Typically, no, Samsung are one of the few manufacturers who consistently don't lock bootloaders. I've been flashing Samsung Android phones for over 10 years: https://github.com/Benjamin-Dobell/Heimdall
That said, they have locked bootloaders on some devices. Predominantly in the US market, I believe at the request of carriers. However, it's traditionally been the minority of devices.
What? Samsung is the most hostile of manufacturers in this regard. Unlocking the bootloader, installing another bootloader, or running a different kernel burns fuses permanently in the device and renders it unable to use their version of hardware-secured storage, aka "Knox."
Kiss some multimedia apps, payment apps, and enterprise security features goodbye...along with a bunch of random features like private mode in their browser.
Flashing an unsigned (or potentially differently signed) bootloader burns fuses. Sure. However, other manufacturers don't just burn fuses, you specifically need to apply for permission to flash your bootloader e.g. https://www.oneplus.com/support/answer/detail/op588
Samsung at least don't require personal details for you to take control of your device. Sure, you lose access to some multimedia, but don't blame Samsung for that, blame Widevine DRM certification. Knox goes out the window, but the entire point of Knox is to (try) guarantee a device isn't tampered with. At least you can remove it!
well, Miami and one plus requires you to provide phone number etc., so that seller and other people don't sell you malicious second hand phone or tampered phone. However, there are no fuses, so your phone will still be on warranty if you unroot it.
What does “tampered with” mean? Particularly in the context of a device you own?
I would consider a device tampered with if someone besides me (the owner) did something with it, without my authorization. But anything short of that is surely just me using the device. I mean, I have physical possession after all.
Signing images and requiring that the bootloader can't flash anything else is just vendor lock in / ceding your power as an end user. It doesn't make you more secure in any way since a bad actor will figure out a way to bypass making writes to the system partition.
Umm I remember ordering Chinese phones way back when (think android 4) with unlocked boot loaders - both had some random junk installed via custom ROM and you couldn't uninstall it.
Why would Samsung allow its proprietary 'Knox' to work with other bootloaded OS? They have every right to not support any other OS other than their own.
They aren't "not supporting any other OS", they're causing the hardware to damage itself to prevent that software from working.
It's like your laptop's motherboard detected you installed another OS in place of the OEM-provided Windows installation, and overvoltaged your NVidia GPU to burn it out. "We have every right to not support high-performance graphics on any other OS other than our own - if you want to install your own OS, you can still use the integrated Intel GPU".
Damaging the hardware is a bit of an overstatement. What people are calling fuses isn't really a fuse in the traditional sense. An eFuse usually is just write once memory. All the limiting features are implemented in software which reads out the state of this memory.
Correct me if I'm wrong, but once the eFuse is triggered (which, if it's write-only memory, still involves a physical change that could be interpreted as damage), it's effectively unfixable without replacing the whole motherboard, reflashing it with your original serial number, IMEI, etc. At least that's what I recall from reading about it - Samsung service can "reset" the Knox lock-out, but they do it by replacing the whole board.
In other words: there's no way for me to just take the phone to my workshop / local hackerspace, and fix it with a soldering iron. Even if I could source the right parts, it's going to be a PITA to make them work. I didn't investigate it further, but I assume that these days, cryptography is used for critical parts to attest each other as genuine (similar to what new iPhones do, which is why you can't just replace the "home" button if it breaks).
Additionally, since I haven't heard of people doing software workarounds, whatever in Knox is reading the state of the eFuse, cannot be trivially patched. I recall reading somewhere that triggering the eFuse somehow overwrites Knox itself - if that's correct, then they may not even be anything left to enable afterwards.
----
I'm going to concede here that my example was somewhat hyperbolic - burning a single eFuse isn't the same as overvolting the whole GPU. But only somewhat - the reasoning/intent behind the two cases is the same. Additionally, cryptography blurs the line between what's hardware damage and what's a software limitation. Take, for example, secure erasure of data: you can smash a hard drive with a sledgehammer and then microwave the remains to slag, but you can get the same result by keeping the data encrypted, and then... losing the keys.
This entire comment is irrelevant. The Knox fuse only matters if you're flashing the stock rom back. Only the stock rom actually cares about Knox. The custom roms all ignore the value from Knox or simply spoof it. In other words it's just punishing you for daring to flash a custom ROM.
If someone goes to the trouble of implementing an efuse, they will also implement the check in the hardware so it can't be bypassed. An easy example is optical drives with fixed numbers of region switches that refuse at the hardware level to read discs from the wrong region and also refuse at the hardware level to switch regions once all the fuses have been blown.
Knox is actually irrelevant as most custom roms just fake whatever value is needed to get certain apps going and it's really just Samsung pay I believe.
That's sorta the status-quo. But I'd fully support any legislation that mandates open bootloaders on all devices, definitely would help save the iPad from obscurity.
My experience is that Samsung devices are quite easy to root. There is that e-fuse thing that disable some features permanently, but to my knowledge, these are mostly intended for corporate devices and you can ignore them for personal use.
With Galaxy phones they are extremely hostile to unsigned flashes to the device. You essentially need to exploit a zero day in the stock rom to get temporary root and then while you have temporary root you flash a new recovery. And then you gotta make sure it doesn't flash the stock recovery back in the next boot by making sure your next reboot goes into the recovery. And then you can flash your custom ROM. I skipped some steps too.
After looking a bit into it, it looks like most US/Canada models have a locked bootloader. Other models, including mine (Europe) don't and it only needs booting into download mode using a key combination and flashing a custom recovery using Odin.
It doesn't matter anyway. Thanks to Google pushing remote attestation, all you can expect from a custom ROM is the actually important apps (like bank) no longer working.
I think you mean hardware attestation. And yes, it is the biggest problem I have. I can do without KNOX, but it is becoming harder to do without these locked down apps (ex: bank), and workarounds are harder to get by, no matter the manufacturer.
And of course forget about anything that isn't iOS or Android. I don't expect banks to support alternative OSes anytime soon.
I probably won't root my next phone, not worth the hassle for a daily driver.
What could be nice is if phones could run VMs, so you have your stock ROM with all your "important" apps, and a VM where you can run anything you want: hacked Android, Linux, maybe even a desktop OS. Modern phone hardware should be more than powerful enough to do that.
The only two apps that are affected by Knox is Samsung Pay and Samsung Health. And that is only an issue if you decide to flash the stock rom back on the device. If you use custom roms they typically have a workaround to get both of those apps working with the Knox fuse tripped.
The easiest daily driver to root is Sony and Google phones. You simply unlock the bootloader and flash. There's no nonsense to deal with.
Ability to root and sideloading are two different but similar issues on the topic of freedom.