Is it possible to prove a phone has never been rooted?

Skywalker
(@skywalker)
Active Member

Hi everybody,

I have a UFED logical extraction from a Samsung Galaxy Young II and I would like to prove the mobile has never been rooted.

Is it possible? Which files do I need to check?

Thanks everybody.

Posted : 19/02/2020 6:49 pm
Igor_Michailov
(@igor_michailov)
Senior Member

https://docs.samsungknox.com/knox-active-protection/learn-more-en.htm

Posted : 19/02/2020 6:54 pm
athulin
(@athulin)
Community Legend

> … and I would like to prove the mobile has never been rooted.
>
> Is it possible?

The word 'prove' is very strong. 'Strong indication' is much weaker. But 'proof' should not leave any doubts.

Consider that all this is software … and consider that software has bugs as well as undocumented features. I can't see how any half-decent forensic analyst could 'prove' what you want to prove without redefining the term in some way, or without major mental reservations.

Posted : 19/02/2020 9:14 pm
jaclaz
(@jaclaz)
Community Legend

> > … and I would like to prove the mobile has never been rooted.
> >
> > Is it possible?
>
> The word 'prove' is very strong. 'Strong indication' is much weaker. But 'proof' should not leave any doubts.
>
> Consider that all this is software … and consider that software has bugs as well as undocumented features. I can't see how any half-decent forensic analyst could 'prove' what you want to prove without redefining the term in some way, or without major mental reservations.

Yep, though in the specific case of Samsung, things are a bit more complex.

The Knox "Warranty bit" is pretty much hardware, according to Samsung:

https://support.samsungknox.com/hc/en-us/articles/115013562087-What-is-a-Knox-Warranty-Bit-and-how-is-it-triggered-

> If the Warranty Bit is tripped, the device displays Knox WARRANTY VOID 0x01.
>
> If that is the case, there is no way to revert the Warranty Bit and Knox won't work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.

Point is that they are lying.

As - at least for some devices - there are tools capable of resetting the "fuse", for example:
http://androidfact.com/about-samsungs-knox-counter/

So it only remains to know if a method exists for the specific phone, and there is of course no real way to prove that it doesn't exist.

But I wouldn't be surprised if someone used the official Samsung documentation as if it was the ultimate truth.

jaclaz

Posted : 20/02/2020 8:49 am
Skywalker
(@skywalker)
Active Member

> > > … and I would like to prove the mobile has never been rooted.
> > >
> > > Is it possible?
> >
> > The word 'prove' is very strong. 'Strong indication' is much weaker. But 'proof' should not leave any doubts.
> >
> > Consider that all this is software … and consider that software has bugs as well as undocumented features. I can't see how any half-decent forensic analyst could 'prove' what you want to prove without redefining the term in some way, or without major mental reservations.
>
> Yep, though in the specific case of Samsung, things are a bit more complex.
>
> The Knox "Warranty bit" is pretty much hardware, according to Samsung:
>
> https://support.samsungknox.com/hc/en-us/articles/115013562087-What-is-a-Knox-Warranty-Bit-and-how-is-it-triggered-
>
> > If the Warranty Bit is tripped, the device displays Knox WARRANTY VOID 0x01.
> >
> > If that is the case, there is no way to revert the Warranty Bit and Knox won't work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.
>
> Point is that they are lying.
>
> As - at least for some devices - there are tools capable of resetting the "fuse", for example:
> http://androidfact.com/about-samsungs-knox-counter/
>
> So it only remains to know if a method exists for the specific phone, and there is of course no real way to prove that it doesn't exist.
>
> But I wouldn't be surprised if someone used the official Samsung documentation as if it was the ultimate truth.
>
> jaclaz

Hi jaclaz,

How can I read the Knox bit? Is it possible to read the bit through a logical extraction?

Thanks!

Posted : 23/02/2020 8:14 pm
arcaine2
(@arcaine2)
Active Member

> Point is that they are lying.
>
> As - at least for some devices - there are tools capable of resetting the "fuse", for example:
> http://androidfact.com/about-samsungs-knox-counter/
>
> So it only remains to know if a method exists for the specific phone, and there is of course no real way to prove that it doesn't exist.

That's a strong word. TriangleAway was made to get rid of that exclamation mark triangle that showed up after running a custom recovery or custom boot. It existed before the Knox flag was introduced and, while it's possible it was able to trick the bootloader into showing 0x0 again, it was quickly patched on supported devices. Some of the devices listed on that page don't support Knox. It didn't work at all on the S4 and Note 3 as far as I know. For the S4 there was a way via ISP. Later models are not supported at all.

The Samsung Galaxy Young II mentioned in the first post doesn't even have this flag in the bootloader.

Posted : 23/02/2020 8:26 pm
jaclaz
(@jaclaz)
Community Legend

> That's a strong word.

You are referring to "lying"?

Not at all; as athulin stated, it is "prove" that is a strong word.

A simple statement of fact: if you have a device with the Knox bit tripped to 0x01 you know for a fact that it has been tripped (i.e. the device has surely been "fiddled with"[1]); if you have a device with the Knox bit showing as 0x00 it is very likely that it has not been touched, but you cannot state with absolute certainty that it was never fiddled with.

jaclaz

[1] though - in theory - you cannot totally exclude that a mad scientist created something making the bit look as 0x01 even if the device wasn't ever rooted, though there are objectively very few incentives/reasons to do that

Posted : 24/02/2020 9:23 am
droopy
(@droopy)
Active Member

It is complicated. The Samsung FUSE could change the number when rooted in download mode. If you see a 1, it seems the firmware was changed.

It is not a 100% solution, as old ones could trick this by software. But on new phones it works OK.

Posted : 24/02/2020 12:35 pm
Skywalker
(@skywalker)
Active Member

> > That's a strong word.
>
> You are referring to "lying"?
>
> Not at all; as athulin stated, it is "prove" that is a strong word.
>
> A simple statement of fact: if you have a device with the Knox bit tripped to 0x01 you know for a fact that it has been tripped (i.e. the device has surely been "fiddled with"[1]); if you have a device with the Knox bit showing as 0x00 it is very likely that it has not been touched, but you cannot state with absolute certainty that it was never fiddled with.
>
> jaclaz
>
> [1] though - in theory - you cannot totally exclude that a mad scientist created something making the bit look as 0x01 even if the device wasn't ever rooted, though there are objectively very few incentives/reasons to do that

How can I read the Knox bit (as well as whether the Young II has the bit)?

Thanks!!

Posted : 24/02/2020 11:28 pm
arcaine2
(@arcaine2)
Active Member

> How can I read the Knox bit (as well as whether the Young II has the bit)?

Boot into download mode, and there should be either a Warranty Void Flag or a Knox Warranty Void flag. It can be 0 or 0x0, or 1 or 0x1 if anything custom was booted at some point.

Posted : 01/03/2020 11:34 am
Skywalker
(@skywalker)
Active Member

> > How can I read the Knox bit (as well as whether the Young II has the bit)?
>
> Boot into download mode, and there should be either a Warranty Void Flag or a Knox Warranty Void flag. It can be 0 or 0x0, or 1 or 0x1 if anything custom was booted at some point.

Thanks!!

Posted : 05/03/2020 8:23 pm