Knox Warranty on new I9505 ROMs

As I've stated before, my dev version of Triangle Away is currently operational (though not yet released) for the flash counter and binary status with the new Knox I9505 ROMs.

If you have an I9505 you've probably noticed the new Knox Warranty status in the bootloader, and I know some of you are hoping Triangle Away will reset that.

Unfortunately, that's unlikely. I've taken a look around, I've disassembled the bootloader, etc., and it looks like an efuse might be involved (== not resettable). I'm not exactly sure what triggers it yet either.

Mind you, I'm not a bootloader expert nor have I spent hours and hours digging through it, so there's a chance this information might turn out to be wrong later - but that's what it currently looks like to me.
157 comments
 
E fuses are really nasty things. They could be used for good.. Like serial numbers and what not... But no, manufacturers are using them for evil and permanently marking a device because you've done something 100% reversible via software update. 
 
This won't in any way prevent Mobile Odin from being updated to work with the latest firmwares +Chainfire ?
 
I understand the point behind it, I think, but it/Knox should be an opt-in thing for enterprise use, surely. Also, I'd love to hear of a test case involving rooting/warranty. In the EU, for example, apparently rooting/flashing can only legally void a warranty if it could have caused the fault, but the OEMs don't seem to be hearing that..
 
This could possibly be the worst news I've heard all week :-( Was really hoping there would be a fix, but it can't be helped. It's just Samsung turning into a bad apple with devs, as I'm sure many will opt for other phones like Nexuses. Oh well, Samsung have lost my custom. Thanks +Chainfire, you're a pro! Shame about Samsung implementing this crap on a consumer's device!
 
Device status is official, so does this allow me to update via Kies or Wi-Fi, or will Knox be built in? My phone is completely stock and unrooted, but Knox shows 0x1 even though device status is official.
 
Information security expert here: The whole point of KNOX is to prevent devices with sensitive data (corporate or government) from having that data compromised. As an information security professional, I absolutely see the need for KNOX's protections (including a hardware chain of trust, aka the efuse). As an Android enthusiast, I'm sad that fastboot OEM unlock isn't used in situations like this. Allow users to root their devices without potentially compromising the data stored on them. That way both power users and business are satisfied.
 
would it be possible for sammy to make the efuse a flashable add-on for enterprise and let normal users have a normal phone or is it like hard wired?
 
+Smity Smith no, not like an add-on. The efuse is set with values during the production of the device and theoretically are not able to be changed. The solution might instead be a "developer edition" of a device. Knowing US carriers, we're unlikely to see the situation flipped where you'd instead buy a "corporate edition" device. Keep in mind BYOD (Bring Your Own Device) is a huge market Samsung wants to capture and if a consumer device can be a "secure" device with the flip of a switch, why not make every phone locked down. There's got to be a compromise though...
 
I don't see the big deal.. if you want your phone to have the warranty it came with, you can't modify it.. if you want to use it to its full potential, you void your warranty. This is the same thing that is happening with the Moto X, even though its bootloader is locked.. and unlocking is provided by Motorola.. you void your warranty.

What I'm saying is.. while this is not ideal.. we're not having something happen to us (our phones) that we didn't expect.
 
Cheers Andrew. Understood man :-)
Yeah Brad, it's something that was bound to happen, but it's still wrong imo... actually the efuse isn't wrong, but manufacturers refusing to fix faulty hardware because the firmware is modded is downright wrong.
This is why I'd love to see a high-profile test case in the courts to clarify things. I get that us modders are a tiny minority though. I worry that all the OEMs could adopt this efuse thing as an excuse to not honour warranties, but disguised as a security must-have.
 
Understanding the function of "efuses":  Forget the "e" part, just think of it functionally like a fuse.  Once it's blown, it must be physically replaced.  And it's not a socketed part like a normal fuse, it's embedded in a chip soldered to the board.  Since replacing chips is often not feasible, or at least very difficult and/or expensive, for all practical purposes, yes, once blown, it's blown in perpetuity.  The "e" part comes into play in that it's not blown by an abnormal condition causing excessive current, it's done by control circuitry on-purpose...and it's "e" because of the fact that its status (still present or blown) can be probed/read by the processor.

It could also be thought of like a PROM  (mind you, not like the more common types of an EPROM or an EEPROM, but the original PROMs which were in essence an array of fuses) with an integrated "programmer."
 
Man, that's a horrible thing lol. But I suppose the fact that it's triggered by software means that could potentially be blocked by software? (Although I suppose Samsung have made that very hard, hence the name Knox?)
 
It's all a matter of software, some of which the user can modify (what's in flash), some of which can't be (the power-on reset code which is executed... at least I think you can't alter it once the manufacturer programs it). If that POR code will run any ole bootloader, that bootloader doesn't have to look at the efuse. If on the other hand you can only flash a bootloader with a proper signature into the device, you either have to figure out how to sign your bootloader somehow (one that doesn't look at the efuse) so that it passes signature verification (nearly impossible, unless you can find a weakness in the sig algo, brute force the key, get a leaked key, etc.), or you're also out of luck because the POR code looks at the efuse directly.
 
Thanks for explaining things to me guys. I appreciate it
 
Damn :/ If I wanted a locked device I would buy HTC or Sony. It's really unfair, especially as Samsung didn't warn users about it. Now I have a locked device without root, which is pretty useless for a power user.
 
+Marek Puszko you can still root and use your device. The only thing is you must live with the Knox Warranty Void Flag on (0x1)
 
+Chainfire are you planning to release the new triangleaway even without the Knox Warranty Void clear capability? We are looking forward to it. Anyway we don't even know the implications of this new flag. Maybe it affects users just in a Knox BYOD environment so who cares. 
 
I know. But if I want to be sure about the warranty, there shouldn't be any footprint of digging in the device. If I root the phone, there will be one.
Sony is a good example here (at least older devices like the Neo V): you can root the device and unroot it without problem. Unlocking the bootloader (irreversible) is necessary only if you want to use CM etc. And you know it BEFORE purchase.
 
The only thing I don't understand here is: the phone has been out for several months and they enable the fuse NOW? When it was already there, as I understand it according to that post, why was this crap not enabled in the first place? Really weird... I'm starting to hate these stupid pseudo-security programs :(
 
Bad news for all who had already re-rooted the S4 ...
Now I'm sitting on an S4 that's unrooted again with Knox warranty void 0x1 ...
Flashing older firmwares is not possible anymore
And I'm thinking about, if it's possible, flashing Google Edition firmware...
 
Same thing for me, but I'm thinking about CyanogenMod... xD
 
+Chainfire if you reflash a stock rom (like MH8), doesn't it remove the root and reset the counters to zero after a full wipe?
Thanks
 
+Marco Nunes Yes, it does remove root. No, it'll neither reset the flash counter, nor the Knox void flag. And a full wipe doesn't affect the bootloader at all.
AND as discussed above, once you've flashed this %&$§?! Knox bootloader, you can't even flash a non-Knox image at all...
 
I use custom rom based on mh8 with bootloader removed.. And reset flash counter to zero.. :/
 
How can we remove this bootloader and flash another one?
 
which rom has this knox thing inside ? 
 
So, the only solution, is to flash the new Rom without the bootloader (modded Rom), if we haven't update yet...right? 
 
If I were you I would skip the update. Most unstable piece of software that claims to be stable ever.
 
+Roberto Sartori I know what you mean but since you're not able to downgrade from what I've heard it might be hard. Also that would probably pickup on it or it would just pure not work as Linux permissions were changed.
 
I wouldn't update (unless you have LTE in your area). It's very buggy and well waiting out will see what can be done.
 
I updated Triangle Away to version 3.05 on my i9505 XEF. After it had nearly fully charged, the phone wouldn't stop rebooting. Maybe another program didn't like this update? Or the system workaround which blocks root access?
 
OK, I had to remove my SD card to stop the reboot loop.

A problem of this Triangle Away update with the SD card system?
 
Keep up the good work +Chainfire, I'm sure you master devs guys will come up with something to save us all. Thanks for all the hard work.
 
+Chainfire E-Fuses on the i9505 damn that sucks... :( However I reckon they will have done the same thing to the i9500 because it is a really convenient way of ensuring ones warranty status.
 
FYI...Samsung told me that Knox warranty becomes 0x1(void) when the device with secured bootloader attempts to have non-secured bootloader.  MH1 is the very first binary with secured bootloader.  If MH1 is attempted to be downgraded to lower version(i.e. MGD) which has non-secured bootloader, then Knox warranty becomes void forever, and this means that the device can be used only for non-Knox device(no container can be created).
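As an added illustration (not code from the original post, from Samsung, or from any real bootloader), a toy Python model of the two ideas in the chain-of-trust comment further up and in this Samsung explanation: the power-on-reset code only runs a validly signed bootloader, and replacing a secured bootloader with a non-secured one blows a one-time-programmable fuse that no later software write can clear. The HMAC stand-in signature, the vendor key, the build numbers and the exact trigger policy are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed vendor key (assumption). On real silicon only the verification
# half is baked into the SoC; the signing half never leaves the vendor.
VENDOR_KEY = b"constructed-vendor-signing-key"

KNOX_WARRANTY_VOID = 0x1  # bit of the warranty fuse in the OTP bank


class OtpFuseBank:
    """One-time-programmable bits: they only ever change 0 -> 1."""

    def __init__(self):
        self._bits = 0

    def blow(self, mask):
        self._bits |= mask

    def write(self, value):
        # Hardware OR-latches the new value onto what is already blown, so a
        # "reset" that writes 0 leaves every programmed bit set.
        self._bits |= value

    def read(self):
        return self._bits


@dataclass(frozen=True)
class BootImage:
    name: str        # build label such as "MH1" (labels taken from the thread)
    version: int     # constructed build number
    secured: bool    # True for a Knox-aware (secured) bootloader
    payload: bytes
    signature: bytes


def _signed_message(name, version, secured, payload):
    return b"%s|%d|%d|" % (name.encode(), version, secured) + payload


def sign_image(name, version, secured, payload):
    """Vendor-side signing; HMAC stands in for the real signature scheme."""
    sig = hmac.new(VENDOR_KEY, _signed_message(name, version, secured, payload),
                   hashlib.sha256).digest()
    return BootImage(name, version, secured, payload, sig)


def verify_image(img):
    """What the power-on-reset ROM code does before running a bootloader."""
    expected = hmac.new(VENDOR_KEY, _signed_message(img.name, img.version,
                        img.secured, img.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.signature)


def flash_bootloader(fuses, installed, candidate):
    """Return the installed bootloader after the attempt: a tampered image is
    refused unchanged; a secured -> non-secured swap blows the warranty fuse."""
    if not verify_image(candidate):
        return installed
    if installed.secured and not candidate.secured:
        fuses.blow(KNOX_WARRANTY_VOID)
    return candidate


def attempt_software_reset(fuses):
    """Model of a tool that writes 0 to the fuse bank; returns what reads back."""
    fuses.write(0)
    return fuses.read()


def demo():
    """Walk through upgrade, tampered image, downgrade and a reset attempt."""
    fuses = OtpFuseBank()
    mgd = sign_image("MGD", 1, False, b"older non-secured bootloader")
    mh1 = sign_image("MH1", 2, True, b"first secured bootloader")
    installed = flash_bootloader(fuses, mgd, mh1)          # upgrade
    after_upgrade = fuses.read()                            # 0x0
    tampered = BootImage("MGD", 1, False, b"patched", mgd.signature)
    rejected = flash_bootloader(fuses, installed, tampered) is installed
    installed = flash_bootloader(fuses, installed, mgd)    # downgrade
    after_downgrade = fuses.read()                          # 0x1
    after_reset = attempt_software_reset(fuses)             # still 0x1
    return after_upgrade, rejected, after_downgrade, after_reset
```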
 
Means that warranty is void for the whole device ...
It says ... bad user, you have opened the bootloader, so look what to do if a hardware error not caused by rooting occurs...
And another point samsung lost fans with ^^

And Downgrade from MH5 to MGA for example is NOT possible...
 
+Jeffery Butler +Chainfire 
Has anyone here received  "knox warranty void" after updating by OTA or Kies and having a rooted device before MHx ( only stock fw + root e.g.) ?
 
The new bootloader causes Odin to fail when you try to flash an older firmware.
I've tried it a bunch of times.
Had to make a "Disaster Recovery" (Google translation xDD) with Kies to make my phone stop bootlooping (recovery mode was not able to start).
Maybe there are some ways with custom recovery, but I read in some forums that the Knox counter still keeps 0x1 after reflashing older firmware because the bootloader was not downgraded ^^

And before re-rooting after the update I had Knox warranty void 0x0,
after re-rooting 0x1 ^^
 
+Andre Ponert The information I provided was taken directly from a contact at Samsung.  I'm currently testing KNOX functionality for another company and ended up running into this issue during some routine remediation testing.  I now have a i9505 that is useless to test KNOX with.

The process I followed was this...

1) Start with MH1
2) Use CF-Auto-Root tool to root device
3) Use Odin to re-flash MH1

Samsung has said that they have had a handful of reports (4 or 5 total) that re-flashing MH1 on a device with MH1 switched the KNOX Warranty Void flag to 0x1 and advised us against doing this.

The only information I was given was what I posted. I don't feel comfortable answering your question since Samsung stated to me that the KNOX Warranty Void flag cannot be changed back once changed.
 
Hi! I own a Samsung Galaxy S4 GT-i9500 which I already rooted, so my warranty has been voided. May I help you?
 
+Ducu Alx I have an I9505 and had a rooted MEA version on it (rooted with CF-Auto-Root). I've upgraded to MH8 directly through Odin, my KNOX warranty is still ON (0x0). I haven't rooted MH8 because I've read +Chainfire's post BEFORE. This is how it looks now: http://screencast.com/t/HEc7taZv
I hope this info helps you.
 
Supposedly, the only thing that's supposed to set the Knox warranty void-flag to 1 is flashing the bootloader. Perhaps I'm a noob since I need to ask this: Would CF Auto Root overwrite the bootloader and thus trigger this flag? Or would it flash some other part of the system and leave the warranty void flag alone, thus achieving root without having to worry about knox?
 
+Tim Loots as far as I understand this process, it has to alter the boot loader to boot one-time-only into an "inert" state to be able to alter the files needed for root, which otherwise are protected. If it doesn't boot into this special state, it won't be able to alter those files as they are protected. Please someone correct me if I'm wrong.
 
That makes sense, too bad though. I hope we get a clearer picture of exactly what the consequences of this change are. I'd really like to root my phone and have it run CM, but right now I'm not so sure I'm not going to run into all sorts of problems. All things considered, the warranty void-flag doesn't even bother me that much.
 
+Tim Loots same here, just want to know if I can put the Google Edition on my phone without any problems.
 
Quite upset over this. I was going to buy the note3 but that ain't gonna happen now. New note3 owners won't have the luxury of skipping the new bootloader.

So I guess I'll just have to wait for the nexus 5 instead. Could do worse I suppose. 
 
Sorry for my stupid question... What does a permissive bootloader mean? How can we check the actual status? Thanks.
 
Quite sure he meant his SELinux status, that's not the bootloader per se. What is it you want to check anyway? No offense, but do you have any clue what this is about?
 
My freedom is not working saying that it needs updated market what the heck?
 
My wife is using an O2 branded device and it has no KNOX popups while rooted, nor does it have the KNOX counter. I have the 'Unbranded' version (GT-I9505) and have both the counter and the popups. The only reason I rooted was to use the PS3 gamepad with Modern Combat 4 (Multiplayer online using 4G). I wish I had bought the N4, and I will never purchase a Samsung handset again.
 
Is it not possible to remove the Knox features from the bootloader before you update? If you haven't updated yet, I mean.
 
Removing the whole bootloader should work. But why would you want that? 
 
First the i9505 has a worse camera... now that KNOX ** I want to buy another phone and never buy SAMSUNG again!
 
Fuu, I ordered a Note 3 today, but I didn't read about Knox :(. I sure hope you or someone else can get us a "fix" for this :)
 
FFUUUU , I updated in kies to knox firmware without knowing have such thing :(((
 
Just like me (and many others). That's why I'm so upset :|
 
whatever shit can be cracked
 
Damn, better stay with the N900 then; the N9005 is a no-go for now unless you don't care about warranty.
 
Punish Samsung. I will stop buying and I will sell my S4.
 
Good thing most third-party warranty services won't care. What annoys me is Samsung's decision to throw Knox in with consumer end-user firmware, I think this should only be enabled on enterprise and business phones, maybe BYOD for business. Maybe.
 
Any new information about resetting Knox?
 
There really isn't any news. I've asked around, but no answers yet. I'll be getting a Note 3 later today or tomorrow (not sure which exact model, whichever model is normal over here), and I'll CF-Auto-Root it, and see what it does to the KNOX flag (assuming it's present - I don't personally care about the warranty anyway). I have the KNOX flag on my S4 set to 1, but I did a lot of mucking about and did try to flash an older bootloader, so ...
 
I have untouched S4 with stock Samsung Touchwiz and I want to flash CWM and Google Edition S4 android (from i9505G). Will it set KNOX flag to 1?
 
After almost 5 years with my very first Android, an HTC Desire rooted and flashed a million times ;) .. I just upgraded to the SGS 4 i9505 (XXUDMH6) __ any link to learn how to root the device please?
 
You have everything on XDA developers :)
 
I know, currently a recognized themer with a few thousand posts, hundreds of themes, WhatsApp mods, thousands of thanks, etc... any link would be much appreciated.
 
I did read a lot over the last two days and I already knew about Chainfire's magic on Android since the Galaxy S :)
That's why I feel safe to ask here!
 
Just to follow up on my earlier message, simply flashing a custom recovery on the Note3 sets the knox warranty void to 0x1
 
Just to check, will I get KNOX after the latest Android update? What if I don't have that update yet, install a custom ROM, and sometime when I need warranty flash the stock ROM and reset everything? Is that possible? How can I check if I have KNOX?
 
What I would like to understand is if having a GN2 like myself and updating when available Android 4.3 will I be having the same problems like knox and sim locking as the GN3? 
 
The 4.3 for the GN2 will also have the new bootloader, with SELinux no longer permissive.
Maybe there will be the update in Download Mode with the new Knox warranty void flag, because I don't think Samsung will remove that only for some older models.
 
Thanks for the info Kevin, as I thought. I will definitely remain on 4.1.2. To think I will have to look for an alternative of the GN3 doesn't make me happy, but I will if this continues to be Samsung's policy 
 
Any news? About Knox 0x1 on the Galaxy S4 GT-i9505?
Thanks and regards
 
Simple question:
What happens if I'm on the old bootloader and flash the new MH8, for example, through Mobile Odin? (Mobile Odin doesn't flash the bootloader.) Can Chainfire or anyone answer this? I know it's not to do it so far.
 
If I unroot and use odin to restore to a stock firmware the knox warranty will be still void.

Ps: I just rooted my device I have never flashed a custom rom
 
Does the pre-release leaked 4.3 firmware for the I9505 have Knox installed?
 
oh please... i hope it is not triggered by an efuse... there must be a way to reset it. 
 
Hi i ran triangle away 3.10 and i still get the custom status on system settings, any suggestions? It would be greatly appreciated
 
+Antonio Valladares hi, did you try to flash a stock rom like i9505xxuemi8 ? It works for me but I still have knox status 0x1. 
 
Hi Chainfire, I just wanted to confirm that the new CF-Auto-Root for GT-I9505 is able to be flashed without bricking the device (currently on stock H8 ROM with locked boot loader)?  Because your CF-Auto-Root Repository mentions unlocking the boot loader?  But there is no script listed for the GT-I9505? Thanks in advance!
 
+Steve Weaver Not true. Last week my I9505 was unable to connect to my mobile network and after trying all (factory reset, installing another rom, etc) I ended sending it to the repair service. Of course I unrooted it and launched triangle away. Bottom line sometimes you need warranty.
 
+passaris konstantinos Thanks for your help. I know about efs and it seems that the folder was ok. I had my IMEI and things like bluetooth or wifi were working fine. Anyway my phone is now under repair and I hope to have it back soon but I'm afraid that with knox installed.
 
+Lyall Johnson in download mode, i do not see any sort of knox warranty status. I don't think my ROM is knox-enabled yet. 
 
Hi everyone. Do you know if old Galaxy devices (S2 & S3) have the Knox efuse inside? If yes, it is interesting to know why Samsung never talked about it?
 
I think that the KNOX technology may protect business data, but it does not prevent other systems from spying on the phone if there is any problem in the existing code; I remember the DEX problems with the Play Store (apps could get root or more permissions than allowed). I think, if I look at the public KNOX architecture, that this system still allows internal attacks against the phone itself, and the funny thing is, if these rumors about the efuse chip are true, it destroys the device after the attack. Funny funny. They are beginning to kick us all out of their (spy?) system. I like the S4, but there should be an option to refuse Knox for people who do not want this. Did you all notice that we users get all kicked out of our operating systems? It began with Vista on PC and now Knox on Android. We are losing control over our own machines that we bought. We have less rights over these things than we should have. Sorry 4 my engl
 
Finally signed loaders or so with CAs.. a final word about these.. there are a lot of examples for manipulated or stolen CAs that gave out faked valid certificates... an attacker with a valid CA may be able to upload something that no one wants... now the question may be... who could do that... we all know...
 
Please find a solution to the I9505 Knox, appears to me (0x1)  , i need 0x0 .  Thanks
 
we should in fact have the option for refusing knox and selinux I'd say.

HTC is no option here for a similar phone for me. I want to have a removable battery and removable extra storage.

I disabled Knox with pm disable com.sec.knox.seandroid
but every data restore f*cked up the SELinux context that I then had to fix every time. So I left stock TouchWiz in favor of CM 10.2.
 
So GMD Stylus Control is SOL right along with me. Lovely.

As a mom, I say fuck 'em. I can be responsible for my own phone, and I can pay $10/mo for insurance so I can toast my phone (under a car tire works well). I need both root and a stylus, and that's what they led me to believe I was buying. If something I know should be warrantied goes bad, like Sammy USB ports do, then am I wrong for finding a way to hold them culpable for it?
 
This doesn't stop me from flashing custom roms because i never cared about warranty.. 
 
OK. I got it. The eFuse can be irreversible and a one-way switch. But what about the software that checks for Knox's 0x0 and 0x1? That is crackable. Some of us just have to find the right part of the software parameter that returns the value of Knox.
 
aah... crap... I just spent hours trying to get CM on my i9505 here in Norway. Now I get to this thread, and yes I am 0x1... hoping for +Chainfire to figure this out, will at least donate 2x favorite beverages. Been using all the Galaxys, from 1 to 4, but now it seems I gotta go with something without Fort Knox. dammit!
 
+Chainfire. Dude. Forget about the eFuse for a moment... Do you think that some time in the future people like me who accidentally upgraded to 4.3 can find a way to downgrade? Since recovering my phone from a failed flash, Kies nicely decided to flash its latest firmware onto the phone. This really does piss me off.
 
My phone is flag 0x1 . Do you think that in the future it will go fix? :/
 
Personally I don't care about the flagged status.. i wonder will Samsung's approach make people rethink their future purchases? I know I won't be buying another phone from Samsung.
 
I don't care either. However, for me a few things are mandatory, removable battery as well as micro sd card support. that rules out a few models and makes. Both knox and selinux may go for me.
 
Hi all,
Below is a good news shared by someone:

Today I went to the Samsung service center to fix my Note 3 SM-N9005 after I messed up with it.. no efs folder, no IMEI, bootloader flashed to MJ3 and the Knox was 0x1, actually warranty void..

The technician guy checked the Knox and told me the warranty is void but don't worry, I will fix it for free.

The surprising thing is that they fixed my mobile within 10 minutes.
After fixing it.. I checked and the Knox is back to 0x0, so they reset it!
The bootloader is back to MJ1, so they downgraded the bootloader!!
IMEI and serial no. never changed!!
And no hardware change at all.. so now, it's very clear the Knox trigger is a software trigger and can be reset again somehow.
 
+Nirav Parekh maybe the same way as with SIM cards. Blow a fuse, by entering wrong pincodes. And then be able to "reset" via PUK code until all fuses are blown.  (obviously to a maximum?)
 
I will also confirm that this is def a software thing and not hardware. This comes from Samsung themselves, who have stated they can reset it, but only at their service centre as I will not have the said software at home. But they can fix it; it only took 3 weeks to obtain this information from them.
 
any one have any idea about downgrade i9505 4.3 to 4.22?
tnx in advance
 
I haven't been able to downgrade the s4, but I did downgrade my note2 after the 4.3 update with the back to stock mc2, I swear this should work with the s4 somehow. I'm getting ready to sell my s4 on Craig's list, it just doesn't seem like there is any progress in breaking Knox, and it is really bogging down the system. I've benchmarked both the note2 and the s4 and the difference is the s4 takes twice as long to execute the test with a Knox bootloader
 
if i accepted the 4.3 ota on galaxy s3 and then rooted to set knox warranty void to 1 can i unroot it to accept the next update?
 
one guy says that he carried in his phone to samsung agent and they did reset it. Most likely it can be reset but it would take a lot of work.
 
Sorry for my English. I tried all I can and I find that the problem with Knox is aboot.mbn. I'm not a boot programmer but I know computer science, and I verified this file called aboot.mbn and it has Knox enabled. If any programmer can try to make an aboot.mbn that cancels or disables Knox, you've won the game and possibly reset the counter and downgrade.
 
well that is what the guy said. the samsung agents reset it for him. it can be reset. they have the software to do it. i wonder if one of the would leak that software?
 
I see..... Then we just have to wait for the leaked software. 
 
Is it possible to create a fake bootloader image so that knox status can be hidden?
 
Hmmmm....have to wait for the software leak. 
 
One doubt. On my N7100 the Knox status shows "1" only, it is not "0x1". Is this a glitch?
 
Well that's the one we're talking bout. 
 
hopefully not an efuse, i badly wish it's not an efuse xD maybe it's possible to just lock the efuse? or bypass it in some deep system edits xD (hopefully)
 
I heard that you have to pay 65.00 euros to reset it
 
Looks like a hacker competition is what Samsung started there... and it looks like they lose a lot of customers right now. Can we not just take Samsung to court for stealing our time like that?
 
Galaxy Tab 4 8.0 (SM-T330) Android version 4.4.2 KNOX Warranty Void 0x1 after owning the device for less than 2 weeks, when it was still under warranty for another 14 months. Followed a thread on XDA to achieve this. Why do people not remove dead threads that no longer work?