[ISSUE] Secure Folder not working on Galaxy S10 family (Android 10)

[KikMyaz]

Hi, I am using LSPosed with Zygisk on Android 10. KnoxPatch does not seem to be injecting into the correct modules - would you please look into this?

Please find attached the logs.

[salvogiangri]

Looks like your device's data partition is encrypted:

[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]

On Android 11, if the device's data partition is encrypted, Secure Folder will fail to create since keymaster will refuse to generate the user key due to the trusted boot checks in the TA. It looks like it is the case as well on Android 10 by looking at your logs:

05-13 12:06:39.721   628   628 D vold    : createUserKey(151)
05-13 12:06:39.721   628   628 D FsCrypt : fscrypt_vold_create_user_key for 151 serial 151
05-13 12:06:39.721   628   628 D FsCrypt : create_and_install_user_keys 151
05-13 12:06:39.721   628   628 E FsCrypt : Preparing: /keydata/misc/vold/user_keys/ce/151
05-13 12:06:39.724   628   628 E FsCrypt : Preparing: /keyrefuge/misc/vold/user_keys/ce/151
05-13 12:06:39.724   628   628 D FsCrypt : Skipping non-key ..
05-13 12:06:39.725   628   628 D FsCrypt : Skipping non-key .
05-13 12:06:39.725   628   628 D KeyStorage: Already exists, destroying: /keydata/misc/vold/user_keys/temp
05-13 12:06:39.725   628   628 D vold    : /system/bin/secdiscard
05-13 12:06:39.725   628   628 D vold    :     --
05-13 12:06:39.725   628   628 D vold    :     /keydata/misc/vold/user_keys/temp/encrypted_key
05-13 12:06:39.725   628   628 D vold    :     /keydata/misc/vold/user_keys/temp/secdiscardable
05-13 12:06:39.744   628   628 D vold    : /system/bin/rm
05-13 12:06:39.744   628   628 D vold    :     -rf
05-13 12:06:39.744   628   628 D vold    :     /keydata/misc/vold/user_keys/temp
05-13 12:06:39.755   628   628 D KeyStorage: Inside KeyStorage.isKnoxKeyPath() - key_path : /keydata/misc/vold/user_keys/ce/151/current
05-13 12:06:39.755   628   628 D KeyStorage: Inside KeyStorage.isKnoxKeyPath() - user_de_path_length : 32
05-13 12:06:39.755   628   628 D KeyStorage: Inside KeyStorage.isKnoxKeyPath() - user_ce_path_length : 32
05-13 12:06:39.755   628   628 D KeyStorage: Input path is for Knox user
05-13 12:06:39.756   628   628 E KeyStorage: storeKey /keydata/misc/vold/user_keys/temp
05-13 12:06:39.792   628   628 I vold    : List of Keymaster HALs found:
05-13 12:06:39.792   628   628 I vold    : Keymaster HAL #1: Keymaster HAL: 4 from QTI SecurityLevel: STRONGBOX HAL: android.hardware.keymaster@4.0::IKeymasterDevice/strongbox
05-13 12:06:39.792   628   628 I vold    : Keymaster HAL #2: SKeymaster(Keymaster MDFPP) from SKeymaster team SecurityLevel: TRUSTED_ENVIRONMENT HAL: android.hardware.keymaster@4.0::IKeymasterDevice/default
05-13 12:06:39.792   628   628 I vold    : Using SKeymaster(Keymaster MDFPP) from SKeymaster team for encryption.  Security level: TRUSTED_ENVIRONMENT, HAL: android.hardware.keymaster@4.0::IKeymasterDevice/default
05-13 12:06:39.793   628   628 D KeyStorage: Knox protection required in generating keymaster key
05-13 12:06:39.793   628   628 D KeyStorage: Creating key that doesn't need auth token
05-13 12:06:39.793   704   704 W keymaster_tee: [WRN]start nwd_generate_key
05-13 12:06:39.796   704   704 D keymaster_swd: keymaster_swd [ERR] (tz_check_trust_boot_status:1148) TB is fail:0x1
05-13 12:06:39.796   704   704 D keymaster_swd: keymaster_swd [ERR] (tz_check_trust_boot_status:1159) WB is fail:0x1
05-13 12:06:39.796   704   704 D keymaster_swd: keymaster_swd [ERR] (km_check_trustboot_for_knox:411) tz_check_trust_boot_status fail
05-13 12:06:39.796   704   704 W keymaster_tee: [WRN]Cmd 2, err -45
05-13 12:06:39.796   704   704 W keymaster_tee: [WRN]nwd_generate_key ret -45
05-13 12:06:39.796   628   628 E vold    : generate_key failed, code -45
05-13 12:06:39.796   628   628 E KeyStorage: generateKeymasterKey failed
05-13 12:06:39.797  1044  2368 E StorageManagerService: 
05-13 12:06:39.797  1044  2368 E StorageManagerService: android.os.ServiceSpecificException:  (code 0)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.Parcel.createException(Parcel.java:2102)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.Parcel.readException(Parcel.java:2056)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.Parcel.readException(Parcel.java:2004)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.IVold$Stub$Proxy.createUserKey(IVold.java:3323)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at com.android.server.StorageManagerService.createUserKey(StorageManagerService.java:4049)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.storage.StorageManager.createUserKey(StorageManager.java:1515)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at com.android.server.pm.UserManagerService.createUserInternalUnchecked(UserManagerService.java:3347)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at com.android.server.pm.UserManagerService.createUserInternal(UserManagerService.java:3150)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at com.android.server.pm.UserManagerService.createProfileForUser(UserManagerService.java:3089)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.IUserManager$Stub.onTransact(IUserManager.java:637)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.Binder.execTransactInternal(Binder.java:1056)
05-13 12:06:39.797  1044  2368 E StorageManagerService:     at android.os.Binder.execTransact(Binder.java:1029)

I haven't been able to check it in my legacy device I used for testing (Galaxy S8+) since data encryption was disabled in my end. Unfortunately there's no workaround on this since the checks are in the TZ-side of things, the only way is to disable data encryption in your device by removing the crypto flags in the fstab files (more info in the AOSP documentation). I'll make sure the data crypto warning in the app is shown on all the Android versions below 12 rathen than only on Android 11.

[KikMyaz]

Thank you so much for the incredibly fast response!

I'm going to try removing "fileencryption=ice,quota,reservedsize=128M" and report back

[salvogiangri]

Thank you so much for the incredibly fast response!

I'm going to try removing "fileencryption=ice,quota,reservedsize=128M" and report back

Remove only "fileencryption=ice" and "inlinecrypt" in the "/data" entry of your "fstab.qcom" file in vendor, the other flags aren't crypto related.

[KikMyaz]

Oh dear good point! For some reason /system/vendor/etc/fstab.qcom (symlinked to /vendor/etc/fstab.qcom) seems to restore itself automatically upon reboot :( Any ideas?

[salvogiangri]

I can confirm Secure Folder works fine on my Galaxy S8+ with full stock firmware and data crypto in place:

The difference is this device has FDE and not FBE:

[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]

[salvogiangri]

Oh dear good point! For some reason /system/vendor/etc/fstab.qcom (symlinked to /vendor/etc/fstab.qcom) seems to restore itself automatically upon reboot :( Any ideas?

Edit "/vendor/etc/fstab.qcom" directly, the "/system/vendor" folder is a symlink to the actual "/vendor" partition. Try also using a different app, I personally use MiXplorer. Please note disabling data crypto will require a factory data reset to remove FBE and being able to boot in the OS again, if you're interested in testing this out make sure to backup all your data/files before proceeding.

[KikMyaz]

https://docs.samsungknox.com/admin/knox-platform-for-enterprise/kbas/kba-360039577713.htm

I can confirm Secure Folder works fine on my Galaxy S8+ with full stock firmware and data crypto in place:

The difference is this device has FDE and not FBE:

[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]

Ah interesting https://docs.samsungknox.com/admin/knox-platform-for-enterprise/kbas/kba-360039577713.htm - is there any way to disable FBE? (I also have TWRP if it's helpful)

[salvogiangri]

Ah interesting https://docs.samsungknox.com/admin/knox-platform-for-enterprise/kbas/kba-360039577713.htm - is there any way to disable FBE? (I also have TWRP if it's helpful)

Your device should be "old enough" to support @corsicanu's multidisabler TWRP flashable zip (https://github.com/corsicanu/multidisabler-samsung/releases/latest), avoid using it in newer devices with dynamic partitions since it will not work.

[salvogiangri]

Commit 2002afe41ecfa301b37c39630538b7728045ae58 pushed, the crypto warning will now be shown on Android 11 and lower and only on FBE devices, will keep this issue open anyway and see if we can circumvent this in the future.

[KikMyaz]

Thanks! Just disabled FBE, but for some reason the issue persists. [ro.crypto.state]: [unsupported]

Any pointers?

[salvogiangri]

Thanks! Just disabled FBE, but for some reason the issue persists. [ro.crypto.state]: [unsupported]

Did you reboot your phone after installing the KnoxPatch app and enabling the module in LSPosed? I still see the keymaster error but this time it is caused by SdpManagerService:

05-13 14:34:49.427   685   685 D keymaster_swd: keymaster_swd [ERR] (tz_check_trust_boot_status:1148) TB is fail:0x1
05-13 14:34:49.427   685   685 D keymaster_swd: keymaster_swd [ERR] (tz_check_trust_boot_status:1159) WB is fail:0x1
05-13 14:34:49.427   685   685 D keymaster_swd: keymaster_swd [ERR] (km_check_trustboot_for_knox:411) tz_check_trust_boot_status fail
05-13 14:34:49.427   685   685 W keymaster_tee: [WRN]Cmd 4, err -45
05-13 14:34:49.427   685   685 W keymaster_tee: [WRN]nwd_import_key ret -45
05-13 14:34:49.427  1113 17054 I keymaster_worker: importKey failed
05-13 14:34:49.427  1113 17054 E keymaster_worker: importKey() : Failed to import knox key (-45) : Not support fallback
05-13 14:34:49.428  1050  2270 W System.err: java.security.KeyStoreException: Failed to import secret key. Keystore error code: -45
05-13 14:34:49.428  1050  2270 W System.err:    at android.security.keystore.AndroidKeyStoreSpi.setSecretKeyEntry(AndroidKeyStoreSpi.java:882)
05-13 14:34:49.428  1050  2270 W System.err:    at android.security.keystore.AndroidKeyStoreSpi.engineSetEntry(AndroidKeyStoreSpi.java:1218)
05-13 14:34:49.428  1050  2270 W System.err:    at java.security.KeyStore.setEntry(KeyStore.java:1658)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.locksettings.SyntheticPasswordCrypto.installKnoxKey(SyntheticPasswordCrypto.java:447)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.locksettings.SyntheticPasswordCrypto.installKnoxKey(SyntheticPasswordCrypto.java:418)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.SdpManagerService$LocalService.isKnoxKeyInstallable(SdpManagerService.java:7617)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.pm.UserManagerService.lambda$checkIntegrity$1(UserManagerService.java:686)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.pm.-$$Lambda$UserManagerService$Vi1he31l1YntzoW2DphYBuoO19s.apply(Unknown Source:2)
05-13 14:34:49.428  1050  2270 W System.err:    at java.util.Optional.map(Optional.java:211)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.pm.UserManagerService.checkIntegrity(UserManagerService.java:685)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.pm.UserManagerService.createUserInternalUnchecked(UserManagerService.java:3327)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.pm.UserManagerService.createUserInternal(UserManagerService.java:3150)
05-13 14:34:49.428  1050  2270 W System.err:    at com.android.server.pm.UserManagerService.createProfileForUser(UserManagerService.java:3089)
05-13 14:34:49.428  1050  2270 W System.err:    at android.os.IUserManager$Stub.onTransact(IUserManager.java:637)
05-13 14:34:49.428  1050  2270 W System.err:    at android.os.Binder.execTransactInternal(Binder.java:1056)
05-13 14:34:49.428  1050  2270 W System.err:    at android.os.Binder.execTransact(Binder.java:1029)

Might download your device firmware to see if something else needs to be patched.

[KikMyaz]

Thanks! Just disabled FBE, but for some reason the issue persists. [ro.crypto.state]: [unsupported]

Did you reboot your phone after installing the KnoxPatch app and enabling the module in LSPosed? I still see the keymaster error but this time it is caused by SdpManagerService:

05-13 14:34:49.427   685   685 D keymaster_swd: keymaster_swd [ERR] (tz_check_trust_boot_status:1148) TB is fail:0x1
05-13 14:34:49.427   685   685 D keymaster_swd: keymaster_swd [ERR] (tz_check_trust_boot_status:1159) WB is fail:0x1
05-13 14:34:49.427   685   685 D keymaster_swd: keymaster_swd [ERR] (km_check_trustboot_for_knox:411) tz_check_trust_boot_status fail
05-13 14:34:49.427   685   685 W keymaster_tee: [WRN]Cmd 4, err -45
05-13 14:34:49.427   685   685 W keymaster_tee: [WRN]nwd_import_key ret -45
05-13 14:34:49.427  1113 17054 I keymaster_worker: importKey failed
05-13 14:34:49.427  1113 17054 E keymaster_worker: importKey() : Failed to import knox key (-45) : Not support fallback
05-13 14:34:49.428  1050  2270 W System.err: java.security.KeyStoreException: Failed to import secret key. Keystore error code: -45
05-13 14:34:49.428  1050  2270 W System.err:  at android.security.keystore.AndroidKeyStoreSpi.setSecretKeyEntry(AndroidKeyStoreSpi.java:882)
05-13 14:34:49.428  1050  2270 W System.err:  at android.security.keystore.AndroidKeyStoreSpi.engineSetEntry(AndroidKeyStoreSpi.java:1218)
05-13 14:34:49.428  1050  2270 W System.err:  at java.security.KeyStore.setEntry(KeyStore.java:1658)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.locksettings.SyntheticPasswordCrypto.installKnoxKey(SyntheticPasswordCrypto.java:447)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.locksettings.SyntheticPasswordCrypto.installKnoxKey(SyntheticPasswordCrypto.java:418)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.SdpManagerService$LocalService.isKnoxKeyInstallable(SdpManagerService.java:7617)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.pm.UserManagerService.lambda$checkIntegrity$1(UserManagerService.java:686)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.pm.-$$Lambda$UserManagerService$Vi1he31l1YntzoW2DphYBuoO19s.apply(Unknown Source:2)
05-13 14:34:49.428  1050  2270 W System.err:  at java.util.Optional.map(Optional.java:211)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.pm.UserManagerService.checkIntegrity(UserManagerService.java:685)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.pm.UserManagerService.createUserInternalUnchecked(UserManagerService.java:3327)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.pm.UserManagerService.createUserInternal(UserManagerService.java:3150)
05-13 14:34:49.428  1050  2270 W System.err:  at com.android.server.pm.UserManagerService.createProfileForUser(UserManagerService.java:3089)
05-13 14:34:49.428  1050  2270 W System.err:  at android.os.IUserManager$Stub.onTransact(IUserManager.java:637)
05-13 14:34:49.428  1050  2270 W System.err:  at android.os.Binder.execTransactInternal(Binder.java:1056)
05-13 14:34:49.428  1050  2270 W System.err:  at android.os.Binder.execTransact(Binder.java:1029)

Might download your device firmware to see if something else needs to be patched.

I have just rebooted again two more times but the issue remains. Activating Secure Folder in Settings still says "Couldn't create Secure Folder".

Any way I can help? It's the official firmware (G9700TGY4DTL2)

[salvogiangri]

Seems like an additional patch is required in your end, I'll send you a test apk asap.

[salvogiangri]

@KikMyaz give a try to this apk when possible. https://github.com/BlackMesa123/KnoxPatch/actions/runs/4967531570

[salvogiangri]

Thank you! I have just installed the latest artifact but I am still getting the same issue. Here are the logs,

Sorry for the late reply. I've been talking with some devs and it looks like this was a common issue for S10 devices due to something in vold/epm related to Knox (either SDP or DDAR). They've sent me the necessary files to replace, would be great if you could test those yourself (make a backup of your system partition first, then replace the files with the one attached here)

vold.zip

[KikMyaz]

Thank you! I have just installed the latest artifact but I am still getting the same issue. Here are the logs,

Sorry for the late reply. I've been talking with some devs and it looks like this was a common issue for S10 devices due to something in vold/epm related to Knox (either SDP or DDAR). They've sent me the necessary files to replace, would be great if you could test those yourself (make a backup of your system partition first, then replace the files with the one attached here)

vold.zip

Thank you for the reply! Just tried it out but it looks like it doesn't boot after replacing the files under /system (and setting permissions). It gets stuck on the device model splash screen for like 3 mins during boot, finally reaches the "SAMSUNG" splash screen, but as soon as what I'm assuming is the lockscreen loads the device restarts.

[KikMyaz]

I just booted into twrp and mounted system to double check I have replaced the files, here is the output beyond0qlte:/ # ls -al /system/bin/vold -rwxr-xr-x 1 root shell 1255328 2023-05-15 12:26 /system/bin/vold beyond0qlte:/ # ls -al /system/lib/libepm.so -rw-r--r-- 1 root root 207900 2023-05-15 12:26 /system/lib/libepm.so beyond0qlte:/ # ls -al /system/lib64/libepm.so -rw-r--r-- 1 root root 244352 2023-05-15 12:26 /system/lib64/libepm.so

[salvogiangri]

I just booted into twrp and mounted system to double check I have replaced the files

Did you set the correct secontext for the vold file with chcon u:object_r:vold_exec:s0 /system/bin/vold? Use ls -lZ to print it.

[KikMyaz]

I just booted into twrp and mounted system to double check I have replaced the files

Did you set the correct secontext for the vold file with chcon u:object_r:vold_exec:s0 /system/bin/vold? Use ls -lZ to print it.

Oh dear I forgot! Thanks so much - secure folder working perfectly now!

[salvogiangri]

Thank you for testing out, I'll see if I can figure out a way to implement this fix in the Enhancer module. You think you can test it once it is ready?

[KikMyaz]

Yeah absolutely I'd be more than happy to help!

Thank you very much for fixing the issue (a flashable zip might also be nice if we're not going to be replacing the files back)

[salvogiangri]

Yeah absolutely I'd be more than happy to help!

Can you check if the stock /system/bin/vold file works fine? I want to know if only the libepm files are required to fix SF.

[KikMyaz]

Can you check if the stock /system/bin/vold file works fine? I want to know if only the libepm files are required to fix SF.

Just tested different combinations of the exec and dylibs - here's my preliminary conclusion:

1. stock /system/bin/vold + modded /system/lib/libepm.so + modded /system/lib64/libepm.so -> stuck at splash screen during boot
2. modded /system/bin/vold + stock /system/lib/libepm.so + stock /system/lib64/libepm.so -> boots up with broken secure folder
3. modded /system/bin/vold + modded /system/lib/libepm.so + modded /system/lib64/libepm.so -> boots up with working secure folder

[KikMyaz]

Okay just double checked again - all 3 files are required for working secure folder :/

Here's a quick script to help with testing

adb push ./vold /tmp/; adb shell mkdir -p /sdcard/vold/bin /sdcard/vold/lib /sdcard/vold/lib64 cp --preserve=all /system/bin/vold /sdcard/vold/bin/vold cp --preserve=all /system/lib/libepm.so /sdcard/vold/lib/libepm.so cp --preserve=all /system/lib64/libepm.so /sdcard/vold/lib64/libepm.so cp /tmp/vold/bin/vold /system/bin/vold cp /tmp/vold/lib/libepm.so /system/lib/libepm.so cp /tmp/vold/lib64/libepm.so /system/lib64/libepm.so

[salvogiangri]

Can you check what happens with the original KnoxPatch v0.5.1 module and the vold/libepm files that fixes Secure Folder? Want to see if they do not require the additional patch I added in the module to fix your issue.

[salvogiangri]

@KikMyaz this CLI contains a test version of the KnoxPatch Enhancer Magisk module, it should fix Secure Folder in your end. https://github.com/BlackMesa123/KnoxPatch/actions/runs/5002208767

[KikMyaz]

Can you check what happens with the original KnoxPatch v0.5.1 module and the vold/libepm files that fixes Secure Folder? Want to see if they do not require the additional patch I added in the module to fix your issue.

Sure thing! The original KnoxPatch v0.5.1 module does not seem to work with stock vold files nor with modded ones. Only the latest build (artifact) works and it only works when used with the modded vold files.

[KikMyaz]

@KikMyaz this CLI contains a test version of the KnoxPatch Enhancer Magisk module, it should fix Secure Folder in your end. https://github.com/BlackMesa123/KnoxPatch/actions/runs/5002208767

Thanks! Yep the new Enhacer module works and replaces all files correctly (at least on my end) 👍

[salvogiangri]

Thanks! Yep the new Enhacer module works and replaces all files correctly (at least on my end) +1

Great to know! A new official release of the app is on the way. Thank you a lot for your time and patience, will rename this issue and probably open another one for the non-working SF with FBE since this was specific to your device.

[salvogiangri]

No, unfortunately enabling back data encryption will bring back the keymaster verify error in https://github.com/BlackMesa123/KnoxPatch/issues/23#issuecomment-1546627709.

[KikMyaz]

Ah I forgot! Yeah that makes sense - thanks so much!

[salvogiangri]

@KikMyaz Can you please test this Enhancer zip? I made a mistake while writing the script and the files weren't extracted correctly😅 https://github.com/BlackMesa123/KnoxPatch/actions/runs/5003577005

[salvogiangri]

Hmmm idk what changed but that may or may not have broken it neutral_face work profile's not activating after flashing that magisk module, but manually replacing the vold files does work (also the previous one might have been broken too since I just clocked I had prevented those files from being overwritten)

Any logs I could look at? Consider the module contains the same vold/libepm I sent you for testing, so strange...

[salvogiangri]

Sure! I'm like 99% sure installing the module broke my work profile (not entirely sure if having it already enabled makes a difference) but here are the logs - I'm guessing the files aren't being replaced properly for some reason?

Do you still have the log files by any chance? I wasn't able to download them since I was AFK.

[salvogiangri]

Gonna assume it's because keymaster isn't working as it should in your end:

05-17 20:01:00.479   689   689 W keymaster_tee: [WRN]begin req PARAMS: A32 B32 P1 
05-17 20:01:00.484   689   689 D keymaster_swd: keymaster_swd [ERR] (tz_check_oem:62) Device is compromized: fuse loc=5,status=0,sw_fuse_blown=1
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (km_check_key_os_version_patchlevels:194) key_os_version(160100) > _os_version(100000)
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (swd_key_deserialize_ekey:466) km_check_key_os_version_patchlevels failed
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (km_deserialize_key:276) Failed to deserialize key
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (swd_begin:417) Failed with error: 4294967
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [WRN] (swd_run_cb:249) swd_begin() returns -33
05-17 20:01:00.485   689   689 W keymaster_tee: [WRN]Cmd 8, err -33

Looks like you did downgrade your device or did something that is making the os version/security patches check to fail.

[salvogiangri]

Interesting! Would running a custom kernel trigger that? (for testing purposes I integrated a custom kernel in boot.img and flashed that) But curiously secure folder works if I replaced the files myself instead of using magisk

Yes, make sure your boot.img has the correct OS_VERSION and OS_PATCH_LEVEL value.

[salvogiangri]

Here are the logs LSPosed_2023-05-17T20_35_55.261.zip

I do still see the "km_check_key_os_version_patchlevels failed" error in logs, wonder what could be causing it. Regarding Secure Folder, could Magisk not be able to bind mount the new vold binary in time? I need to check this.

[salvogiangri]

Could the error be due to the modded system partition from manually replacing the void files?

At the moment it's modded system partition, stock kernel + with magisk flashed into boot partition and recovery partition, and a lightly modified product (CSC) partition. Would any of these trigger that error?

Also I do think it may be due to magisk coming up too late in the boot process

I doubt so, OS_VERSION and OS_PATCH_LEVEL are either read from the kernel image or from the system props, so your issue is probably there.

I might need to find another way to replace the vold binary in system if a Magisk module isn't enough. A good news is I might have found a way to fix Secure Folder on legacy FBE devices, though this also requires a custom vold binary🥲 (https://github.com/BlackMesa123/KnoxPatch/issues/26#issuecomment-1552882223)

[KikMyaz]

05-17 20:01:00.479   689   689 W keymaster_tee: [WRN]begin req PARAMS: A32 B32 P1 
05-17 20:01:00.484   689   689 D keymaster_swd: keymaster_swd [ERR] (tz_check_oem:62) Device is compromized: fuse loc=5,status=0,sw_fuse_blown=1
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (km_check_key_os_version_patchlevels:194) key_os_version(160100) > _os_version(100000)
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (swd_key_deserialize_ekey:466) km_check_key_os_version_patchlevels failed
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (km_deserialize_key:276) Failed to deserialize key
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [ERR] (swd_begin:417) Failed with error: 4294967
05-17 20:01:00.485   689   689 D keymaster_swd: keymaster_swd [WRN] (swd_run_cb:249) swd_begin() returns -33
05-17 20:01:00.485   689   689 W keymaster_tee: [WRN]Cmd 8, err -33

Apologies! Just clocked the keystore issue was my fault leaving incorrect header magic in custom boot image.

RE: https://github.com/BlackMesa123/KnoxPatch/issues/26

On a completely unrelated note, if you would like to downgrade with higher bootloader rev, this slightly dodgy method may work (provided you have snapdragon). It's just hex patching on the firmware and some people have reported success.

[salvogiangri]

On a completely unrelated note, if you would like to downgrade with higher bootloader rev, this slightly dodgy method may work (provided you have snapdragon). It's just hex patching on the firmware and some people have reported success.

Yes, curiously I discovered this some days before that thread was created... 🤔

This is the Samsung signature scheme you can find in their binaries:

- SignerRevision (16 bytes)
- QuickBuildId (16 bytes)
- VersionName (32 bytes)
- BuildTime (16 bytes)
- ModelName (32 bytes)
- SystemRPValue (16 bytes)
- KernelRPValue (16 bytes)
- BuildVariant (4 bytes)
- KillSwitchMagic (4 bytes)
- FactoryBuild (4 bytes)
- BinaryName (16 bytes)
- Reserved (84 bytes)

The values the bootloader checks are "SystemRPValue" and "KernelRPValue", not the "VersionName". The best thing to do is to zero out the signature in the binary you want to flash. Avoid BL and CP binaries since messing with those could lead to an hard brick, modify and flash only AP and CSC binaries. This should work on all the Samsung devices regardless from the SoC.

[KikMyaz]

Hi - sorry for having to necro this thread! I have just got some time to properly test this out repeatedly by starting out completely fresh with stock Android 10 rom.

Just wanted to report the latest enhancer module 0.3-fix from releases still doesn't seem to work properly after flashing with Magisk. I can confirm it was only until after I replaced the vold files individually in TWRP that it finally starts working. Not entirely sure if this is because the Magisk module is coming up too late during boot.

[salvogiangri]

Hi - sorry for having to necro this thread! I have just got some time to properly test this out repeatedly by starting out completely fresh with stock Android 10 rom.

Just wanted to report the latest enhancer module 0.3-fix from releases still doesn't seem to work properly after flashing with Magisk. I can confirm it was only until after I replaced the vold files individually in TWRP that it finally starts working. Not entirely sure if this is because the Magisk module is coming up too late during boot.

Yes that's the reason, vold is a critical system service and Magisk seems to not be able to replace it. I've also tried Magisk Delta early mount feature but the result is the same.

[KikMyaz]

Issue resolved in #26 . Thank you for the help!