I hope I am not cluttering things up with a stupid question but I would like to find out if rooting and KNOX are mutually exclusive. My situation is that I will be moving from a personal to corporate liable account at work soon (taking my S4 with me) and their only requirement is securing the device on MobileIron with KNOX. I don't really mind the stock rom but there are two or three things I would like to be able to do on my device that require root access (mostly config toggles with a profile manager and using TiBu).
Thanks for any wisdom you can pass on.
drichter12 said:
I hope I am not cluttering things up with a stupid question but I would like to find out if rooting and KNOX are mutually exclusive. My situation is that I will be moving from a personal to corporate liable account at work soon (taking my S4 with me) and their only requirement is securing the device on MobileIron with KNOX. I don't really mind the stock rom but there are two or three things I would like to be able to do on my device that require root access (mostly config toggles with a profile manager and using TiBu).
Thanks for any wisdom you can pass on.
Click to expand...
Click to collapse
Same issue for me . . . any updates?
saintirish said:
Same issue for me . . . any updates?
Click to expand...
Click to collapse
Not yet.... I am moved over but they haven't set me up yet on MI. I reverted to un-rooted until then and will see what it looks like and maybe try rooting again after I am all set up.
I would not think that having administrator privileges on your device would prevent the Knox from working... I don't use Knox, though.
I just purchased Galaxy Note 3 (SM-N900) , Saw a new entity called "KNOX" ......What the hell is it ?? What is it's use ??
I have not tapped it's icon as yet as i am very unclear regarding it's functioning....Please explain in details if possible....
nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
---------- Post added at 01:11 PM ---------- Previous post was at 01:07 PM ----------
nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SEANDROID ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Click to expand...
Click to collapse
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
jbbosu said:
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
Click to expand...
Click to collapse
No, that's just the "Official/Custom" binary and system status indicators that have been present on Samsung devices for a while now. Those are resettable by wiping the phone and flashing a completely unaltered stock firmware image. There is also a custom binary flash counter that is resettable by TriangleAway.
KNOX is a totally different beast - a secure boot environment protected by a trust chain - the white paper explains it.
I wonder how it affects the battery life ? Sorry I didn't really understand anything you guys are throwing out .. I just don't like bloat ...
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data like diary will be compromised. Unfortunately the private use of Knox is very limited and only has few applications like email, camera, gallery, S planner and my files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as requires password to access each time and it is not so easy to get data in and out the Knox area. For example Knox restrictions prevents Screen Write.
I guess Samsung put it on the phone so users can get familiar to its being there and so will make less a fuss at work and likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Click to expand...
Click to collapse
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
ketani73 said:
Please explain my query in a simple language so that i really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Click to expand...
Click to collapse
You not understanding what I wrote is not my problem. If you want to know, go learn.
---------- Post added at 10:06 AM ---------- Previous post was at 09:34 AM ----------
arsi123 said:
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
Click to expand...
Click to collapse
Thanks man. Too many arrogant, self-entitled, impatient dweebs on this site who expect to be spoon-fed everything and cry foul when something requires reading comprehension beyond third grade.
fonejacker said:
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data like diary will be compromised. Unfortunately the private use of Knox is very limited and only has few applications like email, camera, gallery, S planner and my files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as requires password to access each time and it is not so easy to get data in and out the Knox area. For example Knox restrictions prevents Screen Write.
I guess Samsung put it on the phone so users can get familiar to its being there and so will make less a fuss at work and likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
Click to expand...
Click to collapse
thanks for the brief explanation... i'm new to android and was confuse about this too
Read the links in this Post: http://forum.xda-developers.com/showpost.php?p=45851579&postcount=1
Laymans terms, think of tAndroid as a container with no lid - things can go in or out.
Knox is a second container inside the 1st that has a lid. Anything done inside Knox stays inside Knox. You aren't able to utilise all the features of the original os, only the things Knox will let you.
Unfortunately it also effects the running of Android because to make sure that the Knox part doesn't get violated by anything not allowed it has to keep the whole OS "pure"...
That's why root access is a problem, it opens the lid a crack allowing things in and out that shouldn't be there so once you root it detects this, and no longer able to ensure complete safety of data, will no longer run as it should on your device. It just hangs around, a ghost in the system to pi$$ you off...
This is a simple idea of what Knox was intended to do, it actually has ties right to the kernel and bootloader, hence the warranty void problem.
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what to prevent the data in one container from being shipped out to the web? How does it really protect the data?
testrider said:
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what to prevent the data in one container from being shipped out to the web? How does it really protect the data?
Click to expand...
Click to collapse
No, no, no, you have it all wrong... Its not to protect YOUR data... It's to protect Samsung's bottom line.. All those nasty people with legitimate claims for warranty, Knox destroys that so you can't present for warranty if something goes wrong....
testrider said:
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what to prevent the data in one container from being shipped out to the web? How does it really protect the data?
Click to expand...
Click to collapse
Read this: http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
And this: https://www.samsungknox.com/overview/technical-details
This also: http://forum.xda-developers.com/showpost.php?p=46795903&postcount=149
Secure Android Platform
Samsung KNOX offers a multi-faceted security solution rooted in the tamper-resistant device hardware, through the Linux kernel and Android operating system. The first line of defense against malicious attacks, Samsung KNOX is currently approved to run on US Department of Defense networks. (If flag 0x0, my opinion).
More important then warranty is the security. Flag at 0x1 means NOT SECURE. The people is warning for that by Warranty Void.
Read this also: http://www.sammobile.com/2013/10/09...alaxy-note-3-causes-hardware-damage-say-what/
Rooting-and-flashing-custom-software-on-the-galaxy-note-3-causes-hardware-damage-say-what
Thank you. Will check it out.
Hi, I'm new in this forum. I have a samsung galaxy S4 with knox 2.0. So I heard that with knox 2.0 each app doesn't have to be wrapped in a container anymore so theoretically you can install any app.
Now I have a problem, I have setup my knox container but I can only access the special knox app store. I really wanna access the full google playstore. So I can use this like a 2nd phone.
I read this is possible but I have no idea how to achieve this. I think it's only for enterprise users but is there absolutely no backdoor way to get this without needing an account. Or whatever
Can someone help me please?????[emoji31]
Anyone?
I've just upgraded from a Nexus i9250 running CM11 with PrivacyGuard to an S5.
As far as I can tell this stock S5 doesn't have any permissions control. And now I discover this Knox and Android for Work.
I am trying to figure out what to do about it. I MUST have permissions control.
On the one hand, both Knox and Android for Work seem like exactly what I have been looking for - to allow me to do secure operations separate from the rest of Android. Great, I thought, I can put Bitcoin, banking and a secure browser here. The warranty problem is of course complicated but for me I have decided to disregard this part of the decision.
But on the other hand Android for Work would require me to setup a domain and.... it will probably require ongoing fees in a few years time after it's established. While Knox could be a backdoor I am not looking to secure against NSA level - just apps I have no choice in using.
So should I root, maintaining 0x0 and install a permissions app of some sort? Or do I forget about this new security stuff and relax, install the familiar Cyanogenmod and blow the 0x0 to 0x1 as who cares anyway?
If I had known I would have gone with the OnePlusOne to avoid making the decision
The knox is there primarily to allow 'secure' (unmodified) devices to access secure, business (enterprise?) networks/servers.....If knox has been tripped due to modifications, connecting the device is denied. As I said, it's primarily aimed at the business sector.....
The fact that Samsung uses it as a warranty flag is secondary......
How knox will affect your personal aims, I don't know, but hopefully the above info *might* give you *some* insight as to how it works and what impact this could have on what you want to do......
Sent from my rooted, debloated stocKK kn0x0 SM-G900F