1. Download our Official Android App: Forums for Android!

Root [Virgin Mobile] [GUIDE][Q&A] Myths and Truths About KNOX

Discussion in 'Android Devices' started by TheBritton, Dec 14, 2013.

  1. TheBritton

    TheBritton Resident Galaxy Cat
    Thread Starter
    Rank:
    None
    Points:
    323
    Posts:
    2,257
    Joined:
    Oct 9, 2011

    Oct 9, 2011
    2,257
    1,225
    323
    Male
    Radio DJ & Production Director, NWS Certified Skyw
    Amarillo, TX
    MYTHS AND TRUTHS ABOUT KNOX
    Important Things You Need To Know
    How Does Knox Affect Root Users?

    There has been inaccurate information circulating about Knox and how it affects us as root users.
    So I have compiled this Q&A and I will update it as questions and answers arise.
    CNexus at XDA has made a similar thread:
    [FAQ] KNOX and you - xda-developers


    Q: If I have KNOX can I root my device?

    • Yes, you can most certainly root your device. KNOX apps may prevent SuperSU from functioning properly but the KNOX bootloader does not prevent one from gaining root access.
    Q: If I have KNOX can I install a custom recovery?

    • Yes. You may install a custom recovery with Odin. Doing so will trip the KNOX flag. The custom recovery can also be used to flash SuperSU or Superuser to gain root access or to install custom roms, kernels, and modems.
    Q: I've heard that I can't downgrade my firmware once I have the KNOX bootloader. Is this true?

    • Yes and no. The only thing the KNOX firmware will not allow you to downgrade is the bootloader. You can install custom roms. You can even install stock roms based on earlier versions of Android as long as they do not include a bootloader. The best method to do this is through a flashable zip via custom recovery. You CANNOT install earlier firmware via Odin. Odin firmware packages contain everything including the bootloader so once you have the KNOX bootloader you may just want to stay away from Odin altogether except for custom recoveries.
    Q: If I have KNOX can I install custom kernels?

    • I asked this question when I first got "KNOXed up" and the answer is yes. Once again, all the KNOX bootloader cares about is itself meaning you can flash whatever you want to the device as long as it's not another bootloader and if you don't mind tripping the KNOX flag. You are free to flash roms, kernels, and modems. Bootloader DOES NOT EQUAL Android Build Number DOES NOT EQUAL Modem.
    Q: How do I know if I have the KNOX bootloader?

    • When you enter download mode, you will see something that looks like this:
    [​IMG]

    • In the above picture KNOX warranty is in tact as the flag is 0x0
    • A KNOX warrant void line says 0x1
    • If the KNOX warranty void line says 0x1 then you cannot use KNOX software as your device has been flagged as insecure. By this I mean that if your workplace / company supports bring your own device to work for corporate emails etc and they use KNOX to keep security your device will not allow this. You are still able to use future Samsung firmware releases with the KNOX flag 0x1.
    Q: I took an OTA Update and now I have been KNOXed Up! I have been upgraded to MK5. Can I rid myself of this infliction?

    Q: I have tripped the KNOX flag? What does that mean exactly?

    • Excellent question. This brings us to the known facts about KNOX and what it means.


    Known Facts About KNOX:

    • Upgrading to newer Samsung firmware MK5 will upgrade the bootloader to KNOX bootloader. this will give an additional 2 lines in download mode about KNOX status.
    • Not possible to downgrade to KNOX-disabled firmwares/bootloaders without tripping the KNOX flag (An attempt sets 0x1) (even though some people state, downgrade is possible when omitting the bootloader file in a firmware package: see http://forum.xda-developers.com/show....php?t=2444671, not confirmed)
    • Even if you flash a KNOX-enabled firmware via Odin (e.g. the latest fw) Knox will be set to 0x1
    • Flashing unsigned or modified images via Odin will set KNOX to 0x1
    • Once the KNOX flag gets set to 0x1 there is no way to set it back (that anyone has found yet anyway!) Samsung stated, resetting the flag is impossible
    • KNOX is mandatory and can not be completely removed
    • Warranty Void is no counter, it is a flag (0,1) it was never seen 0x2 or so
    • Mirroring all partitions from a clean 0x0-Device to a 0x1-Device via JTAG produces an unfunctional device (reversible by restoring the 0x1 partitions on the phone)
    • KNOX bootloader verifies signatures of kernels and recoveries. No custom ones possible without voiding the KNOX warranty
    • If the KNOX warranty void line says 0x1 then you cannot use KNOX software as your device has been flagged as insecure. By this I mean that if your workplace / company supports bring your own device to work for corporate emails etc and they use KNOX to keep security your device will not allow this. You are still able to use future Samsung firmware releases with the KNOX flag 0x1.
    • with the new KNOX bootloader root will work, however rooting will trip the KNOX flag
     

    Advertisement

  2. Jaay Dogg

    Jaay Dogg Android Expert
    Rank:
    None
    Points:
    93
    Posts:
    758
    Joined:
    Aug 27, 2011

    Ok so what the hell is the point of the knox bootloader other than just pissing us off ?
     
  3. TheBritton

    TheBritton Resident Galaxy Cat
    Thread Starter
    Rank:
    None
    Points:
    323
    Posts:
    2,257
    Joined:
    Oct 9, 2011

    Oct 9, 2011
    2,257
    1,225
    323
    Male
    Radio DJ & Production Director, NWS Certified Skyw
    Amarillo, TX
    It's a security feature. The Knox apps can be used for security in workplaces and government agencies etc.. knox allows users to bring and use their own device at such places.
     
  4. TheBritton

    TheBritton Resident Galaxy Cat
    Thread Starter
    Rank:
    None
    Points:
    323
    Posts:
    2,257
    Joined:
    Oct 9, 2011

    Oct 9, 2011
    2,257
    1,225
    323
    Male
    Radio DJ & Production Director, NWS Certified Skyw
    Amarillo, TX
  5. struckn

    struckn Android Expert
    VIP Member
    Rank:
    None
    Points:
    213
    Posts:
    1,621
    Joined:
    Oct 9, 2012

    Oct 9, 2012
    1,621
    975
    213
    Male
    Colorado
    In case it isn't clear from the OP:

    Bootloader DOES NOT EQUAL Android Build Number DOES NOT EQUAL Modem

    This seems to be where most of the confusion comes from, along with flashing from recovery versus pushing via Odin. Thank God you made this thread Britton. I can just link to here from now on instead of typing the same reply over and over. While I don't mind providing answers instead of "look it up" responses, this one was definitely overdue.
     
    Mikestony and TheBritton like this.
  6. EricH4753

    EricH4753 Android Enthusiast
    Rank:
    None
    Points:
    68
    Posts:
    623
    Joined:
    Jun 24, 2012

    Jun 24, 2012
    623
    25
    68
    Male
    Unemployed
    Wheeling, WV
    Picture needs readded under "how do I know if I have the knoz bootloader
     
    TheBritton likes this.
  7. TheBritton

    TheBritton Resident Galaxy Cat
    Thread Starter
    Rank:
    None
    Points:
    323
    Posts:
    2,257
    Joined:
    Oct 9, 2011

    Oct 9, 2011
    2,257
    1,225
    323
    Male
    Radio DJ & Production Director, NWS Certified Skyw
    Amarillo, TX
    Thanks, I'll be updating this afternoon
     
  8. TheBritton

    TheBritton Resident Galaxy Cat
    Thread Starter
    Rank:
    None
    Points:
    323
    Posts:
    2,257
    Joined:
    Oct 9, 2011

    Oct 9, 2011
    2,257
    1,225
    323
    Male
    Radio DJ & Production Director, NWS Certified Skyw
    Amarillo, TX
    Strange, I can see that picture perfectly fine from the computer but it is "broken" on Tapatalk.
    I'll re-upload it and host it somewhere else.
     
  9. struckn

    struckn Android Expert
    VIP Member
    Rank:
    None
    Points:
    213
    Posts:
    1,621
    Joined:
    Oct 9, 2012

    Oct 9, 2012
    1,621
    975
    213
    Male
    Colorado
    Not showing on my computer either.
     
  10. TheBritton

    TheBritton Resident Galaxy Cat
    Thread Starter
    Rank:
    None
    Points:
    323
    Posts:
    2,257
    Joined:
    Oct 9, 2011

    Oct 9, 2011
    2,257
    1,225
    323
    Male
    Radio DJ & Production Director, NWS Certified Skyw
    Amarillo, TX
    I've re-uploaded using Tapatalk as the hosting server. See if that works better :)
     
  11. struckn

    struckn Android Expert
    VIP Member
    Rank:
    None
    Points:
    213
    Posts:
    1,621
    Joined:
    Oct 9, 2012

    Oct 9, 2012
    1,621
    975
    213
    Male
    Colorado
    Working! Good job.
     
  12. deviation56

    deviation56 Newbie
    Rank:
    None
    Points:
    16
    Posts:
    15
    Joined:
    Sep 3, 2013

    Sep 3, 2013
    15
    9
    16
    May want to add that it is possible to repair a hardbricked, KNOx'ed up SGS3, but as of right now it appears the *only* way to do that is via JTAG Riff Box.
     
    struckn likes this.
  13. struckn

    struckn Android Expert
    VIP Member
    Rank:
    None
    Points:
    213
    Posts:
    1,621
    Joined:
    Oct 9, 2012

    Oct 9, 2012
    1,621
    975
    213
    Male
    Colorado
    Yeah, a lot of the Knox info implies that using Odin to push the official Knox boot loader ROM back onto the phone is supposed to work, but it seems like nobody who has bricked this way can even get into download mode! Conversely, all the assumptions were that JTAG wouldn't work, but now we know it does, go figure!
     
  14. deviation56

    deviation56 Newbie
    Rank:
    None
    Points:
    16
    Posts:
    15
    Joined:
    Sep 3, 2013

    Sep 3, 2013
    15
    9
    16
    Yeah agreed- I meant to highlight "as of right now" not "only" but had an epic typing failure lol
     
    struckn likes this.
  15. ASJ80

    ASJ80 Newbie
    Rank:
    None
    Points:
    18
    Posts:
    47
    Joined:
    Jul 31, 2012

    Jul 31, 2012
    47
    11
    18
    So does Knox actually modify something on the hardware since mirroring all partitions from a 0x0 device leaves it bricked?

    I wish I had a spare knoxed S3 to play with, but I'm not going to spend $300 to get one. I'm definitely not going to let my current phone get infected with Knox.

    I have some ideas and
    I would love to attempt downgrading the bootloader though, although I'm sure I'd just end up with a bricked phone if I did try since people a lot smarter than me can't do it.

    Edit: Also I don't see how Knox is supposed to secure anything if devices can just have the Knox apps removed and rooted and get access to the whole system anyway. Can someone explain
     
  16. ASJ80

    ASJ80 Newbie
    Rank:
    None
    Points:
    18
    Posts:
    47
    Joined:
    Jul 31, 2012

    Jul 31, 2012
    47
    11
    18
    I've been doing a lot of reading over the past few days. So anyway I might as well post my ideas about removing the Knox bootloader since I'll probably never get to attempt it myself.

    Note: THESE ARE JUST IDEAS AND NOTHING I'M SAYING IS CONFIRMED TO WORK! IF YOU TRY THIS AND BRICK YOUR DEVICE, DON'T BLAME ME!

    With that said, here are the steps I'm envisioning that probably won't even work.
    1. Make sure the Knox efuse is not yet tripped, otherwise this has no chance of working.
    2. Create a debrick sdcard from an MG2 device (instructions for this can be found in other forums)
    3. Place the debrick sdcard into a Knoxed device.
    4. Use a usb jig to power the device into download mode. (Again, instructions for this can be found elsewhere with a Google search)
    5. Make sure the download mode screen makes no mention of Knox or warranty bit or whatever the download mode of a Knoxed device shows. This means download mode booted from the sd card and doesn't contain the code for blowing the efuse.
    6. Use Odin to flash an MG2 boot image.

    Again there is probably something I've overlooked that will cause this not to work, otherwise, I'm sure someone would have already tried it.
     
  17. jchammerpants

    jchammerpants Lurker
    Rank:
    None
    Points:
    5
    Posts:
    2
    Joined:
    Aug 12, 2013

    Aug 12, 2013
    2
    0
    5
    Hey, gurus. Thanks for all the insights. I just purchased a VM S3, and have been reading about my rooting options.

    My phone is on MK5 4.3, and if I look under "Device Administrators" in the menu I see Knox (although it is not enabled).

    But when I compare my download screen to the one in this thread, it makes no mention of KNOX. Does that mean that my phone doesn't have the KNOX bootloader?

    This is everything my download screen displays:

    ODIN MODE
    PRODUCT NAME: SPH-L710
    CUSTOM BINARY DOWNLOAD: No
    CURRENT BINARY: Samsung Official
    SYSTEM STATUS: Official
    QUALCOM SECUREBOOT: ENABLE
    Warranty Bit: 0
    BOOTLOADER RP SWREV: 1


    Thanks again for all the help!
    JCHammerPants
     
  18. upconvert

    upconvert Well-Known Member
    Rank:
    None
    Points:
    73
    Posts:
    231
    Joined:
    Sep 11, 2013

    Sep 11, 2013
    231
    89
    73
    I believe the fact that it says "Warranty bit" means that you have knox, and the fact that it is zero means you haven't tripped it. Someone correct me if I am wrong.
     
    jchammerpants likes this.
  19. jdsingle76

    jdsingle76 Android Enthusiast
    Rank:
    None
    Points:
    158
    Posts:
    483
    Joined:
    Dec 19, 2012

    Dec 19, 2012
    483
    544
    158
    Male
    USMC
    TN
    Your are correct. It'll change to 1 once you trip it.
     
  20. PlumBlossom13

    PlumBlossom13 Lurker
    Rank:
    None
    Points:
    5
    Posts:
    1
    Joined:
    Jul 5, 2014

    Jul 5, 2014
    1
    0
    5
    is knox used to prevent us from doing something? or is it a tracker app? does it peel info about your rom to who ever has that ability? to google? a hacker? something to block third party aps? why cant we choose to have it or not? what happens if you trip knox?
     
  21. christophocles

    Rank:
    None
    Points:
    5
    Posts:
    1
    Joined:
    Aug 30, 2011

    Aug 30, 2011
    1
    0
    5
    I don't care about the warranty. If I root and install custom recovery/rom/kernel, will it brick the phone? Or just trip this counter and void my warranty?
     
  22. Tokens210

    Tokens210 Android Expert
    Rank:
    None
    Points:
    93
    Posts:
    849
    Joined:
    Apr 3, 2012

    Apr 3, 2012
    849
    182
    93
    Male
    General Contractor
    Clifton Heights, PA (Just Outside Philadelphia)
    @Plumblossom- knox is a security program, was originally created if I recall correctly to enable ppl working for governments and other high security jobs to be able to use their phones for home and buissness instead of having a cell phone for each, but Knox doesn't work, reports online of folks getting spam thru Knox secure apps, issue is once installed it cannot be removed or altered or its designed to make the phone brick to an unrecoverable state

    @chris- as long as you follow directions to the T and ask questions and all that then your device should be fine, but there is always a chance to brick a device when installing/using custom Roms
     
  23. bads3ctor

    bads3ctor Well-Known Member
    Rank:
    None
    Points:
    108
    Posts:
    193
    Joined:
    Mar 3, 2012

    Mar 3, 2012
    193
    314
    108
    /dev/null
    This part is not true. I have flashed the stock Lollipop rom using Odin to my Galaxy S5 and my Knox flag is still 0x0. Might be true for the S3 but not for the S5.
     
    TheBritton likes this.
  24. mike lathrop

    mike lathrop Lurker
    Rank:
    None
    Points:
    15
    Posts:
    1
    Joined:
    Apr 11, 2015

    Apr 11, 2015
    1
    0
    15
    I am new to this thread...but why do I have the knox app on my phone. I didn't ask for it. But now I get reminders that it is open in the notification bar. I didn't install it. I don't have a password or pin.

    How is this possible. How can I get rid of it? Help please.
     

Share This Page

Loading...