Knox Security & locked bootloader on new firmwaresTips

Last Updated:

  1. ironass

    ironass Well-Known Member

    Last updated: 09 MAY 2014

    #1.0. Samsung have released the latest Galaxy S4 stock firmwares, including Android 4.2.2, MGG onwards, see #1.8, for the International, and all future firmwares such as Android 4.3 and KitKat with locked bootloaders and Knox security flag which are a prerequisite for installing the optional, full, Knox Security app. The actual Knox app is downloaded from the Play Store via an icon on the phone, if required.

    It is being rolled out across the board to all the latest devices, branded and unbranded, with the exception of the GT-i9505G, Google Play Edition with stock Android firmware. It also comes installed on the latest Galaxy Note 3 and is being rolled out in new firmware updates for the Galaxy S3 and Note 2 as well as some tablets.

    Their reasoning behind this is to prevent devices with sensitive data (corporate, defence, government, etc: ) from having their data compromised, hence the Knox security. This is to comply with the ever growing security demands from these organisations IT departments for secure BYOD's, (Bring Your Own Device), and is not dissimilar from the Blackberry and Apple security protocols. This means that the latest Samsung devices are now deemed acceptable for use where security is important and increases Samsung's market potential.

    Samsung have further announced the Knox 2.0 mobile security platform that will come pre-loaded on the Galaxy S5 and will be introduced to older devices running KitKat...

    Samsung rolls out Knox 2.0 enterprise security suite to Galaxy S5 handsets

    #1.1. This obviously has implications for rooting and flashing custom ROM's if your workplace demands a secure Knox device. Unfortunately, once the bootloader is locked, reverting to an earlier firmware or nandroid backup is not possible and will not unlock it or remove or reset the Knox flag and can render it unusable with loss of Wi-Fi and/or sound and may require a repair to get it working again in some cases.

    #1.2. Flashing the latest Samsung stock Android firmwares will overwrite your system files and kernel as well as locking the bootloader, if not already locked. If you are flashing this to an already rooted phone, it will un-root you and, currently, there is no way to re-root and flash a custom recovery or ROM without tripping the Knox flag and rendering it unusable as a BYOD for organisations that require an untouched Knox flag for security. It also means that if you have apps that rely on root, such as SuperSU, you will not be able to uninstall them. Therefore, if you are going to install a stock Samsung, Knox enabled firmware to a rooted phone, you should first fully un-root and uninstall any root associated apps prior to updating.

    #1.3. In short... if you are on Knox Firmware then you are currently screwed for custom ROM's and recoveries as the Knox flag will be tripped and your device will no longer be Knox secure as a BYOD if your workplace requires it. Also, there is no possibility of going back to a pre Knox/unlocked bootloader firmware or nandroid backup as this will trip the Knox flag also.

    #1.4. If you are on Knox enabled firmware and wish to view your Knox counter status, go into Download Mode and the Knox flag is shown in the list at the top left of the screen. If, "KNOX WARRANTY VOID:", is showing as 0x0 then you have not tripped the Knox flag. If it is showing as 0x1, your Knox flag is permanently blown and your phone is no longer suitable for Knox security purposes.

    #1.5 There is a ray of hope for those who wish to update to Android 4.3 and are rooted in that dev's for the International phones have released custom firmwares for Android 4.3 & 4.4.2 that do not already have the locked bootloader and Knox Security. However, these are only available to those that do not already have Knox firmware installed and will not comply with the Knox security protocols if your place of work requires them.

    #1.6. CF-Auto-Root by chainfire and Root de la Vega claims that they can root Knox enabled devices but do not mention custom recovery or custom ROM flashing. Use at your own risk. There are also reorts that Voodoo's, OTA RootKeeper, has kept root on phones that are rooted and have updated OTA. Although it is not supporting 4.3 officially and may not work on the new 4.4, KitKat, release. Potentially leaving you with a rooted phone that you, "may", not be able to update without blowing the Knox flag.

    #1.7. The following article by Galen Gruman in Info World, lifts the lid on the new Knox security feature and goes into a lot more detail regarding its future use, (oh yes, there's more to come), on phones and tablets and why some carriers may not even implement it fully... The truth about Samsung Knox for Android security
    The higher-level security technology for select Android devices isn't really available yet, despite the hype

    #1.8. Samsung releases are categorised as follows:-

    M = year = 2013 (13th letter of alphabet)

    E = Month of year (May in this case, 5th letter of the alphabet)

    A = Release of that month (10th for, "A", as they start 1-9 first, before letters)

    Therefore, MEA is pre MGG, (2013, July, 16th release), and is before Knox. Only stock Samsung firmwares MGG onwards, (with the exception of MH1), have Knox.

    To locate your firmware version... type *#1234# into the dial pad and look at the last 3 letters/numbers of AP:

    #1.9. Here are some useful links to explain Knox...

    What is Samsung Knox?
    (Comes with a short, simple, self explanatory video)

    Samsung Knox User Manual/Guide

    #1.10. There appears to be some confusion as to whether tripping the Knox flag to 0x1 does in fact void your warranty as there are conflicting reports and statements regarding this, as discussed in this xda forum thread...

    Let's find out if KNOX flag 0:1 does void the phone's warranty or not

    It would seem that some posters in various locations have received warranty repairs even though their Knox flags were 0x1.

    #1.11. Finally, Samsung have issued the following statement that seems to indicate that Knox will not be used when considering warranty repairs and that they are maintaining the old status quo of, "Don't ask... don't tell", when it comes to rooting whereby a device on stock firmware and a reset Samsung, hidden, flash counter, (separate from the Knox flag), are OK, a warranty repair is considered.

    About rooting Samsung KNOX-enabled devices and the KNOX warranty void bit

    #1.12. There is a bounty being offered for any developer who can successfully reset a tripped Knox flag to 0x0, see #1.4. See thread, here. This currently stands at... US$3,173.

    CJKINNEY, _Sale_, Uber-Duper and 5 others like this.
  2. Goodspike

    Goodspike Well-Known Member

    We should start a poll on how long it will take someone to crack this.
  3. ironass

    ironass Well-Known Member

    No point, if an exploit is been found... Samsung will seal it! It has already been out for the International phones for some 8 weeks and the consensus of opinion from developers is that once you have Knox, you're stuck with it!
  4. Rxpert83

    Rxpert83 Dr. Feelgood Moderator

    It'd be kind if ironic and embarrassing if they had to keep patching it
  5. Goodspike

    Goodspike Well-Known Member

    Okay, so we'll make the earliest choice two weeks out. :D
  6. ironass

    ironass Well-Known Member

    True! As you've probably already seen on the ATR forum for the International phone Rxpert83, it has been the Holy Grail for a lot of dev's, quite a few of whom have compromised their phones in an attempt to find a way of resetting the Knox flag.

    There is even a bounty out, currently US$1,160, for anyone who can reset the Knox flag...

    [Bounty] Reset KNOX counter to 0x0 (UPDATE- $1160)
    Rxpert83 likes this.
  7. tntlassiter

    tntlassiter Well-Known Member

    So will having Knox make it any harder for the feds to hack into my phone any time they see fit or is it just making things harder on the user?
  8. ironass

    ironass Well-Known Member

    The NSA will be answering your post in person as soon as we at GCHQ in Cheltenham, England, forward them the details. In the meantime, can you please answer your last text message as it seems important. ;)
  9. jj14x

    jj14x Guides Guide

    My Sprint S4 is on MF9 (4.2) - rooted, so recovery shows "Custom".
    If I flash stock 4.3 using ODIN, it looks like it will unroot me.

    Is it right to assume though, that it will set my Knox counter to 0x0 and will make me fully stock?(in the sense that it will no longer show custom in recovery/about-page)?

    I'm trying to get this back to stock and sell it as soon as my Nexus 5 gets here.
  10. dynomot

    dynomot Well-Known Member

    Dear Mr "ironass", we at MI6, having looked at the GCHQ report you sent of said text have not forwarded the information to the NSA, as the message merely "tripped" some key words and phrases you at GCHQ continually monitor. Be advised that it "needs nuking" only reflects, in this instance, that the recipients dinner would need heating in a microwave oven when they got home. Please read the full body of the SMS caught for key words and phrases before passing on to us. We appreciate your continued vigilance. MI6.

    Seriously. Knox just screws us who wish to root, not your 95%+ owners of Knox enabled devices. Indeed it is a Samsung master stroke of genius. A secure phone within a phone allowing our good friends at agencies like the NSA and GCHQ to use their SGS4's to take snap shots of grannie's 90th birthday while simultaneously sending other snap shots to the NSA "Dropbox" account for further study.

    A jest of course, but that is the level of security it is meant to offer, If the NSA, FBI , CIA or even Internal Revenue wanted the details of any communication via your phone they could get them, Knox or no Knox, but a rival company or government, probably not. They might have to ask GCHQ, MI6 or MI5 first though on how to do it, as our "checks and balances" on our security services are very lax compared to yours, and that is saying something.
  11. hansangb

    hansangb Well-Known Member

    FYI, I FDR'ed my phone and no more Knox "update please" pop ups. It's been 24 hours. Let's hope it stays that way.
  12. ironass

    ironass Well-Known Member

    I think we are going to see more and more unhappy bunnies who have updated to the latest Knox security enabled firmware and locked bootloaders and either now realise they cannot root and install custom recoveries and ROMs or blow their warranty attempting to do so.

    As we have seen over the last 2 months or so on the International version, GT-i9505, which experienced Knox on Android 4.2.2, there are now 2 distinct camps...

    1. Those who updated to Knox enabled stock firmware and now dare not, or cannot, root and install custom recovery or ROM's for fear of blowing the Knox flag.

    2. Those that waited and did not update and are able to root and flash the latest new custom ROMs that come without Knox and the locked bootloader. See #1.5 in post #1.

    If you think that you may want to root your phone, now or in the future, then the best advice I can give you is not to update to a Knox enabled firmware and root now to disable nagging reminders to update and at the same time you are prepared for when the dev's for your phone version bring out the first custom ROMs mentioned in 2.
  13. Shocky

    Shocky On Probation

    For me the only option is to use the i9505G roms for now, quite tempted to get a Nexus 5 and sell the Galaxy S4.

    Kinda sad really as if this doesn't change this will be my last Samsung phone. :(
  14. lotus49

    lotus49 Well-Known Member

    Fortunately, I rooted and installed a custom recovery before all this Knox nonsense was released so I am still free to update using non-Samsung ROMs and I shall probably install the Google Play Edition 4.4 ROM when it comes out.

    For my next phone though, I shall be looking elsewhere, probably at whatever is the latest Nexus. It's a real shame. I bought an S2 and an S4 for myself and an S3 for my oldest son and all three phones have been great. Not being able to root or install a custom ROM is a deal-breaker though so it looks like no more Samsung phones for me :(.
  15. sntaylor

    sntaylor Well-Known Member Contributor

    Sadly I think many people who root will start to look at other options for their next phone, I suspect the s5 will come with Knox as standard, never know though, there may well be someone figures out a way to deal with it all.

    Thankfully I rooted within hours of getting the phone and I've been sensible enough not to update. I can picture two years down the line though and HTC and Sony have all introduced security measures which don't allow returning from root and there will basically become a developer phone, probably from cyanogenmod Inc which allows any changes at all?
  16. dynomot

    dynomot Well-Known Member

    I updated to stock firmware for UK (at work on Note 3 can't recall it's number) using Odin v3.09. I fully expected and was prepared for it to trip the Knox flag, but it didn't. An OTA Vodafone update was available, but I thought what the hell. So upgrading via Odin is OK it would seem.

    Also I have trawled 59 pages of XDA about Knox, and there is a question, still of does it invalidate your product warranty or the warranty given by Knox that your data is secured. I have neither the legal knowledge or money to trip my Knox flag, and then try and claim warranty. Legally you may still have a warranty, practically you haven't.

    Incidentally while we're on about Knox. A way of making your own, flashable by Odin. tar file that installs root via the "root de la vega" method is available as a script you run in "Command prompt" on your PC. It works for the Note 3 and "should" work for the SGS4. I must admit I've never touched "command prompt" in Windows, I imagine it's a bit like terminal in Debian (Linux) which I have used. I've downloaded it all and will give it a whirl tonight. All good fun. :)
  17. ironass

    ironass Well-Known Member

    If one could conclusively prove that the Knox flag is tripped by some legitimate means whilst upgrading on stock Samsung firmware for your device, then there may be a legal argument for challenging any warranty avoidance.

    See #1.6 of post #1 regarding the Root de la Vega method for those already on Knox firmware such as yourself. Please report back your findings on this root method and if you can install a custom recovery and ROM using it without tripping the Knox flag. Good luck old, fearless, test pilot!
  18. dynomot

    dynomot Well-Known Member

    Well I "know" flashing a custom recovery will trip it (Knox). I think if I successfully root I'll try mobile Odin first. I can't remember if it needs a custom recovery or indeed if it works anyway.

    We shall see.
  19. ironass

    ironass Well-Known Member

  20. nerys

    nerys Well-Known Member

    Can someone explain the legality of this warranty stuff.

    I was my understanding that its against federal law to void a warranty for something unrelated to the warranty request.

    IE they have to show that your "changes" are the reason for the warranty request to deny the warranty coverage.

    they tried the same thing with cars and inkjet printers and lost in court. epson can't deny your warranty for using third party ink unless they can prove the third party ink was the source of the problem. etc.. etc...

    SO how can samsung "summarily" void your warranty just because you tripped their stupid little counter?

    Second WHO USES stock warranties anymore anyway.? I have an insurance policy on my phone. if something happened to my phone "I WOULD USE THAT" not samsung.

    I see people saying I will leave samsung for nexus. Nexus is "junk" I would not buy a nexus device if it was the cheapest on the market. its worthless garbage since you can't replace the battery without tearing it apart (and hope you can get a replacement) and you can't expand the memory storage internally. IE "useless" hardware no matter how good the specs might be.

    Heck I really wish samsung would add a second micro sd slot. 64gb is just not enough. I keep filling it.

    SO WHAT if your warranty is voided. Woopee.
  21. Gomjaba

    Gomjaba Well-Known Member

    I believe to this day it is all just a wild assumption.. I have yet to read a report where someone got the warranty repair denied based on a Knox flag tripped.

    Having said that, people did get a deny because of a binary counter 0>. Whether that is technically legal or not is a different issue. Until someone takes Samsung to court in cases like this, Samsung will continue to do so.

    And I also have insurance, which is the easiest way to unlock your phone too lol. Every phone I claimed was replaced by there international model rather than locked and branded (not that I car as I always use the same carrier).
  22. lotus49

    lotus49 Well-Known Member

    That is certainly the case in English law. I don't believe this would stand a chance in either an English or a US court.
  23. Goodspike

    Goodspike Well-Known Member

    What people want to look at is the Magnuson-Moss Warranty Act. I don't remember what exactly it says, but nerys' theory isn't totally out in left field.
  24. ironass

    ironass Well-Known Member

    Have added a couple of links in #1.9 of post #1 to help explain what Knox Security is all about in very simple terms, with a video, as well as the Knox User Manual/Guide.

    I have also added, in #1.8, a breakdown of the Samsung firmware release numbering in an attempt to clear up any confusion on whether a particular firmware is Knox enabled, or not.

    I have also amended the main body of post #1 to read that Knox, "may", invalidate your warranty and have also added in #1.10, a link to the xda forum thread on the subject of the Knox flag and warranty. This thread shows that the situation with tripping the Knox flag and warranty repairs is still far from clear and that there are conflicting reports on the subject.
  25. ironass

    ironass Well-Known Member

    I do not pretend to be a legal eagle but offer the, "Devil's Advocate", argument.

    Taken from my reply, here....

    As per post #17, above...

    The bottom line, it would seem, is that the onus is on the claimant to prove that any damage covered by the warranty, could not be caused by rooting.

Share This Page