Old 07-25-2023, 17:34   #16 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 764
Member: 420658
Status: Offline
Thanks Meter: 202

Code:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1639205566 (0x61b44abe)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = KR, L = Suwon city, OU = Samsung Mobile, CN = Samsung corporation
        Validity
            Not Before: Dec 11 06:52:46 2021 GMT
            Not After : Dec  6 06:52:46 2041 GMT
        Subject: C = VN, L = SEVT, O = Samsung Electronics Co. Ltd, OU = Mobile Communications Division, CN = EngineeringModeServerQ5hIIhaIP7w:Q5hIIhaIP7w, UID = PHN-P:20190309:520:EngineeringModeServerQ5hIIhaIP7w:Q5hIIhaIP7w
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b6:1e:4e:bc:a6:bf:88:6e:34:82:fe:ae:ad:98:
                    e8:db:06:c5:6c:6d:7c:f3:d8:41:45:e3:8b:d1:8a:
                    68:33:16:c0:1c:34:e4:42:ab:ca:5e:c1:01:97:87:
                    c5:bd:fd:d6:93:40:7f:e7:fe:6b:c6:6a:ae:2e:87:
                    e7:2b:4d:c0:c2:c4:33:70:25:6b:02:73:8e:61:a0:
                    37:2a:4a:a6:6f:4f:a2:aa:07:13:cc:5b:3b:81:4c:
                    d3:7e:29:60:99:9e:44:4f:96:9f:b4:95:5b:09:ad:
                    bb:e0:32:a7:4b:16:98:93:72:17:bf:ca:b6:11:c1:
                    7e:fa:5b:26:1b:05:ee:6d:27:e5:70:83:23:30:ec:
                    fd:25:92:a2:c0:69:16:74:2b:5c:4e:d2:19:8f:5a:
                    d8:54:65:60:8c:05:7b:a3:6a:b2:1b:66:4e:66:5b:
                    32:14:42:2b:50:d0:35:f4:74:1c:82:b8:57:54:ab:
                    ff:cd:6f:3f:17:eb:ec:a9:35:b4:70:8c:b8:7e:c5:
                    f0:5a:33:c6:72:3e:42:83:b7:6f:d7:94:f5:60:48:
                    30:0b:a0:36:ce:d8:9f:55:84:97:7c:12:8c:a4:0c:
                    e7:f0:87:a6:09:fe:c1:03:3f:c5:60:e2:16:dd:42:
                    05:3f:e7:95:6a:c4:9a:0f:fc:e9:14:79:b7:27:a9:
                    19:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                4D:C9:5C:5D:A3:15:C9:79:A5:34:A5:E9:80:13:23:10:CF:3D:8C:1E
            X509v3 Authority Key Identifier: 
                keyid:1A:38:49:59:2E:32:21:82:0C:77:26:0D:CA:11:AD:DD:9C:CA:43:7D

            Authority Information Access: 
                OCSP - URI:http://ocsp.samsung.com/security/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.samsung.com/security/rdevices.crl

    Signature Algorithm: sha256WithRSAEncryption
         68:15:dc:38:ff:7a:8c:ba:9f:c4:de:69:dc:ee:ed:30:74:70:
         b8:8e:e4:0a:7d:fe:9d:29:ea:d7:11:69:65:2a:d3:a3:93:0f:
         e9:cb:42:8e:d8:74:e4:a0:a2:35:45:7a:51:cc:ce:d5:ab:65:
         11:86:31:47:dc:7d:26:e3:2f:20:3e:d1:30:98:dd:da:ab:a0:
         cc:4b:5d:3b:cd:37:ca:d5:49:90:70:cb:25:e8:9f:c4:6a:92:
         5e:4d:65:a2:87:fc:eb:07:b2:50:a2:a6:44:9f:da:65:ed:c8:
         87:cc:a1:8c:ff:24:72:5e:22:b4:19:c8:0d:44:2f:f3:51:a0:
         6e:d4:b0:94:c5:50:66:ea:64:cc:33:68:c1:92:ba:60:8d:ab:
         33:89:e8:9f:7b:af:8d:51:8a:b5:4e:75:d5:24:16:c3:66:08:
         e8:dc:f8:98:17:74:24:4e:04:be:70:b2:7f:bb:2e:65:ad:ad:
         82:51:63:25:06:b9:dc:56:aa:4c:52:fb:e4:0a:d3:dd:36:ea:
         1a:8e:1b:ed:21:5a:b8:c5:1c:1f:59:1b:e3:01:f0:52:c1:5a:
         83:50:66:59:28:08:5a:cc:b5:ec:fd:7f:94:fb:40:4b:a9:a9:
         9f:75:65:1c:f9:c1:ea:05:80:d9:96:d2:ec:58:5e:17:a3:25:
         0a:ff:83:b8





Best Regards
Old 08-11-2023, 05:02   #17 (permalink)
Memo to me...


Hmmm....


If I do Square Root... Result is this:
Code:
EFDF31C5EF7CE7A0B3C0CEB55DF0707158ABF84F47C4E80A0771B0AEB164FBCB4EC268EE140A9228A003764B2F967812FD947B8602B0E692EFA6394387D1326A1A730DCE7A2288B56169743280B58FBE375E11DFAF2D8D5E7759C4261BA57200311BF6EEDEF0C9C3F1CCC1F2898B9232BB4A87B9E5EF7E1E6C6F462B777A56E3

If I look at my older post...
Maybe p and q are very close together...




Maybe Primes are inside this area... between:


Code:
E0C2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
and


Code:
EF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Hmmmmm...


Still dreaming...


Only as info.




Best Regards
Old 08-11-2023, 05:19   #18 (permalink)
This is result of few RSA 2048 attempts with 64 bit Version of openssl...
Found in old Tizen crap SDK...


Maybe 2017 Version...


Before I used only 32 bit openssl under Windows...


64 bit Version is much faster...


Funny is...


Prime 1 always starts with F...


And Prime 2 always with E...


Only as Info...


Best regards
Attached Files
File Type: zip E0C2_nahe_v1.zip (14.5 KB, 20 views)
Old 09-23-2023, 01:31   #19 (permalink)
Interesting feature of SM-A505FN


I have only Bootloader Version 9... so out of luck with Combination Firmware...
Similar to my luck with SM-G965F bit 17...



Anyway.


This is very cool IMHO on my SM-A505FN... never seen before...


Not every Fake DRK Cert bypasses EngineeringMode CN check...
bad for me...
Code:
[1:      91. 31] pit_flash_binary: erase skip! (9)
[1:      91. 32] bl_install_token: rpmb is provisioned
[1:      91. 32] em_create_cmd_req : num_of_items 5
[1:      91. 32] em_cmd_print_command : [CMD] : [EM_CMD_INSTALL_TOKEN]
[1:      91. 32] em_token_do_init_em_core : sizeof(em_parsed_token) 173268
[1:      91. 32] em_token_do_init_em_core : sizeof(cmd_req) 144952
[1:      91. 32] em_token_do_init_em_core : init core mode does not exist
[1:      91. 32] em_cmd_check_pre_condition : init state is [COMPLETED]
[1:      91. 32] em_cmd_check_pre_condition : Success to get a key
[1:      91. 32] em_esi_check_rpmb : Do not support rpmb in bootloader
[1:      91. 32] em_esi_get_counter : Success counter verify
[1:      91. 32] em_token_install : sizeof(em_parsed_token) 173268
[1:      91. 32] em_token_install : sizeof(cmd_req) 144952
[1:      91. 32] em_token_install : sizeof(cmd_rsp) 82696
[1:      91. 32] verify_token_data : Matched Device DID and Token DID
[1:      91. 33] There is no CN in subject
[1:      91. 33] [EMC]Cert isn't EM cert
[1:      91. 33] verify_token_data : Failed to verify rsa_signature(ffffffff)
[1:      91. 33] em_token_install : Failed to verify token(0xf000000b)
[1:      91. 33] bl_install_token: no need to write Core data(0x0000000000000000)
[1:      91. 33] bl_install_token: no need to write ESI data(0x0000000000000000)
[1:      91. 33] bl_install_token: ret = 0xf000000b
Failed to verify token : (0xf000000b)
bl_install_token error



Here I have taken signed with Samsung EM Cert... to check why I am out of luck...

Code:
[1:      65.571] pit_flash_binary: erase skip! (9)
[1:      65.571] bl_install_token: rpmb is provisioned
[1:      65.571] em_create_cmd_req : num_of_items 5
[1:      65.571] em_cmd_print_command : [CMD] : [EM_CMD_INSTALL_TOKEN]
[1:      65.572] em_token_do_init_em_core : sizeof(em_parsed_token) 173268
[1:      65.572] em_token_do_init_em_core : sizeof(cmd_req) 144952
[1:      65.572] em_token_do_init_em_core : Mismatch did(123/456300000000000000000)
[1:      65.572] em_cmd_check_pre_condition : init state is [COMPLETED]
[1:      65.572] em_cmd_check_pre_condition : Success to get a key
[1:      65.572] em_esi_check_rpmb : Do not support rpmb in bootloader
[1:      65.572] em_esi_get_counter : Success counter verify
[1:      65.572] em_token_install : sizeof(em_parsed_token) 173268
[1:      65.572] em_token_install : sizeof(cmd_req) 144952
[1:      65.572] em_token_install : sizeof(cmd_rsp) 82696
[1:      65.572] verify_token_data : TokenDID 123, DID:456
[1:      65.572] verify_token_data : Not match TokenDID and DeviceDID
[1:      65.572] em_token_install : Failed to verify token(0xf0000020)
[1:      65.572] bl_install_token: no need to write Core data(0x0000000000000000)
[1:      65.572] bl_install_token: no need to write ESI data(0x0000000000000000)
[1:      65.572] bl_install_token: ret = 0xf0000020
DID isn't matched : (0xf0000020)
bl_install_token error



If I set Debug to:
HIGH


In menu:
Code:
*#9900#

I can jump directly from DL Mode to Upload Mode...


All other old crap I have... requires booting of Kernel... before Upload Mode could work by holding:
Volume -
and
Power


The second cool thing of SM-A505FN is the DEVeloper EM Cert... with SHA1...



But... unsolved yet... if it only works with ENG Binaries...



Only as Info.


Best Regards
The Following 2 Users Say Thank You to adfree For This Useful Post:
Old 09-26-2023, 05:49   #20 (permalink)
Modulus

Code:
C7BEEBC4712B4F7A211420CA8DC764E4...
This DEVeloper Cert is not in DRK chain...

SVR-D like Developer


---------------------------------
Can be found here also with Cert...
So IMHO more deviceS...


Code:
...\..._tee\exynos9610\00000000-0000-0000-0000-656e676d6f64
...\..._tee\exynos9820\00000000-0000-0000-0000-656e676d6f64

................................

In older SM-A5050FN Firmwares found... with Cert... newer without Cert... but still Modulus inside...

With Cert for instance:
Code:
A505FDDU1ASC8_fac\system.img
A505FDDU1ASC8_fac\system\system\tee\00000000-0000-0000-0000-656e676d6f64

I have no idea if it only works with special ENG Firmware...


Only as info...


Best Regards
Attached Images
File Type: jpg DEVcertHunt_v1.jpg (27.0 KB, 16 views)
Attached Files
File Type: zip DEVemCert1_v1.zip (1.0 KB, 14 views)
Old 10-16-2023, 04:24   #21 (permalink)
Any idea what we can do with Knox test?
MODE_KNOX_TEST (Allow Knox test mode)



Meanwhile I can confirm. v3 eToken can be flashed without USB cable to Galaxy Watch 4 (IMHO 5 sure and maybe 6 too).
With netOdin.


Example for Modes from Bootloader... here from my SM-A202F sboot.bin...
I can see in sboot.bin this:
Code:
ENG MODE : ENG ALLOWED
ENG MODE : CUSTOM ALLOWED
ENG MODE : KNOX TEST ALLOWED
ENG MODE : CP DEBUG ALLOWED
ENG MODE : FACTORY BIN ALLOWED
ENG MODE : DEBUG VBMETA ALLOWED
ENG MODE : ATCMD ALLOWED

I can now see 5 of 7... in Download Mode


Only as info...



Best Regards
Attached Images
File Type: jpg 5Modes_of_7_v1.jpg (123.9 KB, 22 views)
The Following User Says Thank You to adfree For This Useful Post:
Old 11-13-2023, 12:52   #22 (permalink)



How to read _sub1 (and _leaf) from:
sec_efs?




Somebody played with US devices with SSU(D)

Code:
/system/bin/ssud

I can see for instance in SM-A102U Firmware...


Still I have no Private Exponent for v3...


So I am hanging in year 2021...





Still focus on Modulus E0C2...


Only as info...


Best Regards
Attached Files
File Type: zip Samsung S10 G973FXXSGHVI4 UFS_Dump_CERTs_v1.zip (3.4 KB, 13 views)