Storage encryption with custom bootloader/rom - Sprint HTC One (M7)

Good morning droids,
I was looking around for info on the "phone storage encryption" option which requires a PIN when the phone is first powered on. This sounds nice considering the amount of information contained on our devices these days.
I think this is a stock HTC feature but I wasn't finding much in other forums. I'm currently running viper rom which has me wondering a few things:
Where in the boot process does it prompt for decrypt? Would you still be able to mount images from storage-- like does it prompt before the bootloader starts? Would you still be able to use/nandroid/mount roms in a custom bootloader? Are there any recovery options? If it all goes to hell would I still be able to flash back to stock? Can encryption be undone after? My main concern has to do with when in the boot the storage is decrypted and how it affects the use/flashing of roms.
With all these questions I think the resounding common sense answer is "it's just not worth the potential fallout." but I'll ask anyway...
Thoughts?

CarbolDroid said:
> Good morning droids,
> I was looking around for info on the "phone storage encryption" option which requires a PIN when the phone is first powered on. This sounds nice considering the amount of information contained on our devices these days.
> I think this is a stock HTC feature but I wasn't finding much in other forums. I'm currently running viper rom which has me wondering a few things:
> Where in the boot process does it prompt for decrypt? Would you still be able to mount images from storage-- like does it prompt before the bootloader starts? Would you still be able to use/nandroid/mount roms in a custom bootloader? Are there any recovery options? If it all goes to hell would I still be able to flash back to stock? Can encryption be undone after? My main concern has to do with when in the boot the storage is decrypted and how it affects the use/flashing of roms.
> With all these questions I think the resounding common sense answer is "it's just not worth the potential fallout." but I'll ask anyway...
> Thoughts?
I don't believe that recoveries are able to update a phone with an encrypted data partition unless you're using stock. I do believe you can flash back to stock if something goes wrong, although you would certainly have to format /data to get back into it. However, the actual login process (if I remember correctly, it's been a while) is that the bootloader starts you in a "dummy" environment of sorts that just asks you for your password. If it checks out, the system reboots, passing that key on to the "real" operating system which decrypts the data volume.
I'd echo though that it's really not something you should fool around with.

Related

ATT nexus 6 questions

Couldn't find much about this variant, just wanted to ask a few questions.
1. Do I treat it like every other google play nexus? Unlock boot loader, flash twrp, boot, backup, reboot, wipe, install ROM? No different partition weirdness?
2. Cm12, are the hotspot checks removed? Fiance is limited data plan I'm not so while out she normally uses my data via hotspot.
3. Cm12 have notification light activated and customizable?
Don't really care about the Sim lock honestly. Been with ATT forever and poor so not leaving the country anytime soon.
Thanks, sorry for repeat questions just didn't get solid answers from things I found.
No partition weirdness. Root as normal. It does have its own boot logo-thing though, which is lame.
Unfortunately I don't know about CM12. Sorry
squattingdonkey said:
> No partition weirdness. Root as normal. It does have its own boot logo-thing though, which is lame.
> Unfortunately I don't know about CM12. Sorry
At least you answered my bricking level question! Thanks!
CM 12 does have working hot spot on AT&T and customizable notification light. And, boot logo is easily removed after root.
Somehow I soft bricked my n6. I unlocked boot loader, installed twrp, went to backup and it couldn't find any partitions. Tried the flash all script from google factory image and that failed as well. Had to flash boot radio recovery etc images each manually to get back to a booting phone. Then installed twrp again and backup and flashing worked.
It was an adventure but I'm good now. Weird not sure why it did that. Must have been an encryption issue.
On the stock ROM you have to tick a box in developer options to enable OEM unlock. I forgot to mention that earlier. That may have been the issue.
ajjames01 said:
> On the stock ROM you have to tick a box in developer options to enable OEM unlock. I forgot to mention that earlier. That may have been the issue.
Oops yeah that may have been it. I just did the usual fastboot OEM unlock code. Mild panic attack but when I saw I could get to the bootloader I knew I could save it.

Are ROM's not Encryption Enabled?

I'm new to the 6 and I haven't really read too much into the whole encryption thing, so I don't know the pros/cons of having it that way, or not.
During my first boot of this thing, I started the unlock/root process, then I quickly remembered about encryption...and what the whole thing was about. Well I'm curious, are these custom ROM's built without the encryption? In the security menu of Chroma, encryption is enabled. In another ROM which specifically stated encryption was off...it was actually on.
So I'm confused.
Thanks.
Some ROMs do not force encryption. They can still be encrypted. It depends on the kernel. You will need to perform a wipe to unencrypt
stevew84 said:
> I'm new to the 6 and I haven't really read too much into the whole encryption thing, so I don't know the pros/cons of having it that way, or not.
> During my first boot of this thing, I started the unlock/root process, then I quickly remembered about encryption...and what the whole thing was about. Well I'm curious, are these custom ROM's built without the encryption? In the security menu of Chroma, encryption is enabled. In another ROM which specifically stated encryption was off...it was actually on.
> So I'm confused.
> Thanks.
It depends on the state of your device before you flash the ROM. If you are unencrypted prior to flashing the ROM, you will stay unencrypted. And if encrypted, you will stay encrypted. For most ROMs. Read the fine print in the OP.
cam30era said:
> It depends on the state of your device before you flash the ROM. If you are unencrypted prior to flashing the ROM, you will stay unencrypted. And if encrypted, you will stay encrypted. For most ROMs. Read the fine print in the OP.
I've also read about long "encrypting now" screens during first boot of fresh ROM's, I've never seen those.
Encryption depends on the kernel or more accurately the fstab, so it depends what kernel is supplied with the ROM or which kernel you plan on flashing with the ROM.
There are 2 types of ROM. Stock based and AOSP based. I find it hard to believe any AOSP ROM dev would turn on force encryption, but with a stock ROM, it could be on or off - depending. Read each thread to find out.
All ROMs and kernels are encryption enabled by the way. Turning off force encryption only prevents first boot from encrypting your data partition. You can still turn on encryption yourself in settings and if you're already encrypted, turning off force encryption will not unencrypt your data, so it will still be on. Once force encryption has been turned off, you must then format /userdata to remove encryption.
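The fstab dependency described in the post above, as an added example that is not part of the original thread: a small parser that reads an Android fs_mgr-style fstab and reports whether /data is marked `forceencrypt=` (encrypted on first boot) or `encryptable=` (encryption optional). The sample fstab text and device paths are constructed placeholders, and the outcome strings only encode what the posts above state.

```python
"""Classify the /data encryption policy declared in an Android fstab (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample fstab; device paths are placeholders, not from a real device.
FSTAB_FORCED = """\
# <src>                      <mnt>    <type> <mnt_flags>      <fs_mgr_flags>
/dev/block/by-name/system    /system  ext4   ro,barrier=1     wait
/dev/block/by-name/userdata  /data    ext4   rw,nosuid,nodev  wait,check,forceencrypt=/dev/block/by-name/metadata
"""
# Assumption: a "force encryption off" boot image carries the same line with
# forceencrypt= swapped for encryptable=.
FSTAB_OPTIONAL = FSTAB_FORCED.replace("forceencrypt=", "encryptable=")


@dataclass
class FstabEntry:
    device: str
    mount_point: str
    fs_type: str
    fs_mgr_flags: List[str]
    policy: str                  # "forced", "optional" or "none"
    key_location: Optional[str]  # value after '=', where the crypto metadata lives


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse five-column fstab lines; comments, blanks and short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # not an fs_mgr-style entry
        flags = fields[4].split(",")
        policy, key_location = "none", None
        for flag in flags:
            name, _, value = flag.partition("=")
            if name == "forceencrypt":
                policy, key_location = "forced", value
                break  # forced wins if both flags are present
            if name == "encryptable":
                policy, key_location = "optional", value
        entries.append(
            FstabEntry(fields[0], fields[1], fields[2], flags, policy, key_location)
        )
    return entries


def data_policy(text: str) -> Optional[FstabEntry]:
    """Return the entry that mounts /data, or None if the fstab has none."""
    for entry in parse_fstab(text):
        if entry.mount_point == "/data":
            return entry
    return None


def first_boot_outcome(policy: str, already_encrypted: bool) -> str:
    """Map fstab policy plus current /data state to the behaviour described in the thread."""
    if policy == "none":
        return "no encryption flag on /data in this fstab"
    if already_encrypted:
        # Changing the flag never decrypts existing data.
        return "stays encrypted until userdata is formatted"
    if policy == "forced":
        return "encrypted on first boot"
    return "stays unencrypted; can be enabled in Settings"


if __name__ == "__main__":
    for label, fstab in (("forced", FSTAB_FORCED), ("optional", FSTAB_OPTIONAL)):
        entry = data_policy(fstab)
        for encrypted in (False, True):
            print(label, "| already encrypted:", encrypted, "->",
                  first_boot_outcome(entry.policy, encrypted))
```

Run against the fstab extracted from a boot image's ramdisk, this tells you before flashing whether an unencrypted /data will be encrypted on the next boot.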
stevew84 said:
> I've also read about long "encrypting now" screens during first boot of fresh ROM's, I've never seen those.
Correct. If you are unsure of your kernel status go to Settings/Security/Encryption. If it says "Encrypt phone", then you are unencrypted.
cam30era said:
> Correct. If you are unsure of your kernel status go to Settings/Security/Encryption. If it says "Encrypt phone", then you are unencrypted.
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
stevew84 said:
> Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
It says in my post
Encryption will stay on unless you completely wipe the device and have a kernel installed that doesn't force you to encrypt. So you'll never see an option for decrypting your device. This comes with a huge warning that ANYTHING on the internal storage will be lost, that goes for the ROM and your files, including your ROM zip files for flashing. If you want to decrypt the device I suggest you first practice by flashing a ROM that you copy into your phone while in recovery so you know you can do it.
Guide: http://forum.xda-developers.com/nexus-6/development/disable-forced-encryption-gain-root-t2946715
This will get you to a clean slate, make sure you test MTP (file transfer over usb from computer) in recovery and verify that you can move files over to your device in recovery. You should already have a custom recovery installed such as TWRP. If you are considering disabling make sure you know exactly what is going on first, it's not as straightforward as it seems. Good luck
stevew84 said:
> Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
If you are on stock, rooted, or a non-CM12 based ROM, one way is to go here > http://forum.xda-developers.com/nexus-6/development/disable-forced-encryption-gain-root-t2946715
Remember, after flashing the boot.img, you need to "fastboot format userdata" to unencrypt. This will wipe your SDcard.
rootSU said:
> It says in my post
Sorry, I didn't see you posted.
Right now with Chroma + Vindicator kernel...Encryption states Enabled in the security menu.
stevew84 said:
> Sorry, I didn't see you posted.
> Right now with Chroma + Vindicator kernel...Encryption states Enabled in the security menu.
Because you were already encrypted.
stevew84 said:
> I don't know the pros/cons of having it that way, or not.
Pros for encryption;
- security. This is pretty obvious, if somebody hostile gets their hands on your phone, your data will not be obtained by them.
Cons;
- performance and battery life. There is indication in AOSP that google *intends* to activate hardware crypto, but as of yet, have not. That means that the crypto function is done on your main CPU, which is (a) not as fast as the hwcrypto block, and (b) takes up valuable CPU cycles from other software that is running, and (c) anything that uses CPU heavily will consume battery.
Another con with encryption that I have (which I admit is extremely unlikely - but has happened in the past) is that files that are backed up off the device may not get decrypted correctly, leaving them corrupt. That is my main hate of encryption. That and the fact that I cannot automate my TWRP backups
rootSU said:
> Another con with encryption that I have (which I admit is extremely unlikely - but has happened in the past) is that files that are backed up off the device may not get decrypted correctly, leaving them corrupt. That is my main hate of encryption. That and the fact that I cannot automate my TWRP backups
That isn't a con of encryption. That's a con of using broken software to perform your backup.
doitright said:
> That isn't a con of encryption. That's a con of using broken software to perform your backup.
The con of encrypting data is that it may not always be decrypt-able. Regardless of the root cause being Android, Windows, Linux or "broken software". If doing something to your data leads to it being useless via whatever means, then there is a negative effect of doing that something to your data.

Device protection and rooting

My last phone (Nexus 4) was stolen. My new device, the Nexus 6, as you all know comes with enhanced security measures, requiring authentication even after a factory reset. Now, I had grown accustomed to playing around with wiping, rooting, custom roms, kernels, radios, etc with my Nexus 4. Now that I have had my Nexus 6 for a bunch of months, I am starting to think about rooting my device (so I can install an SSH server and have my phone automatically open a tunnel back to my server). My only hesitation is turning the OEM unlocking switch to on. See, I am a big fan of the new security measures that require authentication after a device reset, and would much prefer to keep that feature enabled. I've searched around on Google and XDA, and I haven't been able to find any definitive answers on how unlocking the bootloader in order to root the device will affect these security mechanisms.
My understanding is this: in order to root the Nexus 6, you need to enable OEM unlocking, which allows flashing pretty much any image onto the phone. If any image can be flashed to the phone, this security mechanism can be circumvented.
Two questions:
1. (pretty sure the answer to this is no) Can I root my phone and prevent flashing of images that would circumvent the security feature
2. Will rooting my phone make it easier for an unknown party to gain access to the device via another route
Unlocking the bootloader really only allows you to flash unsigned images, and root provides you with the option to grant administrative access to applications.
Neither one of those has anything to do with encrypted data, or in any way makes encrypted data readable without the key.
The bootloader unlock will make it easier for a thief to wipe all the data on the device without reading it, so he can use the device or sell it as functioning... Even then, you may be able to factory reset an encrypted device without the key anyways... At which point I would think they could make a new key for the freshly wiped partition?
Anything that is going to run unauthorised code at root level is likely going to use other exploits to achieve root on their own, like users do to gain root on devices that are locked down. You having root access doesn't give the right for anything to run as root unless you approve it (or if someone managed to find some exploit in the version of supersu you're running, but this is not likely... and if we are assuming any code may have holes in it you're not safe no matter what you do). It does give you the possibility of being tricked into running malicious code that is disguised as some utility... But that is a risk you're going to take running any software that isn't from a stable corporation you can take legal action against. Trust who wrote the code or don't use it.
If in question number 1 "the security feature" is encryption, then yes having an unlocked bootloader means if someone takes your phone they can flash a kernel that does not force encryption, they would then have to format the userdata partition to encrypt the phone. Without luck, guessing the password, or discovering some amazing undocumented flaw in the encryption algorithm they will not be able to read your data without having the key, or guessing it.
@scryan
If you have unlocked the bootloader and have installed a custom recovery (TWRP), are you able to see the list of files in the file manager of TWRP, if the device is encrypted?
Nikos2k said:
> @scryan
> If you have unlocked the bootloader and have installed a custom recovery (TWRP), are you able to see the list of files in the file manager of TWRP, if the device is encrypted?
Yes. Otherwise couldn't pick a file to flash. It actually only encrypts user data. Apps, zips etc. are not encrypted or we couldn't pull and modify them.
prdog1 said:
> Yes. Otherwise couldn't pick a file to flash. It actually only encrypts user data. Apps, zips etc. are not encrypted or we couldn't pull and modify them.
the user data that are encrypted include files on the sdcard folder? (e.g. pdfs, images in DCIM folder etc)
i am asking because in my device in Settings -> Security -> Encryption it shows that it is encrypted, in TWRP however i can see all the files
Can i make the custom recovery to ask for the pin? do I have to enable PIN as a screen lock?
What happens if i use an unlock pattern or just swipe for unlock?
Nikos2k said:
> the user data that are encrypted include files on the sdcard folder? (e.g. pdfs, images in DCIM folder etc)
> i am asking because in my device in Settings -> Security -> Encryption it shows that it is encrypted, in TWRP however i can see all the files
> Can i make the custom recovery to ask for the pin? do I have to enable PIN as a screen lock?
> What happens if i use an unlock pattern or just swipe for unlock?
TWRP will use same pin as Device lock. Only thing I have seen if you use pinlock have to convert 5x5 to 4x4. There's a way to convert it located in this forum somewhere. Swipe to unlock has no pin so TWRP is open. Unlock pattern works also. Either pin or swipe has to be converted don't remember which. I run wide open encrypted so have never played with it.
prdog1 said:
> TWRP will use same pin as Device lock. Only thing I have seen if you use pinlock have to convert 5x5 to 4x4. There's a way to convert it located in this forum somewhere.
By pinlock you mean the pattern screen lock?
I think it is 3 x 3, not 4x4 or 5x5
And since I use this pattern screen lock, which cannot be input in TWRP, this means that I have to disable it before I need to enter recovery?
This makes me a bit uncomfortable since I may need to enter recovery because of a problem with the system
Nikos2k said:
> By pinlock you mean the pattern screen lock?
> I think it is 3 x 3, not 4x4 or 5x5
> And since I use this pattern screen lock, which cannot be input in TWRP, this means that I have to disable it before I need to enter recovery?
> This makes me a bit uncomfortable since I may need to enter recovery because of a problem with the system
Start with this thread. It explains TWRP.
http://forum.xda-developers.com/nexus-6/help/twrp-2-8-5-0-password-help-t3046630
prdog1 said:
> Start with this thread. It explains TWRP.
> http://forum.xda-developers.com/nexus-6/help/twrp-2-8-5-0-password-help-t3046630
thank you it worked!
scryan said:
> Unlocking the bootloader really only allows you to flash unsigned images, and root provides you with the option to grant administrative access to applications.
> Neither one of those has anything to do with encrypted data, or in any way makes encrypted data readable without the key.
> The bootloader unlock will make it easier for a thief to wipe all the data on the device without reading it, so he can use the device or sell it as functioning... Even then, you may be able to factory reset an encrypted device without the key anyways... At which point I would think they could make a new key for the freshly wiped partition?
> Anything that is going to run unauthorised code at root level is likely going to use other exploits to achieve root on their own, like users do to gain root on devices that are locked down. You having root access doesn't give the right for anything to run as root unless you approve it (or if someone managed to find some exploit in the version of supersu you're running, but this is not likely... and if we are assuming any code may have holes in it you're not safe no matter what you do). It does give you the possibility of being tricked into running malicious code that is disguised as some utility... But that is a risk you're going to take running any software that isn't from a stable corporation you can take legal action against. Trust who wrote the code or don't use it.
> If in question number 1 "the security feature" is encryption, then yes having an unlocked bootloader means if someone takes your phone they can flash a kernel that does not force encryption, they would then have to format the userdata partition to encrypt the phone. Without luck, guessing the password, or discovering some amazing undocumented flaw in the encryption algorithm they will not be able to read your data without having the key, or guessing it.
Ok, so for encryption, "Allow OEM Unlocking" allows flashing of unsigned images (such as the one used for root), which means if someone gets a hold of my phone, they can put whatever they want on it, including flashing a custom rom.
So my next question is, what about being required to sign into the last Google account used on the phone even after a factory reset (device protection / factory reset protection / not sure what it's called exactly)? Is that area of the bootloader / rom / memory / wherever it lives flashable? If you have an unlocked bootloader, is it possible to flash some image to the device that disables this? Hah, that sounds bad. Really, I want to root my Nexus 6, but I haven't decided if it would be worth giving up the anti-theft required login after reset.
I guess really, I'm curious about how it works, is it part of the Android image delivered by Google? Is it part of the bootloader? Is it possible to release a rom without this feature? I'm not a thief, I swear I'm just curious.
quickdry21 said:
> Ok, so for encryption, "Allow OEM Unlocking"
encryption and oem unlock are 2 entirely different things
> allows flashing of unsigned images
allows you to unlock the bootloader, which allows you to flash unsigned img's. the setting itself does nothing but enable the ability to unlock
> (such as the one used for root), which means if someone gets a hold of my phone, they can put whatever they want on it, including flashing a custom rom.
yes
> So my next question is, what about being required to sign into the last Google account used on the phone even after a factory reset (device protection / factory reset protection / not sure what it's called exactly)? Is that area of the bootloader / rom / memory / wherever it lives flashable? If you have an unlocked bootloader, is it possible to flash some image to the device that disables this? Hah, that sounds bad. Really, I want to root my Nexus 6, but I haven't decided if it would be worth giving up the anti-theft required login after reset.
i think if someone were to completely wipe the phone, use a different gmail and sim, the google protection would be gone, but i could be wrong. i'm not positive on that one.
> I guess really, I'm curious about how it works, is it part of the Android image delivered by Google? Is it part of the bootloader? Is it possible to release a rom without this feature? I'm not a thief, I swear I'm just curious.
some extremely savvy person "may" be able to make a rom without the google protection, but i have never seen it tried. it may be a core feature that can't be removed.
i really wouldn't worry about that. the likelihood that someone would steal or find your device and have the skills to do all you asked above, is very remote.
in red above.
bweN diorD said:
> in red above.
protection will be gone if you flash android 5.0.1. if you wipe and flash android 5.1.1, the protection will still be there and will ask for your password first.
bweN diorD said:
> in red above.
Thanks, that does seem to make sense.
I know this comes across as overly paranoid, but I ask also because I'm a curious developer. I'm interested in understanding how android's insides work in general as well as how the new device protection fits in with rooting, custom roms, unlocking the bootloader, etc. (just how well does it prevent unauthorized use of devices)
Interesting, that says to me there is a relatively easy way to get around the reset protection if a phone has an unlocked bootloader. Albeit, relatively easy is relative.
quickdry21 said:
> Interesting, that says to me there is a relatively easy way to get around the reset protection if a phone has an unlocked bootloader. Albeit, relatively easy is relative.
easy, yes, for one of us. but for a typical user, very hard. anyways, i dont like letting out the secret of how to bypass it, so keep it quiet please
simms22 said:
> easy, yes, for one of us. but for a typical user, very hard. anyways, i dont like letting out the secret of how to bypass it, so keep it quiet please
Yes, agreed. I'm going to edit out that quote.
quickdry21 said:
> Ok, so for encryption, "Allow OEM Unlocking" allows flashing of unsigned images (such as the one used for root), which means if someone gets a hold of my phone, they can put whatever they want on it, including flashing a custom rom.
> So my next question is, what about being required to sign into the last Google account used on the phone even after a factory reset (device protection / factory reset protection / not sure what it's called exactly)? Is that area of the bootloader / rom / memory / wherever it lives flashable? If you have an unlocked bootloader, is it possible to flash some image to the device that disables this? Hah, that sounds bad. Really, I want to root my Nexus 6, but I haven't decided if it would be worth giving up the anti-theft required login after reset.
> I guess really, I'm curious about how it works, is it part of the Android image delivered by Google? Is it part of the bootloader? Is it possible to release a rom without this feature? I'm not a thief, I swear I'm just curious.
Maybe someone could figure out something?
But if your device is wiped, and basically all the partitions are re-written.... Where do you want to store the last google account information to check against?
No one is going to plan on stealing your phone, ask you if the bootloader is unlocked, then decide not to if they say no. None of the security really prevents your phone from being stolen. Nothing just looking at your phone lets a would be thief know that it's encrypted and not unlocked...
The encryption and locked bootloader will not prevent your phone from being stolen. The encryption will protect your data, and the locked bootloader will make it harder to reset the device (though does factory recovery have a factory reset option? I would think this would allow the device to be wiped and encryption key to be reset anyways?)
> I guess really, I'm curious about how it works, is it part of the Android image delivered by Google? Is it part of the bootloader? Is it possible to release a rom without this feature? I'm not a thief, I swear I'm just curious.
What? You keep talking about this single security device? What are you talking about?
Do you mean encryption?
encryption is just how the data is stored on the device.
Say you have the word "Duck"
And we want to store that word in a safe way. As a VERY VERY basic method, we will encrypt this by shifting each letter of the alphabet a certain number of letters. This number will be something YOU give, so that others do not know how many letters we have shifted over.
So let's say you give us "5" as your key.
so the alphabet
abcdefghijklmnopqrstuvwxyz we will shift 5 letters over, starting on the fifth letter and wrapping around...
fghijklmnopqrstuvwxyzabcde so each letter matches up with a new letter.
D is the 4th letter of the alphabet, so we will use the 4th letter of our shifted alphabet, i
u is the 21st letter of the alphabet so we will use the 21st letter of our shifted alphabet, z
etc., etc... so Duck becomes Izho, and without knowing how many letters to shift over, no one will know what that means (ok, obviously due to the simplicity of our encryption algorithm, anyone who is smart and cares can likely try different numbers until the output is a coherent word. the actual method of encryption is significantly more complex, and the key is more than one character)
See here for more intelligent details: https://wiki.archlinux.org/index.php/Disk_encryption#How_the_encryption_works
quickdry21 said:
> Yes, agreed. I'm going to edit out that quote.
na, it ok, you can leave it here. that way if someone really needs to, theyll find the answer here. just dont go around spreading it around i meant
scryan said:
> Maybe someone could figure out something?
> But if your device is wiped, and basically all the partitions are re-written.... Where do you want to store the last google account information to check against?
> No one is going to plan on stealing your phone, ask you if the bootloader is unlocked, then decide not to if they say no. None of the security really prevents your phone from being stolen. Nothing just looking at your phone lets a would be thief know that it's encrypted and not unlocked...
> The encryption and locked bootloader will not prevent your phone from being stolen. The encryption will protect your data, and the locked bootloader will make it harder to reset the device (though does factory recovery have a factory reset option? I would think this would allow the device to be wiped and encryption key to be reset anyways?)
I'm not expecting this "Device Protection" feature to prevent my phone from being stolen, I'm more interested in the **** you aspect to someone who tries, and maybe them returning it to me for some money.
scryan said:
> What? You keep talking about this single security device? What are you talking about?
> Do you mean encryption?
I'm not sure if you are aware, but with the release of 5.1, there is a new security feature (think it's called Device Protection, but that seems to encompass some other things) that requires you to login to the last Google account attached to the phone after a factory reset (whether done from the settings UI, or from recovery mode). If you are unable to login to a Google account that was attached to the phone, the phone becomes worthless (there have been some posts on xda about people "acquiring" a Nexus 6 and being unable to use it), some details here: https://support.google.com/nexus/answer/6172890
A quote from that link sums it up:
> Important: You can enter information for any Google account that has been added to the device. If you can't provide this information during the setup process, you won't be able to use the device at all after the factory reset.
Now, this security feature is only available on new phones that are released with 5.1 (with the exception of the newest round of Nexus devices, which received it with the update to 5.1). This leads me to believe that some aspect is baked into the device. Separate encrypted partition maybe? Part of the bootloader software? I don't know, that's what I'm curious about.
scryan said:
encryption is just how the data is stored on the device.
Say you have the word "Duck"
And we want to store that word in a safe way. As a VERY VERY basic method, we will encrypt this by shifting each letter of the alphabet a certain number of letters. This number will be something YOU give, so that others do not know how many letters we have shifted over.
So lets say you give us "5" as your key.
so the alphabet
abcdefghijklmnopqrstuvwxyz we will shift 5 letters over, starting on the fifth letter and wrapping around...
fghijklmnopqrstuvwxyzabcde so each letter matches up with a new letter.
D is the 4th letter of the alphabet, so we will use the 4th letter of of shifted alphabet, i
u is the 21st letter of the alphabet so we will use the 21st letter of our shifted alphabet, z
etc., etc... so Duck becomes Izho, and without knowing how many letters to shift over, no one will know what that means (ok, obviously due to the simplicity of our encryption algorithm, anyone who is smart and cares can likely try different numbers until the output is a coherent word. The actual method of encryption is significantly more complex, and the key is more than one character).
See here for more intelligent details: https://wiki.archlinux.org/index.php/Disk_encryption#How_the_encryption_works
Yes, I was not very clear in my original post about what security feature I was inquiring about. I'm aware of what encryption is. Part of the reason I am interested in rooting my phone is to reverse tunnel a SSH server on the phone, or possibly netcat, via SSH to my server, so I will be able to open up a shell on my phone from anywhere I desire.
Ahh yes, apologies, was unaware they implemented that feature. A bit dense this morning.
I would imagine unlocked bootloader/custom recovery would DEFINITELY negate this feature.
No one gonna give your phone back, particularly after you use this as a "**** you". While it's just IMO, it's better to enjoy your phone now. Screwing yourself out of features only to attempt to limit the phone once you don't have anything to do with it anymore does not seem to be particularly productive.

Why exactly do I get a "Device is corrupt" message on startup?

I upgraded from 5.1.1 to 6.0 by flashing the factory image without flashing userdata. Everything worked perfectly, but, as many people have noted, I get a "Your device is corrupt" message briefly on startup, before having the opportunity to enter my encryption code. Again, the phone functions just fine despite this.
I'm wondering what it is about my phone that causes this message to display. My bootloader is unlocked, though I don't think this alone should be a problem. I am completely stock, unrooted (though I was rooted on previous versions). As such, I don't think it can be a problem with the system or boot partitions, since, again, I have flashed and re-flashed these directly from the factory image. I don't see how it can be problem with userdata, since this isn't even decrypted when I get the "corrupt" message (i.e., I haven't entered the encryption code yet). Perhaps it's some problem with how userdata is encrypted?
Any logs that might give insight into where the fault is occurring?
Verity is the cause. That post should answer your question.
cupfulloflol said:
Verity is the cause. That post should answer your question.
Thanks for the link. I'm still not sure this explains my situation. I get a red "corrupt" warning telling me my device is actually corrupt, which should mean that system files have been modified. However, my system is unmodified; I know this because I have flashed it directly (multiple times).
Although it is extremely unlikely and might be a unique situation, Verity might have actually worked for what it was designed for, for once, and your system might actually be corrupted by either persistent malware or bad memory.
I would warranty return the phone, if possible.
Sent from my VS985 4G using Tapatalk
Wipe data factory reset from stock recovery.
trent999 said:
Although it is extremely unlikely and might be a unique situation, Verity might have actually worked for what it was designed for, for once, and your system might actually be corrupted by either persistent malware or bad memory.
I would warranty return the phone, if possible.
Sent from my VS985 4G using Tapatalk
droidstyle said:
Wipe data factory reset from stock recovery.
Thanks. I'm not really looking for a radical solution (wiping phone, returning it); I'm looking for an explanation (which might guide me to a less radical solution). Again, I wonder whether Verity makes a log somewhere. As I mentioned, my phone is working perfectly.
Hard to imagine it's persistent malware, since I've flashed every partition other than userdata (which is still encrypted when I get the "corrupt" message). Moreover, I'm by no means the first person to report this behavior.
NYZack said:
Thanks. I'm not really looking for a radical solution (wiping phone, returning it); I'm looking for an explanation (which might guide me to a less radical solution). Again, I wonder whether Verity makes a log somewhere. As I mentioned, my phone is working perfectly.
Hard to imagine it's persistent malware, since I've flashed every partition other than userdata (which is still encrypted when I get the "corrupt" message). Moreover, I'm by no means the first person to report this behavior.
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
simms22 said:
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
I didn't notice mine until I installed a custom recovery. Hrm..maybe I just didn't pay attention lol
Tower1972 said:
I didn't notice mine until I installed a custom recovery. Hrm..maybe I just didn't pay attention lol
i didn't get it either. but i flashed a custom kernel as well, which gets rid of that message.
simms22 said:
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
I'm unlocked, stock and get no such message(s). Expecting it when I install a recovery though
Larzzzz82 said:
I'm unlocked, stock and get no such message(s). Expecting it when I install a recovery though
So I can't figure out what the true story is. Some people say that it happens to everybody with an unlocked bootloader, but, according to what you say, this isn't the case. I am stock in every way - recovery, bootloader, boot image, system image - and yet I get this warning. It's not a big deal, but it eats at me and makes me wonder whether there really is something corrupt about some aspect of my system.
NYZack said:
So I can't figure out what the true story is. Some people say that it happens to everybody with an unlocked bootloader, but, according to what you say, this isn't the case. I am stock in every way - recovery, bootloader, boot image, system image - and yet I get this warning. It's not a big deal, but it eats at me and makes me wonder whether there really is something corrupt about some aspect of my system.
It has to be changes to recovery. I'm running stock 6.0 with an unlocked bootloader and root and I have no such message on startup. Rooted and unlocked through Wugfresh NexusTool and temporary modified recovery option (non-persistent).
dasDestruktion said:
It has to be changes to recovery. I'm running stock 6.0 with an unlocked bootloader and root and I have no such message on startup. Rooted and unlocked through Wugfresh NexusTool and temporary modified recovery option (non-persistent).
No, if you're rooted, it's a different story. The modified boot image installed when you root disables verity checking.
I got the message after rooting my phone with CFRoot. Have done that before, always worked. But now the phone stops working after that boot message, I have reinstalled the stock image.
simms22 said:
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
I can confirm that this is not true. I ultimately factory-reset my phone from Recovery (it was acting strangely in other ways - Contacts crashing, for instance). My bootloader remains unlocked, but I no longer get the "Corrupt" message on startup.
I'm unlocked on marshmallow also and have never had that message
Take a look here, it was my experience and solution.
https://productforums.google.com/forum/m/#!topic/nexus/sTu8Bdc1GLA;context-place=topicsearchin/nexus/category$3Adevice-security
Sent from my Nexus 6 using XDA Free mobile app
Semseddin said:
Take a look here, it was my experience and solution.
https://productforums.google.com/forum/m/#!topic/nexus/sTu8Bdc1GLA;context-place=topicsearchin/nexus/category$3Adevice-security
Sent from my Nexus 6 using XDA Free mobile app
A simple factory reset in Recovery was all I needed. But I was hoping for a solution that didn't involve wiping my phone, ... and some insight into why so many of us are getting this message with stock systems.
NYZack said:
A simple factory reset in Recovery was all I needed. But I was hoping for a solution that didn't involve wiping my phone, ... and some insight into why so many of us are getting this message with stock systems.
Glad you could fix yours with a simple factory reset. Mine was in a much worse situation where I immediately got the corrupted message once I entered a Gmail account into the phone. Google reps couldn't find the answer to the issue but advised me to downgrade to the previous OS and take the OTA to Marshmallow; that definitely fixed the issue for me.
Sent from my Nexus 6 using XDA Free mobile app
Device verification on Android and Nexus can be a bit of an interesting subject.
In theory, dm-verity on a Nexus will ONLY validate the system image, and nothing else.
This is the key description that Google made regarding verified boot;
http://source.android.com/devices/tech/security/verifiedboot/verified-boot.html
The key takeaways from that are;
1) an enforcing secure boot chain will involve validating each of the bootloader/boot partitions from the previous level, up to and including the boot.img.
2) The boot image contains the Linux kernel and the verity_key file.
3) The verity_key file is the public key used to validate the contents of the metadata partition, which stores the hash tree for the system partition and is used to validate the contents of the system partition *on the fly*.
4) When dm-verity detects a change, it causes an I/O error.
5) On Nexus devices, the validation of the boot partition can be disabled.
The part that is interesting, is figure 2.
The part where it verifies metadata signature files --> no, causes it to reboot in logging mode and gives you the big ugly warning page.
Note that an unlocked Nexus 6 does NOT implement the yellow or orange warning states in its default configuration - see the description of "Class A". I'm not entirely sure if they can be enabled or not, but I've heard chatter of something to the effect of fastboot oem verify, which might enable validation of the boot partition.
So what happens during a dm-verity?
Well, when init tries to mount the system partition using dm-verity, it fails signature check. When it fails signature check, it sets a boot flag that it failed signature check, and *reboots*. The bootloader picks up this boot flag, and loads the error. If dm-verity PASSES signature check, it just continues boot as normal -- no rebooting.
So the approach for getting rid of that error message is actually this; if you tell init not to apply dm-verity, then the signature check is never even applied, so it continues boot as normal.
What isn't clear, is how it could be even remotely possible for a corrupt boot or cache partition to trigger a bootloader error. The only thing I can imagine, is maybe there is some additional check that isn't documented, or a bug in the bootloader that gets triggered when some boot flag is set wrong.
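As an added illustration of points 3 and 4 in the post above (not part of the original post, and not Android's own code): a simplified dm-verity-style hash tree in Python, showing why a read of a changed block fails. The block size, salt handling, function names and the sample image are assumptions for this sketch, and the signature check on the root hash with verity_key is left out, so `trusted_root` stands in for the signed value.

```python
import hashlib

BLOCK = 4096                       # data/hash block size assumed for this sketch
PER_BLOCK = BLOCK // 32            # 128 SHA-256 digests fit in one hash block


def _h(salt, block):
    return hashlib.sha256(salt + block).digest()


def _pack(level, start):
    """One hash block: up to PER_BLOCK child digests, zero-padded to BLOCK."""
    return b"".join(level[start:start + PER_BLOCK]).ljust(BLOCK, b"\0")


def build_tree(image, salt):
    """Return (levels, root); levels[0] holds one digest per data block."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of BLOCK bytes")
    level = [_h(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [_h(salt, _pack(level, i)) for i in range(0, len(level), PER_BLOCK)]
        levels.append(level)
    return levels, level[0]


def read_block(image, levels, salt, trusted_root, index):
    """Return data block `index`; raise OSError (the I/O error) on any mismatch."""
    data = image[index * BLOCK:(index + 1) * BLOCK]
    digest, pos = _h(salt, data), index
    for depth, level in enumerate(levels):
        if level[pos] != digest:
            raise OSError(f"verity: mismatch at tree level {depth} for block {index}")
        if len(level) == 1:
            break
        digest = _h(salt, _pack(level, pos - pos % PER_BLOCK))
        pos //= PER_BLOCK
    if digest != trusted_root:
        raise OSError(f"verity: root hash mismatch reading block {index}")
    return data


def fails(image, levels, salt, root, index):
    """True if reading `index` is rejected by the verification walk."""
    try:
        read_block(image, levels, salt, root, index)
        return False
    except OSError:
        return True


# Constructed sample: a 300-block "system image" with one bit changed in block 200.
SALT = bytes(32)
GOOD = b"".join(i.to_bytes(2, "big") * (BLOCK // 2) for i in range(300))
LEVELS, ROOT = build_tree(GOOD, SALT)
BAD = bytearray(GOOD)
BAD[200 * BLOCK + 7] ^= 0x01
BAD = bytes(BAD)
FORGED_LEVELS, FORGED_ROOT = build_tree(BAD, SALT)   # tree recomputed over the change
```

Against the original tree only the read that touches block 200 fails, which is why a device can boot and run until a changed block is actually read. A tree recomputed over the modified image fails on every read, because its root no longer matches the trusted one.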

"Your device is corrupt. It can't be trusted and may not work properly."

After installing the latest Concept (3571), I unlocked my bl (which I'd locked previously), installed TWRP and then flashed the DRM-fix for Concept. My phone's working fine, but now when I power up I get a red warning with the wording: "Your device is corrupt. It can't be trusted and may not work properly."
How serious is this? Is this just the way that MM reacts to unlocked boot loaders, non-stock recovery or other such mods?
If it's just a warning message, I'm not worried, but I thought I'd check with you folks.
Thanks.
varxx said:
After installing the latest Concept (3571), I unlocked my bl (which I'd locked previously), installed TWRP and then flashed the DRM-fix for Concept. My phone's working fine, but now when I power up I get a red warning with the wording: "Your device is corrupt. It can't be trusted and may not work properly."
How serious is this? Is this just the way that MM reacts to unlocked boot loaders, non-stock recovery or other such mods?
If it's just a warning message, I'm not worried, but I thought I'd check with you folks.
Relocking the boot loader did not get rid of the message. For now, I'm going to live with it, as I'm hoping it's an inconsequential warning.
Unless someone knows better, I don't plan to remove TWRP or undo the DRM fix, one or both of which are probably what's prompting this message.
[Aside: Looks like I've become my own best friend. Now if I can get myself to pick myself up at the airport next week....]
I found this:
http://www.droid-life.com/2015/07/27/operating-system-warnings-may-soon-come-to-your-boot-screen/
which suggests that this is just a routine warning that tweakers should expect to encounter.
After I blew away my DRM keys because of ignoring this sort of warning, I've become a little more paranoid.
Still, I'd like to hear anyone's thought. Actually, I don't want to hear your thoughts. That sounds horrifying. I'd like to read your opinions on this matter.
Thanks.
varxx said:
I'd like to read your opinions on this matter.
Thanks.
I guess it's because TWRP has modified /system partition on its first boot. Upon my first flashing of Concept rom (~2 months ago) and flashing TWRP along with SuperSU it did show that warning, but that's because I let TWRP modify /system partition rather than keeping it read-only.
Just yesterday I went on to flash Concept again (coming from 5.1.1 which was flashed through Flashtool as well) when I booted into recovery (flashed using fastboot) I denied TWRP's request to modify /system, and before flashing anything in recovery I have made sure that /system is read-only (In TWRP -> Mount), that was highlighted by Russel in Concept rom thread.
No warning for now, and I guess it won't show up anyway. I don't think you should worry about it though.
Cirra92 said:
I guess it's because TWRP has modified /system partition on its first boot. Upon my first flashing of Concept rom (~2 months ago) and flashing TWRP along with SuperSU it did show that warning, but that's because I let TWRP modify /system partition rather than keeping it read-only.
Just yesterday I went on to flash Concept again (coming from 5.1.1 which was flashed through Flashtool as well) when I booted into recovery (flashed using fastboot) I denied TWRP's request to modify /system, and before flashing anything in recovery I have made sure that /system is read-only (In TWRP -> Mount), that was highlighted by Russel in Concept rom thread.
No warning for now, and I guess it won't show up anyway. I don't think you should worry about it though.
O.K., that makes sense. I guess MM has added security features, because I've been using TWRP off and on for a long time but have never seen this. I'm reassured that someone else feels it's not serious.
