XDA Developers Android and Mobile Development Forum

Galaxy S5 Knox Reset (New Hope)

tkato
#181  
Cool, thanks for all the info. I'm currently using a custom ROM on my S5 via MOP, so I still have my Knox 0x0; I wish it'd stay that way.
 
belzebub40k
#182  
Quote: Originally Posted by tkato (#181)
I just flashed my phone today with the NeatROM and the Knox status is still 0x0. Are NeatROM and ALEXNDR the only ROMs which can be flashed via Mobile Odin Pro, or could every ROM be flashed with MOP without tripping Knox?
 
tkato
#183  
I'm using NeatROM as well currently; they're the only ones that specifically say their ROM is Knox 0x0, which is the safer alternative, but you can flash Omega ROM or any other ROM as long as it doesn't flash a custom kernel and recovery. From what I heard, there's a developer that said his kernel was stock and it turned out it wasn't, so a bunch of people got flagged... I think it's safer to go with the ROMs that specifically say they're Knox 0x0, but if you're cautious enough, I guess you can install any ROM.
 
nicholaschum
(Last edited by nicholaschum; 30th July 2014 at 02:32 PM.)
#184  
Quote: Originally Posted by tkato (#183)
That was in X-Note 12-14, for the Note 3. Don't worry about that.

Or you can just pull the kernel out of the ROM zip - better safe than sorry. Just remove boot.img from the root of the zip (usually).
Problem with ROMs? Try this. Still no? Ask me on Google+!
Root/TWRP/Kernel/ROM/Downgradable and KNOX 0x0 on N900W8? My guide.

Phone: Note 3 - Rogers SM-N900W8
Temasek UO v119 w/ ke. v3.86, TWRP 2.7.1, NA2 BL, NB7 Modem, KNOX 0x0

Tablet: Nexus 7 (2012)
PA 4.2 Beta 2, TWRP 2.7, Multiboot - UbTouch, Ub13.10, PA, CM11

Note 3 ◆ Xperia Tab P ◆ Nexus 7 ◆ Note II LTE ◆ S III LTE ◆ One X ◆ Note I ◆ Galaxy Nexus ◆ S II LTE ◆ S II
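As an added illustration of the tip above (example code written for this page, not a tool from the thread or from any ROM developer): a small Python script that looks inside a flashable ROM zip for the two things the posts above say trip KNOX, a raw boot.img/recovery.img and updater-script statements that write those partitions, and produces a copy with both removed. The updater-script path and the Edify call forms it matches are the usual ones in ROM zips of this era; the by-name partition path in the sample is an assumption, and the sample zip is constructed, not a real ROM. Removing boot.img alone leaves a package_extract_file line that fails at flash time, so the copy also drops those lines; since the result is no longer signed, a custom recovery with zip signature verification disabled is needed to flash it.

```python
import io
import re
import zipfile

UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"
RAW_IMAGES = ("boot.img", "recovery.img")
SENSITIVE_PARTITIONS = ("boot", "recovery")

# Edify calls that write a raw image to a block device. Assumption: these are the
# common forms in 2014-era ROM zips; anything else needs a manual read of the script.
EXTRACT_CALL = re.compile(
    r'(?:package_extract_file|write_raw_image)\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"')
DD_CALL = re.compile(r'run_program\s*\([^;]*"dd"[^;]*of=([^"\s]+)')


def member_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def _writes_sensitive(target):
    """True if a target path names the boot or recovery partition."""
    return target.rstrip("/").rsplit("/", 1)[-1].lower() in SENSITIVE_PARTITIONS


def _dangerous_line(line):
    low = line.lower()
    if any(img in low for img in RAW_IMAGES):
        return True
    return any(_writes_sensitive(t) for t in DD_CALL.findall(line))


def kernel_images(zip_bytes):
    """Raw kernel/recovery images carried anywhere in the zip (usually its root)."""
    return [n for n in member_names(zip_bytes)
            if n.rsplit("/", 1)[-1].lower() in RAW_IMAGES]


def partition_writes(zip_bytes):
    """(source, target) pairs in updater-script that would write boot or recovery."""
    if UPDATER_SCRIPT not in member_names(zip_bytes):
        return []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        script = zf.read(UPDATER_SCRIPT).decode("utf-8", "replace")
    hits = []
    for src, dst in EXTRACT_CALL.findall(script):
        if _writes_sensitive(dst) or src.rsplit("/", 1)[-1].lower() in RAW_IMAGES:
            hits.append((src, dst))
    hits += [("dd", dst) for dst in DD_CALL.findall(script) if _writes_sensitive(dst)]
    return hits


def strip_kernel(zip_bytes):
    """Copy of the zip without boot.img/recovery.img and without the script lines
    that would flash them. Assumes one Edify statement per line; the copy is no
    longer signed, so recovery must have zip signature verification off."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.rsplit("/", 1)[-1].lower() in RAW_IMAGES:
                continue
            data = src.read(info.filename)
            if info.filename == UPDATER_SCRIPT:
                kept = [l for l in data.decode("utf-8", "replace").splitlines(keepends=True)
                        if not _dangerous_line(l)]
                data = "".join(kept).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_zip():
    """Constructed sample (not a real ROM): /system files plus a kernel that the
    script flashes to an assumed by-name boot partition path."""
    script = (
        'ui_print("Installing sample ROM");\n'
        'package_extract_dir("system", "/system");\n'
        'package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");\n'
        'set_perm(0, 0, 0644, "/system/build.prop");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(UPDATER_SCRIPT, script)
        zf.writestr("META-INF/com/google/android/update-binary", b"\x7fELF placeholder")
        zf.writestr("system/build.prop", "ro.build.id=SAMPLE\n")
        zf.writestr("boot.img", b"ANDROID!" + b"\x00" * 64)   # placeholder, not a kernel
    return buf.getvalue()


if __name__ == "__main__":
    rom = build_sample_zip()
    print("images:", kernel_images(rom), "writes:", partition_writes(rom))
    safe = strip_kernel(rom)
    print("after strip:", kernel_images(safe), partition_writes(safe))
```

A zip with no boot.img can still flash a kernel from a subdirectory via dd, which is why the script is read as well as the file list; a zip that passes both checks still deserves a look at any update-binary it ships, since a custom binary can do anything a script can.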


 
Vaira
(Last edited by Vaira; 30th July 2014 at 03:56 PM.)
#185  
Quote: Originally Posted by nicholaschum
Hi there, may I introduce some mind boggling facts into your assumption as well?

I have the Canadian Note 3, and I am currently the OP of the N900W8 KNOX 0x0 guide.

I added an educated answer to why this is happening only for our devices on my thread, if you want to check it out.

I am on NA2 bootloader (Mexican leaked), Custom Recovery, Custom Kernel, Custom ROM - and KNOX is still at 0x0.

The fact that people have been using MOP to flash custom ROMs and keep KNOX at 0x0 shows that custom ROMs don't trigger the flag, and neither do modem flashes. It is all within the Recovery-Kernel TrustZone.

To answer your "Nobody knows exactly how 'knox' knows when the kernel has changed" with an educated theoretical answer - KNOX tests for Su/checks typical directories for Su and hence it starts crashing (but this doesn't mean that it would trip KNOX, it has just detected an unsafe environment in the userland) [Which is why people disable KNOX/uninstall KNOX on custom ROMs - disabling KNOX through SuperSU has no adverse effects towards the flag].

If you take a look at how KNOX functions, you will know what the so-called TrustZone is, which is typically why after the SECOND reboot after a normal root using Odin, your flag would be tripped on a normal device. Your phone goes into its boot algorithm called "Secure Boot", which verifies the signatures on the bootloader, kernel and occasionally system software. As CF-Root is injected into a partition without any need of authentication or permissions, it will automatically boot after applying the "update", bypassing the check once, but after a reboot, poof goes your KNOX.

If I could dumb it down any further, when regarding Towelroot and not getting KNOX 0x1, it is because it is essentially a backdoor exploit using the signed Samsung kernel, which does not breach any of the TrustZone partition checks. A userland exploit, while gaining the help of the kernel (either through a backdoor or a buffer overflow) will not, and is unable to, destroy any higher level system structures such as the Kernel, ROM structure or Bootloader (as an office worker can't just fire their boss, they can still help and change ideas of their boss, but they can't make them *not* the boss (digitally UNsign him to trip KNOX)). However changing the officer in the company just by firing and hiring a new one, can easily corrupt the company by changing rules of the lower hierarchical members (Using Odin to inject Auto CF-Root). This is KNOX's main rule, written out for us to know.

All I can say is, after nearly a full year with my Canadian Note 3 and half a year with KNOX 0x0, this answer is the car and the driver relationship. The Car being the bootloader, and the driver being the kernel. As these are the two main things that KNOX loves tripping us on, I can safely assume that the bootloader is the key reason why people get tripped KNOXes.

Some useful information here on KNOX: http://www.samsung.com/my/business-i...ung_KNOX-0.pdf

Hi again, thanks for your additions; finally there is someone I can talk with more tech-specifically about Knox.

Sure, it is all about the bootloader as the primary control instance; that's actually no news. Querying the KNOX flag and displaying it in Odin mode is the bootloader's job, as is triggering it.
Finally, Samsung introduced KNOX with a KNOX bootloader and can 'remove' Knox by simply releasing a bootloader which does not display the flag anymore.

Your mentioned device has an Exynos SoC, right? AFAIK the KNOX flag is stored inside the RPMB area of the eMMC and can be reset, at least on those named devices, when flashing these areas: http://forum.gsmhosting.com/vbb/f672...ox-s4-1775213/

Here people can see why it is different from Qualcomm devices. (I have posted that link already.)


We know details about secure boot (here is the link again): http://blog.azimuthsecurity.com/2013...cure-boot.html

Anyway, there are some open questions. One needs to know about the early boot stages and what exactly the steps / conditions tripping Knox are. (Some have reported that having another initramfs in the boot.img is already sufficient to trip Knox, whereas applying root doesn't.) What is used to calculate the hash, which will be encrypted / signed?

Some scenarios you might have an answer:

When rooting with towelroot I can 'flash' the recovery partition through terminal emulator using the dd command. Can I use the custom recovery once without tripping Knox?
AFAIK MOP temporarily uses a custom recovery in order to have the system idle / unused while applying the custom ROM.

There are different ways to reboot via the extended boot menu, which has different entries at the bootloader (recovery, soft reboot, reboot, Odin mode). Can I boot it in a way / special sequence so Knox won't be tripped? Keep in mind that a soft boot into download mode is somewhere 'behind' the hard boot way (power + volume down).
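On the question of what the hash covers: Samsung's signed-hash input is not public, but the boot image layout itself is (the AOSP mkbootimg header), and its `id` field already shows the shape of the thing. The Python below, an added example and not code from the thread, packs and unpacks a v0 boot image and recomputes that digest the way mkbootimg does: SHA-1 over the kernel, ramdisk and second-stage blobs plus their sizes. Swapping only the initramfs changes the digest while the kernel bytes stay identical, and nothing in /system is part of it at all, which matches the report above that a different initramfs in boot.img matters while root in /system does not. The kernel and ramdisk contents are constructed stand-ins; what Samsung's bootloader actually hashes and signs is an assumption this model does not settle.

```python
import hashlib
import struct

PAGE_SIZE = 2048
MAGIC = b"ANDROID!"
# AOSP v0 boot_img_hdr: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512],
# id[8], extra_cmdline[1024]; 1632 bytes, padded out to one page.
HEADER_FMT = "<8s8I2I16s512s8I1024s"
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Constructed stand-ins, not real kernel or ramdisk contents.
SAMPLE_KERNEL = b"constructed zImage bytes " * 120
SAMPLE_RAMDISK = b"stock initramfs cpio " * 80
SWAPPED_RAMDISK = b"custom initramfs with su binary " * 80


def _pad(blob, page=PAGE_SIZE):
    return blob + b"\x00" * (-len(blob) % page)


def image_id(kernel, ramdisk, second=b""):
    """The header `id` as mkbootimg computes it: SHA-1 over each blob followed by
    its little-endian size. Note what is NOT in here: /system, /data, the modem."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest()


def mkbootimg(kernel, ramdisk, cmdline=b"", second=b""):
    """Pack a v0 boot image. Load addresses are the mkbootimg defaults."""
    digest = image_id(kernel, ramdisk, second)
    id_words = struct.unpack("<5I", digest) + (0, 0, 0)   # sha1 fills 5 of the 8 words
    header = struct.pack(
        HEADER_FMT, MAGIC,
        len(kernel), 0x10008000, len(ramdisk), 0x11000000,
        len(second), 0x10F00000, 0x10000100, PAGE_SIZE,
        0, 0, b"", cmdline, *id_words, b"")
    return _pad(header) + _pad(kernel) + _pad(ramdisk) + _pad(second)


def parse_bootimg(img):
    """Unpack header and blobs; return the stored id next to a recomputed one."""
    f = struct.unpack_from(HEADER_FMT, img, 0)
    if f[0] != MAGIC:
        raise ValueError("no ANDROID! magic: not a boot/recovery image")
    kernel_size, ramdisk_size, second_size, page = f[1], f[3], f[5], f[8]

    def pages(n):
        return -(-n // page) * page

    kernel_off = pages(HEADER_LEN)
    ramdisk_off = kernel_off + pages(kernel_size)
    second_off = ramdisk_off + pages(ramdisk_size)
    kernel = img[kernel_off:kernel_off + kernel_size]
    ramdisk = img[ramdisk_off:ramdisk_off + ramdisk_size]
    second = img[second_off:second_off + second_size]
    return {
        "cmdline": f[12].rstrip(b"\x00"),
        "kernel": kernel, "ramdisk": ramdisk, "second": second,
        "ramdisk_off": ramdisk_off,
        "stored_id": struct.pack("<5I", *f[13:18]),
        "computed_id": image_id(kernel, ramdisk, second),
    }


def id_matches(img):
    """True when the blobs still hash to the id recorded in the header."""
    p = parse_bootimg(img)
    return p["stored_id"] == p["computed_id"]


if __name__ == "__main__":
    stock = mkbootimg(SAMPLE_KERNEL, SAMPLE_RAMDISK, b"console=null")
    swapped = mkbootimg(SAMPLE_KERNEL, SWAPPED_RAMDISK, b"console=null")
    print("same kernel:", parse_bootimg(stock)["kernel"] == parse_bootimg(swapped)["kernel"])
    print("same id:    ", parse_bootimg(stock)["stored_id"] == parse_bootimg(swapped)["stored_id"])
```

The `id` field is not itself a security mechanism (anyone repacking the image recomputes it), which is why a vendor signature over the image is needed on top; the point of the model is only which bytes such a signature can cover.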
 
nicholaschum
(Last edited by nicholaschum; 30th July 2014 at 04:33 PM.)
#186  
Quote: Originally Posted by Vaira (#185)

Gonna do a quick note since I'm out ATM: my device is a Qualcomm Snapdragon, exactly the same specs as the N9005 (or the G900F, processor-wise).

EDIT: Alright, I'm at my desk. Yeah, that link is very useful, and everyone should read it. But I'm the type of person to read things and simplify them for the common user, as not just any user on here would know anything about what was written. As I read code often, it isn't any problem for me to translate.

You raised some great questions. The custom recovery (if left on long) will eventually trip KNOX because recoveries aren't SEAndroid enforcing, and that would cause the yellow text SET WARRANTY BIT: Kernel/Recovery. The thing is, usually people trip their KNOX by using Odin and flashing there.

I don't think MD5 can be applied to the system software, as system software is easily changeable; it would be quite complex for it to 100% match up with what Samsung wants. I am pretty sure at least 1000 people have mismatched MD5s after updating their software over the air but still have KNOX at 0x0. As the kernel would not be touched, a substitute line of code could be executed during the processing of these partitions at boot, hence allowing them to avoid certain signature restrictions.

When I said that the bootloader checks for signatures, I believe that if it boots into Download mode directly, the boot sequence has been bypassed (as you can boot directly into Download mode without seeing the Samsung logo). Flashing the firmware and then setting Auto-Reboot does not *actually* reboot it, but just re-initiates its current session. Hence "Secure Boot" is interrupted, as Odin has priority and has the power (a CEO can fire a manager) to remove the bootloader; this factor could be added to the list of speculation, along with the bootloader not being "initiated" after the first Odin flash. Only on the second reboot would the bootloader start its complex signature verification and cause havoc.

There could be a way to emulate this but that would require something more powerful than Odin. If I had several N9005's I would test if I could prevent KNOX tripping by flashing stock DIRECTLY after I flash CF-AutoRoot, to see if my theory is correct. If Download mode does indeed block the bootloader signature verification after each flash for one boot, then a simulation of that "one process" would be the key to interrupt secure boot.

[Not targeted at you, Vaira, just for the other people to understand] Basically, the boss of the company comes into the office every single day, and all the workers act normally. The boss begins to act strange, allowing all these weird "contracts" (root) to be signed, and people begin questioning him: "Are you okay?" (KNOX's doubts about a secure container). The next morning, the boss comes in and demands that everyone change the rules, and now everyone gets promoted; even though it sounds great, the boss is taken in for some sort of checkup, and they find out he contracted a "brainwashing disease". Naturally, when this happens, people will make sure everyone gets "treated" for this brainwashing disease (KNOX 0x1); they cannot trust their own company to work anymore, and the company will break (KNOX cannot be run anymore).

Oh, and just to add, for the sake of my experience: KNOX 1.0 is actual software that you could launch on your phone and install secured apps on, without the need for a company plan like KNOX 2.0. Which is why I kept referring to it as if it were launchable.
 
Vaira
#187  
My KNOX device still has 0x0. It is the P605, though (Galaxy Note 10.1 LTE 2014, Snapdragon 800). I won't hesitate to experiment until the fuse is blown; living in the EU, Samsung cannot void the warranty (I have a positive example from a friend).

Anyway, I think closely about which experiments are reasonable, and I want to do as many as I can. The problem here is that MOP does not support my device (yet). I have rooted it and customized the stock ROM a bit; it's de-Knoxed and debloated, and has Wanam Xposed. Anyway, I haven't tried to apply a custom recovery yet.

AFAIK the system partition is not checked; you can exchange / delete any app there you want. Controlled are the recovery partition and the boot.img (kernel) partition. In Odin mode you can see different states; the only one that is not reversible is the KNOX warranty void flag.
I think when SELinux is not enforcing, the message comes from the kernel. KNOX won't be tripped because it is permissive now; it will be tripped because to get the kernel into permissive mode you need to recompile it with different settings. The actual reason is the different signature of the recompiled stock kernel. The original Samsung stock kernel, even when de-Knoxed and rooted, does block setenforce 0.

Well, for now I would save the original recovery partition, dd the custom recovery and directly boot into it ('reboot recovery'), then exit it from there via reboot device, then dd back the original recovery. With some luck it should keep Knox 0x0, because the boot process is 'shorter'.
With very much luck only Odin mode itself checks; that would mean one could use a custom recovery any time when applied via terminal emulator.
I don't know when I'll try it though; ATM I am satisfied with the device without a custom recovery... the only thing I would like is to have a permissive kernel... to get rid of that NSA crap and to have Paragon NTFS running.


One more question: do you have SELinux permissive with KNOX 0x0?
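The save / flash / restore sequence from the post above, written out as an added Python example (not from the thread) with the checks a bare dd one-liner skips: the image must not be larger than the partition, the write is fsynced and read back, and the backup's hash is compared after the restore. Block devices report a size of 0 to os.stat, so the size comes from seeking to the end of the device. The device path (a device-specific by-name link under /dev/block/platform) is left as an assumption; the demo runs the same code against temporary files standing in for the partition, since on a phone it needs root. Whether this sequence leaves KNOX at 0x0 is not something the code can tell you; it only makes the dd steps themselves verifiable.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20


def partition_size(path):
    """Byte size of a block device or file. os.stat() reports 0 for a block
    device, so seek to the end of an open descriptor instead."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes (whole device/file when None)."""
    remaining = partition_size(path) if length is None else length
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def backup_partition(dev, dest):
    """dd if=dev of=dest over the full partition length; returns the backup's hash."""
    size = partition_size(dev)
    with open(dev, "rb") as src, open(dest, "wb") as dst:
        copied = 0
        while copied < size:
            chunk = src.read(min(CHUNK, size - copied))
            if not chunk:
                break
            dst.write(chunk)
            copied += len(chunk)
    return sha256_prefix(dest)


def flash_image(image, dev):
    """dd if=image of=dev, plus the checks the one-liner lacks: refuse an image
    larger than the partition, fsync, and read back what was written. A shorter
    image leaves the old tail bytes in place; restoring the full backup undoes that."""
    img_size = os.path.getsize(image)
    dev_size = partition_size(dev)
    if img_size > dev_size:
        raise ValueError(f"{image} is {img_size} bytes, {dev} holds only {dev_size}")
    with open(image, "rb") as src, open(dev, "r+b") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    written = sha256_prefix(dev, img_size)
    if written != sha256_prefix(image):
        raise IOError(f"read-back of {dev} does not match {image}")
    return written


def demo_on_temp_files():
    """Run save / flash / restore against constructed files: a 64 KiB file stands
    in for the recovery partition (on a device: an assumed by-name block path)."""
    d = tempfile.mkdtemp()
    dev = os.path.join(d, "recovery")
    custom = os.path.join(d, "custom-recovery.img")
    oversize = os.path.join(d, "too-big.img")
    backup = os.path.join(d, "recovery.stock.img")
    with open(dev, "wb") as f:
        f.write(b"\x11" * 65536)      # constructed "stock recovery" contents
    with open(custom, "wb") as f:
        f.write(b"\x22" * 40000)      # constructed "custom recovery" image
    with open(oversize, "wb") as f:
        f.write(b"\x33" * 70000)      # deliberately larger than the partition

    result = {"stock": backup_partition(dev, backup)}
    result["custom"] = flash_image(custom, dev)
    try:
        flash_image(oversize, dev)
        result["oversize_refused"] = False
    except ValueError:
        result["oversize_refused"] = True
    result["restored"] = flash_image(backup, dev)
    result["after_restore"] = sha256_prefix(dev)
    return result


if __name__ == "__main__":
    for k, v in demo_on_temp_files().items():
        print(k, v)
```

Keep the backup off the device (adb pull it) before rebooting into the custom recovery; if the experiment goes wrong, the backup file on /sdcard is the only copy of the stock recovery image you have.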
 
nicholaschum
#188  
Quote: Originally Posted by Vaira (#187)
One more question: do you have SELinux permissive with KNOX 0x0?
By flashing a custom ROM available on the Note 3 forums, as well as a custom kernel, I can grasp KNOX 0x0 while SELinux status is Permissive.

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes