Question about unlocking the bootloader and password at the startup. - Nexus 5X Q&A, Help & Troubleshooting

Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!

thesebastian said:
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
Click to expand...
Click to collapse
You can access without password.

Thanks Oblox. Then I think I'm keeping a locked bootloader for now!
I don't understand why they don't request a password to access the bootloader.... it could be much more secure.
Sent from my E5823

thesebastian said:
Thanks Oblox. Then I think I'm keeping a locked bootloader for now!
I don't understand why they don't request a password to access the bootloader.... it could be much more secure.
Sent from my E5823
Click to expand...
Click to collapse
Agreed in principal, security concerns raised by unlocking the bootloader would be much less of an issue if they allowed it to be password protected.
However id imagine it would cause headaches when flashing new bootloader (Where does the unlock info sit?) and when ADB'ing via usb etc that are too much effort to address. Id imagine most users dont ever unlock so dont suffer and 'developers' who do are suitably warned.

thesebastian said:
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
Click to expand...
Click to collapse
It depends what you are trying to protect.
When you boot the phone it will pick some random key and encrypt your user partition, so your user partition is ALWAYS encrypted using a private randomly generated key.
Then if you don't select a pattern, pin, or password, that random key is (rather than being stored in plaintext) encrypted using the default string "password" plus some phone specific information accesible on the phone itself.
If you do select a pattern, pin, or password, then the random key is reencrypted with a process that includes your pattern, pin, or password.
In this way, when you change your pattern, pin, or password, the whole user partition does not need to be re-encrypted, just the random private key used to encrypt your user partition needs to be re-encrypted.
The password you enter upon startup is to unlock/decrypt the user partition.
So if you have unlocked bootloader, someone can steal your phone but can't get access to your data easily unless you leave the phone with no pattern, pin, or password.
They can overwrite your system and boot partitions, but if you have pattern, pin, or password when they try to factory reset your phone there is some Android factory reset protection that will ask them to enter your pattern, pin, or password when the phone connects to Google. This actually often locks users out of their own phones when they forget the pattern they used because it was just temporary when they entered it or it was an old pattern they used a long time ago and it comes back on factory restore.
The best they can hope for would be to install custom boot/system images and trick you into giving them your pattern, pin, or password, prior to stealing your phone.
So it really depends what you are trying to protect.
Locked bootloader, on the other hand, if you mess things up, can be a big impediment to fixing your phone.
My suggestion would be to unlock your bootloader, create a pattern/pin/password, and leave Nexus factory reset protection turned on.
Good flexibility with reasonable protection.
The password you enter at startup is so the kernel can finish the boot process, otherwise it cannot read your user partition.
You'd need to enter that password when running TWRP custom recovery as well or it won't be able to read your user partition.

thesebastian said:
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
Click to expand...
Click to collapse
Just one thing to add onto the words of everyone else. This is my first Nexus but it is my understanding that previous Nexus devices have allowed users to lock/unlock the bootloader on the fly via an app. If this is something you intend to do, you should be aware that does not exist on the 5X. The bootloader must be unlocked after enabling OEM Unlock in Developer Settings. You can now install sideload OTAs from Google's website though.
Sent from my Nexus 5X using Tapatalk

Thanks you very much for all your posts.
I think I'll stay with a locked bootloader for now. At the end of my N5 2013 life I wasn't really using root features. Later I spent too much time with a Z5 Compact where opening a bootloader has bad consequences. So now I'm pretty much used to closed bootloaders.
So considering that fast boot and recovery mode don't need the startup PIN I'll stay with a locked bootloader.
However I already got a reason to unlock the bootloader. If there's any way to record videos in [email protected] I'd root the phone.
Sent from my Nexus 5X

I think sfhub said that you'd need a password to boot into the recovery as well. So unlocking your bootloader and leaving the phone encrypted with rest of the security features turned on does seem quite secure than i initially imagined. Too bad I never stayed encrypted long enough to play around with these.
But does it still ask for a password if you flash a different/custom recovery? I'm guessing it will, assuming the passwords are located on /data partition which is encrypted.
That said, someone in PN thread mentioned that knowledgeable hackers can still gain access to an unlocked, but encrypted phone via methods I'm unaware of. But I'd say it is very unlikely that my phone will end up in the hands of someone with such abilities.
The conversation is here: http://forum.xda-developers.com/nex...nexus-layers-fi-wifi-calling-t3244601/page351

roofrider said:
I think sfhub said that you'd need a password to boot into the recovery as well. So unlocking your bootloader and leaving the phone encrypted with rest of the security features turned on does seem quite secure than i initially imagined.
Click to expand...
Click to collapse
You don't need a password to boot into Recovery. You need to enter a pattern/PIN/password into TWRP (TWRP's UI is the one presenting the UI to ask for your password) to allow TWRP to mount your user partition as without that information the user partition is just gibberish.
roofrider said:
But does it still ask for a password if you flash a different/custom recovery? I'm guessing it will, assuming the passwords are located on /data partition which is encrypted.
Click to expand...
Click to collapse
Whether the different custom recovery asks you a password or not will depend on the custom recovery, but if your recovery doesn't ask for a password, then that recovery has no ability to access your user partition as it won't be able to decrypt the contents. Even if it does ask for a password, sometimes it can't access due to mismatch in decryption procedures. Some earlier versions of TWRP had this problem.
roofrider said:
That said, someone in PN thread mentioned that knowledgeable hackers can still gain access to an unlocked, but encrypted phone via methods I'm unaware of. But I'd say it is very unlikely that my phone will end up in the hands of someone with such abilities.
Click to expand...
Click to collapse
If you leave your bootloader unlocked (especially if a bad actor has physical access to your phone), if someone is determined enough they can eventually get access, but with current features it is significantly more difficult/annoying (compared to how trivial it was prior to encryption) to the point most normal people won't bother:
1) AES encrypted user partition
2) multiple password failure reset
3) mixing your pattern/PIN/password with phone specific salt
4) factory reset protection
5) remote reset
The easiest way for them to get access to your phone is to install a custom android or recovery that records your pattern/PIN/password and getting you to enter that information on your own, prior to stealing your phone.
I am guessing multiple password failure reset can be bypassed with bootloader unlocked, so brute force is likely easier.
Now if someone comes out with tools to automate brute force of phones with bootloader unlocked then you might only have real protection from brute force if you enter a complex password rather than pattern/PIN. This still wouldn't protect you from having someone replace your recovery or OS with something that records your pattern/PIN/password but it would protect against the most likely case of someone stealing your phone and trying to access your user data.

I have another question
Can you open the bootloader if the phone is encrypted and with startup pin/password?
If so (I assume yes) /data is wiped and then the phones encryption is reserved? (Just like out of the box)
Sent from my Nexus 5X

thesebastian said:
I have another question
Can you open the bootloader if the phone is encrypted and with startup pin/password?
If so (I assume yes) /data is wiped and then the phones encryption is reserved? (Just like out of the box)
Click to expand...
Click to collapse
I assume you mean "unlock" the bootloader.
The answer is yes and no.
You must first go into developer options to allow OEM unlocking.
If you have a locked bootloader and set up a pattern/PIN/password, then for somebody else (w/o your pattern/PIN/password) to enable OEM unlocking would prove to be a challenge since they can't easily get past your Android login and I haven't an easy way for them to enable it through other means.
Assuming they can get past your pattern/PIN/password (or you just left OEM unlocking enabled yourself) then yes, they can unlock the bootloader and it will enforce a data wipe in the process.
Android factory reset protection might also kick in after the phone connects to Google and they may be forced to enter your pattern/PIN/password to access your system.
I don't know what you mean by "encryption is preserved" The user partition starts off unencrypted. Upon first boot, the kernel will see it isn't encrypted and will encrypt it. From that point on the user partition is always encrypted.
If your data gets wiped due to bootloader unlock, the user partition will be erased, reformatted (at which point it'll be briefly unencrypted), then will be re-encrypted upon first boot of kernel.

sfhub said:
I assume you mean "unlock" the bootloader.
The answer is yes and no.
You must first go into developer options to allow OEM unlocking.
If you have a locked bootloader and set up a pattern/PIN/password, then for somebody else (w/o your pattern/PIN/password) to enable OEM unlocking would prove to be a challenge since they can't easily get past your Android login and I haven't an easy way for them to enable it through other means.
Assuming they can get past your pattern/PIN/password (or you just left OEM unlocking enabled yourself) then yes, they can unlock the bootloader and it will enforce a data wipe in the process.
Android factory reset protection might also kick in after the phone connects to Google and they may be forced to enter your pattern/PIN/password to access your system.
Click to expand...
Click to collapse
Oh yes sorry! I totally forgot about that option under dev settings when I asked the question. So fastboot oem unlock will never work without knowing my PIN (I never had this the Nexus 5 and older Nexus).
That means that a Nexus 5X with a locked bootloader and that option disabled is completely useless for a thief? (Without including advanced concepts like "change the internal memory") Or you can still rewrite /data with a locked bootloader and get rid of the encryption?
(This applies also for the stock recovery "wipe data" function?)
These last questions I've made are not about privacy, are more about anti-theft features.
Sent from my Nexus 5X

thesebastian said:
Oh yes sorry! I totally forgot about that option under dev settings when I asked the question. So fastboot oem unlock will never work without knowing my PIN! (I never had this the Nexus 5 and older Nexus).
That means that a Nexus 5X with a locked bootloader and that option disabled is completely useless for a thief? Or you can still rewrite data with a locked bootloader and get rid of the encryption?
Click to expand...
Click to collapse
I think "useless" is in the eye of the beholder.
IMO with locked bootloader, OEM unlock disabled, pattern/PIN/password created, standard encryption enforced, it would be extremely difficult to access your data.
They could boot into recovery and reset your user partition, but in that case, they wouldn't be accessing your data and upon connection to google will likely get hit with android factory reset protection and need to enter your pattern/PIN/password to access the phone.
They may be able to force LG recovery mode and rewrite your phone. I don't know what happens with Android factory reset protection in this case, but they won't be accessing your user data unless they can easily break AES-256 brute force (which is not really possible today unless your keys get compromised through social engineering)
I think worse case, with a bunch of work, they might have a functioning phone that will lock them out if they ever connect to a network. They can probably sideload some games and use it for that.
---------- Post added at 12:24 PM ---------- Previous post was at 12:08 PM ----------
One other thing, keep in mind this is how things are designed to work with all the chains being secure (bootloader, kernel, recovery, android, etc.)
There could always be some zero day bug that could be exploited to break the design. If there was a kernel memory overrun bug that wasn't patched, that could potentiall be exploited to replace the code that resets the phone upon too many mistaken password entries, and then that combined with a 4 digit PIN code might result in a brute force attack on your PIN being feasible, there are only 10,000 combinations to try.
That is similar to what happen with the San Bernardino iPhone case. They were able to disable the phone reset after incorrect PIN entry functionality then just brute force the PIN.

sfhub said:
I think "useless" is in the eye of the beholder.
IMO with locked bootloader, OEM unlock disabled, pattern/PIN/password created, standard encryption enforced, it would be extremely difficult to access your data.
They could boot into recovery and reset your user partition, but in that case, they wouldn't be accessing your data and upon connection to google will likely get hit with android factory reset protection and need to enter your pattern/PIN/password to access the phone.
They may be able to force LG recovery mode and rewrite your phone. I don't know what happens with Android factory reset protection in this case, but they won't be accessing your user data unless they can easily break AES-256 brute force (which is not really possible today unless your keys get compromised through social engineering)
I think worse case, with a bunch of work, they might have a functioning phone that will lock them out if they ever connect to a network. They can probably sideload some games and use it for that.
Click to expand...
Click to collapse
So if a thief get my phone and do a wipe data in the stock recovery. The phone is still encrypted? They can't add a new Google account and use it like an out of box Nexus?
I'm not concerned about privacy anymore (encryption seems to be good enough). Now I'm asking about how this device is protected against the black market
Sent from my Nexus 5X

Regarding privacy in Android N I just read this article that adds more (future) information to the topic:
http://m.androidcentral.com/how-android-n-addresses-security
Sent from my Nexus 5X

thesebastian said:
So if a thief get my phone and do a wipe data in the stock recovery. The phone is still encrypted? They can't add a new Google account and use it like an out of box Nexus?
I'm not concerned about privacy anymore (encryption seems to be good enough). Now I'm asking about how this device is protected against the black market
Click to expand...
Click to collapse
IIRC they may be able to factory reset using stock recovery (or Google could have enhanced stock recovery to ask for pattern/PIN/password as well) but upon connection to Google it'll reinstall pattern/PIN/password.
So they can probably get the phone to be usable until they connect to Internet at which point it isn't usable. How usable your phone is without a network connection is debatable.
If Google has enhanced recovery to ask for pattern/PIN/password then they couldn't even get that far, unless they somehow force LG recovery mode and use LGUP to overwrite the phone.
I would test this all out for you but I don't have a phone I can spare being used as a test right now.

sfhub said:
IIRC they may be able to factory reset using stock recovery (or Google could have enhanced stock recovery to ask for pattern/PIN/password as well) but upon connection to Google it'll reinstall pattern/PIN/password.
So they can probably get the phone to be usable until they connect to Internet at which point it isn't usable. How usable your phone is without a network connection is debatable.
If Google has enhanced recovery to ask for pattern/PIN/password then they couldn't even get that far, unless they somehow force LG recovery mode and use LGUP to overwrite the phone.
I would test this all out for you but I don't have a phone I can spare being used as a test right now.
Click to expand...
Click to collapse
No problem! Thanks for the answer. Really helpful.
This is also useful in case I wanted to buy a used Nexus phone. (Well I bought mine directly from "Amazon Warehouse deals" but I could had used Wallapop who knows!)
I assume that a Factory Reset made by the legit owner from the "Settings" menu and not from the "Recovery" is enough to make the Nexus "tradable" again.
Sent from my Nexus 5X

thesebastian said:
No problem! Thanks for the answer. Really helpful.
This is also useful in case I wanted to buy a used Nexus phone. (Well I bought mine directly from "Amazon Warehouse deals" but I could had used Wallapop who knows!)
I assume that a Factory Reset made by the legit owner from the "Settings" menu and not from the "Recovery" is enough to make the Nexus "tradable" again.
Click to expand...
Click to collapse
Ok, I think you jogged my memory.
I believe what happens is this.
When you tie a Google account to your phone, it sets some information in the UEFI bios storage area (or some other area that survives factory reset). When you factory reset from recovery, during the initial setup it'll force you to connect to the most recent account associated with the phone (normally upon initial boot, it won't force connection of Google account)
This tends to hit buyers of used phones when the seller factory resets their phone right before selling it without removing pattern/PIN/password and removing google accounts.
So the proper way to sell a phone is
1) remove pattern/PIN/password
2) remove all Google accounts associated with this device
3) factory reset phone
Every manufacturer might have slightly different factory reset protection routines. I believe some states passed laws that required devices have ability to be remotely locked in case stolen and all this is part of that infrastructure. You can look at that as government wanting control over locking your phone or government trying to reduce the value of stolen phones for your benefit.
I think even Factory Reset from settings can experience the problem of new buyer needing to connect to previous google account, so best to remove pattern/PIN/password and Google accounts. I believe just removing the pattern/PIN/password will remove factory reset protection and similarly removing Google account will to, but I am not absolutely sure, so best to remove both.
I know you asked from standpoint of buyer and I responded from standpoint of seller. If you purchased a used phone, you should remind the seller to do the proper steps to disable the factory reset protection. I think factory reset protection started in in devices that were pre-installed with 5.1 or higher.
If folks forget to remove factory reset protection, they'll need to contact the buyer and give them their Google account password so they can complete set up and un-associate the account from the phone. Also don't reset your Google password then give the other user the temporary password, hoping to then reset your Google password back to standard, because there is some freeze I think 24 or 72hours where you can't use the account for initial setup if your password just got changed.

@ sfhub It seems to be much more complex now. I have to sell my previous phone (Xperia Z5 Compact, shipped with lollipop, but not encrypted out of the box) one of these days. And I plan to sell this (amazing) Nexus 5X as soon as there is a new 2016 Nexus (specially if it's a bit smaller). So the tips are really welcome. Thanks

sfhub said:
Also don't reset your Google password then give the other user the temporary password, hoping to then reset your Google password back to standard, because there is some freeze I think 24 or 72hours where you can't use the account for initial setup if your password just got changed.
Click to expand...
Click to collapse
I asked a friend who went through this trauma and he confirmed that if you change your Google password, there is a 72hour (not 24hour) lock before that password can be used to unlock a phone that has been factory reset.
Further, everytime you enter the wrong Google account/password on the phone the 72hr timer is reset.
So if you are in this situation best to just let the 72hr cooldown period pass before attempting to get into the phone. Spend your initial time making sure you have the correct Google account and password that was associated with the phone in question, then just wait it out.

Related

Question on "Phone Encryption"

Hey guys, sorry if this has been answered somewhere else, but I just want to confirm my understanding about encryption.
I'm setting up MobileIron and TouchDown for my work email and paused when the IT policy asked me to encrypt my phone.
So, is doing encryption will make it impossible for us to flash rom, radio, any kind of flashing + impossible to do all other things in CWM - due to the partition is being locked and encrypted before the device boots up?
(I'm not good to explain it technically, hopefully you get what I mean).
Slower boot time? The only way to decrypt is to factory reset and wipe all data? Impossible to backup nandroid? etc etc...
Of course the device would be more secure from the company's security point of view, but is that it?
I'm pretty sure there's no other workaround if I want to setup my phone with work email, since of course the IT policy applies to all employees so I can't ask for an exception.
At the same time I don't want to lose my ability to flash just because of the work email, it defeats the purpose of me having Android (which is to tweak and mess with my phone).
I came from SGSII where the IT policy only enforces PIN/password/pattern requirement, or perhaps because SGSII doesn't have encryption capability.
Appreciate your comment and opinion guys.
Hopefully someone knows.
kisekio said:
Hey guys, sorry if this has been answered somewhere else, but I just want to confirm my understanding about encryption.
I'm setting up MobileIron and TouchDown for my work email and paused when the IT policy asked me to encrypt my phone.
So, is doing encryption will make it impossible for us to flash rom, radio, any kind of flashing + impossible to do all other things in CWM - due to the partition is being locked and encrypted before the device boots up?
(I'm not good to explain it technically, hopefully you get what I mean).
Slower boot time? The only way to decrypt is to factory reset and wipe all data? Impossible to backup nandroid? etc etc...
Of course the device would be more secure from the company's security point of view, but is that it?
I'm pretty sure there's no other workaround if I want to setup my phone with work email, since of course the IT policy applies to all employees so I can't ask for an exception.
At the same time I don't want to lose my ability to flash just because of the work email, it defeats the purpose of me having Android (which is to tweak and mess with my phone).
I came from SGSII where the IT policy only enforces PIN/password/pattern requirement, or perhaps because SGSII doesn't have encryption capability.
Appreciate your comment and opinion guys.
Click to expand...
Click to collapse
Once your device is encrypted you won't be able to flash roms because recovery can't see the SD when you try to flash a kernel or rom.
You can't remove the encryption through a factory reset if your device is rooted and running CWM recovery. It will fail and the phone just boots up as normal. The only way I was able to remove encryption was to ADB/Fastboot the stock images onto my Nexus.
Lastly, I noticed the phone being very slow to boot with encryption.
Until Google give the option to decrypt I won't go near encryption again. Hope this helps and answers some of your questions.
jd1001 said:
Once your device is encrypted you won't be able to flash roms because recovery can't see the SD when you try to flash a kernel or rom.
Click to expand...
Click to collapse
I assume any kind of flashing won't work with encryption, including rom, kernel, radio, circlesmod, and all other kinds of mods that require flashing from CWM.
Is that correct?
If that's the case looks like I'm not going to use my work email on my phone.
Yeah your assumptions are correct!
jd1001 said:
Once your device is encrypted you won't be able to flash roms because recovery can't see the SD when you try to flash a kernel or rom.
You can't remove the encryption through a factory reset if your device is rooted and running CWM recovery. It will fail and the phone just boots up as normal. The only way I was able to remove encryption was to ADB/Fastboot the stock images onto my Nexus.
Lastly, I noticed the phone being very slow to boot with encryption.
Until Google give the option to decrypt I won't go near encryption again. Hope this helps and answers some of your questions.
Click to expand...
Click to collapse
I'm in exactly the same situation, unfortunately found out that i can't decrypt it with factory reset after I'm already encrypted
Do you happen to know good tutorial for flashing via ADB/fastboot?
I flashed my CM10 4.1.1 using galaxy nexus toolkit
http://forum.xda-developers.com/showthread.php?t=1830108 You're welcome.

[Q] Wipe everything after failed decryption attempts, but make it usable?

Hi,
I have CM10 running on my rooted Galaxy Nexus and I just enabled the disk encryption. However, I can't find any options what happens after a few failed attempts? I would like to reset and wipe my phone so that it will be usable, but without any of my data. Cerberus is flashed, so I think I'll have a better chance at recovering my phone if it's usable and not completely locked.
I have set a profile with tasker + secure settings to shutdown after 3 failed PIN attempts (which is different than the encryption password), so I should be save there and a thief would be forced to guess my much safer encryption password.
I know that I can do it with cerberus, but only manually.
Bonus point: Is there any possibility to use a pattern instead of a PIN for the display lock? It's unavailable after encrypting..
Nobody?
Savaron said:
Hi,
I have CM10 running on my rooted Galaxy Nexus and I just enabled the disk encryption. However, I can't find any options what happens after a few failed attempts? I would like to reset and wipe my phone so that it will be usable, but without any of my data. Cerberus is flashed, so I think I'll have a better chance at recovering my phone if it's usable and not completely locked.
I have set a profile with tasker + secure settings to shutdown after 3 failed PIN attempts (which is different than the encryption password), so I should be save there and a thief would be forced to guess my much safer encryption password.
I know that I can do it with cerberus, but only manually.
Bonus point: Is there any possibility to use a pattern instead of a PIN for the display lock? It's unavailable after encrypting..
Click to expand...
Click to collapse
Only way to recover the phone after encryption is to do a factory reset, I don't think it does this by itself when x failed attempts.
the Pattern unlock is very low security and the encryption key is numeric (or so ive heard) so I'm guessing that is the reason it isn't available.
Swype'ed on my CM10 Galaxy Nexus
How would I do a factory reset after encryption without fastboot? Also, I already have a different PIN than my encrption key, so that should be of no concern.
couldnt you still get back into the stock recovery with encryption on and factory reset that way?
AFAIK the stock recovery is the only recovery, that can handle encryption. But I have clockword, so I think the only method to factory reset would be fastboot. I know how to do it, I don't think the average thief/user can do it, so thats not a security concern for me.
Twrp supports encryption.
Sent from my i9250
Alright, just installed it. But what about the automatic wipe? Couldn't find anything yet
Seriously, why is a remote wipe so easy and an automatic wipe seemingly impossible? I even wonder, why this isn't a standard feature..

Is my phone currently encrypted? [Pure Nexus ROM]

I have a Nexus 5x that I rooted. For a brief time, whenever I booted into TWRP, it would ask for my pin to decrypt the phone and access data. Now however, it does not. Under security settings, it still says the phone is encrypted. I'm not sure if it's still encrypted or not at this point, and I'm not sure what I might have done to disable the encryption. I used to have to enter a pin when I turn it on before it fully boots, like it wouldn't even get to my proper lock screen before I entered it. Now it'll boot to my lock screen, but if I try to use my finger print scanner to unlock it, it'll prompt me for my pin the first time.
Any advice on finding out if it's truly encrypted or not, and if not, how to renable the encryption? If there's any other info needed please let me know.
EDIT: Issue was solved by turning off Taskers accessibility service.
Boot into twrp. Does it ask for your pin? If so, encrypted. If not, unencrypted.
My phone is unencrypted and requires me to enter my password at the lockscreen on a cold boot. In pretty sure that is expected behavior.
Sent from my Nexus 5X using Tapatalk
PiousInquisitor said:
Boot into twrp. Does it ask for your pin? If so, encrypted. If not, unencrypted.
My phone is unencrypted and requires me to enter my password at the lockscreen on a cold boot. In pretty sure that is expected behavior.
Sent from my Nexus 5X using Tapatalk
Click to expand...
Click to collapse
It doesn't ask for my pin... but it does say it's encrypted under the security settings. How do I go about reactivating encryption this case? Any ideas? Thanks for the reply.
Flashing the stock boot image will then encrypt data on next boot.But I have no idea if your rom works with stock kernel.
Search your rom's thread
PiousInquisitor said:
Boot into twrp. Does it ask for your pin? If so, encrypted. If not, unencrypted.
My phone is unencrypted and requires me to enter my password at the lockscreen on a cold boot. In pretty sure that is expected behavior.
Sent from my Nexus 5X using Tapatalk
Click to expand...
Click to collapse
So the phone showing a status of "Encrypted" inside android security is inaccurate if we're on the PureNexus ROM?
IamFuzzles said:
I have a Nexus 5x that I rooted. For a brief time, whenever I booted into TWRP, it would ask for my pin to decrypt the phone and access data. Now however, it does not. Under security settings, it still says the phone is encrypted. I'm not sure if it's still encrypted or not at this point, and I'm not sure what I might have done to disable the encryption. I used to have to enter a pin when I turn it on before it fully boots, like it wouldn't even get to my proper lock screen before I entered it. Now it'll boot to my lock screen, but if I try to use my finger print scanner to unlock it, it'll prompt me for my pin the first time.
Any advice on finding out if it's truly encrypted or not, and if not, how to renable the encryption? If there's any other info needed please let me know.
Click to expand...
Click to collapse
I would guess that you are encrypted with the default password. If you change the password, TWRP would probably ask you for a PIN/password.
So I looked into it some more, and it seems that because I granted Tasker accessibility access, it prevented proper encryption. Turning off Taskers accessibility access fixed the issue. Thanks for the help all.

Root and Security / Prevent Flash Recovery / Prevents to Decrypt Data

Hello.
I search for a way to hold my HTC 10 safe if someone sholud take my phone.
Actually i am able to read all my data over the TWRP, doesn't matter if i use the safest security things, like the phone goes back to facroty reset after to much wrong password tries.
No one should be able to Flash a recovery oder take my data out, actually you just need to flash TWRP to uncrypt the Data Partition.
Is there any way to make my phone with root really safe?
Does it affect something if the Option "Unlock OEM" in the Developer Settings ist checked or not?
Thank you
You have to go to Settings->Security->Screen lock
Here you select what you want (pattern, pin, password,..) and then enter yours security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again.
Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
CrazyCypher said:
You have to go to Settings->Security->Screen lock
Here you select what you want (pattern, pin, password,..) and then enter yours security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again.
Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
Click to expand...
Click to collapse
I guess though, if phone is stolen and you have twrp installed, your in trouble, if they know what they're doing. Cause your phone is decrypted once in recovery, afaik. If someone can correct me, I would like to know. Always assumed all bets are off once twrp installed.
purple patch said:
I guess though, if phone is stolen and you have twrp installed, your in trouble, if they know what they're doing. Cause your phone is decrypted once in recovery, afaik. If someone can correct me, I would like to know. Always assumed all bets are off once twrp installed.
Click to expand...
Click to collapse
Follow what I wrote in my previous post. If you do so, TWRP will ask you for security (pattern, pass, etc) to decrypt data otherwise it will not bi able to
CrazyCypher said:
Follow what I wrote in my previous post. If you do so, TWRP will ask you for security (pattern, pass, etc) to decrypt data otherwise it will not bi able to
Click to expand...
Click to collapse
Oh OK thanks. So when i use encrypted system but choose not to use a password to start phone as you mentioned, twrp is just using a default password to decrypt?
purple patch said:
Oh OK thanks. So when i use encrypted system but choose not to use a password to start phone as you mentioned, twrp is just using a default password to decrypt?
Click to expand...
Click to collapse
I think so, yes. If you correctly enabled security so it appears before phone turns on and also to be enabled in TWRP, you will every reboot get this window before you can use the phone:
http://www.androidcentral.com/sites...2/decrypt-screen-htc-one-a9.jpg?itok=56N6fDJE
I get this window, but I have pattern..this is picture from web
CrazyCypher said:
I think so, yes. If you correctly enabled security so it appears before phone turns on and also to be enabled in TWRP, you will every reboot get this window before you can use the phone:
http://www.androidcentral.com/sites...2/decrypt-screen-htc-one-a9.jpg?itok=56N6fDJE
I get this window, but I have pattern..this is picture from web
Click to expand...
Click to collapse
Yes, I've seen that before phone boots. But did not realise it stops you from decrypting in twrp. I have always been able to get in to twrp without pin/pattern. Now you mention though, wipe data in twrp was the only way to remove that security screen, so it's probably still encrypted until that is done. Thanks, makes sense now.
purple patch said:
Yes, I've seen that before phone boots. But did not realise it stops you from decrypting in twrp. I have always been able to get in to twrp without pin/pattern. Now you mention though, wipe data in twrp was the only way to remove that security screen, so it's probably still encrypted until that is done. Thanks, makes sense now.
Click to expand...
Click to collapse
Try to boot in TWRP... I am being asked to input pattern to decrypt data before I can enter TWRP... I wasn't always being asked, before I selected the setting in "Settings->Security->Screen lock" TWRP just said it decrypted data with default passowrd... now that I enabled in "Settings->Security->Screen lock", also TWRP ask me to input before it can decrypt.
ALSO be sure you have latest TWRP installed, previous version were not able to decrypt data no matter what setting you had.
CrazyCypher said:
You have to go to Settings->Security->Screen lock
Here you select what you want (pattern, pin, password,..) and then enter yours security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again.
Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
Click to expand...
Click to collapse
Thank you for this Information, if this is really safe it would be really nice.
I will try it as soon as possible after i backed my device up.
And it is still save, doesn't matter which TWRP version (or maybe other recovery) you will flash?
I like the idea to still use TWRP. Could it be still possible to have root with the strok recovery?
USB Debugging is still off since i got my device and i flashed it already back to stock recovery for the OTA and again to TWRP, i never enablet USB Debuging, i think this option does not affect anything?
Or do you mean i shold disable "OEM Unlock" or what will happen if you set disable to this option?
Nobody who steals a phone is too interested in your data unless that is the sole reason why they took your phone.
Sent from my HTC 10 using XDA-Developers mobile app
Thank you, it seems like it works if you choose "Require pattern to start device"
Actually i didn't try to flash, wipe, format or something else but i guess whatever you will do, its not possible to decript the internal storage again?
@Android The Greek.. yes this is the reason for this thread, because if you took a rooted phone, i guess you always will be able to flash them so that you can use it again?.. If its not rooted, you should not be able to use this phone again if you choose this security.
I actually got another question. What is if someone does flash another backup to system and more, but just let "data" stay.
Is the encryption still save and all the keys stored in the "data" partition or its possible to get access to data?

Just got the LG Wing, and i love it, however..

Just got it and been messibg with it for an hour or so(had to order from the states to Norway), unlocked, regocnized the carrier and all. However, the boatware is extensive, due to this is an AT&T phone, non delete&trashable.
This phone is OEM unlocked, so if i factory reset this baby does the ohone get locked? Asking before i do anything that might put it at risk of being locked.
Hopefully, with the tools provided by xda for the wing(ive been lurking for the past 15 days) id get this unlocked with bootloader and i can remove the bloatware.
Thank you for reading, and your help!
(First post on xda)
Before you do a factory reset remove all Google accounts from the phone!
Not sure if LG's have anything else but Google's FRP will bone you without the correct password.
Reboot and verify there are no Google accounts present. Do the factory reset then from settings as opposed to the boot menu if you have that option.
A factory reset will not remove the AT&T apps if it's an AT&T phone as they are part of the rom. They can be disable from running at boot with a adb edit or a package disabler. They won't impact phone operations at all then. These are the easiest and safest options.
Thank you for the answer. Yeah its a very neato phone for sure.
Its still stuck on An10, so i just hope it'll get An11 (As ive found out An10 is very restrictive, cant even open\extract zip files on it)

Categories

Resources