
Root [International] Knox Security & locked bootloader on new firmwares

Two reasons spring to mind, old stick...

1. The partnership and licensing agreement between Samsung and Centrify was not ready in time. See here and here.

2. Samsung waited until you had got the S4... just to spite you.


(Personally, I think the latter ;))


I think you just want to make our soggy moggy paranoid!

Seriously, you have trawled the depths of Wikipedia and probably found the real answer. I'll claim an intelligent guess though.

Earlymon sums this whole debacle up well; it's about $'s at the end of the day. Android is now dominant, and it needs new markets to grow further. Knox has given Samsung at least a way in.
 
I think you just want to make our soggy moggy paranoid!

... and your point is? ;)

Seriously, you have trawled the depths of Wikipedia and probably found the real answer. I'll claim an intelligent guess though.

The ability to add Knox to older phones such as the S3 would indicate that the wherewithal to implement Knox has been present for some time, be it in the Qualcomm chip or elsewhere. Therefore, I surmised that since it had not been implemented earlier, it was because of the necessary software and licensing.

Earlymon sums this whole debacle up well; it's about $'s at the end of the day. Android is now dominant, and it needs new markets to grow further. Knox has given Samsung at least a way in.

I would tend to agree with that, inasmuch as the BYOD market is huge worldwide and Samsung needed to gain approval for its latest devices from government, defence and corporate IT departments, for devices that could offer a separate and secure environment on their phones, such as that offered by Blackberry, for instance. As it states in this Centrify release...

"Centrify can leverage Samsung's extensive global sales and marketing teams to promote its solutions to the wide network of Samsung customers, carriers and channel partners."


UPDATE

Have further updated post #1 with what is currently known about Knox, so far.
 
First, sorry for my PC terms like BIOS while referring to a phone. Not completely schooled up on the current names, but I think you'll understand my thought.

I know this may be slightly off topic, while related. Where would you think the code to pop the efuse is? Would it be at the BIOS level, possibly requiring a JTAG interface to replace it with code that will not pop the efuse? Maybe I'm way off track, but I think this type of security would have to be supported down to the BIOS level.

If at BIOS level, I think you may be able to flash a new BIOS that will not pop the efuse regardless of the recovery or ROM being used. I understand that a JTAG interface with these phones is beyond what most of the ROM users would be capable of on their own, and that most devices would have a physical trail from being JTAGed, since soldering on the board is often required, so a warranty would be out of the question. But it could allow you to use the device at a corporate level if your corporation has a BYOD program, and on the weekends or such play with other ROMs/rooting without having the KNOX system report the device as "compromised", or buy a second device to toy with.
 
Phones don't have a BIOS but the bootloader is analogous to it. It's the lowest level firmware component and it dictates the boot vector, and includes some maintenance functions.

Here's some info to help sort out terms -

http://forum.xda-developers.com/wiki/Bootloader

Open source bootloaders do exist, Das U-Boot is one, I seem to recall another but don't recall the name. They're uncommon in phone rooting.

Replacing bootloaders with modified versions and even using jtag to get through bootloader security when all else fails isn't at all unheard of with HTCs.

When you do that, an HTC becomes permanently s-off (a term unique to HTCs) where encrypted signature security is permanently off. I never gave it much thought but for all I know, the HTC s-on/off flag might be an efuse.

So the jtag unlocking precedent is certainly there, not sure about it with respect to the Knox flag.

Very interesting thought. :)

PS - if you could circumvent Knox and be undetected, I'd expect Samsung to OTA patch that in a jiffy. Anyone without the update would be suspect.

Trying to bypass IT security where you work hardly seems worth it, but that's imo.

Also review the OP for what's known so far about using jtag and Knox.
 
First, I'm not saying to try and bypass IT security where you work. I think that if you had a device that still has the "Knox bit" in a 0 state, and you JTAG a boot-loader that had the code that stores 1 to the "Knox bit" modified to store to, and check, a different location, a "false Knox bit" that can be changed on and off, you could use a custom ROM. I would expect that Knox software should fail to load since 1 is reported, unless Knox is still looking directly at the "Knox bit" location and seeing 0. Then if you got hired by a company that had a BYOD program, your company adds the program, or you just want to sell the phone, you restore stock recovery/ROM. The custom boot-loader would then store 0 to the "false Knox bit" location and Knox would work again in a secure environment. After confirming that all is working and not setting that "false Knox bit", you should be safe to restore the original boot-loader if desired and have an OEM-perfect device. Again, soldering a JTAG interface to the board would be enough to void the warranty, not like I would be trying to claim a warranty on it though.

As you can see, I was not thinking about bypassing IT security at work, but allowing freedom to use the device as we want in a way that is reversible if needed.

The JTAG mention in the OP is about just copying from a device with the Knox bit still off to one that has already been set. But if that bit is write-once, as stated by Samsung, and is part of some series of addresses that have a check-bit, then when it expects 0 from the Knox bit but gets 1, the check fails.

Again, I have no idea how they are writing this code, just guessing at what could have been done.
 
Please see the diagrams on the link I provided for efuses.

I think Knox is fundamentally SELinux, not an application that can be patched and spoofed into thinking it's still secure.

We'll see.
 
I'm not suggesting it should think it's secure when it's not, just ideas to prevent it from popping the eFuse when it's not secure (custom ROMs and such), so that if you revert to a secure system (OE ROM) it does not refuse to act secure because the eFuse reflects that, at some time with a previous load, it was not secure. Unless the chatter about Knox not working after restoring to a secure state, once the eFuse is blown from a previous custom ROM, is not true, I'm under the impression that some apps will not treat the phone as secure if that eFuse is blown, regardless of whether the current install actually is secure.

Maybe I'll just sit back a bit and see how the updates and news concerning this play out. I like to run custom recovery so that I can do full backups/restores with ease, but if I'm travelling out of the country I would like to use the phone in a much more secure manner, maybe one day even with access to work-related things if my employer decides to support Samsung's push into the corporate marketplace.
 
What am I failing to see here? I understand the efuse blows your warranty. Is that the downside? I never return one of these devices via warranty; it's a hassle and I just replace it with a used one off of CL or buy a new one. I'm rooted and running the GPE ROM but don't remember if it was before the MH8 ROM.
 
Updated post #1 with more details on Knox enabled firmware and, in #1.4, how posters can check their current Knox status.

Still no reliable way of rooting and flashing a custom recovery without tripping the Knox counter, AFAIK. Also, no way of resetting the counter.

If anyone comes across a reliable method of doing either, please do not hesitate to post it here! :banghead:
 
Think if this is how things are developing this will be my last Samsung, unless a bypass hack is found
 
I'm sure I've suggested this already, but I really believe that as all the companies go in this direction and modding your phone becomes irreparably traceable (no reset on counters etc.), CyanogenMod Inc will bring out their own phone or range of phones, possibly taking the stock unit from, say, Samsung, but selling it with their own, very customisable, firmware, without having to void the warranty as root is a given?

Either way, I shall be waiting a few weeks or more before buying my next phone to see what I can and can't do. I will also now have to take extra care I don't break this S4, as I fear a replacement would come Knox activated :-(
 
Ironass, thanks for this comprehensive guide and even bigger thanks for the rooting guide.

But I am confused with all this talk of 'MGG' and Knox.

I have rooted my

GT-I9505
Android Version 4.2.2
Baseband I9505XXUBMEA

I have no Knox counter flag messages when I boot into download mode, so I am confused whether I should continue to flash the ass off my shiny new S4 the way I did with my S2.

Can you throw me a stupid bone here please?
 
Ironass, thanks for this comprehensive guide and even bigger thanks for the rooting guide.

But I am confused with all this talk of 'MGG' and Knox.

I have rooted my

GT-I9505
Android Version 4.2.2
Baseband I9505XXUBMEA

I have no Knox counter flag messages when I boot into download mode, so I am confused whether I should continue to flash the ass off my shiny new S4 the way I did with my S2.

Can you throw me a stupid bone here please?

Samsung releases are categorised as follows:-

M = year = 2013 (13th letter of alphabet)

E = Month of year (May in this case, 5th letter of the alphabet)

A = Release of that month (10th for, "A", as they start 1-9 first, before letters)

Therefore, MEA is pre-MGG (2013, July, 16th release) and is before Knox. Only stock Samsung firmwares MGG onwards (with the exception of MH1) have Knox.
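The release-tag rule in the post above (and repeated where it is quoted later in the thread) can be turned into a small checker. The following is an added example, not code from the thread or from Samsung: it decodes the three-letter tag into (year, month, release) exactly as the post describes, then compares against MGG and honours the MH1 exception. Two things are assumptions of mine rather than statements on the page: that the tag is always the last three characters of a baseband/build string such as I9505XXUBMEA, and that the year is 2000 plus the letter's alphabet position (the post only gives M = 2013).

```python
import re
from typing import Tuple

# From the thread: Knox first ships in stock S4 firmware MGG (2013, July, 16th release),
# and MH1 is named as the one exception among later firmwares.
KNOX_FIRST_TAG = "MGG"
KNOX_EXCEPTIONS = {"MH1"}

TAG_RE = re.compile(r"[A-Z]{2}[1-9A-Z]")


def decode_tag(tag: str) -> Tuple[int, int, int]:
    """Decode a Samsung release tag such as 'MEA' into (year, month, release).

    Per the post: the first letter's alphabet position gives the year (M = 13 -> 2013),
    the second gives the month (E = 5 -> May), and the third slot counts 1-9 first and
    then letters from A onwards (A = 10). Year = 2000 + position is my assumption.
    """
    tag = tag.upper()
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"not a Samsung release tag: {tag!r}")
    year = 2000 + (ord(tag[0]) - ord("A") + 1)
    month = ord(tag[1]) - ord("A") + 1
    release = int(tag[2]) if tag[2].isdigit() else ord(tag[2]) - ord("A") + 10
    return year, month, release


def tag_from_build(build: str) -> str:
    """Return the release tag from a baseband/build string like 'I9505XXUBMEA'.

    Assumption: the tag is always the trailing three characters. Bare tags such as
    'MG7' are accepted as-is.
    """
    build = build.strip().upper()
    if len(build) < 3:
        raise ValueError(f"build string too short: {build!r}")
    return build[-3:]


def is_knox_firmware(build: str) -> bool:
    """True if the firmware is Knox-enabled under the thread's rule:
    tag >= MGG in (year, month, release) order, except MH1."""
    tag = tag_from_build(build)
    if tag in KNOX_EXCEPTIONS:
        return False
    return decode_tag(tag) >= decode_tag(KNOX_FIRST_TAG)


if __name__ == "__main__":
    # Sample inputs: the two basebands mentioned in the thread plus one constructed
    # later tag (MJ5) to show the comparison passing.
    for build in ("I9505XXUBMEA", "MG7", "MGG", "MH1", "I9505XXUEMJ5"):
        print(build, decode_tag(tag_from_build(build)), "Knox" if is_knox_firmware(build) else "pre-Knox / exempt")
```

Running it reproduces the thread's conclusions: MEA decodes to (2013, 5, 10) and MG7 to (2013, 7, 7), both before MGG's (2013, 7, 16), so neither is flagged, while MH1 is excluded by the exception list. The tuple comparison is what makes the check robust across months and years rather than a string comparison of the letters.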
 
You have an old boot loader. You are Knox free. If you flash anything with a new boot loader, there's no going back, so anything new will do this.

If you stick to ROMs and firmware that you flash with a zip and that don't include the new boot loader, you don't have to worry about Knox. Generally speaking, that's the AOSP ROMs and Sammy ROMs like Echoe....

That's my simplistic view, over to rusty bum for a more a thorough and accurate picture ;)
 
And that folks, is why this Website/forum/mods are so great.

Thanks ironass and Syd, here is a virtual high 5 from me!

Now I need to decide if I want to remain on stock rooted or try Echoe ROM V7.

Although I must admit, I am missing my nightly updates of Cyanogen.
 
So in October I changed my lovely S2 I9100 running CarbonROM 4.2.2 for a shiny new S4 I9505... then read about Knox etc. :mad:. I assumed that my phone had Knox, as in my application manager I have "Knox notification manager" and "Knox store", but after reading these posts I am not sure. There is nothing about Knox in download mode and my baseband is MG7. Does this mean I'm Knox free?
 
So in October I changed my lovely S2 I9100 running CarbonROM 4.2.2 for a shiny new S4 I9505... then read about Knox etc. :mad:. I assumed that my phone had Knox, as in my application manager I have "Knox notification manager" and "Knox store", but after reading these posts I am not sure. There is nothing about Knox in download mode and my baseband is MG7. Does this mean I'm Knox free?

Looks that way -


Samsung releases are categorised as follows:-

M = year = 2013 (13th letter of alphabet)

E = Month of year (May in this case, 5th letter of the alphabet)

A = Release of that month (10th for, "A", as they start 1-9 first, before letters)

Therefore, MEA is pre-MGG (2013, July, 16th release) and is before Knox. Only stock Samsung firmwares MGG onwards (with the exception of MH1) have Knox.
 
Have added a couple of links in #1.9 of post #1 to help explain what Knox Security is all about in very simple terms, with a video, as well as the Knox User Manual/Guide.

I have also added, in #1.8, a breakdown of the Samsung firmware release numbering, mentioned a few posts earlier, in an attempt to clear up any confusion on whether a particular firmware is Knox enabled, or not.

Let's find out if KNOX flag 0:1 does void the phone's warranty or not - Page 6 - xda-developers

Djembey just got his phone back. Knox was tripped. Samsung still repaired it under warranty... interesting!

In light of Syd's post, I have also amended the main body of post #1 to read that Knox, "may", invalidate your warranty and have also added in #1.10, a link to the xda forum thread on the subject of the Knox flag and warranty. This thread shows that the situation with tripping the Knox flag and warranty repairs is still far from clear and that there are conflicting reports on the subject.
 
Just trying to confirm that my I9505G I purchased from Google has an unlocked bootloader. I don't have Knox installed, and no flag appears when I go into Download mode. I was able to install Goo Manager and custom recovery from within the application (TWRP.)

Seeing that I will be getting my updates from Google instead of Samsung, then I guess I won't have to worry about Knox.
 
Just trying to confirm that my I9505G I purchased from Google has an unlocked bootloader. I don't have Knox installed, and no flag appears when I go into Download mode. I was able to install Goo Manager and custom recovery from within the application (TWRP.)

Seeing that I will be getting my updates from Google instead of Samsung, then I guess I won't have to worry about Knox.

As per #1.0 in post #1...

It is being rolled out across the board to all the latest devices, branded and unbranded, with the exception of the GT-i9505G, Google Play Edition with stock Android firmware.

Bootloader is not locked on GE which is a requirement of Knox.
 