Knox Security & locked bootloader on new firmwares

[Jaymes]

I think we are going to see more and more unhappy bunnies who have updated to the latest Knox security enabled firmware and locked bootloaders and either now realise they cannot root and install custom recoveries and ROMs or blow their warranty attempting to do so.

As we have seen over the last 2 months or so on the International version, GT-i9505, which experienced Knox on Android 4.2.2, there are now 2 distinct camps...

1. Those who updated to Knox enabled stock firmware and now dare not, or cannot, root and install custom recovery or ROM's for fear of blowing the Knox flag.

2. Those that waited and did not update and are able to root and flash the latest new custom ROMs that come without Knox and the locked bootloader. See #1.5 in post #1.

If you think that you may want to root your phone, now or in the future, then the best advice I can give you is not to update to a Knox enabled firmware and root now to disable nagging reminders to update and at the same time you are prepared for when the dev's for your phone version bring out the first custom ROMs mentioned in 2.

Operating on an un-rooted I9505 s4, running android 4.2.2 but I am confused on how to know if rooting my phone will trip this counter. How can I know for sure if I have already updated to a firmware that has knox enabled or if I am free to root?

 

[ironass]

Operating on an un-rooted I9505 s4, running android 4.2.2 but I am confused on how to know if rooting my phone will trip this counter. How can I know for sure if I have already updated to a firmware that has knox enabled or if I am free to root?

If you are running pre MGG Android firmware, see #1.8 in post #1, you are safe to root by following the instructions in the Rooting Galaxy S4 - Dummies Guide.

 

[DrArmageddon]

Thanks Samsung ! Now my S4 feels like a walled android garden. If this is the route that Samsung is taking their devices with Android I will not be buying a Note3 Note 4 or S5. If I wanted a walled garden experience I would buy any other phone including IPhone. Funny now my Z10 with BB10 OS feels more versatile with direct APK installs with real security behind it. Guess I need a nexus for a pure google and android rooting experience. Bye bye Sammy

 

[Mr. Lucky]

Thanks Samsung ! Now my S4 feels like a walled android garden. If this is the route that Samsung is taking their devices with Android I will not be buying a Note3 Note 4 or S5. If I wanted a walled garden experience I would buy any other phone including IPhone.

. . .

Bye bye Sammy

Abolutely agree. Like any company, Samsung is following the money. In this case, they believe it is their best interest to make inroads into the corporate world. The thing is, corporate IT departments are typically not early innovators. I predict Samsung will come to regret this move, when they see the droves of consumers switching to something else when their phones come off-contract.

We have four Samsung-branded Android devices in this household AWA a washing machine, range, and OTR microwave. After this move though, they will never see another dime of my money.

 

[ironass]

Thanks Samsung ! Now my S4 feels like a walled android garden. If this is the route that Samsung is taking their devices with Android I will not be buying a Note3 Note 4 or S5. If I wanted a walled garden experience I would buy any other phone including IPhone. Funny now my Z10 with BB10 OS feels more versatile with direct APK installs with real security behind it. Guess I need a nexus for a pure google and android rooting experience. Bye bye Sammy

I predict Samsung will come to regret this move, when they see the droves of consumers switching to something else when their phones come off-contract.

Just wondering how you guys think having the Knox Flag and a locked bootloader will affect the vast majority of un-rooted users in future?

 

[Mr. Lucky]

Just wondering how you guys think having the Knox Flag and a locked bootloader will affect the vast majority of un-rooted users in future?

Short answer: It won't.

However, many people are drawn to Android specifically because of what the devices can do once rooted. XDA Developers practically exists for this sole purpose. It doesn't have to be a "vast majority" to be statistically significant. If Samsung's gamble on acceptance in the private sector doesn't pan out, it will hurt them. Speaking for myself, if I'm going to be restricted to some corporate entity's decision as to what is acceptable use of a device I bought and paid for, I might as well get an iPhone - timely updates and no bloatware.

 

[Rockman]

So it trips this knox counter gizmo and can void the warranty. What about actually rooting, does it make it impossible or what. I might not care about that if I can still root. I need wireless tether that's really all I want out of root.

 

[ironass]

So it trips this knox counter gizmo and can void the warranty. What about actually rooting, does it make it impossible or what. I might not care about that if I can still root. I need wireless tether that's really all I want out of root.

Rooting is still possible on Knox firmware.

 

[ironass]

We should start a poll on how long it will take someone to crack this.

Okay, so we'll make the earliest choice two weeks out.

Starting the 16th October and the bounty on cracking Knox and resetting the flag, now stands at US$2,142...

[Bounty] Reset KNOX counter to 0x0 (UPDATE- $2142)

 

[Funderbolt]

It'd be kind if ironic and embarrassing if they had to keep patching it

I'm new to Samsung, and I'm not sure this is related, but I'm getting security messages that lead to another message to update samsung security policy. An attempt to update always fails after it connects to the servers.

Does anyone know what this is?

 

[ironass]

Knox Security enabled firmware has now been out on the Galaxy S4 for some 3 months now and remains un-crackable in terms of re-setting the Knox warranty void flag mentioned in post #1. The bounty on this now stands at US$2,282, here.

As mentioned in #1.0, Knox enabled firmware is now being rolled out to other Samsung phones, notably the Galaxy S3, and their owners are now waking up to this. However, I am given to understand that it is implemented slightly differently to the Galaxy S4.

The advice remains the same... if you are rooted, or are thinking of rooting your phone...

DO NOT UPGRADE TO ANDROID 4.3. It is a one way trip as you cannot successfully return to Android 4.2.2 without screwing your phone up. See #1.1.

Whilst it is possible to gain root access without tripping the Knox flag it is a minefield and in any case, flashing a custom recovery or ROM will trigger the Knox flag. See your phone version's, All Things Root forum, for details of these methods.

It is still unclear from reports, here, if tripping the Knox flag, apart from rendering the phone useless as a secure BYOD, actually affects your warranty rights, with reports of repairs carried out, hardware being covered but not software, etc; etc: Please read the linked xda thread for more details.

Knox enabled firmware means just that... it has the prerequisites for Knox Security, a locked bootloader and Knox flag. The actual Knox app is downloaded from the Play Store via an icon on the phone, if required.

If you are on pre Knox firmware, there are a number of custom ROMs that offer Android 4.3 and even 4.4, (KitKat), that are Knox free and use your unlocked, 4.2.2, bootloader. See your phone version's, All Things Root forum, for details of these.

See post #1 for the latest, up-to-date, details on Knox firmware.

 

[ironass]

At long last... an official statement from Samsung regarding the Knox Security flag and your warranty.

About rooting Samsung KNOX-enabled devices and the KNOX warranty void bit


The way I read it, is that the status quo has returned and the old, "Don't ask... don't tell", policy of a stock ROM, if possible, for warranty repairs is back in force and that Knox will not be used to deny warranty. This has already been borne out from the numerous posts on xda, see #1.10 in post #1, where people have had their devices repaired in spite of a blown Knox flag.

So, it would seem that only those who need Knox Security for BYOD for work purposes, need to be concerned about blowing the Knox flag.

I feel a re-write of a number of my guides and posts is now needed.

 

[ironass]

Post #1 has been extensively re-written in the light of the latest statement, at last, from Samsung, regarding Knox Security and warranty repairs and places the emphasis on not rooting devices where the users place of work requires Knox Security to be enabled and the Knox flag to be untouched.

 

[ironass]

Samsung has unveiled the new Knox 2.0 Mobile Security platform that will ship with the Galaxy S5 and come to other phones running KitKat.

"The biggest change which Samsung Knox 2.0 brings to the table is different method of handling Android apps. The suite digitally secures Google Play apps data, therefore eliminating the need to run them in a dedicated Knox mode like in the previous version."

"Finally, Samsung will launch a dedicated Knox marketplace. The cloud-based app store will allow companies’ IT administrators to easily install apps on multiple devices."

Source

See, also...

Samsung Debuts Knox 2.0 Mobile Security Platform: MWC

 

[lotus49]

At long last... an official statement from Samsung regarding the Knox Security flag and your warranty.

...

So, it would seem that only those who need Knox Security for BYOD for work purposes, need to be concerned about blowing the Knox flag.

Would I be correct in thinking that one other group of people who might care is anyone who might wish to revert to a stock ROM? My S4 is 0x0 and rooted (I rooted before they rolled out the locked down firmwares) but my Note 10.1 2014 isn't and it is a source of some frustration to me.

 

[ironass]

Would I be correct in thinking that one other group of people who might care is anyone who might wish to revert to a stock ROM? My S4 is 0x0 and rooted (I rooted before they rolled out the locked down firmwares) but my Note 10.1 2014 isn't and it is a source of some frustration to me.

The jury is still out on that one lotus49.

As per #1.10, some people are getting warranty repairs even though the Knox flag is tripped and others, in various locations, are not. The ones that don't, omit to say whether they bothered to reset the separate Samsung flash counter using, say, Triangle Away by chainfire.

In #1.11 it would appear that Samsung are not actively discouraging rooting and flashing ROMs but are pointing out the pitfalls when it comes to the Knox security warranty side of things.

 

[silentwitness]

The jury is still out on that one lotus49.

As per #1.10, some people are getting warranty repairs even though the Knox flag is tripped and others, in various locations, are not. The ones that don't, omit to say whether they bothered to reset the separate Samsung flash counter using, say, Triangle Away by chainfire.

is triangle away now compatible with the I9500? I remember trying it in the beginning and it didn't support my phone.

 

[ironass]

is triangle away now compatible with the I9500? I remember trying it in the beginning and it didn't support my phone.

No, I'm afraid it is still not compatible with the i9500 silentwitness. A USB jig is your best bet I guess.

 

[ironass]

The first Samsung Galaxy S4 model to receive the new Knox Security 2.0 firmware is the GT-i9505, German, unbranded, release, I9505XXUGNE5.

This will be on all future updated firmwares, along with Kids Mode and improvements to TouchWiz.

See...

Galaxy S4 I9505 gets an update with Kids Mode and KNOX 2.0

What does Knox Workspace v2.0 bring according to this...

"Samsung's Knox 2.0 platform has been renamed the Knox Workspace, and includes a number of new features:

Platform security: Upgraded features include TrustZone-Protected Certificate Management, KNOX Key Store, Real-Time Protection for System Integrity, TrustZone-Protected ODE, Two-factor Biometric Authentication and an enhanced Knox framework.
Support for all Android apps from the Google Play Store.
Split-Billing to separate calculate the bills for personal-use apps and professional-use apps.
Two new cloud-based services, KNOX EMM and KNOX Marketplace, and a customization service, KNOX Customization targeted specifically at SMBs. KNOX EMM provides cloud-based mobile device management and identity and access management, while KNOX Marketplace is a store for businesses to purchase KNOX and enterprise cloud apps. KNOX Customization allows users to customize B2B solutions with off-the-shelf hardware."

 

[ironass]

It looks as though Samsung's Knox Security has caught on and will be incorporated by Google in its, "L", release firmware, across the board. This will mean that all Android devices, not just Samsung's, will have Knox Security pre-installed in the basic Google Android, "L", firmware. This will be welcomed by I.T. managers worldwide and will mean that Android, "L", will be accepted as a secure platform and on a par with the iPhone.

Android L Knox integration is essential in the fight against hackers