Device security after unlocking bootloader without encryption - G4 Q&A, Help & Troubleshooting

Hello
About securing your device after having an unlocked bootloader. Using TWRP you can easily delete whatever lockscreen is installed by removing a few files from /data/system, the gatekeeper files and the three locksettings files.
You might as well not have a lockscreen at all if a potential phone thief has any idea what he's doing. How would you secure your device?
Encryption isn't possible on Lineage 14, and 15 still has too many bugs for me to consider using it. The only other option is staying stock and having a massively outdated Android security patch.
Are there any other security options I'm missing?

a tiny ant said:
> Hello
> About securing your device after having an unlocked bootloader. Using TWRP you can easily delete whatever lockscreen is installed by removing a few files from /data/system, the gatekeeper files and the three locksettings files.
> You might as well not have a lockscreen at all if a potential phone thief has any idea what he's doing. How would you secure your device?
> Encryption isn't possible on Lineage 14, and 15 still has too many bugs for me to consider using it. The only other option is staying stock and having a massively outdated Android security patch.
> Are there any other security options I'm missing?
Install a stock recovery to avoid the easy deletion of files in TWRP.
But... as long as you have an LP or MM bootloader stack you can still boot a TWRP image by fastboot boot when having physical access. To avoid this you need the bootloader stack for N which is available only for h815 devices and denies fastboot boot commands. While fastboot flash is still available for flashing TWRP...
Another option:
Install any ROM which has working encryption. Encrypt the device.
Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
Even when you have encrypted your device, your bootloader unlock will leave a door open which can allow the modification of system files (which never get encrypted). This means: I can place malware in system; you will boot Android the next time and activate my malware after you have entered your pass for the decrypt.
So all the above can make things harder for an attacker while not impossible to break.
TLDR;
Once unlocked there is always a way to allow access. The warnings of the vendors are there for a reason.
Sent from my LG-H815 using XDA Labs

steadfasterX said:
> Install a stock recovery to avoid the easy deletion of files in TWRP.
> But... as long as you have an LP or MM bootloader stack you can still boot a TWRP image by fastboot boot when having physical access. To avoid this you need the bootloader stack for N which is available only for h815 devices and denies fastboot boot commands. While fastboot flash is still available for flashing TWRP...
> Another option:
> Install any ROM which has working encryption. Encrypt the device.
> Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
> Even when you have encrypted your device, your bootloader unlock will leave a door open which can allow the modification of system files (which never get encrypted). This means: I can place malware in system; you will boot Android the next time and activate my malware after you have entered your pass for the decrypt.
> So all the above can make things harder for an attacker while not impossible to break.
> TLDR;
> Once unlocked there is always a way to allow access. The warnings of the vendors are there for a reason.
> Sent from my LG-H815 using XDA Labs
Thanks! Very informative post. I think the risks of having an unlocked bootloader are acceptable if the phone's data can be encrypted.
I have tried encrypting on stock Nougat and then flashing LineageOS over it, however it resulted in the LineageOS installation not recognizing my pattern and refusing to boot past the boot prompt. Maybe deleting the keyguard files right after flashing? I will try this later.
So the next step was disabling the pattern altogether and then trying to use TWRP again, but then it asks for a password, which technically shouldn't exist since there isn't any lock on the screen.
Well I've actually figured this one out, apparently Android defaults to "default_password". It almost seems too silly to be true but it has to be something I guess. Will try flashing LOS later over an encrypted storage.

steadfasterX said:
> Another option:
> Install any ROM which has working encryption. Encrypt the device.
> Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
I've actually tried this, encrypting from stock Nougat and flashing Lineage over it, except then Lineage refuses to boot, asking for a password instead. "default_password" doesn't work even though no actual password is set.
It seems to be dependent on what setting it was on stock Nougat, as it could also ask for a pattern which then won't be accepted.
I also cannot find any lockscreen or keyguard related files in /data/system after flashing stock Nougat. Are there any other options I could try? The device is decrypted in TWRP before rebooting, but afterwards the encryption activates making it no longer possible to enter the system.
Another bit of a strange/interesting thing. The only way out was to format data, thus removing encryption. I then restored a TWRP backup where encryption was enabled, deleted the lockscreen files and upon booting the device appeared to be fully encrypted again. Is this a bug or something?

Related

Four Questions about OP3T Encryption

My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
I would like to modify my existing encryption settings, so I had a few questions:
Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
Thanks,
¿GJ?
¿GotJazz? said:
> My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
> I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
> I would like to modify my existing encryption settings, so I had a few questions:
> Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
> My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
> I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
> If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
> Thanks,
> ¿GJ?
It is possible to remove encryption but you will lose all data on the phone. You see OxygenOS has this very annoying force encryption. It basically means whenever you boot your phone and force encryption is on it will automatically encrypt. What I usually do is go to Fastboot then type "fastboot erase userdata" then I boot straight into TWRP and wipe every partition. After that I flash the rom and encryption should be gone (no more boot password). If you have any more questions be sure to ask.
¿GotJazz? said:
> My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
> I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
> I would like to modify my existing encryption settings, so I had a few questions:
> Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
> My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
> I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
> If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
> Thanks,
> ¿GJ?
1) It depends on the pattern/password/PIN you're using.
Android encryption is based on internal keys, do not consider it like Dm-crypt or BitLocker, they are quite different.
2) I discourage it.
Without bootup authentication, recovery is fully accessible, anyone can access/transfer data or wipe device.
3) I've read nothing about that.
4) Encryption is upper to /data: the only way to remove it is doing fastboot format userdata via ADB.
To make decryption permanent, you've to unlock bootloader, flash TWRP recovery, then install (at the same time) OxygenOS and Magisk.
Magisk will prevent the force encryption.
After first boot, you can remove Magisk.
Thanks, guys! Not the answers I hoped for, but good answers nonetheless.

boot up pin

Hello,
Whenever I encrypt my phone on DU, when I set the lock screen password it asks me if I want the phone to ask it to be able to boot, but then, the phone refuses to boot and says that the password is wrong.
But when I boot into TWRP the password works and I can decrypt the data partition.
I already had the issue but with the phone accepting the boot PIN but TWRP not.
This is on a fresh DU install with previously formatted data partition.
DO NOT encrypt via custom roms: it causes trouble and compatibility issues, especially when returning to OxygenOS.
So:
1) Put device in bootloader mode, plug it to computer, type fastboot format userdata via ADB terminal;
2) Go in TWRP and wipe all the partitions (be sure to have /cache formatted in ext4, otherwise change its filesystem);
3) Always from TWRP, flash latest OOS firmware (4.1.6 or OB19);
4) Reboot and configure setup with your PIN required at bootup;
5) After completing wizard, reboot in TWRP;
6) Now you can wipe anything and flash your rom.
Now device should require your PIN even at first boot of DU.
P.S. Until you do another fastboot format userdata, the device will keep encryption.
Simone98RC said:
> DO NOT encrypt via custom roms: it causes trouble and compatibility issues, especially when returning to OxygenOS.
> So:
> 1) Put device in bootloader mode, plug it to computer, type fastboot format userdata via ADB terminal;
> 2) Go in TWRP and wipe all the partitions (be sure to have /cache formatted in ext4, otherwise change its filesystem);
> 3) Always from TWRP, flash latest OOS firmware (4.1.6 or OB19);
> 4) Reboot and configure setup with your PIN required at bootup;
> 5) After completing wizard, reboot in TWRP;
> 6) Now you can wipe anything and flash your rom.
> Now device should require your PIN even at first boot of DU.
> P.S. Until you do another fastboot format userdata, the device will keep encryption.
Thanks for the answer, do you know why custom rom encryption doesn't work? I used to do this on my old S5 and it worked perfectly.
nikexv2 said:
> Thanks for the answer, do you know why custom rom encryption doesn't work? I used to do this on my old S5 and it worked perfectly.
Maybe if you give his post a thumbs up he might continue helping you out, I mean that's the least you could do...
Xceeder said:
> Maybe if you give his post a thumbs up he might continue helping you out, I mean that's the least you could do...
If members had to wait for thumbs up before they answer to someone's post then they wouldn't answer most of them.
What kind of **** philosophy is this, I hope for you that's not your way of thinking everyday.
And even, that's none of your business, maybe I forgot to like his post?
Come on, do not vent on XDA, do not make useless quarrels ?
@nikexv2 sorry, but technically speaking, I don't know the reason of problematic encryption on custom roms.
Just enable encryption with official firmware and there's no other compatibility issue.
Encryption still remains when you full wipe device via recovery.
Have a good day.
nikexv2 said:
> If members had to wait for thumbs up before they answer to someone's post then they wouldn't answer most of them.
> What kind of **** philosophy is this, I hope for you that's not your way of thinking everyday.
> And even, that's none of your business, maybe I forgot to like his post?
It works like this - you ask for help and if someone gives you good advice or helps you out in any way then a quick thumbs up is appreciated, it's just courtesy but anyway I hope you get your phone sorted out...
nikexv2 said:
> Hello,
> Whenever I encrypt my phone on DU, when I set the lock screen password it asks me if I want the phone to ask it to be able to boot, but then, the phone refuses to boot and says that the password is wrong.
> But when I boot into TWRP the password works and I can decrypt the data partition.
> I already had the issue but with the phone accepting the boot PIN but TWRP not.
> This is on a fresh DU install with previously formatted data partition.
Not sure what's wrong with your set up but I came from OOS OB19 to DU, wiped userdata to switch data to ext4, flashed DU + beans gapps (recommended for DU) then booted up, encrypted my phone via Settings > Security and set ask pin on booting device, same pin has worked on all ROMs, even tried some OOS based ones like Freedom OS CE, now on Omni + open gapps, I'm using blu spark latest recovery.

System backup without making changes

My goal is to create a system backup (including Android OS) of my Galaxy S9 (SM-G960F), just like I can do on my PC using Acronis True Image or other similar programs, because now I have Pie but Android 10 is available, and I want to be able to roll back in case of bugs.
I've found out one of the best ways of doing this is using TWRP. Flashing a custom recovery means making changes (editing recovery partition), but some say TWRP can be run even without being installed, and that was my intent. I tried on my old Galaxy S5 mini and I could successfully run TWRP without rewriting recovery partition.
However, it turned out that bootloader unlocking is needed. No problem, I thought: I'll unlock it, backup system, and lock it again. But when I tried to switch the 'OEM unlock' item, a dialog appeared saying that my device would have been formatted and Samsung Knox services would stop working.
I was wondering:
- if I do enable OEM unlock and erase data, setting OEM unlock to off would reactivate Knox services?
- is there a way to actually unlock bootloader without erasing data?
- is there any hidden method to boot TWRP without unlocking bootloader?
- is there any better way to backup whole system and data?
I may have already partially answered the last question: using adb backup I backup as much data as possible, and by downloading OS image from Sammobile.com I have an OS backup. Can it work? If I decide to "restore" that kind of backup there would be any kind of data that would be lost during this particular roll back procedure?
Thanks in advance.
If my English is odd or incorrect, that's because it isn't my primary language. I'm from Italy - land of Pizza and Coronavirus.

How to actually check if files are encrypted?

Hello everybody,
I started encryption on my Magisk rooted crDroid 6.13. I saw the encryption screen for maybe 15 seconds, then a black screen. I expected it to have failed, but I waited for about 30 minutes to see if anything would happen and then restarted the phone, being prepared to flash the rom again.
After restart it actually asked me for my password in the same way I would expect in any encrypted Android and in the settings it claims to be encrypted. My experience is, that it would need hours to fully encrypt the phone, but maybe it does it another way these days? I'm not fully convinced it actually encrypted all data.
Is there a way to check if my files are actually encrypted?
mxb93 said:
> My experience is, that it would need hours to fully encrypt the phone, but maybe it does it another way these days? I'm not fully convinced it actually encrypted all data.
> Is there a way to check if my files are actually encrypted?
Unless you flashed an encryption disabler, the userdata partition is always encrypted, even if you have no password/etc.
So maybe, your phone was just registering that you had to enter a password to boot it up? (ie. encrypting the encryption key, not the actual data)
Is there a way for a user to tell if their Android device is encrypted or not?
There is a semi-relevant thread on SO https://stackoverflow.com/questions/12640708/check-if-android-filesystem-is-encrypted that explains how a developer would determine if full-disk encryption is
android.stackexchange.com
a1291762 said:
> Unless you flashed an encryption disabler, the userdata partition is always encrypted, even if you have no password/etc.
That's exactly what I did, but after a new TWRP was released, which promised access to encrypted data, I wanted to encrypt again. So before I tried encrypting again, my data was definitely not encrypted.
I followed your link and tried those adb commands:
daisy:/ $ getprop ro.crypto.type
block
daisy:/ $ getprop ro.crypto.state
encrypted
It seems from there it's encrypted, but it's using block mode instead of file-based encryption. I would expect an Android 10 ROM to use file-based encryption. I'm starting to think it might be better if I flash official again and then start the process of flashing crDroid etc. again.
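
As an added example (not code from any poster in this thread), the shell functions below read a `getprop` dump and combine the two `ro.crypto.*` properties shown above with the bootloader lock state, since an unlocked bootloader was the caveat raised earlier on this page. The sample dump is constructed, and it is an assumption that the device exposes `ro.boot.verifiedbootstate` or `ro.boot.flash.locked`; older devices may not.

```shell
#!/bin/sh
# Added example: classify a device from the text of `adb shell getprop`.
# Live use (host side):  assess "$(adb shell getprop)"

# Constructed sample dump, in getprop's "[key]: [value]" format. The two
# ro.crypto.* values match the thread; the ro.boot.* values are made up.
SAMPLE_DUMP='[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]'

# prop_value DUMP KEY: print the value of KEY, or nothing if it is absent.
prop_value() {
    printf '%s\n' "$1" | awk -v key="[$2]:" '
        $1 == key {
            v = $0
            sub(/^[^ ]+ \[/, "", v)   # drop "[key]: ["
            sub(/\]\r?$/, "", v)      # drop closing "]" (and a CR from adb)
            print v
            exit
        }'
}

# encryption_mode DUMP: FDE (block), FBE (file), none, or unknown.
encryption_mode() {
    cstate=$(prop_value "$1" ro.crypto.state)
    ctype=$(prop_value "$1" ro.crypto.type)
    case "$cstate" in
        encrypted)
            case "$ctype" in
                block) echo FDE ;;
                file)  echo FBE ;;
                *)     echo encrypted-unknown-type ;;
            esac ;;
        unencrypted|unsupported) echo none ;;
        *) echo unknown ;;
    esac
}

# bootloader_state DUMP: unlocked, locked, or unknown.
# "orange" is the verified-boot state reported by an unlocked device.
bootloader_state() {
    vb=$(prop_value "$1" ro.boot.verifiedbootstate)
    locked=$(prop_value "$1" ro.boot.flash.locked)
    if [ "$vb" = orange ] || [ "$locked" = 0 ]; then echo unlocked
    elif [ "$vb" = green ] || [ "$locked" = 1 ]; then echo locked
    else echo unknown
    fi
}

# assess DUMP: one-line summary combining both checks.
assess() {
    enc=$(encryption_mode "$1")
    bl=$(bootloader_state "$1")
    case "$enc/$bl" in
        none/unlocked)
            echo "exposed: /data is unencrypted and a custom recovery can be booted or flashed" ;;
        FDE/unlocked|FBE/unlocked)
            echo "partial: /data is encrypted ($enc) but the system partition can still be modified" ;;
        FDE/locked|FBE/locked)
            echo "ok: /data is encrypted ($enc) and the bootloader is locked" ;;
        none/locked)
            echo "unencrypted: bootloader is locked but /data is not encrypted" ;;
        *)
            echo "unknown: encryption=$enc bootloader=$bl" ;;
    esac
}

assess "$SAMPLE_DUMP"
```

These properties report what the OS records about itself; they do not inspect the contents of the userdata partition.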

Question Backup Internal Storage During Qualcomm Crashdump Mode?

I am on OOS12 rooted with twrp. I elected to do the OTA update method where you disable magisk modules, go into magisk and uninstall images, install the update, and then restore images and reboot. I have no idea why, but now my phone is in Qualcomm Crashdump mode. I have a lot of valuable things on my internal storage that I need to save or backup somehow.
Now, I can fastboot boot twrp.img and have that work, but in order to decrypt my userdata, it's asking for a pin, and I don't believe my pin is working. I'm wondering if this issue also affects what the pin code would be.
Is there any way at all to retrieve my data? Never would I expect an OTA to cause this and hence, there was no need to backup anything beforehand. Also, isn't the other a/b partition supposed to be available as a failsafe? My other partition should be just fine, although I have a feeling that assumption is because I don't understand the full gravity of this Qualcomm Crashdump mode.
bulletbling said:
> As stated, there will be a reward for someone who has a solution that works.
> I am on OOS12 rooted with twrp. I elected to do the OTA update method where you disable magisk modules, go into magisk and uninstall images, install the update, and then restore images and reboot. I have no idea why, but now my phone is in Qualcomm Crashdump mode. I have a lot of valuable things on my internal storage that I need to save or backup somehow.
> Now, I can fastboot boot twrp.img and have that work, but in order to decrypt my userdata, it's asking for a pin, and I don't believe my pin is working. I'm wondering if this issue also affects what the pin code would be.
> Is there any way at all to retrieve my data? Never would I expect an OTA to cause this and hence, there was no need to backup anything beforehand. Also, isn't the other a/b partition supposed to be available as a failsafe? My other partition should be just fine, although I have a feeling that assumption is because I don't understand the full gravity of this Qualcomm Crashdump mode.
As a follow-up, I am wondering if the latest twrp-3.7.0_11-0 I am temporarily booting is not allowing my pin to work correctly because it doesn't support decryption / breaks my pin for OOS 12.1 C.69, which is what the OTA wanted to update to.
---UPDATE---
I downloaded the latest Stock Firmware and extracted the payload.bin and manually flashed everything from this thread below.
Restore OnePlus 9 to Stock via Fastboot Commands
This guide assumes you have the SDK Platform Tools installed and working, along with USB drivers for your device (if needed), and have your full update zip which you've already extracted the payload.bin from, and then dumped the images using...
forum.xda-developers.com
And now... instead of it going to the Qualcomm crashdump, it goes right to fastboot. I don't know if this is progress, but at least with boot slot b it's currently on, there is no more crashdump occurring. The problem now is that it still won't boot with a fresh manual install of all stock images in the payload.bin. I'm wondering if this is related to my internal storage, but that wouldn't make any sense. TWRP is still telling me my pin is incorrect, even though it's correct.
---UPDATE 2---
I had tried everything I could think of and ended up resorting to the MSM tool. I don't have any recent backups but have some things saved. It appears that no one responded meaning this is likely impossible, short of a forensics lab that can crack encryption like this.
