I hope I am not cluttering things up with a stupid question but I would like to find out if rooting and KNOX are mutually exclusive. My situation is that I will be moving from a personal to corporate liable account at work soon (taking my S4 with me) and their only requirement is securing the device on MobileIron with KNOX. I don't really mind the stock rom but there are two or three things I would like to be able to do on my device that require root access (mostly config toggles with a profile manager and using TiBu).
Thanks for any wisdom you can pass on.
drichter12 said:
I hope I am not cluttering things up with a stupid question but I would like to find out if rooting and KNOX are mutually exclusive. My situation is that I will be moving from a personal to corporate liable account at work soon (taking my S4 with me) and their only requirement is securing the device on MobileIron with KNOX. I don't really mind the stock rom but there are two or three things I would like to be able to do on my device that require root access (mostly config toggles with a profile manager and using TiBu).
Thanks for any wisdom you can pass on.
Click to expand...
Click to collapse
Same issue for me . . . any updates?
saintirish said:
Same issue for me . . . any updates?
Click to expand...
Click to collapse
Not yet.... I am moved over but they haven't set me up yet on MI. I reverted to un-rooted until then and will see what it looks like and maybe try rooting again after I am all set up.
I would not think that having administrator privileges on your device would prevent the Knox from working... I don't use Knox, though.
I just purchased Galaxy Note 3 (SM-N900) , Saw a new entity called "KNOX" ......What the hell is it ?? What is it's use ??
I have not tapped it's icon as yet as i am very unclear regarding it's functioning....Please explain in details if possible....
nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
---------- Post added at 01:11 PM ---------- Previous post was at 01:07 PM ----------
nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SEANDROID ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Click to expand...
Click to collapse
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
jbbosu said:
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
Click to expand...
Click to collapse
No, that's just the "Official/Custom" binary and system status indicators that have been present on Samsung devices for a while now. Those are resettable by wiping the phone and flashing a completely unaltered stock firmware image. There is also a custom binary flash counter that is resettable by TriangleAway.
KNOX is a totally different beast - a secure boot environment protected by a trust chain - the white paper explains it.
I wonder how it affects the battery life ? Sorry I didn't really understand anything you guys are throwing out .. I just don't like bloat ...
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data like diary will be compromised. Unfortunately the private use of Knox is very limited and only has few applications like email, camera, gallery, S planner and my files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as requires password to access each time and it is not so easy to get data in and out the Knox area. For example Knox restrictions prevents Screen Write.
I guess Samsung put it on the phone so users can get familiar to its being there and so will make less a fuss at work and likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Click to expand...
Click to collapse
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
You not understanding what I wrote is not my problem. If you want to know, go learn.
---------- Post added at 10:06 AM ---------- Previous post was at 09:34 AM ----------
arsi123 said:
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
Click to expand...
Click to collapse
Thanks man. Too many arrogant, self-entitled, impatient dweebs on this site who expect to be spoon-fed everything and cry foul when something requires reading comprehension beyond third grade.
fonejacker said:
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data like diary will be compromised. Unfortunately the private use of Knox is very limited and only has few applications like email, camera, gallery, S planner and my files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as requires password to access each time and it is not so easy to get data in and out the Knox area. For example Knox restrictions prevents Screen Write.
I guess Samsung put it on the phone so users can get familiar to its being there and so will make less a fuss at work and likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
Click to expand...
Click to collapse
thanks for the brief explanation... i'm new to android and was confuse about this too
Read the links in this Post: http://forum.xda-developers.com/showpost.php?p=45851579&postcount=1
Laymans terms, think of tAndroid as a container with no lid - things can go in or out.
Knox is a second container inside the 1st that has a lid. Anything done inside Knox stays inside Knox. You aren't able to utilise all the features of the original os, only the things Knox will let you.
Unfortunately it also effects the running of Android because to make sure that the Knox part doesn't get violated by anything not allowed it has to keep the whole OS "pure"...
That's why root access is a problem, it opens the lid a crack allowing things in and out that shouldn't be there so once you root it detects this, and no longer able to ensure complete safety of data, will no longer run as it should on your device. It just hangs around, a ghost in the system to pi$$ you off...
This is a simple idea of what Knox was intended to do, it actually has ties right to the kernel and bootloader, hence the warranty void problem.
Hi, I'm new in this forum. I have a samsung galaxy S4 with knox 2.0. So I heard that with knox 2.0 each app doesn't have to be wrapped in a container anymore so theoretically you can install any app.
Now I have a problem, I have setup my knox container but I can only access the special knox app store. I really wanna access the full google playstore. So I can use this like a 2nd phone.
I read this is possible but I have no idea how to achieve this. I think it's only for enterprise users but is there absolutely no backdoor way to get this without needing an account. Or whatever
Can someone help me please?????[emoji31]
Anyone?
I've just upgraded from a Nexus i9250 running CM11 with PrivacyGuard to an S5.
As far as I can tell this stock S5 doesn't have any permissions control. And now I discover this Knox and Android for Work.
I am trying to figure out what to do about it. I MUST have permissions control.
On the one hand, both Knox and Android for Work seem like exactly what I have been looking for - to allow me to do secure operations separate from the rest of Android. Great, I thought, I can put Bitcoin, banking and a secure browser here. The warranty problem is of course complicated but for me I have decided to disregard this part of the decision.
But on the other hand Android for Work would require me to setup a domain and.... it will probably require ongoing fees in a few years time after it's established. While Knox could be a backdoor I am not looking to secure against NSA level - just apps I have no choice in using.
So should I root, maintaining 0x0 and install a permissions app of some sort? Or do I forget about this new security stuff and relax, install the familiar Cyanogenmod and blow the 0x0 to 0x1 as who cares anyway?
If I had known I would have gone with the OnePlusOne to avoid making the decision
The knox is there primarily to allow 'secure' (unmodified) devices to access secure, business (enterprise?) networks/servers.....If knox has been tripped due to modifications, connecting the device is denied. As I said, it's primarily aimed at the business sector.....
The fact that Samsung uses it as a warranty flag is secondary......
How knox will affect your personal aims, I don't know, but hopefully the above info *might* give you *some* insight as to how it works and what impact this could have on what you want to do......
Sent from my rooted, debloated stocKK kn0x0 SM-G900F
This is just a thought I had and I was wondering if there should be any concern.
Where are fingerprints stored on the Galaxy S7 Edge? I assume they are managed and stored by Knox. But, if the phone has been rooted, Knox is permanently disabled even after returning to stock.
Does tripped knox mean the the security of saved fingerprints is compromised?
By the way, according to google's website for Nexus devices (https://support.google.com/nexus/answer/6300638?hl=en), rooting does not compromise fingerprint security on Nexus devices. I hope this is the same for Samsung devices?
I deleted all services knox with Titanium and everything is ok in the footprint
Kzyw said:
I deleted all services knox with Titanium and everything is ok in the footprint
Click to expand...
Click to collapse
I know that the scanner works after root. But my concern is whether a hacker or virus could potentially access the stored fingerprint once Knox is tripped, due to the lack of that security layer? Because I know Knox is the secure environment that stores sensitive data.
Yes, I install other kernel fingerprint work good
Protheus 4 win
the_OZONE said:
I know that the scanner works after root. But my concern is whether a hacker or virus could potentially access the stored fingerprint once Knox is tripped, due to the lack of that security layer? Because I know Knox is the secure environment that stores sensitive data.
Click to expand...
Click to collapse
In my opinion knox already a virus haha ?