Root [International] Knox Security & locked bootloader on new firmwares

Applications can have their permissions rescinded remotely, and basically Knox has the US military's approval. All good stuff for Samsung.

It will go far beyond just the US military. Five Eyes (FVEY) and other defence and government departments worldwide, as well as their contractors and sub-contractors, and any organisations who have sensitive information or are worried about industrial espionage, all have lists of devices that they can or cannot use for security reasons. See this recent article...

Spy agencies 'ban Lenovo from secret networks'
Sitting here on MGA trying to take this all in. It seems like things could be as they always were ...just with a one way ticket.


I've been considering going back to stock unrooted a lot lately; my phone has never been as spot on as since I first booted it up. Everything worked, but soooo much bloat and a lack of UI customisation made my mind up about rooting once more.
Now I'm OK in this MGA bubble. My only issues are random phone resets from time to time. A bug in the camera app, me suspects. So until 4.3... I guess call me the Robinson Crusoe of the forum.
Sitting here on MGA trying to take this all in. It seems like things could be as they always were ...just with a one way ticket.


I've been considering going back to stock unrooted a lot lately; my phone has never been as spot on as since I first booted it up. Everything worked, but soooo much bloat and a lack of UI customisation made my mind up about rooting once more.
Now I'm OK in this MGA bubble. My only issues are random phone resets from time to time. A bug in the camera app, me suspects. So until 4.3... I guess call me the Robinson Crusoe of the forum.

I guess that goes for all of us. Ah well bring on 4.3, "have a break - have a Kit - Kat" :)
Ah well bring on 4.3, "have a break - have a Kit - Kat" :)

Errr.... 4.4 = KitKat

(You were just trying to see if I was paying attention)


Is there anything in the latest firmware that is particularly worth upgrading for?

Re: post #43...

Since the latest releases of firmware for the S4 all seem to be based on MGA/MH1 with just the addition of the new security features, I can see no reason to shift from my present ROM as there is no advantage. However, with the imminent release of Android 4.3 and the enhancements that this brings, I shall be updating.
The ability to lock bootloaders on Samsung devices has been a constant claim from many users, and that for security reasons.

If you have a Nexus, it comes locked out of the box, and nobody can run ClockWorkMod from an external sdcard and grab all your partitions there. And if you unlock the bootloader you get the device formatted. On Samsung, data can actually be stolen because of the previous explanation, so I am really glad they decided to implement it.

It's a step forward in security and goes in the direction of iOS, where it is almost impossible to read your data without knowing your passwords / fingerprints.
if you unlock the bootloader you get the device formatted. On Samsung actually data can be stolen because of the previous explanation, so I am really glad they decided to implement it.

Actually a good point. I think what annoys most people is not KNOX itself; it's that no one really knows if Samsung would refuse hardware warranties based on the Knox Warranty flag...
Actually a good point. I think what annoys most people is not KNOX itself; it's that no one really knows if Samsung would refuse hardware warranties based on the Knox Warranty flag...

Since tripping the Knox security actually alters (ergo breaks) the hardware my guess is it would void any warranty. The phone would be "damaged", as in useless as a BYOD phone and the security features would not work anymore. I would imagine in UK law it would be legal to deny warranty on a rooted phone with Knox compromised. The "Pre Knox" denial of warranty is very dubious legally in the UK. Samsung have got around that now.

We still pay our money and take a choice whether to root or not, only now with the new bootloaders and Knox I think anybody rooting can kiss their warranty goodbye.
The warranty blackmail of rooting, driven in part by corporate greed and in part by bad rooters trying to scam the suppliers when they screw up.

Sprint (US carrier) came out with an enlightened service policy a few years ago. Take them your broken phone. They'd restore it to stock on the service bench. If it worked, you paid, if it didn't, it was a hardware fault and you didn't.

With an HTC, you go to HTCdev.com to unlock the bootloader and you decide before proceeding to give up the warranty. You know what you're choosing.

Because of the fraud aspect, I can see suppliers wanting to cover their backsides.

But Sprint has already shown the path to salvation for the corporate greed part.

Sadly that hasn't caught on.

I keep hearing that we're such a small minority of users.

Seems to me we're big enough to dominate the industry blogs, and get a lot of policies and laws passed concerning us.
Indeed EarlyMon.

I'm more than a little annoyed with myself. I bought a smashed-screen SGSIII, bought a screen, replaced it and to my delight got it working again. Played with it, rooted, flashed etc., but in my exuberance didn't back up the EFS folder, more fool me. Fortunately my local repair shop can fix it as long as I can prove it is mine (I can), so no harm done. I wouldn't try and scam Samsung, but I feel prejudged by their Knox counter.
I saw that post and was hoping for the best - glad you had an honest vendor to help you on that!

But yeah - I know exactly what you mean.

The presumption of guilt - what could possibly go wrong?

Statistics and semiconductors are a funny thing.

There is no certainty that any storage location on any electronic media will be accurate for all time.

Let me break that down - ever done a battery pull to fix something, and it worked?

Then you were the victim of a class of semiconductor upset called latch-up: some bit at the right place to cause trouble got stuck in RAM, and a board-level reset (what us non-removable battery types do) or removal and reapplication of power fixes it.

Statistically, the probability of the Knox counter going astray all without the user doing anything is extremely small. Like winning the lottery.

And like winning the lottery, that probability is not zero.

The right way to have done this would have been a semiconductor fuse, not a counter.

Some day, someone is going to claim that losing his warranty is not their fault - and not one person that matters is going to believe them.

This isn't about the silly, undying myth of Android being inherently insecure.

It's about Android being secure for enterprise use.

Enterprise use means that instead of the maker or carrier essentially being the root user - read precisely: the administrator - and instead of you being the root user, someone at your place of work becomes your administrator.

The only way for that to have been possible in the past was to have rooted devices distributed - the opposite of what makes security sense for a corporation.

So Android hasn't been able to realistically play in enterprise. We used to have an enterprise forum but removed it because it was a non-starter.

Does Knox make it possible to work in an enterprise environment?

Yes, all the way up to military enterprise.

Will it make individual users more secure?

If you say so.

But the first day that a Knox update releases to fix the latest security threat is the day that the answer to that last question will be proven: no.

Just saying. ;) :D

PS - just for a little levity and definitely for perspective, here's a classic from over 3 years ago warning you about how insecure Android is.

NSFW, foul language, you've been warned.


Just as true today as it was back then.
Although blowing the eFuse is irreversible, I don't understand how Samsung prevents the bootloader being hacked directly.

I presume that there is code in the firmware somewhere that blows the eFuse before unlocking the bootloader. If that code could be identified and disabled by directly altering the low level data, the bootloader could be unlocked leaving the eFuse intact.

I cannot be the first person to have thought about this so I wonder how they can prevent this.
Although blowing the eFuse is irreversible, I don't understand how Samsung prevents the bootloader being hacked directly.

I presume that there is code in the firmware somewhere that blows the eFuse before unlocking the bootloader. If that code could be identified and disabled by directly altering the low level data, the bootloader could be unlocked leaving the eFuse intact.

I cannot be the first person to have thought about this so I wonder how they can prevent this.

Good point, but given that it is approved by the US military as well, it makes me wonder if this is not just a software solution but embedded in the hardware somehow, somewhere, which essentially just gets enabled once you install the new firmware.

So clearly, how they do that (hardware / encryption / software) will remain a nice kept secret until someone can indeed hack it....

But again, given the military approval I'd be surprised if someone can find it without making Samsung look like an idiot :)
My reading of the situation, and I could be wrong, is that the Knox flag and therefore the e-fuse are tripped by rooting, during rooting. Not by unlocking the bootloader, but the actual rooting of it. No matter what you do, if the device is rooted (and I doubt there are many different ways to root) the actual process of rooting trips it. Next to impossible (but I live in hope) to circumvent.
Has the existence of an efuse been confirmed?

Good point EarlyMon.

In post #1 I link to chainfire's post, here, where he states...

"I've taken a look around, I've disassembled the bootloader, etc, and it looks like an efuse might be involved ( == not resetable ). I'm not exactly sure what triggers it yet either."

However, over on xda forums thread, "Samsung Knox: Warranty Void Behavior"
there is some speculation to this and to how the Knox counter is blown, as shown in the post by the developer, DjeMBeY, here and here.

There are currently 45 pages of posts and it would appear that in the absence of an official statement from Samsung on how Knox Security actually works and what impact an increased Knox counter has on your warranty, it is all speculation thus far.

Those who know more than I (not hard) seem to be going with the efuse embedded in the chip, as this would appear to be the most likely way of flagging a security breach without the ability to reset the Knox counter by re-programming, re-flashing or using a JTAG, thus making Knox secure enough for its intended purpose.
What you also have to consider is, if this efuse actually does exist within the chip, why did it take Samsung so many firmware releases to utilise it? I would think they would have been making full use of it from day one.

Why?

Knox is a comprehensive enterprise security solution.

The Department of Defense was first published as considering Android for deployment back in 2010 and iOS consideration followed shortly thereafter.
This may affect DoD office workers but their first look was for data fusion and command coordination for soldiers on the ground.

Developing suitable specs and running through trials did not happen overnight.

And until they were really ready to understand and support enterprise security, there was simply no need.

http://www.spyghana.com/android-more-reliable-in-security-than-iphone/

How about some numbers?

http://www.xda-developers.com/android/just-how-safe-is-safe-in-android/

In the common parlance, user isolation from malware is already hitting 5 nines.

99.999% of app installs won't present the problem.

100% of that is driven by people understanding app permissions before installing.

And not everyone does.

So in an enterprise situation, people are paid to stay on top of it for the whole organization.

But outside of that, there's just no need.
Am I the only one that remembers that Samsung hired Steve Kondik from CyanogenMod back in August 2011 and fell over themselves in the press bragging about how developer friendly they were?

That at that point, they were encouraging CM development for their phones?

Anyone? Bueller? Anyone? :D

Bling, bling, dollar, dollar bill, y'all.

In 2011, Android times were different and 2010 saw the SGS with a lot of problems. A year later, Samsung saw the demand for rapid updates and more feature choices so they opened up a lot.

Today, Android and Samsung aren't struggling for domination, they have it.

Where's the rest of the dollar bills that haven't been scooped up?

Not with rooters spreading the word to non-rooting friends.

It's in enterprise sales - virgin territory.
What you also have to consider is, if this efuse actually does exist within the chip, why did it take Samsung so many firmware releases to utilise it? I would think they would have been making full use of it from day one.

Two reasons spring to mind old stick...

1. The partnership and licensing agreement between Samsung and Centrify was not ready in time. See here and here.

2. Samsung waited until you had got the S4... just to spite you.


(Personally, I think the latter ;))