[Q] What the hell is "KNOX" ?? - Galaxy Note 3 Q&A, Help & Troubleshooting

I just purchased Galaxy Note 3 (SM-N900) , Saw a new entity called "KNOX" ......What the hell is it ?? What is it's use ??
I have not tapped it's icon as yet as i am very unclear regarding it's functioning....Please explain in details if possible....

nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
---------- Post added at 01:11 PM ---------- Previous post was at 01:07 PM ----------
nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox

Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SEANDROID ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.

siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Click to expand...
Click to collapse
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app

jbbosu said:
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
Click to expand...
Click to collapse
No, that's just the "Official/Custom" binary and system status indicators that have been present on Samsung devices for a while now. Those are resettable by wiping the phone and flashing a completely unaltered stock firmware image. There is also a custom binary flash counter that is resettable by TriangleAway.
KNOX is a totally different beast - a secure boot environment protected by a trust chain - the white paper explains it.

I wonder how it affects the battery life ? Sorry I didn't really understand anything you guys are throwing out .. I just don't like bloat ...

Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!

Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data like diary will be compromised. Unfortunately the private use of Knox is very limited and only has few applications like email, camera, gallery, S planner and my files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as requires password to access each time and it is not so easy to get data in and out the Knox area. For example Knox restrictions prevents Screen Write.
I guess Samsung put it on the phone so users can get familiar to its being there and so will make less a fuss at work and likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse

siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Click to expand...
Click to collapse
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.

ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
You not understanding what I wrote is not my problem. If you want to know, go learn.
---------- Post added at 10:06 AM ---------- Previous post was at 09:34 AM ----------
arsi123 said:
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
Click to expand...
Click to collapse
Thanks man. Too many arrogant, self-entitled, impatient dweebs on this site who expect to be spoon-fed everything and cry foul when something requires reading comprehension beyond third grade.

fonejacker said:
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data like diary will be compromised. Unfortunately the private use of Knox is very limited and only has few applications like email, camera, gallery, S planner and my files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as requires password to access each time and it is not so easy to get data in and out the Knox area. For example Knox restrictions prevents Screen Write.
I guess Samsung put it on the phone so users can get familiar to its being there and so will make less a fuss at work and likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
Click to expand...
Click to collapse
thanks for the brief explanation... i'm new to android and was confuse about this too

Read the links in this Post: http://forum.xda-developers.com/showpost.php?p=45851579&postcount=1

Laymans terms, think of tAndroid as a container with no lid - things can go in or out.
Knox is a second container inside the 1st that has a lid. Anything done inside Knox stays inside Knox. You aren't able to utilise all the features of the original os, only the things Knox will let you.
Unfortunately it also effects the running of Android because to make sure that the Knox part doesn't get violated by anything not allowed it has to keep the whole OS "pure"...
That's why root access is a problem, it opens the lid a crack allowing things in and out that shouldn't be there so once you root it detects this, and no longer able to ensure complete safety of data, will no longer run as it should on your device. It just hangs around, a ghost in the system to pi$$ you off...
This is a simple idea of what Knox was intended to do, it actually has ties right to the kernel and bootloader, hence the warranty void problem.

Related

Regarding ROOTED Hero or any Droid phone..

Taken from an user in Androidforums.com ...
that kind of crossed my thoughts when I rooted my phone, what is the possibility though?
n0gik said:
This is a wonderful thread - and my apology if I've missed this question here or anywhere else.
Regarding 'rooted' Hero (or any other Android) phones, once they're rooted, can you set a root password? ('passwd' command after issuing 'su' command)
It would seem to me that leaving the superuser unprotected, with escalated execution privileges NOT protected, then downloading/installing a maliciously written application could become an issue. I'd hate to see thousands (millions?) of Android phones become disabled, DOS attack points or spamming mailer daemons.
Just trying to make an educated decision before rooting.
Click to expand...
Click to collapse
no answers????
I've not done much research on the subject however the superuser apk is there to protect us with custom roms so you can be protected from potentially malicious applications.
We really cant set a password on our root, especially since this is not a "Full" linux distro, it's very watered down to fit and run "well", this includes the SElinux. The SuperUser app offers protection, when an app runs that requires Root, superuser kicks in and asked Always Allow, Allow, Dont Allow, Never Allow.
Given, superuser probably has its weeknesses all security apps do and anyone with the smarts to figure out the loop holes will. It's a cell phone, not your bank account or medical records. I can't see you or anyone carying anything too private on it, maybe some corp. emails. Viruses happen, luckily there doesn't seem to be to much circulating in the way of Android. There are even a few AV apps on the market if you look for them.
The only app I have that requires root is WiFi Tether. Maybe, oneday, when we get full kernel source someone can protect our root a little better than it currently is. If having an Android phone has taught me anything, it is that Google security policies must be Garbage. Look at how they protect paid apps, if I was a Dev that wanted to make money on his code there is no way I could cope with only having stuff in a protected folder. Looks like they would have to make their own software protection, and some have.
Lcarpenter, thanks for answering.
I can breathe a little better now..

[Q] Rooting and KNOX

I hope I am not cluttering things up with a stupid question but I would like to find out if rooting and KNOX are mutually exclusive. My situation is that I will be moving from a personal to corporate liable account at work soon (taking my S4 with me) and their only requirement is securing the device on MobileIron with KNOX. I don't really mind the stock rom but there are two or three things I would like to be able to do on my device that require root access (mostly config toggles with a profile manager and using TiBu).
Thanks for any wisdom you can pass on.
drichter12 said:
I hope I am not cluttering things up with a stupid question but I would like to find out if rooting and KNOX are mutually exclusive. My situation is that I will be moving from a personal to corporate liable account at work soon (taking my S4 with me) and their only requirement is securing the device on MobileIron with KNOX. I don't really mind the stock rom but there are two or three things I would like to be able to do on my device that require root access (mostly config toggles with a profile manager and using TiBu).
Thanks for any wisdom you can pass on.
Click to expand...
Click to collapse
Same issue for me . . . any updates?
saintirish said:
Same issue for me . . . any updates?
Click to expand...
Click to collapse
Not yet.... I am moved over but they haven't set me up yet on MI. I reverted to un-rooted until then and will see what it looks like and maybe try rooting again after I am all set up.
I would not think that having administrator privileges on your device would prevent the Knox from working... I don't use Knox, though.

How does Knox work?

I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what to prevent the data in one container from being shipped out to the web? How does it really protect the data?
testrider said:
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what to prevent the data in one container from being shipped out to the web? How does it really protect the data?
Click to expand...
Click to collapse
No, no, no, you have it all wrong... Its not to protect YOUR data... It's to protect Samsung's bottom line.. All those nasty people with legitimate claims for warranty, Knox destroys that so you can't present for warranty if something goes wrong....
testrider said:
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what to prevent the data in one container from being shipped out to the web? How does it really protect the data?
Click to expand...
Click to collapse
Read this: http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
And this: https://www.samsungknox.com/overview/technical-details
This also: http://forum.xda-developers.com/showpost.php?p=46795903&postcount=149
Secure Android Platform
Samsung KNOX offers a multi-faceted security solution rooted in the tamper-resistant device hardware, through the Linux kernel and Android operating system. The first line of defense against malicious attacks, Samsung KNOX is currently approved to run on US Department of Defense networks. (If flag 0x0, my opinion).
More important then warranty is the security. Flag at 0x1 means NOT SECURE. The people is warning for that by Warranty Void.
Read this also: http://www.sammobile.com/2013/10/09...alaxy-note-3-causes-hardware-damage-say-what/
Rooting-and-flashing-custom-software-on-the-galaxy-note-3-causes-hardware-damage-say-what
Thank you. Will check it out.

[Q] Better Permissions control without tripping KNOX

I've just upgraded from a Nexus i9250 running CM11 with PrivacyGuard to an S5.
As far as I can tell this stock S5 doesn't have any permissions control. And now I discover this Knox and Android for Work.
I am trying to figure out what to do about it. I MUST have permissions control.
On the one hand, both Knox and Android for Work seem like exactly what I have been looking for - to allow me to do secure operations separate from the rest of Android. Great, I thought, I can put Bitcoin, banking and a secure browser here. The warranty problem is of course complicated but for me I have decided to disregard this part of the decision.
But on the other hand Android for Work would require me to setup a domain and.... it will probably require ongoing fees in a few years time after it's established. While Knox could be a backdoor I am not looking to secure against NSA level - just apps I have no choice in using.
So should I root, maintaining 0x0 and install a permissions app of some sort? Or do I forget about this new security stuff and relax, install the familiar Cyanogenmod and blow the 0x0 to 0x1 as who cares anyway?
If I had known I would have gone with the OnePlusOne to avoid making the decision
The knox is there primarily to allow 'secure' (unmodified) devices to access secure, business (enterprise?) networks/servers.....If knox has been tripped due to modifications, connecting the device is denied. As I said, it's primarily aimed at the business sector.....
The fact that Samsung uses it as a warranty flag is secondary......
How knox will affect your personal aims, I don't know, but hopefully the above info *might* give you *some* insight as to how it works and what impact this could have on what you want to do......
Sent from my rooted, debloated stocKK kn0x0 SM-G900F

Samsung S8: completely remove Maas360 and KNOX?

Hi, I've been searching answers for this on Google for a while now but not found any sufficient answers.
I have a new phone that is completely locked down by company policies. I don't agree with these policies and they stop me from using my prefered launcher which needs root.
In short words, I want this crap off my phone!
Knox Enrollment Service is completely locked and cannot be disabled. Maas360 cannot be disabled and unlocked. I read that you cannot root a phone running Maas360 and KNOX the normal way.
Is there a ROM that would allow me to safely remove these services and turn my phone into a stock Samsung Galaxy S8 - or will that brick my phone?
Thanks for any advice
If its corporate policy, they will be notified if the phone is rooted or modified in any way and you could lose your job over it. They probably have strict policies in place to prevent access to company data. If you didnt agree then why did you add any company accounts to your phone?
whitedragon551 said:
If its corporate policy, they will be notified if the phone is rooted or modified in any way and you could lose your job over it. They probably have strict policies in place to prevent access to company data. If you didnt agree then why did you add any company accounts to your phone?
Click to expand...
Click to collapse
Thanks for your reply!
I don't know how these services work, but if I flash it with a custom rom that completely removes the old system and makes it into a "stock" Samsung phone. Then none of these services would be present to report any of these changes. I guess the receiving system would simply believe this phone is turned off and possibly after some weeks report that the phone hasn't reported in for X days. Thanks for worrying about me keeping my job, but that won't be a problem I assure you
mrkiwibanana said:
Thanks for your reply!
I don't know how these services work, but if I flash it with a custom rom that completely removes the old system and makes it into a "stock" Samsung phone. Then none of these services would be present to report any of these changes. I guess the receiving system would simply believe this phone is turned off and possibly after some weeks report that the phone hasn't reported in for X days. Thanks for worrying about me keeping my job, but that won't be a problem I assure you
Click to expand...
Click to collapse
It depends. I deploy MDM systems like this. Is this a corporate device or a personal device that is just enrolled?
whitedragon551 said:
It depends. I deploy MDM systems like this. Is this a corporate device or a personal device that is just enrolled?
Click to expand...
Click to collapse
Its a corporate device. When I first initialized the phone the KNOX or Maas360 started an enrollment service that was not optional.
mrkiwibanana said:
Its a corporate device. When I first initialized the phone the KNOX or Maas360 started an enrollment service that was not optional.
Click to expand...
Click to collapse
If its a corporate device there isnt anything you can do. It is enrolled at a physical hardware level in Android for Work. It will activate KNOX and call home every single time the device is wiped before you can proceed with any other functions. If it doesnt phone home to get the config, you cannot proceed with the setup. Its similar to DEP for Apple devices.
whitedragon551 said:
If its a corporate device there isnt anything you can do. It is enrolled at a physical hardware level in Android for Work. It will activate KNOX and call home every single time the device is wiped before you can proceed with any other functions. If it doesnt phone home to get the config, you cannot proceed with the setup. Its similar to DEP for Apple devices.
Click to expand...
Click to collapse
Thanks! Bad news for me, I guess I just have to bite into this sour lemon and accept. I will keep my hopes up that someone will find a way to blast past this in the future
Need help removing maas360
Hey, so my galaxy s8 had gone through the partial touch failure so as I was recommended I factory reset my phone and long story short I am stuck with maas360 and can't restore all my settings and such so I need to get it off preferably without a computer. (Also help with the touch screen would be nice but not crucial at this time)
Jok3Smok3 said:
Hey, so my galaxy s8 had gone through the partial touch failure so as I was recommended I factory reset my phone and long story short I am stuck with maas360 and can't restore all my settings and such so I need to get it off preferably without a computer. (Also help with the touch screen would be nice but not crucial at this time)
Click to expand...
Click to collapse
I love reading stories about MaaS360, I actually admin it for a company. If its a corporate device you may be sol, you may ask the admin to remove control, if it's a personal device to remove maas360.
Go into maas360- settings top right you should see 3 squares. hit remove MDM control after you remove control you can uninstall any part of MaaS360.
jmall84 said:
I love reading stories about MaaS360, I actually admin it for a company. If its a corporate device you may be sol, you may ask the admin to remove control, if it's a personal device to remove maas360.
Go into maas360- settings top right you should see 3 squares. hit remove MDM control after you remove control you can uninstall any part of MaaS360.
Click to expand...
Click to collapse
Hello . i installed an official software through odin to my s8 plus. Long story short, after factory resetting , i got this wierd app called "custom blocker" and in my device admin, i have knox customisation, knox enrollement and custom blocker restriction. this device is my own and not of any company. Why did these random apps appeared on my phone and how do i get rid of them? i am unable to update my phone or access the playstore.
Any help will be appreciated. Thanks.

Categories

Resources