Last updated: 10 Dec:
WARNING... if you are rooted or thinking of rooting the latest Android 4.3 firmware on the Galaxy S4
, in their infinite wisdom, have released the latest Galaxy S4 stock firmwares, including Android 4.2.2
onwards, see #1.8
, for the International, and all future firmwares such as Android 4.3
with locked bootloaders
and Knox security
flag which are a prerequisite for installing the optional, full, Knox Security app. The actual Knox app is downloaded from the Play Store via an icon on the phone, if required.
It is being rolled out across the board to all the latest devices, branded and unbranded, with the exception of the GT-i9505G
, Google Play Edition with stock Android firmware. It also comes installed on the latest Galaxy Note 3
and is being rolled out in new firmware updates for the Galaxy S3
and Note 2
as well as some tablets.
Their reasoning behind this is to plug security exploits and prevent devices with sensitive data (corporate, defence or government) from having their data compromised, hence the Knox security
. This is to comply with the security demands from these organisations IT departments for secure BYOD's and is not dissimilar from the Blackberry and Apple security protocols
. This means that the latest Samsung devices are now deemed acceptable for use where security is important and increases Samsung's market potential.
This obviously has implications for rooting and flashing custom ROM's. Unfortunately, once the bootloader is locked, reverting to an earlier firmware or nandroid backup is not possible and will not
unlock it or remove or reset the Knox flag and, as seen on the International, can render it unusable.
Flashing the latest Android firmwares will overwrite your system files and kernel as well as locking the bootloader, if not already locked. If you are flashing this to an already rooted phone, it will un-root you and, currently, there is no way to re-root and flash a custom recovery or ROM without tripping the Knox flag and possibly, see #1.10
, voiding your warranty as well as rendering it unusable as a BYOD for organistaions that require an untouched Knox counter for security. It also means that if you have apps that rely on root, such as SuperSU, you will not be able to uninstall them. Therefore, if you are going to install a stock Samsung, Knox enabled firmware to a rooted phone, you should first fully un-root and uninstall any root associated apps prior to updating.
Taken from theq86's
post on xda
Originally Posted by theq86
Conclusions and Facts about KNOX-enabled firmwares (based on statements from chainfires post and it's comments above, and based on this thread)
Assumptions on how KNOX flag in bootloader works:
- Not possible to downgrade to KNOX-disabled firmwares/bootloaders (An attempt sets 0x1) (even though some people state, downgrade is possible when omitting the bootloader file in a firmware package: see Downgrade from last firmware with Knox warranty SOLVED!!!!! - xda-developers, not confirmed)
- Even if you flash a KNOX-enabled firmware via odin (e.g. the latest fw) knox will be set to 0x1
- Flashing unsigned or modified images via odin will set knox to 0x1
- Samsung stated, resetting the flag is impossible
- KNOX is mandatory and can not be completely removed
- Warranty Void is no counter, it is a flag (0,1) it was never seen 0x2 or so
- Mirroring all partitions from a clean 0x0-Device to a 0x1-Device via JTAG produces an unfunctional device (reversible by restoring the 0x1 partitions on the phone)
- KNOX bootloader verifies signatures of kernels and recoveries. No custom ones possible without voiding the knox warranty
Knox technical information:
- Some experts think, an eFuse is involved. (eFUSE - Wikipedia, the free encyclopedia). An eFuse is mostly only incremential. Even unwriteable by low level tools or JTAG. But it is still not proven, that eFuse is used.
In short... if you are on Knox Firmware then you are currently screwed for rooting, custom ROM's and recoveries as the Knox flag will be tripped and also, there is no possibility of going back to a pre Knox/unlocked bootloader firmware or nandroid backup as this will trip the Knox flag also.
If you are on Knox enabled firmware and wish to view your Knox counter status, go into Download Mode
and the Knox flag is shown in the list at the top left of the screen. If, "KNOX WARRANTY VOID:
", is showing as 0x0
then you have not tripped the Knox flag and your warranty is fine. If it is showing as 0x1
, your Knox flag is permanently blown and your warranty is void.
There is a ray of hope for those who wish to update to Android 4.3
and are rooted in that dev's for the International phones have released custom firmwares for Android 4.3
that do not
already have the locked bootloader and Knox Security. However, these are only available to those that do not
already have Knox firmware installed. So, if you want to carry on rooting or root your phone in future, then do not
update to the Knox enabled Android 4.3
as it is a one way street.
#1.6. Root de la Vega
claims that it can root Knox enabled devices but does not mention custom recovery or custom ROM flashing. Use at your own risk. There are also reorts that Voodoo's, OTA RootKeeper
, has kept root on phones that are rooted and have updated OTA. Although it is not supporting 4.3 officially and may not work on the new 4.4, KitKat, release. Potentially leaving you with a rooted phone that you, "may", not be able to update without blowing the Knox flag.
The following article by Galen Gruman in Info World, lifts the lid on the new Knox security feature and goes into a lot more detail regarding its future use, (oh yes, there's more to come), on phones and tablets and why some carriers may not even implement it fully... The truth about Samsung Knox for Android security
The higher-level security technology for select Android devices isn't really available yet, despite the hype
Samsung releases are categorised as follows:-
= year = 2013 (13th letter of alphabet)
= Month of year (May in this case, 5th letter of the alphabet)
= Release of that month (10th for, "A", as they start 1-9 first, before letters)
is pre MGG
, (2013, July, 16th release), and is before Knox. Only stock
Samsung firmwares MGG
onwards, (with the exception of MH1
), have Knox.
To locate your firmware version... type *#1234#
into the dial pad and look at the last 3 letters/numbers of AP:
Here are some useful links to explain Knox...
What is Samsung Knox?
(Comes with a short, simple, self explanatory video)
Samsung Knox User Manual/Guide
There appears to be some confusion as to whether tripping the Knox flag to 0x1
does in fact void your warranty as there are conflicting reports and statements regarding this, as discussed in this xda forum
Let's find out if KNOX flag 0:1 does void the phone's warranty or not
It would seem that some posters in various locations have received warranty repairs even though their Knox flags were 0x1
. However, in other posts, Samsung declare that warranty is void in such circumstances. For instance, the USA, here
, and UK, here
, whilst other posts seem to contradict this here
There is a bounty being offered for any developer who can successfully reset a tripped Knox flag to 0x0
, see #1.4
. See thread, here
. This currently stands at... US$2,282