Hello everybody,
I created a tool - initially for the nexus 9 (flounder|flounder_lte) - that gets rid of the ForceEncrypt flag in a generic way (meaning it should work no matter what rom you are on). It does that by patching the currently installed boot.img.
I enhanced that tool to make it work for nexus 6 (shamu) too.
Background
The Android CDD (Compatibility Definition Document) suggests that all devices SHOULD enable full disk-encryption (FDE) by default. Even though I support every step towards more security I have to criticize this approach. FDE comes at a price. Encryption takes time because some component has to de- and encrypt the stuff on the disk at some point and in the case of the nexus 6 (aka shamu) it's the CPU's task. Even though the nexus 6's CPU has 4 quite fast cores you can still easily feel the difference between FDE in the on- or off-state. The I/O is faster and boot-times take only half as long. (I did not do any measurements)
There is an ongoing discussion about this topic in cyanogenmod's gerrit for the nexus 9. Although it's a fun read it is pretty clear that this exchange of views is not going anywhere near a useful outcome.
Because performance is important to me and my tablet does not need the extra security I created the FED-Patcher (ForceEncrypt Disable Patcher)
How does it work?
FED-Patcher is a simple flashable ZIP that is supposed to be run in a recovery that has busybox integrated (like TWRP or CWM). This is what it does:
Checks if your device is compatible
Dumps the currently installed boot.img.
Unpacks the dump of your currently installed boot.img. The unpacking process is done via a self-compiled, statically linked version of unmkbootimg.
It patches the filesystem tables which include the force-encrypt flags. This process will change "forceencrypt" to "encryptable".
Then it patches the filesystem tables to not use dm-verity. This is done by removing the "verify" mount-parameter.
Creates a new boot.img. The unpacking process is done via a self-compiled, statically linked version of mkbootimg.
Flashes the modified boot.img
Supported devices
HTC Nexus 9 WiFi (flounder)
HTC Nexus 9 LTE (flounder_lte)
Motorola Nexus 6 (shamu)
Version History
v1 - Initial version with HTC Nexus 9 WiFi (flounder) support
v2 - Added Motorola Nexus 6 (shamu) support
v3 - Added support for HTC Nexus 9 LTE (flounder_lte)
v4 - Added support for signed boot-images
v5 - Changed error handling to compensate for missing fstab files. Some roms seem not to ship with the complete set of boot-files from AOSP.
v6 - FED-Patcher will enforce the same structure for the patched boot.img that the original boot.img had. Additionally, the kernel commandline will also be taken over. This should fix pretty much every case where devices would not boot after patching.
v7 - FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.
What do I need to make this work?
A supported device (Your nexus 6)
An unlocked bootloader
An already installed ROM with forceencrypt flag. (like cyanogenmod CM12.1)
A recovery that includes busybox (TWRP, CWM)
How do I use it?
Make a thorough, conservative backup of your data if there is any on your device
Go into your recovery (TWRP, CWM)
Flash fed_patcher-signed.zip
If your device is already encrypted (You booted your ROM at least once) you need to do a full wipe to get rid of the encryption. This full wipe will clear all your data on your data-partition (where your apps as well as their settings are stored) as well as on your internal storage so please, do a backup before. If you don't do a backup and want to restore your data... well... Call obama.
How do I know if it worked?
Go into your "Settings"-App. In "Security", if it offers you to encrypt your device it is unencrypted. If it says something like "Device is encrypted" it indeed is encrypted.
IMPORTANT: If you update your ROM you have to run FED-Patcher again because ROM-updates also update the boot-partition which effectively removes my patch. So, if you are on CM12.1 for example and you used my patch and do an update to a newer nightly you have to run FED-Patcher again. If you don't do so Android will encrypt your device at the first boot.
Is it dangerous?
Well, I implemented tons of checks that prevent pretty much anything bad from happening. But, of course, we're dealing with the boot-partition here. Even though I tested FED-Patcher quite a lot there is still room for crap hitting the fan.
Screenshot
Scroll down to the attached thumbnails.
Credits
* pbatard for making (un)mkbootimg (dunno if he is on xda)
* @rovo89 for his xposed framework - I used some of his ideas by reading the source of his xposed installer flashable ZIP for FED-Patcher.
Thank you for this!
I can easily extend support for more devices. Do you guys know of some that have forceencrypt enabled?
Excellent work.
Hello everybody,
I just released version 6!
In this release, FED-Patcher will enforce the same structure for the patched boot.img that the original boot.img had. Additionally, the kernel commandline will also be taken over. This should fix pretty much every case where devices would not boot after patching.
Enjoy
Edit: Confirmed as working for latest Chroma build. (9/18)
Can anyone confirm this working for Chroma? Truly don't want to deal with starting from scratch ...
Hello everybody,
just to let you guys know - I just checked the new marshmallow factory image for shamu (MRA58K) => FED-Patcher should work for this new image too.
Enjoy!
This worked perfect for me just flashed then formatted data and boom I'm unencrypted again thank you op
Hello everybody,
I just released v7!
FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.
Enjoy!
gladiac said:
Hello everybody,
I just released v7!
FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.
Enjoy!
Click to expand...
Click to collapse
This is incredible news! Using this alongside SuperSU, is R/W access accessible on the system partition? (build.prop mods)
spunks3 said:
This is incredible news! Using this alongside SuperSU, is R/W access accessible on the system partition? (build.prop mods)
Click to expand...
Click to collapse
Yes that should work!
//EDIT: No it does not. It keeps looping after installing SuperSU with the following error:
Code:
avc: denied { execute_no_trans } for path="/system/xbin/daemonsu" dev="mmcblk0p29" ino=104419 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
Probably some selinux problem :/. I might dive into this later this week. Sorry.
//EDIT #2: Now that I think about it... Doesn't the SuperSU flashable ZIP take care of the needed policy rules so the error that I posted above does not happen? IMHO it is SuperSU's task to take care of these things.
I might have to retest with the actual SuperSU installer. I had used TWRP's SuperSU installer. Maybe that one is broken somehow...
//EDIT #3: Nope! Supersu definitely does not work. I just tried with BETA-SuperSU-v2.50.zip. The SELinux policy-set that comes with the stock marshmallow factory images lacks the necessary rules to enable SuperSU to work.
However, adding these rules is something FED-Patcher was not designed to do. IMHO the SuperSU flashable ZIP should take care of this.
FYI: Nexus 6 is a QUAD core. Not just 2.
doitright said:
FYI: Nexus 6 is a QUAD core. Not just 2.
Click to expand...
Click to collapse
Thanks, I just fixed it. Shame on me.
Thanks for your work. Please can you take moment to answer my question? I am using an Android 6 ROM, however, due to my original configuration, device encryption is active.
I will try as listed below, please critique, I am not sure if I need to wipe the phone after backing up?
1. Back up device
2. Wipe device (data, internal storage and system.)
3. Flash FED patcher
4. Flash suitable Andriod 6 boot loader and radio
5. Flash suitable rom (with encryption disabled)
Thanks
finesse said:
Thanks for your work. Please can you take moment to answer my question? I am using an Android 6 ROM, however, due to my original configuration, device encryption is active.
I will try as listed below, please critique, I am not sure if I need to wipe the phone after backing up?
1. Back up device
2. Wipe device (data, internal storage and system.)
3. Flash FED patcher
4. Flash suitable Andriod 6 boot loader and radio
5. Flash suitable rom (with encryption disabled)
Thanks
Click to expand...
Click to collapse
Hi @finesse,
FED patcher must be run after installing a rom in order to disable the forced encryption flag. If the rom does not have forced encryption enabled (pretty common on non-stock and non-cm12.1 roms) you do not need to run FED patcher at all. Background: What FED-Patcher does is that it just takes the boot-partition of the currently installed rom and modifies it.
Wiping (in TWRP: "Wipe" - "Factory reset") is essential after backing up if the phone is currently encrypted. Sadly, you cannot simply just disable the encryption. Only formatting the partition (=wiping) will get rid of it.
I hope I could help .
Hey everybody!
This project has been moved to HERE! Please post your problems, success stories and so on there from now on.
Cheers, gladiac
Will this work on anyother device having Marshmallow... Its a MY6753 device.
or any way to edit you patch and make it work on my device....
gladiac said:
Hey everybody!
This project has been moved to HERE! Please post your problems, success stories and so on there from now on.
Cheers, gladiac
Click to expand...
Click to collapse
rawdealer said:
You didn't Format the Data It's quite a large button in twrp
Click to expand...
Click to collapse
Emilius said:
OMG, please don't tell anyone
Click to expand...
Click to collapse
rawdealer said:
FORMAT DATA, the extra large button
http://forum.xda-developers.com/and...v8-forceencrypt-disable-t3234422/post63810702
Click to expand...
Click to collapse
haibane said:
Rawdealer, I got it to work lol. Just seemed odd that you had to Format Data instead of doing a full wipe of everything. I'm guessing the Format Data just had to occur after CM was installed.
Click to expand...
Click to collapse
SamS1989 said:
it does not working on my n6 (7.1.1 stock)
what i do :
- flash 7.1.1 factory image
- turned off after the flash, reboot in fastboot
- boot twrp (without flash)
- flashed the V8 fed
- wipe data/cache (in twrp)
and after the reboot the phone stil decrypted
should i do the factory reset from settings or it's good from twrp ?
Click to expand...
Click to collapse
rewrite the instructions in both threads:
flash FED-Patcher.zip
use the Format Data button!!! neither Swipe to Factory Reset! nor Advanced Wipe!
v8 works well for nexus 6 stock 7.1.1, thanks to the op @gladiac and the discoverer @rawdealer, would better someone quote this in the other thread since New members (those with few posts) are not permitted to post to development-related forums
Bump
Thanks for this.
Does FED-Patcher still not work with Nougat?
I tried to use the detailed instructions here:
https://forum.xda-developers.com/nexus-6/general/how-to-disable-force-encryption-nexus-6-t3220273
I am not a pro at any of this, including TWRP.
I downloaded the Factory Image from Google (7.1.1 July for Shamu , Nexus 6)
https://dl.google.com/dl/android/aosp/shamu-n6f27h-factory-718e138f.zip?hl=vi
I unlocked and rooted my N6, flashed TWRP.
I followed all the instructions. When I got to step 8: Flash your ROM, it wouldn't work. I kept getting Zip verification errors in TWRP. I also tried to do it in NRT.
I was told that you can't install a Google factory image via TWRP. I guess the factory image would overwrite the recovery with stock. (my guess)
And when I used NRT, I got a hash mismatch when I tried to flash the factory image it as a ZIP.
NRT would only install the factory image via "Flash Stock and Unroot" which I guess defeats the purpose of this.
So I can go back to those instructions but am unclear which Android ROM to flash at step 8.
Using Samsung note 4 samsung uses a proprietary system for encryption that twrp won't support so no access to /data using latest twrp
As i would like to keep my phone this way and use magisk root and custom modifications ect im wondering in what ways this will cause me problems or limit how many mods can be flashed ect
When i first start twrp brings up screen asking if i want to keep it read only or allow system modification it never remembers my choice asks at each start up
conversly clicking reboot system or download mode ect happens immediately without waiting for me to swipe the button accross screen which normally is required
also noticed i can't wipe cache/dalvikcache i believe wiping this is required with certain mods that can occasionally cause system instability and that fixes it.
believe backups won't work want to stick with it have my doubts about long term suitibility of it however.
Appreciate any help.
Thanks.
Hey guys! I was wondering why can't we encrypt /sdcard as we do for /data?... In my opinion my files/documents/photos are sensitive information as my data partition is...
Up?
Seriously, no one?
Unipo said:
Seriously, no one?
Click to expand...
Click to collapse
Little late... Anyways, I too am wondering all the time why encryption seems to be relevant for only a really small number of users.
Since you can only encrypt your SD Card with LOS when formatting it as internal storage via assistant, I chose to go this way:
https://guardianproject.info/2011/02/02/create-an-encrypted-file-system-on-android-w-luks/
Did you find another solution?
@two_handed
Sorry I moved to CopperheadOs, my Mi5 was only pure lineage with F-Droid as system app.
I noticed that you don't have access to /data on you encrypted lineageOs phone which means apps data, pictures, music, etc... But you still have access to everything else (/system included) through adb/fastboot.
I wanted a secure phone without google crap, only FLOSS apps, and CopperheadOs is one of the few allowing you (more like forcing you) to relock you bootloader to activate boot secure and prevents anyone to use fastboot/adb shell if your phone gets stollen.
Concerning your question, maybe this http://sovworks.com/eds/ ? Sort of veracrypt for android, also working with veracrypt containers.
I got my Honor 9 set up with the all in one guide (https://forum.xda-developers.com/honor-9/how-to/one-guide-recovery-os-roms-t3661829). Except I could not flash supersu because in the data/data folder, I just got some weird named folders and could not find my file.
That tells me I am encrypted, right?
Now I entered TWRP and sideloaded supersu via adb - and I got root. So now my question is, am I encrypted AND got root running? Can you confirm this? I found no way inside Android on how to see if I am actually encrypted or not.
I didn't flash anything with fileencryption disabled in fstab etc...
I believe the latest version of EMUI encrypts your device by default to protect your personal data. You would probably decrypt your device yourself in the Settings > Security
But how can I check if I'm really encrypted or decrypted? What I can tell for sure is that I got root. But that would mean that the root guide can be updated to read supersu is working with data encrypted
Rommco05, I already know that I'm definitely rooted, but unsure on how to check the encryption status.
If I remeber good, there's an option in settings when you encrypt the phone (I don't remember where exactly)
This may help you
Ok so I sideloaded beta SuperSU 2.82 SR3 and I am rooted now. And I would say encrypted as if I browse /data/data through TWRP everything is just a bunch of random characters. Also phone is locked by fingerprint and password.
It can be correct
Zuzler said:
I got my Honor 9 set up with the all in one guide (https://forum.xda-developers.com/honor-9/how-to/one-guide-recovery-os-roms-t3661829). Except I could not flash supersu because in the data/data folder, I just got some weird named folders and could not find my file.
That tells me I am encrypted, right?
Now I entered TWRP and sideloaded supersu via adb - and I got root. So now my question is, am I encrypted AND got root running? Can you confirm this? I found no way inside Android on how to see if I am actually encrypted or not.
I didn't flash anything with fileencryption disabled in fstab etc...
Click to expand...
Click to collapse
Could you please tell me what you did in detail after you unlocked your phone? At the moment i have the eu version but the b180 version with unlocked bootloader. Do you think it also works with the b180? And can you provide the links where you downloaded it, because there are like 10 Million different Versions of supersu and twrp. i bless you if you tell me
I soft bricked my H9 many times, so can you confirm me pls if :
- My H9 has the stock rom
- Bootloader unlocked and frp unlocked
- TWRP is installed but i see sdcard with encrypted names
If i used "adb sideload SuperSU-v2.82-201705271822.zip" in TWRP, i will have root and i loose nothing in the phone?
Thnaks for answer
i need this information too.
if i install by twrp the file SR3-SuperSU-v2.82-SR3-20170813133244.zip , i have root but i lose navigation button and camera flash...
now i have B183 version....
which version and how have to install Supersu for have root and all working?
im tired to go back everytime to b120....
A couple of days ago I flashed Lineageos 16 onto my Pocophone F1 with the opengapps package (MTG was giving problems).
Now the main issue I have is that my banking apps, Netflix and 1 or 2 other apps won't work because it says the device is rooted. This is actually incorrect , just the bootloader is unlocked. But I realise this is the new security system of Android.
However, here are the problems that I found while investigating for a solution to the root problem:
1. Trust security system says, "This build was signed with public keys". How to I get a build with a private key? I have never compiled my own build.
2. TWRP 3.2.3 is installed, but the pin/pattern/no password etc does not allow twrp to decrypt the phone. I can use the "cancel" option to get to the menu but then twrp has limitations, see point 3.
3. I am trying to install Magisk on the phone to see if that is a solution for the non-working apps. But after I have transferred the zip file onto /sdcard I cannot see it it when I am in recovery. I guess because of the decrypt issue in point 2.
I have tried to Google for solutions to these issues, but no answers see to be clear as to what the solution is.
So can somebody advise what my best course of action is to get the apps complaining about root to work? Back to the stock android with all the bloatware?
Thanks a million in advance to the person who can help with this.