[Virgin Mobile] [GUIDE][Q&A] Myths and Truths About KNOX

Discussion in 'Android Devices' started by TheBritton, Dec 14, 2013.

  TheBritton

    TheBritton Resident Galaxy Cat
    

    Important Things You Need To Know
    How Does Knox Affect Root Users?

    There has been inaccurate information circulating about Knox and how it affects us as root users.
    So I have compiled this Q&A and I will update it as questions and answers arise.
    CNexus at XDA has made a similar thread:
    [FAQ] KNOX and you - xda-developers

    Q: If I have KNOX can I root my device?

    • Yes, you can most certainly root your device. KNOX apps may prevent SuperSU from functioning properly but the KNOX bootloader does not prevent one from gaining root access.
    Q: If I have KNOX can I install a custom recovery?

    • Yes. You may install a custom recovery with Odin. Doing so will trip the KNOX flag. The custom recovery can also be used to flash SuperSU or Superuser to gain root access or to install custom roms, kernels, and modems.
    Q: I've heard that I can't downgrade my firmware once I have the KNOX bootloader. Is this true?

    • Yes and no. The only thing the KNOX firmware will not allow you to downgrade is the bootloader. You can install custom roms. You can even install stock roms based on earlier versions of Android as long as they do not include a bootloader. The best method to do this is through a flashable zip via custom recovery. You CANNOT install earlier firmware via Odin. Odin firmware packages contain everything including the bootloader so once you have the KNOX bootloader you may just want to stay away from Odin altogether except for custom recoveries.
    Q: If I have KNOX can I install custom kernels?

    • I asked this question when I first got "KNOXed up" and the answer is yes. Once again, all the KNOX bootloader cares about is itself, meaning you can flash whatever you want to the device as long as it's not another bootloader and you don't mind tripping the KNOX flag. You are free to flash roms, kernels, and modems. Bootloader DOES NOT EQUAL Android Build Number DOES NOT EQUAL Modem.
    Q: How do I know if I have the KNOX bootloader?

    • When you enter download mode, you will see something that looks like this:

    • In the above picture, the KNOX warranty is intact, as the flag is 0x0.
    • A KNOX warranty void line says 0x1.
    • If the KNOX warranty void line says 0x1, then you cannot use KNOX software, as your device has been flagged as insecure. By this I mean that if your workplace / company supports bring your own device to work for corporate emails etc. and they use KNOX to keep security, your device will not allow this. You are still able to use future Samsung firmware releases with the KNOX flag 0x1.
    Q: I took an OTA Update and now I have been KNOXed Up! I have been upgraded to MK5. Can I rid myself of this infliction?

    Q: I have tripped the KNOX flag? What does that mean exactly?

    • Excellent question. This brings us to the known facts about KNOX and what it means.

    Known Facts About KNOX:

    • Upgrading to newer Samsung firmware MK5 will upgrade the bootloader to the KNOX bootloader. This will give an additional 2 lines in download mode about KNOX status.
    • Not possible to downgrade to KNOX-disabled firmwares/bootloaders without tripping the KNOX flag (An attempt sets 0x1) (even though some people state, downgrade is possible when omitting the bootloader file in a firmware package: see http://forum.xda-developers.com/show....php?t=2444671, not confirmed)
    • Even if you flash a KNOX-enabled firmware via Odin (e.g. the latest fw) Knox will be set to 0x1
    • Flashing unsigned or modified images via Odin will set KNOX to 0x1
    • Once the KNOX flag gets set to 0x1, there is no way to set it back (that anyone has found yet anyway!). Samsung stated that resetting the flag is impossible.
    • KNOX is mandatory and cannot be completely removed.
    • Warranty Void is not a counter; it is a flag (0, 1). It was never seen at 0x2 or so.
    • Mirroring all partitions from a clean 0x0 device to a 0x1 device via JTAG produces a non-functional device (reversible by restoring the 0x1 partitions on the phone).
    • KNOX bootloader verifies signatures of kernels and recoveries. No custom ones possible without voiding the KNOX warranty
    • If the KNOX warranty void line says 0x1, then you cannot use KNOX software, as your device has been flagged as insecure. By this I mean that if your workplace / company supports bring your own device to work for corporate emails etc. and they use KNOX to keep security, your device will not allow this. You are still able to use future Samsung firmware releases with the KNOX flag 0x1.
    • With the new KNOX bootloader, root will work; however, rooting will trip the KNOX flag.

  2. Jaay Dogg

    Jaay Dogg Android Expert

    Ok, so what the hell is the point of the Knox bootloader other than just pissing us off?
  TheBritton

    
    

    It's a security feature. The Knox apps can be used for security in workplaces, government agencies, etc. Knox allows users to bring and use their own device at such places.
  struckn

    struckn Android Expert
    VIP Member

    In case it isn't clear from the OP:

    Bootloader DOES NOT EQUAL Android Build Number DOES NOT EQUAL Modem

    This seems to be where most of the confusion comes from, along with flashing from recovery versus pushing via Odin. Thank God you made this thread Britton. I can just link to here from now on instead of typing the same reply over and over. While I don't mind providing answers instead of "look it up" responses, this one was definitely overdue.
    Mikestony and TheBritton like this.
  5. Deleted User

    Deleted User Guest

    Picture needs to be re-added under "How do I know if I have the KNOX bootloader".
    TheBritton likes this.
  TheBritton

    
    

    Thanks, I'll be updating this afternoon
  TheBritton

    
    

    Strange, I can see that picture perfectly fine from the computer but it is "broken" on Tapatalk.
    I'll re-upload it and host it somewhere else.
  struckn

    
    

    Not showing on my computer either.
  TheBritton

    
    

    I've re-uploaded using Tapatalk as the hosting server. See if that works better :)
  struckn

    
    

    Working! Good job.
  11. deviation56

    deviation56 Newbie

    May want to add that it is possible to repair a hardbricked, KNOX'ed up SGS3, but as of right now it appears the *only* way to do that is via JTAG Riff Box.
    struckn likes this.
  struckn

    
    

    Yeah, a lot of the Knox info implies that using Odin to push the official Knox boot loader ROM back onto the phone is supposed to work, but it seems like nobody who has bricked this way can even get into download mode! Conversely, all the assumptions were that JTAG wouldn't work, but now we know it does, go figure!
  13. deviation56

    deviation56 Newbie

    Yeah agreed- I meant to highlight "as of right now" not "only" but had an epic typing failure lol
    struckn likes this.
  14. ASJ80

    ASJ80 Newbie

    So does Knox actually modify something on the hardware since mirroring all partitions from a 0x0 device leaves it bricked?

    I wish I had a spare knoxed S3 to play with, but I'm not going to spend $300 to get one. I'm definitely not going to let my current phone get infected with Knox.

    I have some ideas and I would love to attempt downgrading the bootloader though, although I'm sure I'd just end up with a bricked phone if I did try since people a lot smarter than me can't do it.

    Edit: Also, I don't see how Knox is supposed to secure anything if devices can just have the Knox apps removed and rooted and get access to the whole system anyway. Can someone explain?
  15. ASJ80

    ASJ80 Newbie

    I've been doing a lot of reading over the past few days. So anyway I might as well post my ideas about removing the Knox bootloader since I'll probably never get to attempt it myself.


    With that said, here are the steps I'm envisioning that probably won't even work.
    1. Make sure the Knox efuse is not yet tripped, otherwise this has no chance of working.
    2. Create a debrick sdcard from an MG2 device (instructions for this can be found in other forums)
    3. Place the debrick sdcard into a Knoxed device.
    4. Use a usb jig to power the device into download mode. (Again, instructions for this can be found elsewhere with a Google search)
    5. Make sure the download mode screen makes no mention of Knox or warranty bit or whatever the download mode of a Knoxed device shows. This means download mode booted from the sd card and doesn't contain the code for blowing the efuse.
    6. Use Odin to flash an MG2 boot image.

    Again there is probably something I've overlooked that will cause this not to work, otherwise, I'm sure someone would have already tried it.
  16. jchammerpants

    jchammerpants Lurker

    Hey, gurus. Thanks for all the insights. I just purchased a VM S3, and have been reading about my rooting options.

    My phone is on MK5 4.3, and if I look under "Device Administrators" in the menu I see Knox (although it is not enabled).

    But when I compare my download screen to the one in this thread, it makes no mention of KNOX. Does that mean that my phone doesn't have the KNOX bootloader?

    This is everything my download screen displays:

    CURRENT BINARY: Samsung Official
    SYSTEM STATUS: Official
    Warranty Bit: 0

    Thanks again for all the help!
  17. upconvert

    upconvert Well-Known Member

    I believe the fact that it says "Warranty bit" means that you have knox, and the fact that it is zero means you haven't tripped it. Someone correct me if I am wrong.
    jchammerpants likes this.
  18. jdsingle76

    jdsingle76 Android Enthusiast

    You are correct. It'll change to 1 once you trip it.
  19. PlumBlossom13

    PlumBlossom13 Lurker

    Is Knox used to prevent us from doing something? Or is it a tracker app? Does it peel info about your ROM to whoever has that ability? To Google? A hacker? Something to block third-party apps? Why can't we choose to have it or not? What happens if you trip Knox?
  20. I don't care about the warranty. If I root and install custom recovery/rom/kernel, will it brick the phone? Or just trip this counter and void my warranty?
  21. Tokens210

    Tokens210 Android Expert

    @Plumblossom - Knox is a security program. It was originally created, if I recall correctly, to enable people working for governments and other high-security jobs to be able to use their phones for home and business instead of having a cell phone for each. But Knox doesn't work; there are reports online of folks getting spam through Knox secure apps. The issue is that once installed it cannot be removed or altered, or it's designed to make the phone brick to an unrecoverable state.

    @chris- as long as you follow directions to the T and ask questions and all that then your device should be fine, but there is always a chance to brick a device when installing/using custom Roms
  22. bads3ctor

    bads3ctor Well-Known Member

    This part is not true. I have flashed the stock Lollipop rom using Odin to my Galaxy S5 and my Knox flag is still 0x0. Might be true for the S3 but not for the S5.
    TheBritton likes this.
  23. mike lathrop

    mike lathrop Lurker

    I am new to this thread... but why do I have the Knox app on my phone? I didn't ask for it. But now I get reminders that it is open in the notification bar. I didn't install it. I don't have a password or PIN.

    How is this possible? How can I get rid of it? Help please.

