• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Root [International] Knox Security & locked bootloader on new firmwares

ironass

Extreme Android User
Aug 17, 2010
12,762
6,351
Cotswolds, England
Last updated: 09 MAY 2014


#1.0. Samsung have released the latest Galaxy S4 stock firmwares, including Android 4.2.2, MGG onwards, see #1.8, for the International, and all future firmwares such as Android 4.3 and KitKat with locked bootloaders and Knox security flag which are a prerequisite for installing the optional, full, Knox Security app. The actual Knox app is downloaded from the Play Store via an icon on the phone, if required.

It is being rolled out across the board to all the latest devices, branded and unbranded, with the exception of the GT-i9505G, Google Play Edition with stock Android firmware. It also comes installed on the latest Galaxy Note 3 and is being rolled out in new firmware updates for the Galaxy S3 and Note 2 as well as some tablets.

Their reasoning behind this is to prevent devices with sensitive data (corporate, defence, government, etc: ) from having their data compromised, hence the Knox security. This is to comply with the ever growing security demands from these organisations IT departments for secure BYOD's, (Bring Your Own Device), and is not dissimilar from the Blackberry and Apple security protocols. This means that the latest Samsung devices are now deemed acceptable for use where security is important and increases Samsung's market potential.

Samsung have further announced the Knox 2.0 mobile security platform that will come pre-loaded on the Galaxy S5 and will be introduced to older devices running KitKat...

Samsung rolls out Knox 2.0 enterprise security suite to Galaxy S5 handsets

#1.1. This obviously has implications for rooting and flashing custom ROM's if your workplace demands a secure Knox device. Unfortunately, once the bootloader is locked, reverting to an earlier firmware or nandroid backup is not possible and will not unlock it or remove or reset the Knox flag and can render it unusable with loss of Wi-Fi and/or sound and may require a repair to get it working again in some cases.

#1.2. Flashing the latest Samsung stock Android firmwares will overwrite your system files and kernel as well as locking the bootloader, if not already locked. If you are flashing this to an already rooted phone, it will un-root you and, currently, there is no way to re-root and flash a custom recovery or ROM without tripping the Knox flag and rendering it unusable as a BYOD for organisations that require an untouched Knox flag for security. It also means that if you have apps that rely on root, such as SuperSU, you will not be able to uninstall them. Therefore, if you are going to install a stock Samsung, Knox enabled firmware to a rooted phone, you should first fully un-root and uninstall any root associated apps prior to updating.

#1.3. In short... if you are on Knox Firmware then you are currently screwed for custom ROM's and recoveries as the Knox flag will be tripped and your device will no longer be Knox secure as a BYOD if your workplace requires it. Also, there is no possibility of going back to a pre Knox/unlocked bootloader firmware or nandroid backup as this will trip the Knox flag also.

#1.4. If you are on Knox enabled firmware and wish to view your Knox counter status, go into Download Mode and the Knox flag is shown in the list at the top left of the screen. If, "KNOX WARRANTY VOID:", is showing as 0x0 then you have not tripped the Knox flag. If it is showing as 0x1, your Knox flag is permanently blown and your phone is no longer suitable for Knox security purposes.

#1.5 There is a ray of hope for those who wish to update to Android 4.3 and are rooted in that dev's for the International phones have released custom firmwares for Android 4.3 & 4.4.2 that do not already have the locked bootloader and Knox Security. However, these are only available to those that do not already have Knox firmware installed and will not comply with the Knox security protocols if your place of work requires them.

#1.6. CF-Auto-Root by chainfire and Root de la Vega claims that they can root Knox enabled devices but do not mention custom recovery or custom ROM flashing. Use at your own risk. There are also reorts that Voodoo's, OTA RootKeeper, has kept root on phones that are rooted and have updated OTA. Although it is not supporting 4.3 officially and may not work on the new 4.4, KitKat, release. Potentially leaving you with a rooted phone that you, "may", not be able to update without blowing the Knox flag.

#1.7. The following article by Galen Gruman in Info World, lifts the lid on the new Knox security feature and goes into a lot more detail regarding its future use, (oh yes, there's more to come), on phones and tablets and why some carriers may not even implement it fully... The truth about Samsung Knox for Android security
The higher-level security technology for select Android devices isn't really available yet, despite the hype


#1.8. Samsung releases are categorised as follows:-

M = year = 2013 (13th letter of alphabet)

E = Month of year (May in this case, 5th letter of the alphabet)

A = Release of that month (10th for, "A", as they start 1-9 first, before letters)

Therefore, MEA is pre MGG, (2013, July, 16th release), and is before Knox. Only stock Samsung firmwares MGG onwards, (with the exception of MH1), have Knox.

To locate your firmware version... type *#1234# into the dial pad and look at the last 3 letters/numbers of AP:

#1.9. Here are some useful links to explain Knox...

What is Samsung Knox?
(Comes with a short, simple, self explanatory video)

Samsung Knox User Manual/Guide

#1.10. There appears to be some confusion as to whether tripping the Knox flag to 0x1 does in fact void your warranty as there are conflicting reports and statements regarding this, as discussed in this xda forum thread...

Let's find out if KNOX flag 0:1 does void the phone's warranty or not

It would seem that some posters in various locations have received warranty repairs even though their Knox flags were 0x1.

#1.11. Finally, Samsung have issued the following statement that seems to indicate that Knox will not be used when considering warranty repairs and that they are maintaining the old status quo of, "Don't ask... don't tell", when it comes to rooting whereby a device on stock firmware and a reset Samsung, hidden, flash counter, (separate from the Knox flag), are OK, a warranty repair is considered.

About rooting Samsung KNOX-enabled devices and the KNOX warranty void bit

#1.12. There is a bounty being offered for any developer who can successfully reset a tripped Knox flag to 0x0, see #1.4. See thread, here. This currently stands at... US$3,173.
 
Samsung, in their infinite wisdom, have released the latest Galaxy S4 stock firmwares, MGG, MH5 and MH8 and all future firmwares I am given to understand, with locked bootloaders!

Their reasoning, I believe, behind this is plug security exploits such as the Master Key ones.

This obviously has implications for flashing custom ROM's which require an unlocked bootloader.

Even as I type, dev's are working on unlocking the bootloader, notably chainfire, and hopefully it will not be too long before this happens.

Until such time as a stable workaround is available the best advice is to avoid flashing any stock firmware or ROM's with a locked bootloader. DjeMBeY, for instance, has withdrawn his stock, rooted, MGG firmware because of this.

I am sure that someone like Hawker can give a better, more detailed, updated, explanation regarding the situation... providing we can sober him up!

That sucks
 
Upvote 0
Could this have caused my issue?

I updated the latest Vodafone update yesterday and my S4 (I9505)has no recovery mode - I see the android logo and 'no command' below it and I can't get it to connect to odin anymore.

I am royally boned. Can someone please help me? I just want to get MEA firmware back on there and root again. Reason is the phone is really slow to start up and wifi no longer works since the bastard update. Have a thread already so sorry for repeating but I am really stressed out!!

Cheers!!
 
Upvote 0
Have you checked to see if you are running one of the firmwares mentioned?

Hi Yes, the update was MGG I think.....:(

Some details in case helpful:

Baseband version I9505XXUBMEA
Kernal verion 3.4.0-1220369se.infra@SEP-138#1
Build JDQ39.I9505XXUDMGG

Any help would be greatly appreciated. It is due to go back to VF Tuesday, but since it was rooted they may not honour the warranty. I did use triangle away to reset the counter when it was rooted so maybe I will get away with it....but not sure...
 
Upvote 0
Hi Yes, the update was MGG I think.....:(

Some details in case helpful:

Baseband version I9505XXUBMEA
Kernal verion 3.4.0-1220369se.infra@SEP-138#1
Build JDQ39.I9505XXUDMGG

Any help would be greatly appreciated. It is due to go back to VF Tuesday, but since it was rooted they may not honour the warranty. I did use triangle away to reset the counter when it was rooted so maybe I will get away with it....but not sure...

You will need to flash the stock, MGG, firmware via Odin to get rid of root and custom recovery, if you have those, as you are returning it.
 
Upvote 0
Thanks Ironass - I am trying to find the firmware online, but not having much luck. I have tried using the sammobile site, but the download of the software fails half way.

Also, Odin3 will not connect to my phone anymore. I've been trying for the last 2 hours and also re-downloaded the usb drivers but still no luck. Could this be because I have the 'no command' error in recovery mode?

I will keep trying but looks like I have a very expensive paperweight at the moment.
 
Upvote 0
Thanks Ironass - I am trying to find the firmware online, but not having much luck. I have tried using the sammobile site, but the download of the software fails half way.

Try...

Samsung Updates Latest Firmware - LIVE!

Your region, (CSC), code for Vodafone UK is VOD.

Also, Odin3 will not connect to my phone anymore. I've been trying for the last 2 hours and also re-downloaded the usb drivers but still no luck. Could this be because I have the 'no command' error in recovery mode?

You will need PC Odin to flash I'm afraid. Try searching for the older, v1.87, Odin and see if that helps.

I will keep trying but looks like I have a very expensive paperweight at the moment.

If you do manage to flash the stock firmware, you may find that your problems are resolved... unrooted.... but resolved.
 
  • Like
Reactions: Kasser
Upvote 0
Thanks for helping but no luck getting odin and phone to connect. Have tried 5 different versions of odin but nothing.

Will just send this back and fingers crossed they fix it. Otherwise, I will just go back to my S2 and lick my wounds.

EDIT: Managed to get it to connect. I flashed MGG and still have wifi issue - just won't toggle to on position. Am I ok sending this back or do I need to hide the fact I used odin just now?
 
Upvote 0
Thanks for helping but no luck getting odin and phone to connect. Have tried 5 different versions of odin but nothing.

Will just send this back and fingers crossed they fix it. Otherwise, I will just go back to my S2 and lick my wounds.

EDIT: Managed to get it to connect. I flashed MGG and still have wifi issue - just won't toggle to on position. Am I ok sending this back or do I need to hide the fact I used odin just now?

MODS I HOPE THIS IS OK. IF NOT I APOLOGISE.

I'm uploading original I9505XXUBMEA_I9505VFGBMF2_CNX.zip stock Vodafone, firmware for you, and a working copy of Odin. I see that you look as though you know what your doing. I'll PM you when it's ready.
 
  • Like
Reactions: Kasser
Upvote 0
It's all linked to Google buttoning down on Android security, and not Samsung in particular.
Personally I fear for where all this may be leading to.
I wouldn't be surprised if soon we see the elimination of all apps that require root access from the Play Store.

Anyway on a lighter note, DjeMBeY has released Deodexed SuperSlim KNOX FREE MH8 - CWM, but rather irritatingly, Samsung have released ZHUDMH6 firmware which has a higher changelist (1371094)
:rolleyes:
 
Upvote 0
It's all linked to Google buttoning down on Android security, and not Samsung.
Personally I fear for where all this may be leading to.
I wouldn't be surprised if soon we see the elimination of all apps on the Play Store that require root access.

Anyway on a lighter note, DjeMBeY has released Deodexed SuperSlim KNOX FREE MH8 - CWM, but rather irritatingly, Samsung have released ZHUDMH6 firmware which has a higher changelist (1371094)
:rolleyes:


What's Knox free
 
Upvote 0
Personally I fear for where all this may be leading to.
I wouldn't be surprised if soon we see the elimination of all apps that require root access from the Play Store.

It's being so cheerful that keeps the old Welsh shepherd going...

Wur Doomed, Entombed & Marooned... - YouTube


(Unfortunately, I fear he may be right! :( )


On a brighter note SYD... the DjeMBeY, CWM, MH8 ROM seems fine... SYD... also the MGG 3Minit framework is working with it... SYD. If you wanted to give that combo a try and report back, then Hawker and I are here for technical support... SYD!
 
Upvote 0
So long as the workaround, well, works, on this new MH8 version of DjeMBeY's ROM and newer future releases, and we can extract our PAID FOR (are you listening Google/Samsung?) apps apks we should have no fear. :)

Let us hack/flash and modify our (yes Google, ours not yours) phones to our hearts content. Now where is Syd, our resident test piolet?
 
Upvote 0
So long as the workaround, well, works, on this new MH8 version of DjeMBeY's ROM and newer future releases, and we can extract our PAID FOR (are you listening Google/Samsung?) apps apks we should have no fear. :)

Let us hack/flash and modify our (yes Google, ours not yours) phones to our hearts content. Now where is Syd, our resident test piolet?

It's all linked to Google buttoning down on Android security, and not Samsung in particular.
Personally I fear for where all this may be leading to.
I wouldn't be surprised if soon we see the elimination of all apps that require root access from the Play Store.

Google might be trying to remove root obtained through exploits because they are a greater security risk than just obtaining root itself, but they're not the ones locking up your devices. Last time I checked, every Nexus device's bootloader can be unlocked with a simple "fastboot oem unlock" command, and the Google Play Edition of this S4 has an unlocked bootloader out of the box. On those devices, you can still unlock, root, flash recovery, roms, and kernels without the need for exploits. In other words, Samsung did this to you, not Google.
 
  • Like
Reactions: Raptor_Jesus
Upvote 0
Google might be trying to remove root obtained through exploits because they are a greater security risk than just obtaining root itself, but they're not the ones locking up your devices. Last time I checked, every Nexus device's bootloader can be unlocked with a simple "fastboot oem unlock" command, and the Google Play Edition of this S4 has an unlocked bootloader out of the box. On those devices, you can still unlock, root, flash recovery, roms, and kernels without the need for exploits. In other words, Samsung did this to you, not Google.

Are you sure jhawkkw? Our boot loaders were unlocked, it's just these new firmwares that have it from what I can gather. I'm not saying your wrong, but it would be nice to know who to grumble at before firing off an email to a CEO.
 
Upvote 0
Are you sure jhawkkw? Our boot loaders were unlocked, it's just these new firmwares that have it from what I can gather. I'm not saying your wrong, but it would be nice to know who to grumble at before firing off an email to a CEO.

For the most part, I only own Nexus devices. I've owned 3 of them and am on the verge of buying the new LTE Nexus 7 to make it my fourth. This wouldn't be the first device ever that came unlocked and was later locked. Samsung has begun to make a push to be seen as a corporate option and that requires tight security. That's why software like Knox is on the device.
 
Upvote 0
Knox is certainly to be blamed on Samsung (hence the sec in the file name below), but its a worrying trend nonetheless.

For those rooted users amongst us who are MGG+ original firmware, there are a couple of things you can try to get rid of the Knox annoying messages:

in an adb shell, type pm disable com.sec.knox.seandroid
or perhaps try and freeze Knox apps in TB

Personally, I'm staying on MGA for a while until this calms down a little.
 
  • Like
Reactions: EarlyMon
Upvote 0
Are you sure jhawkkw? Our boot loaders were unlocked, it's just these new firmwares that have it from what I can gather. I'm not saying your wrong, but it would be nice to know who to grumble at before firing off an email to a CEO.

I'm absolutely sure - this lays at Samsung and not Google.

Google is only responsible for Android and only for Nexus devices at this level.

Samsung phones run TouchWiz, an Android variation based on the Android Open Source Project (AOSP).

Anything hardware-specific to a given device comes from the device manufacturer - device drivers, the kernel, and the bootloader - along with security and update policies.

Your gripe is with Samsung.

Promise. ;) :eek:
 
  • Like
Reactions: dynomot and jhawkkw
Upvote 0
I'm absolutely sure - this lays at Samsung and not Google.

Google is only responsible for Android and only for Nexus devices at this level.

Samsung phones run TouchWiz, an Android variation based on the Android Open Source Project (AOSP).

Anything hardware-specific to a given device comes from the device manufacturer - device drivers, the kernel, and the bootloader - along with security and update policies.

Your gripe is with Samsung.

Promise. ;) :eek:


Well that's more encouraging news
 
Upvote 0

BEST TECH IN 2023

We've been tracking upcoming products and ranking the best tech since 2007. Thanks for trusting our opinion: we get rewarded through affiliate links that earn us a commission and we invite you to learn more about us.

Smartphones