Related
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
thesebastian said:
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
Click to expand...
Click to collapse
You can access without password.
Thanks Oblox. Then I think I'm keeping a locked bootloader for now!
I don't understand why they don't request a password to access the bootloader.... it could be much more secure.
Sent from my E5823
thesebastian said:
Thanks Oblox. Then I think I'm keeping a locked bootloader for now!
I don't understand why they don't request a password to access the bootloader.... it could be much more secure.
Sent from my E5823
Click to expand...
Click to collapse
Agreed in principal, security concerns raised by unlocking the bootloader would be much less of an issue if they allowed it to be password protected.
However id imagine it would cause headaches when flashing new bootloader (Where does the unlock info sit?) and when ADB'ing via usb etc that are too much effort to address. Id imagine most users dont ever unlock so dont suffer and 'developers' who do are suitably warned.
thesebastian said:
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
Click to expand...
Click to collapse
It depends what you are trying to protect.
When you boot the phone it will pick some random key and encrypt your user partition, so your user partition is ALWAYS encrypted using a private randomly generated key.
Then if you don't select a pattern, pin, or password, that random key is (rather than being stored in plaintext) encrypted using the default string "password" plus some phone specific information accesible on the phone itself.
If you do select a pattern, pin, or password, then the random key is reencrypted with a process that includes your pattern, pin, or password.
In this way, when you change your pattern, pin, or password, the whole user partition does not need to be re-encrypted, just the random private key used to encrypt your user partition needs to be re-encrypted.
The password you enter upon startup is to unlock/decrypt the user partition.
So if you have unlocked bootloader, someone can steal your phone but can't get access to your data easily unless you leave the phone with no pattern, pin, or password.
They can overwrite your system and boot partitions, but if you have pattern, pin, or password when they try to factory reset your phone there is some Android factory reset protection that will ask them to enter your pattern, pin, or password when the phone connects to Google. This actually often locks users out of their own phones when they forget the pattern they used because it was just temporary when they entered it or it was an old pattern they used a long time ago and it comes back on factory restore.
The best they can hope for would be to install custom boot/system images and trick you into giving them your pattern, pin, or password, prior to stealing your phone.
So it really depends what you are trying to protect.
Locked bootloader, on the other hand, if you mess things up, can be a big impediment to fixing your phone.
My suggestion would be to unlock your bootloader, create a pattern/pin/password, and leave Nexus factory reset protection turned on.
Good flexibility with reasonable protection.
The password you enter at startup is so the kernel can finish the boot process, otherwise it cannot read your user partition.
You'd need to enter that password when running TWRP custom recovery as well or it won't be able to read your user partition.
thesebastian said:
Hi
My Nexus 5X is arriving this week. I had many nexus devices before, but now I saw that you can add a password at the startup of the phone and I wanted to know how this is working with an unlocked bootloader.
In the Nexus 5 (2013) I used to keep my bootloader closed because with the bootloader open there was a risk: you were able to install (fastboot flash) or boot (fastboot boot) a CUSTOM recovery and flash things without wiping data, or even, access the internal memory of the phone from the custom bootloader. (This didn't happen with the locked bootloader because you were forced to wipe /data before flash a custom bootloader).
So now, with the 5X and the startup password, how does it works with an open bootloader? If I open the bootloader, the only way to flash anything is knowing the startup password? Or you can access fastboot mode without any password and good to go?
If that's the case, then I think I'll keep my bootloader locked!
I'm asking this prematurely because I don't want to install everything, and then wipe to open the bootloader, and start from scratch again.
Thanks
Sebastian!
Click to expand...
Click to collapse
Just one thing to add onto the words of everyone else. This is my first Nexus but it is my understanding that previous Nexus devices have allowed users to lock/unlock the bootloader on the fly via an app. If this is something you intend to do, you should be aware that does not exist on the 5X. The bootloader must be unlocked after enabling OEM Unlock in Developer Settings. You can now install sideload OTAs from Google's website though.
Sent from my Nexus 5X using Tapatalk
Thanks you very much for all your posts.
I think I'll stay with a locked bootloader for now. At the end of my N5 2013 life I wasn't really using root features. Later I spent too much time with a Z5 Compact where opening a bootloader has bad consequences. So now I'm pretty much used to closed bootloaders.
So considering that fast boot and recovery mode don't need the startup PIN I'll stay with a locked bootloader.
However I already got a reason to unlock the bootloader. If there's any way to record videos in [email protected] I'd root the phone.
Sent from my Nexus 5X
I think sfhub said that you'd need a password to boot into the recovery as well. So unlocking your bootloader and leaving the phone encrypted with rest of the security features turned on does seem quite secure than i initially imagined. Too bad I never stayed encrypted long enough to play around with these.
But does it still ask for a password if you flash a different/custom recovery? I'm guessing it will, assuming the passwords are located on /data partition which is encrypted.
That said, someone in PN thread mentioned that knowledgeable hackers can still gain access to an unlocked, but encrypted phone via methods I'm unaware of. But I'd say it is very unlikely that my phone will end up in the hands of someone with such abilities.
The conversation is here: http://forum.xda-developers.com/nex...nexus-layers-fi-wifi-calling-t3244601/page351
roofrider said:
I think sfhub said that you'd need a password to boot into the recovery as well. So unlocking your bootloader and leaving the phone encrypted with rest of the security features turned on does seem quite secure than i initially imagined.
Click to expand...
Click to collapse
You don't need a password to boot into Recovery. You need to enter a pattern/PIN/password into TWRP (TWRP's UI is the one presenting the UI to ask for your password) to allow TWRP to mount your user partition as without that information the user partition is just gibberish.
roofrider said:
But does it still ask for a password if you flash a different/custom recovery? I'm guessing it will, assuming the passwords are located on /data partition which is encrypted.
Click to expand...
Click to collapse
Whether the different custom recovery asks you a password or not will depend on the custom recovery, but if your recovery doesn't ask for a password, then that recovery has no ability to access your user partition as it won't be able to decrypt the contents. Even if it does ask for a password, sometimes it can't access due to mismatch in decryption procedures. Some earlier versions of TWRP had this problem.
roofrider said:
That said, someone in PN thread mentioned that knowledgeable hackers can still gain access to an unlocked, but encrypted phone via methods I'm unaware of. But I'd say it is very unlikely that my phone will end up in the hands of someone with such abilities.
Click to expand...
Click to collapse
If you leave your bootloader unlocked (especially if a bad actor has physical access to your phone), if someone is determined enough they can eventually get access, but with current features it is significantly more difficult/annoying (compared to how trivial it was prior to encryption) to the point most normal people won't bother:
1) AES encrypted user partition
2) multiple password failure reset
3) mixing your pattern/PIN/password with phone specific salt
4) factory reset protection
5) remote reset
The easiest way for them to get access to your phone is to install a custom android or recovery that records your pattern/PIN/password and getting you to enter that information on your own, prior to stealing your phone.
I am guessing multiple password failure reset can be bypassed with bootloader unlocked, so brute force is likely easier.
Now if someone comes out with tools to automate brute force of phones with bootloader unlocked then you might only have real protection from brute force if you enter a complex password rather than pattern/PIN. This still wouldn't protect you from having someone replace your recovery or OS with something that records your pattern/PIN/password but it would protect against the most likely case of someone stealing your phone and trying to access your user data.
I have another question
Can you open the bootloader if the phone is encrypted and with startup pin/password?
If so (I assume yes) /data is wiped and then the phones encryption is reserved? (Just like out of the box)
Sent from my Nexus 5X
thesebastian said:
I have another question
Can you open the bootloader if the phone is encrypted and with startup pin/password?
If so (I assume yes) /data is wiped and then the phones encryption is reserved? (Just like out of the box)
Click to expand...
Click to collapse
I assume you mean "unlock" the bootloader.
The answer is yes and no.
You must first go into developer options to allow OEM unlocking.
If you have a locked bootloader and set up a pattern/PIN/password, then for somebody else (w/o your pattern/PIN/password) to enable OEM unlocking would prove to be a challenge since they can't easily get past your Android login and I haven't an easy way for them to enable it through other means.
Assuming they can get past your pattern/PIN/password (or you just left OEM unlocking enabled yourself) then yes, they can unlock the bootloader and it will enforce a data wipe in the process.
Android factory reset protection might also kick in after the phone connects to Google and they may be forced to enter your pattern/PIN/password to access your system.
I don't know what you mean by "encryption is preserved" The user partition starts off unencrypted. Upon first boot, the kernel will see it isn't encrypted and will encrypt it. From that point on the user partition is always encrypted.
If your data gets wiped due to bootloader unlock, the user partition will be erased, reformatted (at which point it'll be briefly unencrypted), then will be re-encrypted upon first boot of kernel.
sfhub said:
I assume you mean "unlock" the bootloader.
The answer is yes and no.
You must first go into developer options to allow OEM unlocking.
If you have a locked bootloader and set up a pattern/PIN/password, then for somebody else (w/o your pattern/PIN/password) to enable OEM unlocking would prove to be a challenge since they can't easily get past your Android login and I haven't an easy way for them to enable it through other means.
Assuming they can get past your pattern/PIN/password (or you just left OEM unlocking enabled yourself) then yes, they can unlock the bootloader and it will enforce a data wipe in the process.
Android factory reset protection might also kick in after the phone connects to Google and they may be forced to enter your pattern/PIN/password to access your system.
Click to expand...
Click to collapse
Oh yes sorry! I totally forgot about that option under dev settings when I asked the question. So fastboot oem unlock will never work without knowing my PIN (I never had this the Nexus 5 and older Nexus).
That means that a Nexus 5X with a locked bootloader and that option disabled is completely useless for a thief? (Without including advanced concepts like "change the internal memory") Or you can still rewrite /data with a locked bootloader and get rid of the encryption?
(This applies also for the stock recovery "wipe data" function?)
These last questions I've made are not about privacy, are more about anti-theft features.
Sent from my Nexus 5X
thesebastian said:
Oh yes sorry! I totally forgot about that option under dev settings when I asked the question. So fastboot oem unlock will never work without knowing my PIN! (I never had this the Nexus 5 and older Nexus).
That means that a Nexus 5X with a locked bootloader and that option disabled is completely useless for a thief? Or you can still rewrite data with a locked bootloader and get rid of the encryption?
Click to expand...
Click to collapse
I think "useless" is in the eye of the beholder.
IMO with locked bootloader, OEM unlock disabled, pattern/PIN/password created, standard encryption enforced, it would be extremely difficult to access your data.
They could boot into recovery and reset your user partition, but in that case, they wouldn't be accessing your data and upon connection to google will likely get hit with android factory reset protection and need to enter your pattern/PIN/password to access the phone.
They may be able to force LG recovery mode and rewrite your phone. I don't know what happens with Android factory reset protection in this case, but they won't be accessing your user data unless they can easily break AES-256 brute force (which is not really possible today unless your keys get compromised through social engineering)
I think worse case, with a bunch of work, they might have a functioning phone that will lock them out if they ever connect to a network. They can probably sideload some games and use it for that.
---------- Post added at 12:24 PM ---------- Previous post was at 12:08 PM ----------
One other thing, keep in mind this is how things are designed to work with all the chains being secure (bootloader, kernel, recovery, android, etc.)
There could always be some zero day bug that could be exploited to break the design. If there was a kernel memory overrun bug that wasn't patched, that could potentiall be exploited to replace the code that resets the phone upon too many mistaken password entries, and then that combined with a 4 digit PIN code might result in a brute force attack on your PIN being feasible, there are only 10,000 combinations to try.
That is similar to what happen with the San Bernardino iPhone case. They were able to disable the phone reset after incorrect PIN entry functionality then just brute force the PIN.
sfhub said:
I think "useless" is in the eye of the beholder.
IMO with locked bootloader, OEM unlock disabled, pattern/PIN/password created, standard encryption enforced, it would be extremely difficult to access your data.
They could boot into recovery and reset your user partition, but in that case, they wouldn't be accessing your data and upon connection to google will likely get hit with android factory reset protection and need to enter your pattern/PIN/password to access the phone.
They may be able to force LG recovery mode and rewrite your phone. I don't know what happens with Android factory reset protection in this case, but they won't be accessing your user data unless they can easily break AES-256 brute force (which is not really possible today unless your keys get compromised through social engineering)
I think worse case, with a bunch of work, they might have a functioning phone that will lock them out if they ever connect to a network. They can probably sideload some games and use it for that.
Click to expand...
Click to collapse
So if a thief get my phone and do a wipe data in the stock recovery. The phone is still encrypted? They can't add a new Google account and use it like an out of box Nexus?
I'm not concerned about privacy anymore (encryption seems to be good enough). Now I'm asking about how this device is protected against the black market
Sent from my Nexus 5X
Regarding privacy in Android N I just read this article that adds more (future) information to the topic:
http://m.androidcentral.com/how-android-n-addresses-security
Sent from my Nexus 5X
thesebastian said:
So if a thief get my phone and do a wipe data in the stock recovery. The phone is still encrypted? They can't add a new Google account and use it like an out of box Nexus?
I'm not concerned about privacy anymore (encryption seems to be good enough). Now I'm asking about how this device is protected against the black market
Click to expand...
Click to collapse
IIRC they may be able to factory reset using stock recovery (or Google could have enhanced stock recovery to ask for pattern/PIN/password as well) but upon connection to Google it'll reinstall pattern/PIN/password.
So they can probably get the phone to be usable until they connect to Internet at which point it isn't usable. How usable your phone is without a network connection is debatable.
If Google has enhanced recovery to ask for pattern/PIN/password then they couldn't even get that far, unless they somehow force LG recovery mode and use LGUP to overwrite the phone.
I would test this all out for you but I don't have a phone I can spare being used as a test right now.
sfhub said:
IIRC they may be able to factory reset using stock recovery (or Google could have enhanced stock recovery to ask for pattern/PIN/password as well) but upon connection to Google it'll reinstall pattern/PIN/password.
So they can probably get the phone to be usable until they connect to Internet at which point it isn't usable. How usable your phone is without a network connection is debatable.
If Google has enhanced recovery to ask for pattern/PIN/password then they couldn't even get that far, unless they somehow force LG recovery mode and use LGUP to overwrite the phone.
I would test this all out for you but I don't have a phone I can spare being used as a test right now.
Click to expand...
Click to collapse
No problem! Thanks for the answer. Really helpful.
This is also useful in case I wanted to buy a used Nexus phone. (Well I bought mine directly from "Amazon Warehouse deals" but I could had used Wallapop who knows!)
I assume that a Factory Reset made by the legit owner from the "Settings" menu and not from the "Recovery" is enough to make the Nexus "tradable" again.
Sent from my Nexus 5X
thesebastian said:
No problem! Thanks for the answer. Really helpful.
This is also useful in case I wanted to buy a used Nexus phone. (Well I bought mine directly from "Amazon Warehouse deals" but I could had used Wallapop who knows!)
I assume that a Factory Reset made by the legit owner from the "Settings" menu and not from the "Recovery" is enough to make the Nexus "tradable" again.
Click to expand...
Click to collapse
Ok, I think you jogged my memory.
I believe what happens is this.
When you tie a Google account to your phone, it sets some information in the UEFI bios storage area (or some other area that survives factory reset). When you factory reset from recovery, during the initial setup it'll force you to connect to the most recent account associated with the phone (normally upon initial boot, it won't force connection of Google account)
This tends to hit buyers of used phones when the seller factory resets their phone right before selling it without removing pattern/PIN/password and removing google accounts.
So the proper way to sell a phone is
1) remove pattern/PIN/password
2) remove all Google accounts associated with this device
3) factory reset phone
Every manufacturer might have slightly different factory reset protection routines. I believe some states passed laws that required devices have ability to be remotely locked in case stolen and all this is part of that infrastructure. You can look at that as government wanting control over locking your phone or government trying to reduce the value of stolen phones for your benefit.
I think even Factory Reset from settings can experience the problem of new buyer needing to connect to previous google account, so best to remove pattern/PIN/password and Google accounts. I believe just removing the pattern/PIN/password will remove factory reset protection and similarly removing Google account will to, but I am not absolutely sure, so best to remove both.
I know you asked from standpoint of buyer and I responded from standpoint of seller. If you purchased a used phone, you should remind the seller to do the proper steps to disable the factory reset protection. I think factory reset protection started in in devices that were pre-installed with 5.1 or higher.
If folks forget to remove factory reset protection, they'll need to contact the buyer and give them their Google account password so they can complete set up and un-associate the account from the phone. Also don't reset your Google password then give the other user the temporary password, hoping to then reset your Google password back to standard, because there is some freeze I think 24 or 72hours where you can't use the account for initial setup if your password just got changed.
@ sfhub It seems to be much more complex now. I have to sell my previous phone (Xperia Z5 Compact, shipped with lollipop, but not encrypted out of the box) one of these days. And I plan to sell this (amazing) Nexus 5X as soon as there is a new 2016 Nexus (specially if it's a bit smaller). So the tips are really welcome. Thanks
sfhub said:
Also don't reset your Google password then give the other user the temporary password, hoping to then reset your Google password back to standard, because there is some freeze I think 24 or 72hours where you can't use the account for initial setup if your password just got changed.
Click to expand...
Click to collapse
I asked a friend who went through this trauma and he confirmed that if you change your Google password, there is a 72hour (not 24hour) lock before that password can be used to unlock a phone that has been factory reset.
Further, everytime you enter the wrong Google account/password on the phone the 72hr timer is reset.
So if you are in this situation best to just let the 72hr cooldown period pass before attempting to get into the phone. Spend your initial time making sure you have the correct Google account and password that was associated with the phone in question, then just wait it out.
Hey Guys,
When I got my OP3 I unlocked the bootloader right away and installed FreedomOS to get rid of the bloatware. As this is my first device, which comes with a locked bootloader and decryption, I have some questions about this topic. I was wondering that the encryption does not make any sense when you unlock your bootloader, because if somebody steals your phone, he can just enter twrp and access all your data. Then I flashed CM and after that TWRP was asking me to set a pin or pattern to lock my phone. Now I've to unlock my phone every time I want to enter the recovery or boot the system with a pattern, which is great, because now the encryption is not worthless anymore. Now I'm asking myself if this feature is somehow integrated into CM or was it just random that I found this feature? Is there any way to get this also with OOS installed? What things do I have to note to not accidentally make my phone unencryptable with the pattern? Is this even possible, maybe by flashing a new recovery or so?
Thanks in advance
Gerrit507 said:
Hey Guys,
When I got my OP3 I unlocked the bootloader right away and installed FreedomOS to get rid of the bloatware. As this is my first device, which comes with a locked bootloader and decryption, I have some questions about this topic. I was wondering that the encryption does not make any sense when you unlock your bootloader, because if somebody steals your phone, he can just enter twrp and access all your data. Then I flashed CM and after that TWRP was asking me to set a pin or pattern to lock my phone. Now I've to unlock my phone every time I want to enter the recovery or boot the system with a pattern, which is great, because now the encryption is not worthless anymore. Now I'm asking myself if this feature is somehow integrated into CM or was it just random that I found this feature? Is there any way to get this also with OOS installed? What things do I have to note to not accidentally make my phone unencryptable with the pattern? Is this even possible, maybe by flashing a new recovery or so?
Thanks in advance
Click to expand...
Click to collapse
If your phone is encrypted, TWRP has to prompt you to decrypt the /data partition before it can be mounted. This isn't a CM feature, it should act like this with any ROM if phone encryption is enabled. I've flashed most every rom and version of twrp in this forum and they all seem to work fine with the encryption enabled. I have not flashed multiboot yet as that requires your phone to be completely unencrypted. Not sure if that answers your question.
If security is your concern though, I would recommend switching to a passphrase instead of pattern for encryption unless your pattern is very long and complex. I recommend a passphrase of at least 16 characters.
kennonk said:
If your phone is encrypted, TWRP has to prompt you to decrypt the /data partition before it can be mounted. This isn't a CM feature, it should act like this with any ROM if phone encryption is enabled. I've flashed most every rom and version of twrp in this forum and they all seem to work fine with the encryption enabled. I have not flashed multiboot yet as that requires your phone to be completely unencrypted. Not sure if that answers your question.
If security is your concern though, I would recommend switching to a passphrase instead of pattern for encryption unless your pattern is very long and complex. I recommend a passphrase of at least 16 characters.
Click to expand...
Click to collapse
Ok I see, than I was getting something wrong there, thank you. The thing is FreedomOS stated that the phone is encrypted but I was never asked for the pattern by TWRP...
Gerrit507 said:
Ok I see, than I was getting something wrong there, thank you. The thing is FreedomOS stated that the phone is encrypted but I was never asked for the pattern by TWRP...
Click to expand...
Click to collapse
When you first booted up your stock phone and went through setup it asks if you want to secure the phone using pin/pattern/passphrase. I think that is where it is created then that key is written somewhere, not on the data or system partitions because is persists between wipes, and that is where TWRP and all future roms are authenticating you.
kennonk said:
When you first booted up your stock phone and went through setup it asks if you want to secure the phone using pin/pattern/passphrase. I think that is where it is created then that key is written somewhere, not on the data or system partitions because is persists between wipes, and that is where TWRP and all future roms are authenticating you.
Click to expand...
Click to collapse
Ok, I can not remember this... Then I guess the phone just stated it was encrypted and wasn't... And how can I change this pattern or unencrypt the phone?
Gerrit507 said:
Ok, I can not remember this... Then I guess the phone just stated it was encrypted and wasn't... And how can I change this pattern or unencrypt the phone?
Click to expand...
Click to collapse
Here is how to decrypt without losing data. http://forum.xda-developers.com/oneplus-3/how-to/unencrypt-oxygenos-loosing-data-t3412228
There is another article I think I saw it on the OnePlus forums about how to decrypt and wipe which will let you change the passphrase I think.
Basically if you decrypt, then flash Oxygen or Hydrogen without SuperSU it will force you to re-encrypt. At least that is my understanding as I haven't decrypted yet.
Good luck
kennonk said:
Here is how to decrypt without losing data. http://forum.xda-developers.com/oneplus-3/how-to/unencrypt-oxygenos-loosing-data-t3412228
There is another article I think I saw it on the OnePlus forums about how to decrypt and wipe which will let you change the passphrase I think.
Basically if you decrypt, then flash Oxygen or Hydrogen without SuperSU it will force you to re-encrypt. At least that is my understanding as I haven't decrypted yet.
Good luck
Click to expand...
Click to collapse
As far as I understood it, it's all about wiping userdata, which I did before flashing Freedom OS. This might explain why I had no encryption... Still strange that it did not prompt me again to set a new one...
edit: FreedomOS has supersu, but systemless... I also flashed supersu right after CM which is even more strange...
Gerrit507 said:
As far as I understood it, it's all about wiping userdata, which I did before flashing Freedom OS. This might explain why I had no encryption... Still strange that it did not prompt me again to set a new one...
Click to expand...
Click to collapse
Yeah I have wiped userdata and system and clean reflashed like 20-30 times in the last few weeks and I've never been prompted to recreate the initial passphrase I set for encryption.
kennonk said:
Yeah I have wiped userdata and system and clean reflashed like 20-30 times in the last few weeks and I've never been prompted to recreate the initial passphrase I set for encryption.
Click to expand...
Click to collapse
But I never had to decrypt in TWRP... It's mysterious As far as I understand the guide he just wipes userdata and the encryption is gone... Is there somebody who knows for sure where the key is located actually?
edit: Seems like the encryption key is coupled to your password
When a user elects to change or remove their password in settings, the UI sends the command cryptfs changepw to vold, and vold re-encrypts the disk master key with the new password.
Click to expand...
Click to collapse
https://source.android.com/security/encryption/
I can confirm that. I changed my pattern and unlocked the phone with it at booting.
If I remove my password it still says "encrypted" in security but I don't have to enter any pattern at boot.
Mine says "Encrypted" under Settings > Security & Fingerprint > Encryption but I can boot into TWRP and browse the entire file system without ever entering my pin code.
dcdruck1117 said:
Mine says "Encrypted" under Settings > Security & Fingerprint > Encryption but I can boot into TWRP and browse the entire file system without ever entering my pin code.
Click to expand...
Click to collapse
Sounds like you have the same issue like I had. It seems to me like an issue in OOS.
This is awesome. I thought rooting and unlocking the bootloader to install custom ROMs would need the phone to be decrypted -- great, great news!
So without knowing the passphrase a possible attacker can't get to the data even when the bootloader is unlocked and OS rooted?
kanttii said:
This is awesome. I thought rooting and unlocking the bootloader to install custom ROMs would need the phone to be decrypted -- great, great news!
So without knowing the passphrase a possible attacker can't get to the data even when the bootloader is unlocked and OS rooted?
Click to expand...
Click to collapse
Yes, all your data is being decrypted after your enter the passphrase.
Does anyone have any idea how I can encrypt my phone if it already says Settings > Security & fingerprint > Encryption > Encrypt phone = "Encrypted"? It's clearly not actually encrypted because I do not have to enter any pin to boot or read data in TWRP.
dcdruck1117 said:
Does anyone have any idea how I can encrypt my phone if it already says Settings > Security & fingerprint > Encryption > Encrypt phone = "Encrypted"? It's clearly not actually encrypted because I do not have to enter any pin to boot or read data in TWRP.
Click to expand...
Click to collapse
Go to lock screen settings and set it up again. You will be prompted if you want to enter pin every reboot.
proag said:
Go to lock screen settings and set it up again. You will be prompted if you want to enter pin every reboot.
Click to expand...
Click to collapse
Hey, thanks! The "require PIN to start device" screen doesn't make any mention of encryption, so I was under the impression that it was far more basic and wasn't at all related to encryption. I tried it though and now TWRP does ask me to decrypt my data partition, so it does work. Thanks for the assist!
been following this thread and i had a quick questions - so it looks like if you unlock BL and run a custom ROM, you can still have the security of encryption, but does this ONLY apply to the USERDATA partition?
for example, could someone launch TWRP recovery on your phone and flash something into the SYSTEM partition without ever touching your userdata partition (ie, a keylogger or malware)?
It seems to me that only the data partition is encrypted, but someone correct me if I'm wrong. I looked at the Android full disk encryption page and I only see mentions of the data partition.
dcdruck1117 said:
It seems to me that only the data partition is encrypted, but someone correct me if I'm wrong. I looked at the Android full disk encryption page and I only see mentions of the data partition.
Click to expand...
Click to collapse
so system is never encrypted? i guess at that point the stock recovery stops you from flashing malware but \TWRP wont
dcdruck1117 said:
It seems to me that only the data partition is encrypted, but someone correct me if I'm wrong. I looked at the Android full disk encryption page and I only see mentions of the data partition.
Click to expand...
Click to collapse
Your internal storage is mounted into your data partition actually. I think this means it's also encrypted.
2x4 said:
so system is never encrypted? i guess at that point the stock recovery stops you from flashing malware but \TWRP wont
Click to expand...
Click to collapse
I see no reason behind encrypting system, it's used read-only anyway as long as you don't flash something to it.
edit: Ah I see now what you mean. But if you have stock recovery you can also simply flash twrp over it or flash something to system via adb... I don't know if it would even be possible technically to encrypt system. Anyway I think the only solution would be to lock the bootloader I think. I don't know what actually happens if you lock your bootloader again while on twrp and custom rom, might brick your device
Since this is my first phone with encryption and fingerprint reader after my Nexus 5, I am a tad bit confused about the whole topic. So here are a few questions about it:
I currently have ressurection remix installed and in security settings it says my phone would be encrypted. If I click on this, nothing happens, so I guess I cannot change the encrypted state?
When I boot into TWRP, I am asked to decrypt data with my passkey, which I set up while OOS was still installed. So does this persist through system and data wipes?
If so, how can I actually change this passphrase? Might be kind of similar to question 1.
What would be the right way to relock the bootloader without bricking the phone if this passphrase is not stored in data or system partition?
With every factory reset and flashing a new rom, does everything get encrypted with the passphrase I have setup before?
So I kind of like the fact encryption is turned on automatically by Nextbit (and I did figure out how to get out of my encryption loop)
And I have tried to encrypt the disk with
-Pacman ROM
-Reserrection ROM
-Paranoid Android
and all of them bootloop and never actuall boot up once you press "encrypt".... so is it impossible to encrypt once you have an unlocked bootloader and recovery installed? I get its detrimental to the whole process of flashing incessantly but still
Grrrrrrr
Can sum1 confirm
tlxxxsracer said:
If you unlock the bootloader,that alone won't cause encryption issues. You have to flash a specific boot.img or zip that will disable encryption.
Don't unencrypt and should be fine.
Not sure why you'd want to encrypt if your BL is unlocked. Encryption only hurts performance
Click to expand...
Click to collapse
thanks for the reply
I wanted to encrypt my current ROM to just get the extra protection from theft or lost device.
I really like the current ROM im using and dont need to flash anymore currentlty, so i would be fine locking it down with encryption
But i cant get ANY of the ROMS to encrypt like they normally do say compared to the G3
So there is a solution to this. Basically, when you encrypt the file system on one rom, even when you wipe the data certain things are still tied to the old file system. That's why when you go to encrypt the encryption fails, because the remnant stuff from the other rom is in the way. The solution is to completely reformat the data partition (using TWRP, select format data, or change the data file system to F2FS and then back to ext4.). This will clear the conflicts causing encryption to bootloop. However, this process will need to be repeated every single time you switch roms (updating a rom is fine).
I believe Cyanogenmod supports encryption, though I have never tried it.
yanowman said:
So I kind of like the fact encryption is turned on automatically by Nextbit (and I did figure out how to get out of my encryption loop)
And I have tried to encrypt the disk with
-Pacman ROM
-Reserrection ROM
-Paranoid Android
and all of them bootloop and never actuall boot up once you press "encrypt".... so is it impossible to encrypt once you have an unlocked bootloader and recovery installed? I get its detrimental to the whole process of flashing incessantly but still
Click to expand...
Click to collapse
If you flashed the custom boot image, you CANNOT re encrypt your phone. Won't work.
Hey there,
let me start off by saying that I don't own an XL, but a non-XL 3a. Since my question seems to apply to both devices (similar/same components), I'll try my luck here.
Recently, my 3a got stuck in SystemUI crashes and I tried every solution that came to mind and others suggested over at the 3a section (check my profile if curious, basically locked BL, fully stock, no ADB), but nothing solved the issue.
However, I didn't factory reset yet, but I'm confident that it would fix it. On the other hand, It'll also wipe my storage.
----
Long story short, the only option I can think of is to recover my files with a data recovery app/program after I have wiped/factory reset my phone.
Did anybody ever successfully used such an app on a Pixel or similar (A/B) partition layout? Is it even possible/viable? Are there special prerequisites to consider?
It goes without saying I'll make sure to overwrite as few sectors as possible, if any. I can accept some files getting lost in the process, but want to keep whatever I can recover.
Thank you for reading.
Your biggest issue is going to be the fact that the storage is encrypted. So even if you do wipe the phone, I don't think anything will be recoverable since it won't be readable.
Your data will not be recoverable after the factory reset... because it was encrypted. Part of the factory reset will wipe the encryption key (that will not be recoverable since it will be regenerated on the first boot) so your data is surely lost. You are in the worst possible scenario for data recover, honestly your best bet is probably just factory reset and accept that the data is gone forever.
xnifex said:
Your biggest issue is going to be the fact that the storage is encrypted. So even if you do wipe the phone, I don't think anything will be recoverable since it won't be readable.
Click to expand...
Click to collapse
acejavelin said:
Your data will not be recoverable after the factory reset... because it was encrypted. Part of the factory reset will wipe the encryption key (that will not be recoverable since it will be regenerated on the first boot) so your data is surely lost. You are in the worst possible scenario for data recover, honestly your best bet is probably just factory reset and accept that the data is gone forever.
Click to expand...
Click to collapse
Well, damn. Thanks nonetheless, I didn't even think about that.
I'll try to fiddle with the phone one last time, maybe I'll get it unlocked somehow (I can only get 7 or 8 dots
of my pattern connected before the UI crash kicks in...). This is literally the only thing that separates me from the storage.
This has to be the most infuriating small obstacle with the biggest effect for me.
Since you're stock, might get lucky if your software is good on your second slot. You'll have boot into fastboot mode abs try the command "fastboot continue" from command line on a computer. Plenty of fastboot guides online if you've never used it.
Credit to this thread: https://www.reddit.com/r/GooglePixel/comments/5cbc9m/bricked_pixel_xl/
brandontowey said:
Since you're stock, might get lucky if your software is good on your second slot. You'll have boot into fastboot mode abs try the command "fastboot continue" from command line on a computer. Plenty of fastboot guides online if you've never used it.
Credit to this thread: https://www.reddit.com/r/GooglePixel/comments/5cbc9m/bricked_pixel_xl/
Click to expand...
Click to collapse
Man, if that works out, I'd be insanely glad. Have to get my hands on my friend's laptop first though.
I mean, the UI just started crashing after I checked for an OTA without downloading, then changing the wallpaper. That was literally it. Hadn't I rebooted, I would have been able to still unlock with my fingerprint between each crash.
Here's hoping that ADB sideloading OTAs left that slot option intact.
Will definitely update this post; at the very least, thank you for your suggestion.
Update: "fastboot continue" as well as switching boot slot parameters aren't allowed on this locked bootloader.
ADB sideloading caused slots to switch anyway, and both slots seemed to be affected from the SystemUI crashing. Will edit my original thread with a conclusion now.