Related
As has been mentioned in the thread, I have my one plus 3 encrypted ( Oxygen OS 4.1.6 ) encrypted, Can I flash lineage OS or RR without unencrypt my phone?
Sure. I've tried many ROMs and always kept encryption.
Sent from my OnePlus 3 using Tapatalk
Yes, as long as you remember the encryption key.
Yeah, absolutely.
To keep OOS encryption DO NOT wipe data via fastboot format/erase command, but ONLY via recovery (like in 99.9% of scenarios).
Unlike @Ozone74 said, there's no encryption key to remember, since Android encryption is based on the used pattern/PIN/password.
I highly suggest, both for security and compatibility reasons, to enable authentication request at bootup.
Otherwise:
1) Recovery could be accessible for everyone;
2) Recovery could be still protected, but unable to unlock.
Simone98RC said:
Yeah, absolutely.
To keep OOS encryption DO NOT wipe data via fastboot format/erase command, but ONLY via recovery (like in 99.9% of scenarios).
Unlike @Ozone74 said, there's no encryption key to remember, since Android encryption is based on the used pattern/PIN/password.
I highly suggest, both for security and compatibility reasons, to enable authentication request at bootup.
Otherwise:
1) Recovery could be accessible for everyone;
2) Recovery could be still protected, but unable to unlock.
Click to expand...
Click to collapse
Well, AFAIK you can change your device PIN/Pattern as many times as you like but the encryption key cannot be change after the initial setup. So he might have changed his PIN/Pattern after encrypting the device but the encryption key will stay the same as the original PIN/Pattern.
Ozone74 said:
Well, AFAIK you can change your device PIN/Pattern as many times as you like but the encryption key cannot be change after the initial setup. So he might have changed his PIN/Pattern after encrypting the device but the encryption key will stay the same as the original PIN/Pattern.
Click to expand...
Click to collapse
You're absolutely wrong!
The encryption is based on latest PIN/pattern/password.
Have you never tried to change authentication method on encrypted phone?
Simone98RC said:
You're absolutely wrong!
The encryption is based on latest PIN/pattern/password.
Have you never tried to change authentication method on encrypted phone?
Click to expand...
Click to collapse
I gave it a test run, since you sounded so confident but it only proved what I already knew.
You cannot decrypt the device with your new PIN and can only be done if the original pin.
My device was originally encrypted with the PIN 1234 and it was the same to unlock my phone too. I changed my device PIN to 0000 and rebooted into TWRP where I was met with the the decryption page. I entered my new PIN 0000 and it failed to decrypt. I then entered my original pin of 1234 and it decrypted.
I think you need to check it out for yourself too.
Simone98RC said:
You're absolutely wrong!
The encryption is based on latest PIN/pattern/password.
Have you never tried to change authentication method on encrypted phone?
Click to expand...
Click to collapse
More than 3 months and still no reply. I think you stand corrected.
For some reason I prefer FBE rather than FDE. I used it on custom roms that "don't support it", actually they do, it's TWRP that can't convert FDE to FBE - it just display given commands and reboot (obviously). There was a script that patched boot.img to use FBE by default, but I can't find it. I bet it was somewhere on this sub-forum... Does anyone have this script, or know how to patch it manually?
I'm asking because I can't permanently unlock bootloader, so even if I convert it I wont be able to put TWRP back without unlocking bootloader and that will remove encryption.
Hi,
I have a friend who buy a oneplus 3T (second hand), and I have a oneplus 5.
I noticed a strange difference between these both devices. Indeed, when oneplus 5 is booting, there is the oneplus logo, then the oxygenos logo, then the lockscreen (normal).
But when the oneplus 3t is booting, there is the oneplus logo, then the oos logo, then we need to enter password, then there is oxygenos logo again, and finally there is the lockscreen and we need to re-enter the password (pin).
Futhermore when open twrp on the OP3T, we need the password, then we can read "fail to mount storare" and twrp boot up and works fine after that.
Both of them are secure with pin and sim card pin are disabled.
OP 3T : oos 5.0.7, magisk 18.0, encrypted
OP5 : OB22, magisk 18.0, encrypted
So I dont understand what goes wrong on the 3T, is it normal or do I need a factory on something else?
Sorry for my bad English,
Thanks
Androrax said:
So I dont understand what goes wrong on the 3T, is it normal or do I need a factory on something else?
Thanks
Click to expand...
Click to collapse
Perfectly normal.
OP3/T uses Full Disk Encryption (FDE). OP5 uses File Based Encryption (FBE). The latter is also known as Direct Boot, and for good reason. As the name implies Direct Boot allows you to get straight to the Lockscreen before having to enter any security. That's because with FBE the files needed to Boot the phone don't need Decrypting. As you can see, it's more convenient that way and the startup procedure is less janky.
With FDE on the OP3 you can't do anything until security is entered so you get the Boot prompt to Decrypt and then a Fingerprint on the Lockscreen to unlock the device. (You'll notice on the OP5 you always have to enter a PIN/Password on the Lockscreen after a reboot. That step is on Boot with the OP3).
For Encryption to be secure with the OP3, you have to have your security, whether a PIN or Password, set to prompt you at Boot. This is an option during the Initial Setup of the device when you set your security stuff. It always prompts you to add that security at Boot. Same too if you now remove your PIN in settings and set a new one. You obviously said yes to this prompt as you have on-boot security.
If you had said 'No' you would Boot straight to the Lockscreen, same as the OP5, and would have to enter PIN/Password instead of just Fingerprint on the Lockscreen. It's a big security hole that way though as someone could remove your Lockscreen security from TWRP and gain full access to your phone. This is why you need on-boot security with FDE.
With TWRP:
OP5 - You should get prompted for security by TWRP when you try to load it. If not, something is wrong.
OP3 - With on-boot security:
You will have already entered your security so you are decrypted and TWRP will then load without additional prompt.
OP3 - Without on-boot security:
TWRP will use default_password to decrypt and load automatically. This is a problem as anyone with physical access to your device can use TWRP to remove your Lockscreen security and boot into your phone.
TL;DR:
1) On-boot security is essential when using FDE, even if the bootup sequence is horrible.
2) FBE is superior in that you can boot straight to Lockscreen and TWRP is protected if someone boots to Recovery.
Wow, thank you very much for this very comprehensive answer.
I am reassured now
Has anyone experienced freezing screen on their pixel 6 pro?
I just faced the issue and force rebooted by holding power and volume up until it rebooted.
I have darkliv substratum theme, latest canary magisk on latest Jan update.
I got a bootloop after installing a magisk module 'nabarswap' and had to wipe the device with Android flashtool
You should not have wiped. If you boot your phone in safe mode, no magisk modules will be activated and you can remove them.
I could be wrong here, but I believe that you need to disable verity and verification for most Magisk Modules so that this doesn't occur.
NippleSauce said:
I could be wrong here, but I believe that you need to disable verity and verification for most Magisk Modules so that this doesn't occur.
Click to expand...
Click to collapse
You don't need to disable verity & verification as long as you use Canary Magisk 23016 or later. Most Magisk mods won't modify the boot image header, at least that I know of.
fil3s said:
I got a bootloop after installing a magisk module 'nabarswap' and had to wipe the device with Android flashtool
Click to expand...
Click to collapse
In addition to what @foobar66 said about safe mode, you can also remove modules by this method, but it's easier just to disable them in safe mode like foobar66 said:
1. Turn off device
2. adb wait-for-device shell magisk --remove-modules in command prompt
3. Connect your phone to computer and turn it on.
4. Phone tries to boot and the command should be accepted
5. Wait until the command worked and the phone boots up without issues
Also, there is a Magisk Mod that will automatically disable mods if you are in a bootloop. I have it installed but haven't tested it since I haven't been in a bootloop. The developer said it supports Android 12. I've seen at least 1 person who said it works.
GitHub - Magisk-Modules-Alt-Repo/HuskyDG_BootloopSaver: Protect your system from bootloop caused by Magisk modules.
Protect your system from bootloop caused by Magisk modules. - GitHub - Magisk-Modules-Alt-Repo/HuskyDG_BootloopSaver: Protect your system from bootloop caused by Magisk modules.
github.com
Thanks for the replies. Didn't receive any notification from the XDA app.
NippleSauce said:
I could be wrong here, but I believe that you need to disable verity and verification for most Magisk Modules so that this doesn't occur.
Click to expand...
Click to collapse
No apparently you just flash normally , no need to disable verification etc , then fastboot flash boot the magisk boot image.
foobar66 said:
You should not have wiped. If you boot your phone in safe mode, no magisk modules will be activated and you can remove them.
Click to expand...
Click to collapse
I tried to not wipe but android flashtool wouldn't proceed, atleast the phone wouldn't , it just got stuck on a screen asking me to factory reset. I figured the only fix was to wipe. And since I've cloud backups of my data, it was no big deal to wipe
Cheers
I now use 'bootloop saver' which can be found on this app
Forgive me, If I am asking something that was previously answered.
I have been looking around this community, also did some homework, but I am still confused and need double-check.
It seems that fastboot flashing is getting more and more complicated these days. I always just did a flash-all bat (after removing -w) and flashed the patched img for my previous Pixel 1 and 3.
I have flashed my Pixel 6 to November firmware, January firmware, patched with the latest magisk without disabling any flags for now.
Everything goes well until I happen to flash several third-party kernels using EXKM. I am not very sure whether flashing a kernel or recovering to magisk patched stock kernel via EXKM causes the issue.
Now every time I boot the phone, the annoying corrupted message shows up. I was stupid that when I saw that message, I immediately flashed the stock boot.img, then the full firmware. It turned out that I can move forward by pressing the power button after the corrupted message appeared. You must know, that annoying message is still there.
To cut a long story short,
Now I need your help to confirm before proceeding.
1. If I try to live with this corrupted message, is there any further potential damage to my phone, will it become soft-bricked even bricked?
2. If I am going to disable these flags, will it be a must to disable them every time I monthly flash the google firmware?
3. For now my phone is with the latest January firmware and that annoying corrupted message is rooted. How can I proceed? just
Code:
fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
then, reboot the bootloader and do a flash-all without removing -w
then flash patched boot image.
Will the above operations get rid of the corrupted message and bring my phone back to normal?
Thanks very much in advance for your attention and I appreciate your comments pretty much
Stay safe
OK, I have finally managed to flashed January firmware with flags disabled, skipping reboot, and patched again.
For now, the annoying message disappeared. That is to say question 3 get answered
I do like this
Code:
PATH=%PATH%;"%SYSTEMROOT%\System32"
fastboot flash bootloader bootloader-oriole-slider-1.0-8013568.img
fastboot reboot-bootloader
ping -n 5 127.0.0.1 >nul
fastboot flash radio radio-oriole-g5123b-93368-211225-b-8029609.img
fastboot reboot-bootloader
ping -n 5 127.0.0.1 >nul
fastboot --disable-verity --disable-verification --skip-reboot update image-oriole-sq1d.220105.007.zip
fastboot reboot-bootloader
ping -n 5 127.0.0.1 >nul
fastboot flash boot root24001.img
fastboot reboot
echo Press any key to exit...
pause >nul
exit
credit to @guruoop
Answeres to question 1 & 2 still welcomed
Sorry, but I read Oriole... Do you have a P6 or a P6 Pro? P6 Pro is Raven, not Oriole... Oriole is P6.
Could you have the wrong firmware?
bush911 said:
Answeres to question 1 & 2 still welcomed
Click to expand...
Click to collapse
1. That corrupt message means you have a dm verity corruption. Because there is a corruption, you are in eio dm verity mode. A clean flash (or factory reset) without corruption errors will allow the bootloader to see that a new OS has been installed and will switch back to restart mode and remove that warning. Apparently the root hash of the hash tree and the expected root hash aren't matching up, thus triggering this warning. See documentation below.
Also, pressing the power button puts the phone in restart mode and will allow you to boot up in this circumstance. I don't believe "living" with this corruption message will lead to any further damage to your phone, but can't be 100% sure of this.
2. Depends. You no longer have to have them disabled if using Canary 23016 or newer to boot a Magisk-patched boot image. However, some custom kernels may still require them to be disabled, depending on whether they have updated the Magiskboot binary to Magisk 23016 or later. Others that provide a boot image (among other images) you can probably just patch the provided boot image with Magisk 23016 or later without having to disable verity and verification. Best to check with the custom kernel developer beforehand (or check in their OP and threads).
So, depending on whether you are using a custom kernel that may require these 2 flags to be disabled will determine whether you need to keep those flags disabled when updating to a new monthly security build. If just updating, then you don't have to keep these flags disabled. If you decide to keep these flags enabled, and then later decide to disable them you will have to perform a factory reset after disabling them again.
Boot Flow | Android Open Source Project
source.android.com
that's also the issue I run into
Lughnasadh said:
1. That corrupt message means you have a dm verity corruption. Because there is a corruption, you are in eio dm verity mode. A clean flash (or factory reset) without corruption errors will allow the bootloader to see that a new OS has been installed and will switch back to restart mode and remove that warning. Apparently the root hash of the hash tree and the expected root hash aren't matching up, thus triggering this warning. See documentation below.
Also, pressing the power button puts the phone in restart mode and will allow you to boot up in this circumstance. I don't believe "living" with this corruption message will lead to any further damage to your phone, but can't be 100% sure of this.
2. Depends. You no longer have to have them disabled if using Canary 23016 or newer to boot a Magisk-patched boot image. However, some custom kernels may still require them to be disabled, depending on whether they have updated the Magiskboot binary to Magisk 23016 or later. Others that provide a boot image (among other images) you can probably just patch the provided boot image with Magisk 23016 or later without having to disable verity and verification. Best to check with the custom kernel developer beforehand (or check in their OP and threads).
So, depending on whether you are using a custom kernel that may require these 2 flags to be disabled will determine whether you need to keep those flags disabled when updating to a new monthly security build. If just updating, then you don't have to keep these flags disabled. If you decide to keep these flags enabled, and then later decide to disable them you will have to perform a factory reset after disabling them again.
Boot Flow | Android Open Source Project
source.android.com
Click to expand...
Click to collapse
Thank you very much for your detailed explanation, it really helped.
To conclude:
Once these flags are disabled, every time flashing a full image will re-enable them again if I don't add "--disable-verity --disable-verification --skip-reboot" to the flash-all.bat.
Once the flags are enabled again, next time if I disable them again, it will lead to a factory data reset again.
Am I right?
gpvecchi said:
Sorry, but I read Oriole... Do you have a P6 or a P6 Pro? P6 Pro is Raven, not Oriole... Oriole is P6.
Could you have the wrong firmware?
Click to expand...
Click to collapse
Thank you for your attention. I mean to post here as it is more active here
bush911 said:
Thank you very much for your detailed explanation, it really helped.
To conclude:
Once these flags are disabled, every time flashing a full image will re-enable them again if I don't add "--disable-verity --disable-verification --skip-reboot" to the flash-all.bat.
Once the flags are enabled again, next time if I disable them again, it will lead to a factory data reset again.
Am I right?
Click to expand...
Click to collapse
Correct. Although you don't need to add the --skip-reboot unless you are doing something else like flashing the patched boot image during the same flashing session, which it appears you are doing, so yeah, all good