming rootkit(s). Boom. That was too easy.
A data recovery specialist that works with Samsungs is your best shot if you really need the data. Around $800 seems to be a going rate, maybe less, but expect to pay a couple hundred.
In the future redundantly back up critical data to at least 2 HDDs that are physically and electronically isolated from each other and the PC. Copy/paste only, then verify the copied file size and that the backups are readable. Otherwise sooner or later you will lose data, money or both.
Do you think it would brick the phone if I tried and it didn't like it, or would it just give the signature verification error like it does now?
Actually, looking again, I think I might have misunderstood. I thought the certificates themselves had been published (so wouldn't have to download anything), but what's shown may just be a hash of the certificate and so wouldn't give me the actual key anyway... I'm finding it all rather confusing.
It's ludicrous that Samsung won't let you unlock a phone if you can prove it's your own.
missmilla said:
Do you think it would brick the phone if I tried and it didn't like it, or would it just give the signature verification error like it does now?
Actually, looking again, I think I might have misunderstood. I thought the certificates themselves had been published (so wouldn't have to download anything), but what's shown may just be a hash of the certificate and so wouldn't give me the actual key anyway... I'm finding it all rather confusing.
It's ludicrous that Samsung won't let you unlock a phone if you can prove it's your own.
If in the US, try a Samsung Experience center at a Best Buy.
I never set locks on my phones or BIOSes, or use encryption on data backup drives, because you are always the one most likely to be locked out, sometimes through no fault of your own.
Digital data is fragile unless it's redundantly backed up.
blackhawk said:
If in the US try a Samsung Experience center at a Best buy.
I never set locks on my phones, bios's or use encryption on data backup drives because you are always the one most likely to be locked out, sometimes through no fault of your own
Digital data is fragile unless it's redundantly backed up.
Thank you. I'm in the UK but we do have a couple of Samsung Experience Centres here so I'll try asking. Oh I will definitely be making multiple, unencrypted backups from now on! I will also be rooting the phone and installing a custom recovery just in case.
If you start playing with the firmware, bricking the device is always a real possibility, especially if you don't follow the protocols correctly. I never had to flash any of my Samsungs in 12 years; all are still working today. I don't do OTA updates either, ever: the potential to brick them like that is higher, with you having zero control.
Samsung would really love to sell you a new expensive phone...
Some lessons you end up learning the hard way. I lost a 30yo database that is irreplaceable
Learn from your mistakes and press on. It's a lot easier though to learn from other's mistakes.
missmilla said:
Thank you, I will do some more digging around. Would unlocking the bootloader that way not wipe the data?
Unlocking the bootloader will always require a data wipe.
missmilla said:
Do you think it would brick the phone if I tried and it didn't like it, or would it just give the signature verification error like it does now?
Actually, looking again, I think I might have misunderstood. I thought the certificates themselves had been published (so wouldn't have to download anything), but what's shown may just be a hash of the certificate and so wouldn't give me the actual key anyway... I'm finding it all rather confusing.
The stock recovery will refuse any packages that are not signed, or are signed with an unrecognized key. There's other measures in place as well.
blackhawk said:
If you start playing with the firmware, bricking the device is always a real possibility, especially if you don't follow the protocols correctly. I never had to flash any of my Samsungs in 12 years; all are still working today. I don't do OTA updates either, ever: the potential to brick them like that is higher, with you having zero control.
Samsung would really love to sell you a new expensive phone...
Some lessons you end up learning the hard way. I lost a 30yo database that is irreplaceable
Learn from your mistakes and press on. It's a lot easier though to learn from other's mistakes.
Probably not something to be messing around with when I don't know what I'm doing then.
Ouch! No wonder you're so careful with backing up... as I will be too from now on. Lesson learned.
V0latyle said:
Unlocking the bootloader will always require a data wipe.
The stock recovery will refuse any packages that are not signed, or are signed with an unrecognized key. There's other measures in place as well.
It's sounding like I'd probably better count my losses and leave it alone. And be more careful in future. All this has got me itching to try stuff out though. Possibly not on my one and only phone, but maybe if I can get a cheap second hand one to play with, or the S9 once I eventually upgrade - it sounds so much fun!
You can use the key to sideload an update. If I were you I'd try to flash a blank vbmeta and a Magisk boot so that you can bypass dm-verity and other measures, but the problem with this is where you can find the certificate. Nobody will tell you where you can find it, because whoever has it remains silent, and also communities do not allow this kind of sharing.
Skorpion96 said:
You can use the key to sideload an update. If I were you I'd try to flash a blank vbmeta and a Magisk boot so that you can bypass dm-verity and other measures, but the problem with this is where you can find the certificate. Nobody will tell you where you can find it, because whoever has it remains silent, and also communities do not allow this kind of sharing.
Thank you. Yeah, I thought I had seen someone publish the certificate, but I misunderstood. So I wouldn't be able to get hold of it, what with not being familiar with the dark web!
Skorpion96 said:
If I were you I'd try to flash a blank vbmeta and a Magisk boot so that you can bypass dm-verity and other measures
you can always flash blank vbmeta on low level (such as usbdl, edl or bootrom mode) but that's not how it works.
aIecxs said:
you can always flash blank vbmeta on low level (such as edl or bootrom mode) but that's not how it works.
Depends: if your device is made in the USA you can't. I was only suggesting a way to bypass flashing restrictions, hoping that the bootloader lock doesn't block you. Normally the bootloader lock blocks unsigned flashing, but if you are able to bypass it during flashing maybe you can boot unsigned firmware; I'm not sure though. To flash stuff you can use an exploit, or escalate privileges with a signed app that updates a system one to become uid 1000, and after that you can do setenforce 0 or setenforce permissive to set the kernel permissive.
No no, locked bootloader prevents booting unsigned boot, vbmeta, etc (not flashing in first place)
@missmilla just realized you wanna break into your device? this was always possible for S9 (encrypted with default_password) but it's not easy
https://www.forensicfocus.com/news/samsung-exynos-support-in-oxygen-forensic-detective
aIecxs said:
@missmilla just realized you wanna break into your device? this was always possible for S9 (encrypted with default_password) but it's not easy
https://www.forensicfocus.com/news/samsung-exynos-support-in-oxygen-forensic-detective
Apparently the Qualcomm variants aren't susceptible to this hack. Only Exynos models are listed.