
Root [Boost Mobile] [GUIDE][Q&A] Myths and Truths About KNOX

TheBritton

Resident Galaxy Cat
Oct 9, 2011
MYTHS AND TRUTHS ABOUT KNOX
Important Things You Need To Know
How Does Knox Affect Root Users?

There has been inaccurate information circulating about Knox and how it affects us as root users.
So I have compiled this Q&A and I will update it as questions and answers arise.
CNexus at XDA has made a similar thread:
[FAQ] KNOX and you - xda-developers


Q: If I have KNOX can I root my device?

  • Yes, you can most certainly root your device. KNOX apps may prevent SuperSU from functioning properly but the KNOX bootloader does not prevent one from gaining root access.
Q: If I have KNOX can I install a custom recovery?

  • Yes. You may install a custom recovery with Odin. Doing so will trip the KNOX flag. The custom recovery can also be used to flash SuperSU or Superuser to gain root access or to install custom roms, kernels, and modems.
Q: I've heard that I can't downgrade my firmware once I have the KNOX bootloader. Is this true?

  • Yes and no. The only thing the KNOX firmware will not allow you to downgrade is the bootloader. You can install custom roms. You can even install stock roms based on earlier versions of Android as long as they do not include a bootloader. The best method to do this is through a flashable zip via custom recovery. You CANNOT install earlier firmware via Odin. Odin firmware packages contain everything including the bootloader so once you have the KNOX bootloader you may just want to stay away from Odin altogether except for custom recoveries.
Q: If I have KNOX can I install custom kernels?

  • I asked this question when I first got "KNOXed up" and the answer is yes. Once again, all the KNOX bootloader cares about is itself meaning you can flash whatever you want to the device as long as it's not another bootloader and if you don't mind tripping the KNOX flag. You are free to flash roms, kernels, and modems. Bootloader DOES NOT EQUAL Android Build Number DOES NOT EQUAL Modem.
Q: How do I know if I have the KNOX bootloader?

  • When you enter download mode, you will see something that looks like this:
[Image: 8agamyru.jpg, download mode screen]


  • In the above picture, the KNOX warranty is intact, as the flag is 0x0.
  • A KNOX warranty void line says 0x1.
  • If the KNOX warranty void line says 0x1, then you cannot use KNOX software, as your device has been flagged as insecure. By this I mean that if your workplace / company supports bring your own device to work for corporate emails etc., and they use KNOX to keep security, your device will not allow this. You are still able to use future Samsung firmware releases with the KNOX flag 0x1.
Q: I took an OTA Update and now I have been KNOXed Up! I have been upgraded to MK5. Can I rid myself of this infliction?

Q: I have tripped the KNOX flag? What does that mean exactly?

  • Excellent question. This brings us to the known facts about KNOX and what it means.


Known Facts About KNOX:

  • Upgrading to newer Samsung firmware MK5 will upgrade the bootloader to the KNOX bootloader. This will give an additional 2 lines in download mode about KNOX status.
  • Not possible to downgrade to KNOX-disabled firmwares/bootloaders without tripping the KNOX flag (An attempt sets 0x1) (even though some people state, downgrade is possible when omitting the bootloader file in a firmware package: see http://forum.xda-developers.com/show....php?t=2444671, not confirmed)
  • Even if you flash a KNOX-enabled firmware via Odin (e.g. the latest fw) Knox will be set to 0x1
  • Flashing unsigned or modified images via Odin will set KNOX to 0x1
  • Once the KNOX flag gets set to 0x1, there is no way to set it back (that anyone has found yet anyway!). Samsung stated that resetting the flag is impossible.
  • KNOX is mandatory and cannot be completely removed.
  • Warranty Void is not a counter, it is a flag (0, 1); it has never been seen at 0x2 or so.
  • Mirroring all partitions from a clean 0x0 device to a 0x1 device via JTAG produces a nonfunctional device (reversible by restoring the 0x1 partitions on the phone).
  • KNOX bootloader verifies signatures of kernels and recoveries. No custom ones possible without voiding the KNOX warranty
  • If the KNOX warranty void line says 0x1, then you cannot use KNOX software, as your device has been flagged as insecure. By this I mean that if your workplace / company supports bring your own device to work for corporate emails etc., and they use KNOX to keep security, your device will not allow this. You are still able to use future Samsung firmware releases with the KNOX flag 0x1.
  • With the new KNOX bootloader, root will work; however, rooting will trip the KNOX flag.
 
Would also like to add that one of the driving factors behind Knox is the desire by Samsung to land some juicy government contracts. They are almost desperate to prove that their devices, in conjunction with their firmware, are secure enough for use by the military and some of the top defense contractors who have a BYOD policy. Unfortunately, this is occurring at the expense of all users, in my opinion. If an employer needs this level of security, then they can deal with Samsung directly in terms of getting their employees and their devices on board. Leave the rest of us the hell alone. This is also where the "you will be forced to pay extra on your plan with Knox included" myth comes from. There is a paid feature that allows Knox to truly operate the way Samsung intended, available to those companies who wish to pay for it; not, repeat not, a cost that the regular consumer will ever see.
 

Bro, I could not have said it better myself! Let them deal with Samsung directly. Why on God's green earth would they want to put something out there that the military may be interested in, only to have it cracked and bashed by the brilliant minds who do this sort of thing as a hobby? It would be quite embarrassing IMO. Wouldn't you think? ;) You can bet your bottom dollar they will slice and dice up Knox given enough time. Why in the world would they put something like that out to the open public only to have it busted wide open? The only reason I can think of is to help improve it. Let the people find and exploit the security issues for free instead of paying top dollar to have a private firm do it. Hmmm, now that's making sense now that you've got my gears turning. ;) They would actually be saving millions by letting the Devs find its flaws for free. Oh yes indeedy.... makes sense to me.

What are your thoughts?
 
That is such a good point, I hadn't thought about it from that angle. They may claim it is invincible once tripped all they want as well, but since it was made by man it can be defeated by man as well. There is no such thing as 100% irreversible, short of taking a baseball bat to the phone.

Edit: Another thought as well, they aren't even on the hook financially for all the users who are going to ruin a phone they spent several hundred dollars on. Not chump change by any means; as adventurous as I tend to be with flashing stuff on my phone, I can't just haul my butt off to the store tomorrow and buy a second one like it's no big deal. Ultimately a win/win for Samsung as long as enough users remain ignorant to what is happening in the rooted community.
 
