
Root [International] Knox Security & locked bootloader on new firmwares

Thanks EarlyMon.

Syd I think it is good news. Maybe Samsung have rushed out so many similar firmwares, seemingly different for different regions only, that they've tacked on this Knox to patch the security holes and they are going to patch it properly later. The only thing that concerns me is the patch is floating around Google anyway, why does the bootloader need to be locked?

The good news is it is Samsung, the patch is out there and we've already got a rooted ROM minus Knox.
 
Just got in, you're not all trying to goad me into giving it a go are you.....that's cruel....

Well Syd, Ironass is sticking, that should sound alarm bells. I am too, perfectly happy with MH1 at the moment. Should 4.3 pop up however with a locked bootloader without a hack that has been tried and tested I could be sorely tempted to risk it should a work around be announced, no matter how dodgy. Personally I'm sure Chainfire is on it as we wait.

Stay with what you have, I wouldn't want you to suffer bootloader lock with no way out.
 
Knox isn't a new feature in the current updates, just the way it's been updated itself and implemented (I'm guessing anyway, but I know it is a feature that was already there for the S4 at some point!). And as Early suggests, it's def an issue with Samsung rather than Google, though I'm not entirely sure if the Knox feature does have anything to do with the master keys etc? I'm sure someone else can bring us up to confirmed speed on this :-)

Personally I'm quite happy with the cm10.2 based pro bam, I'll have no issues with locked bootloaders etc :-) The only thing I kinda miss, and even then it's not a massive miss, is the Samsung camera app, otherwise the phone is running smoother and nicer than it had been with any MGA ROM I tried :-(
 
Well Syd, Ironass is sticking, that should sound alarm bells. I am too, perfectly happy with MH1 at the moment. Should 4.3 pop up however with a locked bootloader without a hack that has been tried and tested I could be sorely tempted to risk it should a work around be announced, no matter how dodgy. Personally I'm sure Chainfire is on it as we wait.

Stay with what you have, I wouldn't want you to suffer bootloader lock with no way out.


Absolutely dyno. On MH1 I'm well into second day of battery with 41% left, all working smooth. No point changing unless new features come along.

Even I ain't that dum.
 
Even I ain't that dum.

TIP: Don't ask for a show of hands Syd! ;)


I have virtually re-written post #1 of this thread to update it with the latest information available as regards the new stock Samsung firmwares for the i9505 and other S4 models.

It is not just the locked bootloader causing the problems for devs and us flashers but also the new, embedded, Knox Security that has been added to please corporate and government institutions.


TIP: 2 The term, "efuse", in post #1 is pronounced... EFF-You's ;)
 
Have updated post #1, yet again, with more information gleaned from posters over the weekend, #1.3, who had tried to root the new firmwares. Have also included advice on what to do under such circumstances and have indexed the post for easy reference.

My advice is to check the firmware details of anyone posting unusual problems on this forum in case they have tried to root any of the latest firmwares.
 
Should have got the HTC one after all!

Syd! :hmpf: An hour on the Naughty Step for you and don't move until I tell you!

Actually, I think that we will be seeing more of this security situation from other handset manufacturers who are keen to get their handsets accepted by government and large corporations, who demand enhanced security for BYOD.


Have added yet another paragraph, #1.4, to the rapidly growing post #1. This concerns reports that I have been reading on other forums that those who have upgraded to the latest bootlocked and Knox security firmwares, even though they are not rooted, have been experiencing problems with some of the Play Store apps that are possibly being treated as security breaches by Knox.


FYI: Knox requires a locked bootloader to operate.

It is named after the United States bullion depository, often referred to as Fort Knox, in Kentucky, which featured in the James Bond film, Goldfinger, starring Sean Connery.
 
I saw the post about Whatsapp in the general SGS4 forum and thought about asking what firmware they were running, as I did wonder.

I think if Knox requires a locked bootloader to work, both are here to stay. I don't require Knox - my device is my own. Would it be too much for Samsung to provide two versions of the same update, one with Knox and the locked bootloader and one without? Only those with admin privileges should be able to update via OTA or Kies, and have a choice which version they install.
 
Should have got the HTC one after all!
This will only affect people who install or have their phone provided with a ROM that includes a locked bootloader.

I can see why Samsung did this as it provides a rock solid way for a ROM to check that it is running on a device that has not been tampered with.

It is not a good thing for those of us who like to install 3rd party ROMs but want to have the possibility to return the device to factory condition but, let's face it, we are a tiny minority.
 
It is not a good thing for those of us who like to install 3rd party ROMs but want to have the possibility to return the device to factory condition but, let's face it, we are a tiny minority.

While this is undoubtedly true, I think you miss two points. One, Android is meant to be Google's (not Samsung's) "Open Source" operating system. Now how open is "Open" is open to debate, but you get my point.

Second, and more importantly, given that we who flash and tinker with our devices are a tiny proportion of Android users, we still paid our hard earned cash on the device of our choice. A new firmware has decreased its usability for us. Are we entitled to compensation?


Personally I find the excuse of warranty voiding simply by rooting as disgusting. It is a cop out, and here in the UK at least very dubious legally. I can't imagine Hewlett Packard (for instance) voiding a hardware warranty just because I installed Linux on my laptop.

I bought an Android smartphone not an Apple one, and while I can see the appeal of a device that works well, I want to escape the lovely walled garden and explore on my own.
 
While this is undoubtedly true, I think you miss two points. One, Android is meant to be Google's (not Samsung's) "Open Source" operating system. Now how open is "Open" is open to debate, but you get my point.
The issue here isn't to do with the licensing of the code though is it?

A new firmware has decreased its usability for us. Are we entitled to compensation?
Only if you install it. If you don't, you are no worse off than when you bought your phone. Having said that, if I were just about to buy an S4, this would definitely put me off. I am disappointed that Samsung has chosen to do this but it will only affect my future purchasing decisions. I am very happy with my S4 regardless of what Samsung now decides to do.

Personally I find the excuse of warranty voiding simply by rooting as disgusting. It is a cop out, and here in the UK at least very dubious legally.
I'm completely with you here and I do not believe that this would stand up in court.

I have to say that I do think this is actually quite a clever security control that will appeal to businesses and I think Samsung's decision is probably a commercially sensible one for them.
 
I agree it is clever, no arguments there. It's also more than a little underhanded. Millions of Android owning people will have updated by now OTA, some with more nous with Kies, and no doubt found things a little better, smoother and maybe less buggy. In short they'll be happy in their ignorance. And why not? They on the surface have lost nothing and gained something, all the time not realising they now have a device crippled from its former state. How many of those that do flash and root have kept their devices "stock", just for a while and only found out that last OTA update has cut their rooting dreams at the knees? Melodramatic? Perhaps, but I am angered by Samsung.

I see where you're coming from with the licensing of the code. You're right, that is not the issue. I concede that.

I just despair, I'm not naive enough to believe Samsung won't follow the bottom line. If Knox makes them the darling of the corporate world, giving needed security to BYOD, they need and should go after this lucrative market. I wish they'd actually told us first though, locking their damn bootloaders.


Sorry, rant over.
 
Might as well call it an iGalaxy...

Now you're goading me Syd :)

I know someone who is a network engineer. He installs a company's network in a new office, troubleshoots and moves on. He loves Apple, but not in a blind way. He loves how everything Apple "just works", the inherent problems of getting say a BlackBerry to talk to an IBM server and on to a Windows terminal are just not there. He loves the "Walled Garden", where once he hated the "closedness" of them.

I feel this is the way it is all heading, where money is to be had "openness" and the like can go hang. The internet is in continuous danger of being chopped up by the ISPs who would love to be able to supply access with "options" like cable TV. There's not much we can really do except rant, and wring our collective hands. Just be aware of it, and don't walk into a future ignorant. Knowledge is power.
 
Right, so this Knox and bootloader bollocks. As I see it, now that you can root a Knox firmware, there are 2 issues from flashing
1. Once you flash, there's no going back....
2. It voids warranty

So, for the first point, generally it's unusual to want to use old versions unless you find a gem. For the second, we all live with this possibility anyway when we start rooting our phones.

So really, is this not a lot of hot air and panic....or am I missing something.......again!
 
Right, so this Knox and bootloader bollocks. As I see it, now that you can root a Knox firmware, there are 2 issues from flashing
1. Once you flash, there's no going back....
2. It voids warranty

So, for the first point, generally it's unusual to want to use old versions unless you find a gem. For the second, we all live with this possibility anyway when we start rooting our phones.

So really, is this not a lot of hot air and panic....or am I missing something.......again!

1. Definitely, no turning back to pre Knox firmware but as you say Syd, how many of us ever want or need to go back?

2. In the absence of an official statement from Samsung can I amend that to say that... in theory it could be used to void warranty.

The reason I say this is that DjeMBeY maintains that there are legitimate, unrooted, reasons that could increase the Knox counter. So, let us say for instance that a warranty repair was needed and TriangleAway had been used to reset the Samsung binary counter and a stock firmware was flashed then it could quite easily have been an error installing a stock firmware via KIES and there will be no other supporting evidence to prove otherwise... i.e. the Samsung binary counter.

I can understand why Samsung had to do this and why other manufacturers will almost certainly have to follow suit. Grudgingly, I have to say that Samsung made a darned good job of it and one that will reassure the IT departments of those who require this sort of security on a device to allow its use.

Since the latest releases of firmware for the S4 all seem to be based on MGA/MH1 with just the addition of the new security features, I can see no reason to shift from my present ROM as there is no advantage. However, with the imminent release of Android 4.3 and the enhancements that this brings, I shall be updating.
 
Where I see issues will be if Google or Samsung release a version that's buggy and many people don't like, such as ICS on the S2. I'm sure I'm not alone in remembering the complaints from it and the number of people enquiring about rooting just to go back to Gingerbread (personally I never had any issues with ICS but that's just me :-P)

Obviously for the masses, Knox ain't really an issue either way, but for those that need it it's great and those in our camp, it's a pain in the ass!
 
Yeah I'm not really seeing the problem if you're already rooted. All you have to do is flash one of the numerous ROMs which doesn't contain the new bootloader or Knox and you're on the latest firmware with the possibility of returning to your old. I'm actually quite surprised that DjeMBeY keeps including the bootloader. Although he knows more than me so I'm sure he has his reasons. I can see how it may be a problem if you aren't already rooted but are planning to though.
 
This would be all fine and dandy, save for the elephant in the room, and I may be trying to compare apples with oranges. (Can I squeeze in any more metaphors in that sentence?) But doesn't flashing make Knox physically "break" something, telling Samsung we have flashed? Leaving aside the BYOD corporate world where it is a fine, and to be applauded, security measure, isn't it a bit "big brother"? If I wanted to I could go out, buy a Windows PC and install Linux. A year later, if I wanted to I could remove Linux, reinstall Windows and sell it as what it is, a Windows laptop. No one would need to know and no one would be affected. Now say I flash my phone, Knox comes in and later I flash an ordinary stock firmware to sell it, I actually sell it broken. It can't be used as a BYOD by its new owner and Samsung won't honour (illegally in the UK in my understanding anyway) my warranty. This is what sticks in my craw. I guess I will have to accept it, doesn't make me happy though.
 
Remember, Samsung is not only after the corporate market - they're going after the military.

Here's a cached copy (links or it didn't happen), hopefully viewable despite the JavaScript session id -

National Vulnerability Database (NVD) National Checklist Program Checklist Detail for Samsung Knox Android 1.0 STIG Version 1

I personally think that influenced the bootloader decision.

Sorry Early but link doesn't seem to wanna work for me using Chrome at least :-( and although I'm only replying now, I actually tried it about five mins after you posted it....

Google
404. That
 
Fascinating, Knox appears to be the dogs danglies when it comes to security on Android devices. For phones with Knox up and running from a server they have a white list of applications that are allowed. Applications can have their permissions rescinded remotely and basically Knox has the US military's approval. All good stuff for Samsung.
 