Hi XDA.
I have had this idea for a while, not specifically for the Galaxy S8+, but if one device were to be worthy, it would be this one, due to the much higher kernel version compared to past devices.
The idea is to keep the 100% stock ROM, except with root, and have the system believe that it is 100% official. My idea is to root, and replace the Device Root Key (DRK) with a self-generated one, and then rebuild the whole ROM with all of the apps, the kernel, and other parts self-signed, with the device believing that the signatures are by Samsung. This would potentially allow us to relock the bootloader by having the device believe that the boot image is official.
This way we should be able to pass dm-verity whilst allowing modifications to system, pass SafetyNet, and in the long run, pass KNOX with a kernel that fakes a cleared KNOX bit, and with further modifications, fake a cleared KNOX bit in download mode. We could also make system modifications and convince KNOX that the changes are authorised and official.
Also, I do not like how theoretically Samsung can sign custom firmware to break into your device and remove the reactivation locks and potentially decrypt the device. In theory they cannot decrypt it if the encryption key is derived from the password and is not stored on the device, but I would not be surprised if there is a way.
I love Samsung stock software, but I wish I could root and still have the OOBE with Samsung Pay and KNOX containers.
But I am having trouble gathering concrete information. I am only partially sure that the DRK does what I said, and I am not sure if there are any other keys hardcoded into the device hardware, like the bootloader.
Can anybody comment on whether this is theoretically possible, and how? Or just any helpful information.
One thing I need to know is how the system reads the KNOX bit. If it is a protected-mode instruction (unlikely, because it would violate ARM compatibility) that puts the result into a register, then it would be practically impossible to fake. But if only the kernel can check, then we can patch the kernel.
Also, can the KNOX eFuse be blown by unauthorised actions at runtime? As in, if one obtains root through a kernel vulnerability (like the Galaxy S6 with PingPong) without tripping KNOX, are there actions / system modifications that can be done as root that can blow KNOX without flashing some unsigned image? My thoughts are that, ideally, if rooting without blowing KNOX happens with another kernel exploit, we could use that window to replace the DRK and the whole system with self-signed software, so that we would then have the golden experience of truly owning our own Samsung device, without KNOX ever tripping.
Thanks for any discussion!
Karatekid430
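The post proposes replacing the device root key and re-signing every image so the device accepts them as official. Whether that works depends on where the root of trust actually lives, which the post admits is uncertain. The following is an added example, not from the original post and not Samsung's DRK or KNOX implementation: a simplified Python model of a secure-boot chain in which (assumption) a read-only fuse holds the SHA-256 of the OEM root public key and (assumption) a separate one-way "warranty" fuse is set whenever an unverified image is booted. The RSA keys are toy-sized, built from Mersenne primes so the script runs offline without third-party libraries; the image names and payloads are constructed. It shows why a self-generated key that signs a perfectly valid image is still rejected at the first check, why tampering with an officially signed image fails at the second, and why the warranty fuse, once set, stays set even after an official image boots again.

```python
"""Simplified model of a fuse-anchored secure-boot chain (constructed example).

Assumptions of this model, not facts about any Samsung device:
  * a hardware fuse holds the SHA-256 of the OEM root public key;
  * each boot image carries the public key it claims to be signed with;
  * a second one-way fuse (the "warranty bit" here) is set when an
    unverified image is booted and can never be cleared by software.
"""
import hashlib
from dataclasses import dataclass, field

# Textbook RSA over Mersenne primes so the example needs no crypto library.
# Toy-sized and unpadded: never use this construction for real keys.
_P = (1 << 127) - 1   # M127, prime
_Q = (1 << 89) - 1    # M89, prime
_E = 65537            # coprime to (P-1)(Q-1): ord_65537(2) = 32 divides neither 126 nor 88


def make_keypair(p=_P, q=_Q, e=_E):
    """Return ((n, e), (n, d)) for the given primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def key_hash(pub) -> bytes:
    """Hash of a public key, as it would be burned into the root-key fuse."""
    n, e = pub
    return hashlib.sha256(n.to_bytes(32, "big") + e.to_bytes(4, "big")).digest()


@dataclass
class BootImage:
    payload: bytes
    pubkey: tuple      # key the image claims it was signed with
    signature: int


@dataclass
class Device:
    fuse_root_key_hash: bytes   # burned at manufacture, read-only afterwards
    warranty_bit: bool = False  # one-way fuse: can be set, never cleared
    log: list = field(default_factory=list)

    def boot(self, image: BootImage) -> bool:
        # Check 1: the embedded key must match the fused hash. A self-generated
        # root key fails here even when its signature over the image is valid.
        if key_hash(image.pubkey) != self.fuse_root_key_hash:
            self.log.append("root key hash mismatch")
            return False
        # Check 2: the image must verify under that (now trusted) key.
        if not verify(image.pubkey, image.payload, image.signature):
            self.log.append("bad signature")
            return False
        self.log.append("verified")
        return True

    def boot_unlocked(self, image: BootImage) -> None:
        # Unlocked bootloader: boots anything, but trips the one-way fuse
        # whenever the image would not have verified.
        if not self.boot(image):
            self.warranty_bit = True


def demo() -> dict:
    """Run the three scenarios from the post against the model device."""
    oem_pub, oem_priv = make_keypair()
    device = Device(fuse_root_key_hash=key_hash(oem_pub))

    stock = b"stock boot.img"                      # constructed payload
    official = BootImage(stock, oem_pub, sign(oem_priv, stock))

    # "Replacement DRK": a self-generated key from different primes.
    my_pub, my_priv = make_keypair(p=(1 << 107) - 1, q=(1 << 61) - 1)
    rooted = b"stock boot.img + su"                 # constructed payload
    self_signed = BootImage(rooted, my_pub, sign(my_priv, rooted))

    # Official key kept, payload modified, original signature reused.
    tampered = BootImage(rooted, oem_pub, official.signature)

    results = {
        "official_boots": device.boot(official),
        "self_signature_valid": verify(my_pub, rooted, self_signed.signature),
        "self_signed_boots": device.boot(self_signed),
        "tampered_boots": device.boot(tampered),
    }
    device.boot_unlocked(self_signed)
    results["warranty_after_unlocked_boot"] = device.warranty_bit
    device.boot(official)                           # relocking does not unset it
    results["warranty_after_official_reboot"] = device.warranty_bit
    results["log"] = list(device.log)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is structural: if the root of trust is a key hash in hardware rather than a key stored in rewritable flash, re-signing every image with a new key changes nothing at check 1, and the warranty fuse models the one-way nature of the KNOX bit the post asks about. Where a real device keeps its root key, and whether the bit is readable only by the kernel, is exactly what the post is asking and this example does not claim to answer.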