I see this annoying error whenever i am in TWRP. I thought I had it resolved when I flashed the stock ROM then flashed my current run CM-12.1-20150902-NIGHTLY-shamu obtained from Cyanogens website.
Then today I let it run the latest OTA and forgot I would lose root. So I attempted to root again only get get stuck at the boot screen. I eventually did a dirty flash of the same CM 12.1 and now I am back to normal and I was able to root again. But I still get the error E: Unable to mount storage.
Also, I am now also unable to see my Nexus in Windows to explore Internal Storage but was able to before I tried rooting.
Thanks in advance.
Sounds like a good time to do full wipe and clean install. Including TWRP and root.
prdog1 said:
Sounds like a good time to do full wipe and clean install. Including TWRP and root.
Click to expand...
Click to collapse
That's the thing, I thought I did all that properly and then flashed the latest CM 12.1 but noticed last night after a failed root that it is now giving the error again.
Would using my backup after I flashed the stock ROM cause the error to come back? I am just looking for the easiest way to avoid reconfiguring my phone and apps again.
tjlmbklr said:
That's the thing, I thought I did all that properly and then flashed the latest CM 12.1 but noticed last night after a failed root that it is now giving the error again.
Would using my backup after I flashed the stock ROM cause the error to come back? I am just looking for the easiest way to avoid reconfiguring my phone and apps again.
Click to expand...
Click to collapse
Good chance it is that CM12 borking it. Flash anything you want. It either fixes it or it don't. Can always flash back to stock to troubleshoot.
Are you encrypted, with a password to decrypt on boot?
If you have like a swipe password , when rebooting into TWRP you will never the normal android to allow you to enter your password, instead you *should* get one in TWRP, however it will just prompt you for an alphanumeric password.
If you cancel out of that, or enter the wrong password (or don't have an alphanumeric password to enter), I believe it gives you this message... and obviously will fail to mount the encrypted partition.
If this is the case, boot back into system, turn off all passwords/security and it should work fine (no need to decrypt)
scryan said:
Are you encrypted, with a password to decrypt on boot?
If you have like a swipe password , when rebooting into TWRP you will never the normal android to allow you to enter your password, instead you *should* get one in TWRP, however it will just prompt you for an alphanumeric password.
If you cancel out of that, or enter the wrong password (or don't have an alphanumeric password to enter), I believe it gives you this message... and obviously will fail to mount the encrypted partition.
If this is the case, boot back into system, turn off all passwords/security and it should work fine (no need to decrypt)
Click to expand...
Click to collapse
I am not really sure what this is so my guess is now. I do have my phone set with a 'pattern unlock to boot and unlock the phone. How do I tell if I am encrypted?
Your encrypted if you did not install a kernel that supports no forced encryption, the reformat your user data partition via fastboot,
The phone is encrypted by default.
the fact that your device requires pattern unlock at boot, and not just to unlock is a pretty good indicator, but try going into security and select encrypt phone. If it does not give you warnings, remind you to charge and offer to let you encrypt, it is because you already are. Turn off the pattern needed to boot at least, if not any unlock security in general before rebooting to recovery to avoid this error.
scryan said:
Your encrypted if you did not install a kernel that supports no forced encryption, the reformat your user data partition via fastboot,
The phone is encrypted by default.
the fact that your device requires pattern unlock at boot, and not just to unlock is a pretty good indicator, but try going into security and select encrypt phone. If it does not give you warnings, remind you to charge and offer to let you encrypt, it is because you already are. Turn off the pattern needed to boot at least, if not any unlock security in general before rebooting to recovery to avoid this error.
Click to expand...
Click to collapse
Well I haven't changed my kernel and it says Encrypted in my settings. So I could potentially stay on my current setup and resolve my error if I install another kernel?
So here's what I hope will be an easy answer, what is the best method to flash a kernel? I have only tried it once and failed since my phone failed to boot afterwards.
Any recommendations on which kernel to use with CM?
Thanks for the help.
tjlmbklr said:
Well I haven't changed my kernel and it says Encrypted in my settings. So I could potentially stay on my current setup and resolve my error if I install another kernel?
So here's what I hope will be an easy answer, what is the best method to flash a kernel? I have only tried it once and failed since my phone failed to boot afterwards.
Any recommendations on which kernel to use with CM?
Thanks for the help.
Click to expand...
Click to collapse
No.
And CM comes with its own kernel, that does not force encryption.
The kernel is not "encrypted" or "decrypted", the stock kernel forces encryption, others don't. But if your encrypted, you are encrypted until you reformat userdata (obviously this wipes phone) so that it is not encrypted.
scryan said:
Your encrypted if you did not install a kernel that supports no forced encryption, the reformat your user data partition via fastboot
Click to expand...
Click to collapse
scryan said:
...and obviously will fail to mount the encrypted partition.
If this is the case, boot back into system, turn off all passwords/security and it should work fine (no need to decrypt)
Click to expand...
Click to collapse
scryan said:
. Turn off the pattern needed to boot at least, if not any unlock security in general before rebooting to recovery to avoid this error.
Click to expand...
Click to collapse
On encryption:
https://wiki.archlinux.org/index.php/Disk_encryption
(not related to nexus, other then it explains encryption, and nexus is encrypted)
You don't need to disable encryption, but obviously since you have your phone set up to require a pattern supply the decryption key to the system, and your booting into twrp BEFORE you can supply the key for decryption... twrp is not going to have any way to read the encrypted partition. Just turn the security off before rebooting to recovery.
Alternatively you can look up threads here on decrypting your phone, and follow those instructions. You will get a very minor performance boost too... but it does mean that if your phone is lost or stolen your data is a little more accessible.
scryan said:
No.
And CM comes with its own kernel, that does not force encryption.
The kernel is not "encrypted" or "decrypted", the stock kernel forces encryption, others don't. But if your encrypted, you are encrypted until you reformat userdata (obviously this wipes phone) so that it is not encrypted.
On encryption:
https://wiki.archlinux.org/index.php/Disk_encryption
(not related to nexus, other then it explains encryption, and nexus is encrypted)
You don't need to disable encryption, but obviously since you have your phone set up to require a pattern supply the decryption key to the system, and your booting into twrp BEFORE you can supply the key for decryption... twrp is not going to have any way to read the encrypted partition. Just turn the security off before rebooting to recovery.
Alternatively you can look up threads here on decrypting your phone, and follow those instructions. You will get a very minor performance boost too... but it does mean that if your phone is lost or stolen your data is a little more accessible.
Click to expand...
Click to collapse
Thanks. I hope to figure this all out tonight.
tjlmbklr said:
Thanks. I hope to figure this all out tonight.
Click to expand...
Click to collapse
The thread on it is a little confusing IMO, maybe just me.
Just remember encryption is about how the data is stored on the partition NOT a setting in the kernel. The kernel only comes into play because the kernel used stock on the nexus 6 has code to check if you are using encryption, and if you are not it forces you to encrypt your data before it boots.
So step one is make sure you have a kernel that does not force encryption. I have not seen a 3rd party nexus kernel with encryption set to enforced, that would be weird.
Step two is to actually go ahead and make your user data partition not encrypted. This has to be done by reformating in fastboot, see tutorial thread for commands. When you reformat, by default the partition will not be encrypted.
Just make sure that when you an update you don't flash the stock kernel and boot, because this will wipe your device when it forces you to encrypt (You could probably power down or cancel some how? Have never tried...)
This would most likely happen if you ran stock, and you fastboot flashed a new system and boot (boot contains kernel)
Alternatively, don't mess with any of this. You don't need to be unencrypted to mount your data in recovery, you just need to set up security in android to not require any kind of pin to boot (I used to just turn unlock to swipe instead of pattern before I wanted to use recovery). There is some performance lost with encryption, but they vastly improved encrypted performance with 5.1.1, and not being encrypted only gives you a tiny bump in performance. just A LITTLE more snappy imo.
scryan said:
The thread on it is a little confusing IMO, maybe just me.
Just remember encryption is about how the data is stored on the partition NOT a setting in the kernel. The kernel only comes into play because the kernel used stock on the nexus 6 has code to check if you are using encryption, and if you are not it forces you to encrypt your data before it boots.
So step one is make sure you have a kernel that does not force encryption. I have not seen a 3rd party nexus kernel with encryption set to enforced, that would be weird.
Step two is to actually go ahead and make your user data partition not encrypted. This has to be done by reformating in fastboot, see tutorial thread for commands. When you reformat, by default the partition will not be encrypted.
Just make sure that when you an update you don't flash the stock kernel and boot, because this will wipe your device when it forces you to encrypt (You could probably power down or cancel some how? Have never tried...)
This would most likely happen if you ran stock, and you fastboot flashed a new system and boot (boot contains kernel)
Alternatively, don't mess with any of this. You don't need to be unencrypted to mount your data in recovery, you just need to set up security in android to not require any kind of pin to boot (I used to just turn unlock to swipe instead of pattern before I wanted to use recovery). There is some performance lost with encryption, but they vastly improved encrypted performance with 5.1.1, and not being encrypted only gives you a tiny bump in performance.
Click to expand...
Click to collapse
LeanKernel decrypt is an option as it should be in all Kernels and is one of the better ones. The top kernel developers make it an option. Many noobs post unencrypted kernels where they only change the ramdisk and there is no other option. Can have performance and encryption as you say especially with the Google code updates.
prdog1 said:
LeanKernel decrypt is an option as it should be in all Kernels and is one of the better ones. The top kernel developers make it an option. Many noobs post unencrypted kernels where they only change the ramdisk and there is no other option. Can have performance and encryption as you say especially with the Google code updates.
Click to expand...
Click to collapse
Super random and unrelated plug for leankernel, but OK thanks. :good:
There are plenty of popular kernels, I have found Zen good, many like Elite and Hells Core as well.
Related
This may be a question that has been asked and answered numerous times. Just got my nexus 6 and want to root and slap custom recovery on it. Must I decrypt the phone before doing so on net or c.f. Auto root? I've tried to root it but something isn't right. That's why I'm asking if I need to decrypt it before rooting. And My boot loader is unlocked. Thanks.
Since you have a Nexus Device, there is really no point using auto root methods as it is a lot easier just to flash SuperSU in twrp.
Sent from my Nexus 6 using Tapatalk
And I can do all this encrypted? I had a nexus 5 previously and rooting that was easier. I want to keep encryption btw.
darklordofthesith said:
And I can do all this encrypted? I had a nexus 5 previously and rooting that was easier. I want to keep encryption btw.
Click to expand...
Click to collapse
Yes you can stay encrypted. I am, lots of us are. You dont have to do anything different to stay encrypted. Unlock it, flash TWRP then flash systemless root with TWRP.
Sent from my Nexus 6 using XDA Labs
Ill just grab The latest su beta. That should be sufficient. Also, if I want to change kernels, I'd need one that's encrypted right?
You mean one that supports device encryption, since an encrypted bootloader is a very bad thing. Just ask any AT&T device owner from the last two years.
To actually answer your question, I do believe that by default all kernels support device encryption. What is different in a custom kernel is whether that encryption is automatically applied or not.
unless you actively decrypt yourself, you are encrypted. to unencrypt, you have to flash a kernel that allows for decrypting, then format your whole phone/storage yourself. only then you will be decrypted. you can do any mod possible on a n6 while still encrypted.
So, if I want a new kernel, just find one that has forced encryption. I definitely want to keep my phone encrypted for safety reasons. Also, will that dreaded message pop up every time I reboot the phone about being corrupted? Also, what kernels force encryption. Thanks.
Very few custom kernels force encrypt, they leave the option to the end user like Simms said if you have a custom kernel and factory reset then it will unencrypt your phone.I'm encrypted and run stock Google images and Franco kernel
So, will I get that dreaded message of a corrupt device after doing everything? I
Well, tried to flash twrp 3.0.0.0 to no avail through nrt. It says it flashed it but every time I reboot to recovery, the stock recovery is still there. My boot loader is unlocked. What gives?
darklordofthesith said:
Well, tried to flash twrp 3.0.0.0 to no avail through nrt. It says it flashed it but every time I reboot to recovery, the stock recovery is still there. My boot loader is unlocked. What gives?
Click to expand...
Click to collapse
dont use toolkits. you learn nothing and occasionally they dont work. you need to flash twrp through fastboot, while youre in the bootloader. and the line you write is fastboot flash recovery recoveryname.img
It used to work through nrt for my nexus 5. So what makes this different? Also can I use the image from nrt or should I download a fresh one.
darklordofthesith said:
It used to work through nrt for my nexus 5. So what makes this different? Also can I use the image from nrt or should I download a fresh one.
Click to expand...
Click to collapse
many things could have broken the toolkit. that's why the far majority of people who actually know what they are doing say to not use toolkits. and why do you need another image? to root, you have to unlock your bootloader with fastboot, flash twrp with fastboot, then boot up with root.
darklordofthesith said:
So, will I get that dreaded message of a corrupt device after doing everything? I
Click to expand...
Click to collapse
Not if you use systemless root. Or a kernel that is modified to avoid that message with the older style root. I have run stock and with Franco's kernel, both with systemless. Never had the message.
Sent from my Nexus 6 using XDA Labs
I even tried to boot to twrp temporarily and it said that i had to modify the system because it was write protected. I never had this much issue with a nexus before.
when i boot into the temp twrp through nrt, i keep getting this keep system read only message. should i do what it says to do?
Do you want to keep it read only or do you want to modify it, your decision
Edit:
Just the system partition I should have been more specific
If I do that, it will still be encrypted and be able to root and install twrp? Without the dreaded corrupted message?
If you modify anything at all the message will show up,unless you run a custom kernel that disables it, and yes you will still be able to root and stay encrypted
I have my 3t unlocked and twrp flashed, but every time I boot into it, it indicates not able to decrypt data partition. Even after flashing with sideload, the pin which I set in preinstalled OS couldn't unlock it. Tried to disable boot up pin didn't help me out. Any hints?
Thankc
zphou said:
I have my 3t unlocked and twrp flashed, but every time I boot into it, it indicates not able to decrypt data partition. Even after flashing with sideload, the pin which I set in preinstalled OS couldn't unlock it. Tried to disable boot up pin didn't help me out. Any hints?
Thankc
Click to expand...
Click to collapse
Did you flashed dm-verity zip disabler or SuperSU zip before boot to system...?
cultofluna said:
Did you flashed dm-verity zip disabler or SuperSU zip before boot to system...?
Click to expand...
Click to collapse
It sounds like he just wants TWRP to be able to access his encrypted data, not to actually wipe and decrypt.
jcadduono said:
If your device isn't decrypting in TWRP, chances are you still have the old crypto key format from the 3.5.1 release firmware.
You can solve this by updating to 3.5.3 and changing your boot up password in your device OS's settings.
By changing your password after updating to 3.5.3 or newer, your OS will rewrite your crypto key to be compatible with TWRP.
You are free to disable your password after this if you don't want one, and TWRP will decrypt with the default password.
Click to expand...
Click to collapse
@zphou Did you do that stuff, like the TWRP thread tells you to?
Sounds like you need to factory reset. Thats how you remove encryption. Ive done it before on my other phone. Perhaps make a quick manual backup of the folders on your phone or use the splendid Huawei Backup app on the play store and throw that on your PC before resetting. You can restore apps to the exact state as before your reset. Encryption should be removed afterwards.
josephcsible said:
It sounds like he just wants TWRP to be able to access his encrypted data, not to actually wipe and decrypt.
@zphou Did you do that stuff, like the TWRP thread tells you to?
Click to expand...
Click to collapse
Yes. I followed the instructions and now with latest public beta, which is 7.0. I still can not access to data partition in recovery. Luckly, I could flash 3rd party rom with sideload, the only issue is not able to boot into system. So I have to flash the public 7.0 beta.
Alright y'all,
I'm confused as hell about this whole DM-Verity thing and I haven't found a clear explanation, so please help a brotha out.
And please feel free to add anything you'd like that I might be missing, but the questions below are what I'm confused on.
1. Da'fuq is DM-Verity?
2. So I get the notification when I boot up and I'm not overly worried about that annoyance, but still not sure if that notification is stating that I do have encryption turned on or if I do not have it turned on.
3. Flashing the "no-verity-opt-encrypt-5.1.zip...does that decrypt my data "permanently"?
4. Why is it that even after I flash that, when I go and do a backup with TWRP, then attempt to flash another ROM (after full wipe) I'm prompted for a password?
5. And obviously, like a lot of people, it won't accept the password that I set when I first setup the phone.
PLEASE help me to understand this so I don't have to keep wiping my phone completely, flashing stock rom and recovery, locking, unlocking, flashing recovery, rooting, etc....every time.
mrbigdrawsz said:
Alright y'all,
I'm confused as hell about this whole DM-Verity thing and I haven't found a clear explanation, so please help a brotha out.
And please feel free to add anything you'd like that I might be missing, but the questions below are what I'm confused on.
1. Da'fuq is DM-Verity?
2. So I get the notification when I boot up and I'm not overly worried about that annoyance, but still not sure if that notification is stating that I do have encryption turned on or if I do not have it turned on.
3. Flashing the "no-verity-opt-encrypt-5.1.zip...does that decrypt my data "permanently"?
4. Why is it that even after I flash that, when I go and do a backup with TWRP, then attempt to flash another ROM (after full wipe) I'm prompted for a password?
5. And obviously, like a lot of people, it won't accept the password that I set when I first setup the phone.
PLEASE help me to understand this so I don't have to keep wiping my phone completely, flashing stock rom and recovery, locking, unlocking, flashing recovery, rooting, etc....every time.
Click to expand...
Click to collapse
1) A service verifying that the system partition has not been tampered with, aka you cannot write to it, which is why there are "systemless" everything now.
2) That 5 seconds screen appears when your device is unlocked no matter what is on the system partition. Even if you are running full stock. Unlocked means your kernel partition will not be verified to be stock, allowing you to add root or patch out dm-verity.
3) I don't think so, as it is "opt"ional encrypt. It just makes sure that there will be no automatic reencryption of your partition.
Actually you cannot decrypt your partition, it might erase it instead.
4) yes you will be prompted for a pw even in twrp, so you can access the zip file from your encrypted partition. If you now were to wipe the entire /data partition including /data/media (aka /sdcard), and create a new ext4 fs on it and apply no-verity-opt-encrypt to your new custom rom (if it is not included), you will not be prompted for a password, but loose all your data.
5) ??? huh?? when you first set up the phone there is no password, you choose it afterwards.
Jo_Jo_2000 said:
1) A service verifying that the system partition has not been tampered with, aka you cannot write to it, which is why there are "systemless" everything now.
2) That 5 seconds screen appears when your device is unlocked no matter what is on the system partition. Even if you are running full stock. Unlocked means your kernel partition will not be verified to be stock, allowing you to add root or patch out dm-verity.
3) I don't think so, as it is "opt"ional encrypt. It just makes sure that there will be no automatic reencryption of your partition.
Actually you cannot decrypt your partition, it might erase it instead.
4) yes you will be prompted for a pw even in twrp, so you can access the zip file from your encrypted partition. If you now were to wipe the entire /data partition including /data/media (aka /sdcard), and create a new ext4 fs on it and apply no-verity-opt-encrypt to your new custom rom (if it is not included), you will not be prompted for a password, but loose all your data.
5) ??? huh?? when you first set up the phone there is no password, you choose it afterwards.
Click to expand...
Click to collapse
First...THANK YOU FOR 1-4!
As for 5, when I'm initially setting up the Rom it asks for the fingerprint and if I say yes then I'm asking how I want to verify, because it forces me to do fingerprint + PIN or password. So when I set that and I'm asked for it in TWRP or if it comes up after flashing another ROM, it never accepts it. Keeps telling me it's wrong. This happens even if I set it up after I'm actually booted into the rom for the first time and then set it up through the settings menu.
mrbigdrawsz said:
First...THANK YOU FOR 1-4!
As for 5, when I'm initially setting up the Rom it asks for the fingerprint and if I say yes then I'm asking how I want to verify, because it forces me to do fingerprint + PIN or password. So when I set that and I'm asked for it in TWRP or if it comes up after flashing another ROM, it never accepts it. Keeps telling me it's wrong. This happens even if I set it up after I'm actually booted into the rom for the first time and then set it up through the settings menu.
Click to expand...
Click to collapse
soemone on xda may has already found a fix for this, look in your rom thread or open a new one if you have to deal with such problems again.
mrbigdrawsz said:
First...THANK YOU FOR 1-4!
As for 5, when I'm initially setting up the Rom it asks for the fingerprint and if I say yes then I'm asking how I want to verify, because it forces me to do fingerprint + PIN or password. So when I set that and I'm asked for it in TWRP or if it comes up after flashing another ROM, it never accepts it. Keeps telling me it's wrong. This happens even if I set it up after I'm actually booted into the rom for the first time and then set it up through the settings menu.
Click to expand...
Click to collapse
Have you found the answer to question 5 ? It cost me to wipe my phone and I need to root it again but afraid of that password issue.
Discoreggae said:
Have you found the answer to question 5 ? It cost me to wipe my phone and I need to root it again but afraid of that password issue.
Click to expand...
Click to collapse
In my experience, it's only happened with certain ROM's. I've gone from Stock to Dirty U. and back to Stock with no issue. But I'll go from anything to Ressurection Remix and I run into this issue if I try and flash something else after flashing R.R. That's the only ROM that I've had the issue with and that's using multiple versions of TWRP. So I'm not sure exactly what's causing it, but I certainly haven't flashed R.R. since (granted it's a great ROM) because it's just a headache going through all the nonsense to get back to where I want to be.
Sorry I don't have a more definitive answer, but that's been my experience.
Quick question (at least I hope) on this no verity thing
I'm seeing a lot of no verity zip flashing these days. I've actually rooted an lg k20 doing it.
So to make it a simple root procedure, if I just flashed the normal rom+gapps and twrp of corse, but also flashed no verity zip file, will that give any issues, say if the phone really didn't need to have the no verity zip flashed......like would adding the no verity zip step in the rooting process as a norm, would there be any ill affects or bricking the phone and such?
I hope that all made sense.
easyrider77 said:
So to make it a simple root procedure, if I just flashed the normal rom+gapps and twrp of corse, but also flashed no verity zip file, will that give any issues, say if the phone really didn't need to have the no verity zip flashed......like would adding the no verity zip step in the rooting process as a norm, would there be any ill affects or bricking the phone and such?
Click to expand...
Click to collapse
I'd say "no". The "no verity" zip is just a patched boot.img, which is one of the files that gets modified with root, or flashing custom ROMs, and is easily fixed or turned back to stock.
On the other hand, if you are that concerned, flashing "no verity" just IMO is not a big benefit. All it does, is remove the verity warning screen when you reboot the phone, which goes away in 5 seconds, of if you press the power button (same as the unlocked bootloader warning screen). I've never bothered with the "no verity" as this little thing (the warning screen) doesn't bother me. But obviously, it bothers some folks. So the choice is yours.
Hi ,
I am not a noob, but yesterday out of curiosity flashed the flyme build in the unified section. However, after the TWRP reboot to system, it did not boot. So tried to reboot the recovery and success. But the villian was there, encryption password. I tried giving my phone PIN, it said wrong password.
After half an hour, i installed the stock image(3.5.1) using the msm tool. Well it booted fine and phone is usable. Unlocked the bootloader and flashed the latest TWRP,.
The villian is back, asking for password. Now it is taking any password, always say wrong password. Ok in case i skip the decrypt screen, i cannot access the sdcard to flash new rom.
Is this the end of story of my op3t?
Have you tried "default_password"?
Didgeridoohan said:
Have you tried "default_password"?
Click to expand...
Click to collapse
Tried everything. The phone boots into OOS 3.5.1 after msm tool flash without password. Even it behaves very well. Only after the TWRP installation. It is stuck for password. I think its end of story.
Prashanthme said:
Tried everything. The phone boots into OOS 3.5.1 after msm tool flash without password. Even it behaves very well. Only after the TWRP installation. It is stuck for password. I think its end of story.
Click to expand...
Click to collapse
Then I don't know... Usually if TWRP suddenly starts asking for a password without having set one, using "default_password" will work.
You could try flashing a kernel that disables forced encryption and then format data to unencrypt.
You have to make sure to restore system to the version using the same encryption libraries as used the last time you could decrypt the data partition. If all fails you will have to format your data partition and loose it all.
pitrus- said:
You have to make sure to restore system to the version using the same encryption libraries as used the last time you could decrypt the data partition. If all fails you will have to format your data partition and loose it all.
Click to expand...
Click to collapse
I have already lost the data. TWRP not allowing me to enter the sdcard storage to flash anything. Can u brief me how to format the data partition.
Just bootup phone into fastboot mode from the unlocked bootloader menu, then connect to PC and run "fastboot format userdata" from a path with either fastboot in or anywhere of you've added the folder with fastboot in you PATH variable.
pitrus- said:
Just bootup phone into fastboot mode from the unlocked bootloader menu, then connect to PC and run "fastboot format userdata" from a path with either fastboot in or anywhere of you've added the folder with fastboot in you PATH variable.
Click to expand...
Click to collapse
Did this. But after should i flash the stock image again? Because system is not booting and stuck in oneplus logo.
How about fastboot erase options?
I disabled encryption one year ago to avoid this problem, and therefore have never experienced it. But why don't you do a compete MSM restore? That should restore even the data partition.
pitrus- said:
I disabled encryption one year ago to avoid this problem, and therefore have never experienced it. But why don't you do a compete MSM restore? That should restore even the data partition.
Click to expand...
Click to collapse
Let me try once i go home and update u. Thanks for the response..
Will format the data from fastboot. and flash the stock image. Hope this works.
Finally happened to work.
Installed a different version twrp made the trick. But this time i erased the recovery and flashed again. After that wiped all the data and then sideloaded the rom from adb and it did the trick..
pitrus- said:
I disabled encryption one year ago to avoid this problem, and therefore have never experienced it. But why don't you do a compete MSM restore? That should restore even the data partition.
Click to expand...
Click to collapse
Can you please tell me how you disabled encryption?
Vidicgapi said:
Can you please tell me how you disabled encryption?
Click to expand...
Click to collapse
You do this by flashing the latest no-verity-opt-encrypt zip file after formatting the data partition and also after each update of the OS.
https://build.nethunter.com/android-tools/no-verity-opt-encrypt/no-verity-opt-encrypt-5.1.zip
Oneplus 5/5T bootloader included with 5.1.5 firmware allows booting self-signed recoveries and kernels. In short, you generate signing keys; sign recovery and kernel from your current custom rom (kernel could be signed on the phone); transfer recovery on your phone; apply boot signer for kernel; and relock bootloader. This guide borrows from Chainfire's guide and customizes it for our device.
PROS:
1. Virtually total protection of your data, especially if encrypted
2. Inability to flash another recovery, even stock recovery (if OEM unlock allowed is unchecked)
3. Inability to flash another kernel, including stock kernel, (again if OEM unlock is unchecked)
4. Inability to unlock bootloader in fastboot, see above
5. Total inability to flash anything in fastboot. The only access to the phone is through TWRP
6. You can still change/update roms, backup/restore data to your liking
7. You get a different boot warning screen: 'your phone has loaded a different operating system' with a fingerprint (four rows of numbers). Write them down and compare once in a while: if the numbers are different, someone (and I am talking a sophisticated adversary) tempered with your phone
CONS:
1. You would have to set up things once
2. When changing or updating roms, one extra step is required - flashing Chainfire's modified Verified boot signer zip to resign kernel (right after Magisk and before reboot).
The key generation and signing is based on Android source directions and Chainfire's thread about relocking bootloaders with custom roms. So, credit for that goes to him
THESE ARE INSTRUCTIONS FOR LINUX. I am sure there is a way to do the same on Windows
Preliminary steps:
Remember, if you are not on 5.1.5, you may have problems. For example, my own rom, Jaguar Oreo, requires 5.1.4 firmware. I did all the steps and everything worked, except that TWRP couldn't de-crypt. However, I went ahead and flashed 5.1.5 firmware and the rom is working fine. So, I re-did all the steps and now de-cryption works too. This may or may not be the case with your favorite rom, if it is not on 5.1.5.
1. Create a directory on your PC named, let's say, Bootkeys.
2. Get Chainfire's Bootsignature.jar from here: https://forum.xda-developers.com/attachment.php?attachmentid=4136392&d=1493804209 and VerifiedBootsigner.zip from here: https://forum.xda-developers.com/attachment.php?attachmentid=4164411&d=1496000476 and put both files in that newly created directory
3. Get your favorite TWRP (I use Blue_Spark) and put it also in that directory
4. Key Generation:
Run the following code one line at a time from PC terminal opened in your newly created directory. Skip the lines with "#" sign, these are for comments only.
Code:
# private key
openssl genrsa -f4 -out custom.pem 2048
openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key custom.pem -out custom.x509.pem
openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der
You don't need to use pem files and can delete them after key generation.
5. Signing:
Rename your TWRP into recovery.img and run the following code one line at a time from the same terminal
Code:
java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
java -jar BootSignature.jar -verify recovery_signed.img
Your recovery is signed (first command) and verified (second command - the output should be 'signature valid').
6. Open Verifiedbootsigner-v8.zip you downloaded from Chainfire's thread with your PC's archive manager (don't have to unzip it). Grab your newly generated keys custom.pk8 and custom.x509.der and put them into the opened zip. Make sure the files are there and close archive manager
7. Now back to the phone. Flash your newly signed 'recovery_signed.img' (not original 'recovery.img') to the phone via fastboot or in your existing TWRP. Reboot in your new recovery.
8. Now, format the phone - you have to type 'yes'; next, format separately system/cache/dalvik/data/SD. Reboot the phone into TWRP again.
9. Transfer your favorite Rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner to your SD card. Remember. You must be decrypted to relock. Locking bootloader on encrypted device will destroy encryption key. Once bootloader is locked and everything is working, you can encrypt.
10. Flash the rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner. Reboot and make sure you are NOT encrypted (in Settings/Security). (If encrypted, stop and return to step 8: you either haven't formatted to factory reset or your no verity didn't work).
Now, back to TWRP: most likely your data is gone, so, re-transfer the rom and and Verifiedbootsigner to internal SD
Now, you are ready for the FUN PART: re-locking:
11. Boot in fastboot and execute fastboot oem lock
12. Reboot. You will get a yellow warning: 'Your phone loaded a different operating system". The first boot may throw you into TWRP. Just reboot normally again
13. Now, you can do whatever you want, including Gapps and Magisk. Everything should operate normally. Just remember, every time after flashing Magisk/update/change rom, you MUST reflash Verifiedbootsigner, as the last step and before reboot, even if during flashing, the script tells you kernel is signed. Follow the script and press volume down to sign again
Screenshots
And you have already done it, right?
Sounds fun tbh, will try for sure.
Now, that I have locked bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
Will this work if the phone is decrypted (using no verity)?
optimumpro said:
Now, that I have locked bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
Click to expand...
Click to collapse
But in any case, the OEM unlock from dev option can be turned on, and then surely one can get through, right?
Also, did you go bootloader locked post encrypting, I mean is this the last step?
For my guidance, can you tell me, the sequence (number wise please), how to go encrypted?
Btw, any snapshot of bootloader failure?
obol2 said:
Will this work if the phone is decrypted (using no verity)?
Click to expand...
Click to collapse
I dont think, cause it is encrypted.
vdbhb59 said:
But in any case, the OEM unlock from dev option can be turned on, and then surely one can get through, right?
Also, did you go bootloader locked post encrypting, I mean is this the last step?
For my guidance, can you tell me, the sequence (number wise please), how to go encrypted?
Btw, any snapshot of bootloader failure?
Click to expand...
Click to collapse
obol2 said:
Will this work if the phone is decrypted (using no verity)?
Click to expand...
Click to collapse
Guys. Read 9-10 in the OP. Everything about encryption is there.
optimumpro said:
Guys. Read 9-10 in the OP. Everything about encryption is there.
Also, OEM option isn't available on custom roms. But you can modify build.prop for it to show up. Once everything is working, you can set oem unlock not allowed and remove the entry from build.prop.
Click to expand...
Click to collapse
Oops, my bad. I get your point.
Will try over the weekend. BTW, are you going for a release in the next 2-3 days? Then, I will clean flash once that is out.
vdbhb59 said:
Oops, my bad. I get your point.
Will try over the weekend. BTW, are you going for a release in the next 2-3 days? Then, I will clean flash once that is out.
Click to expand...
Click to collapse
I will update the rom once October security patches become available.
optimumpro said:
Screenshots
Click to expand...
Click to collapse
Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.
One question tho, although right now I'm encrypted, I do not have that dialogue "To start Android, enter your password" with a black background when booting. Normally when I reboot, I get to my lockscreen with my wallpaper etc. and when I try to unlock the device, there's a small scrolling text saying "Unlock your device to access your apps..." or something around those lines. This seems like a bit different encryption than the one I have. Any clue on why's that? (fyi, I am 100% encrypted, TWRP asks me for my password to decrypt data)
david19au said:
Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.
One question tho, although right now I'm encrypted, I do not have that dialogue "To start Android, enter your password" with a black background when booting. Normally when I reboot, I get to my lockscreen with my wallpaper etc. and when I try to unlock the device, there's a small scrolling text saying "Unlock your device to access your apps..." or something around those lines. This seems like a bit different encryption than the one I have. Any clue on why's that? (fyi, I am 100% encrypted, TWRP asks me for my password to decrypt data)
Click to expand...
Click to collapse
That's because you are encrypted with FBE. My rom has FDE, and it is not forced. So, if you are force-encrypted, you need to flash 'no verity', as stated in the guide. You must be de-crypted to relock. Then, if you want to be encrypted, reflash your rom without 'no verity'.
optimumpro said:
That's because you are encrypted with FBE. My rom has FDE, and it is not forced. So, if you are force-encrypted, you need to flash 'no verity', as stated in the guide. You must be de-crypted to relock. Then, if you want to be encrypted, reflash your rom without 'no verity'.
Click to expand...
Click to collapse
Ohh, I see. Thanks for the swift answer!
I have two more questions: if I want to update my recovery, I need to keep the generated keys and with those keys I need to sign the recovery.img again, right? And do you have any guides on generating the keys while on Windows? Or do I have to be on Linux to generate the keys using those commands?
david19au said:
Ohh, I see. Thanks for the swift answer!
I have two more questions: if I want to update my recovery, I need to keep the generated keys and with those keys I need to sign the recovery.img again, right? And do you have any guides on generating the keys while on Windows? Or do I have to be on Linux to generate the keys using those commands?
Click to expand...
Click to collapse
Every time another recovery or kernel are installed, you need to sign. Only kernel could be signed on the phone. Your keys are supposed to be on your PC.
Haven't been using Windows for 10 years. So, can't help you.
optimumpro said:
Every time another recovery or kernel are installed, you need to sign. Only kernel could be signed on the phone. Your keys are supposed to be on your PC.
Haven't been using Windows for 10 years. So, can't help you.
Click to expand...
Click to collapse
I have a Linux VM just in case this happens but maybe you should mention it in your thread as most users here use Windows.
Additional experience having a custom rom on locked bootloader:
It appears that nothing, not even stock kernel or recovery, could be flashed via fastboot, if 'oem unlock allowed' is unchecked in Developer's settings. I tried to flash stock recovery via fastboot and got a response: 'remote flashing is not allowed', and fastboot is remote flashing. So, the only access to the phone is TWRP and unless data is mounted (via entering password/pin), not much could be done there either.
optimumpro said:
Additional experience having a custom rom on locked bootloader:
It appears that nothing, not even stock kernel or recovery, could be flashed via fastboot, if 'oem unlock allowed' is unchecked in Developer's settings. I tried to flash stock recovery via fastboot and got a response: 'remote flashing is not allowed', and fastboot is remote flashing. So, the only access to the phone is TWRP and unless data is mounted (via entering password/pin), not much could be done there either.
Click to expand...
Click to collapse
So, the only way around is by OEM unlock checked? This is good. Fully encrypted and hope it does work, especially for me. I will do a clean flash tomorrow. Can you share in the other thread just for me the exact steps for going Encrypted?
Once more please..
vdbhb59 said:
So, the only way around is by OEM unlock checked? This is good. Fully encrypted and hope it does work, especially for me. I will do a clean flash tomorrow. Can you share in the other thread just for me the exact steps for going Encrypted?
Once more please..
Click to expand...
Click to collapse
So, were you able to encrypt on Jaguar?
Regarding locking bootloader: just remember, you have to be de-crypted when re-locking. Otherwise, encryption key will be automatically erased, and you will have to do everything from start.
optimumpro said:
So, were you able to encrypt on Jaguar?
Regarding locking bootloader: just remember, you have to be de-crypted when re-locking. Otherwise, encryption key will be automatically erased, and you will have to do everything from start.
Click to expand...
Click to collapse
Ohh, so in that case a bit confused. If I Encrypt Jaguar, then locking bootloader will be done how? Sorry if it is a stupid question.
vdbhb59 said:
Ohh, so in that case a bit confused. If I Encrypt Jaguar, then locking bootloader will be done how? Sorry if it is a stupid question.
Click to expand...
Click to collapse
Whatever rom you have, if you are encrypted (whether FDE or FBE), you must wipe encryption by doing factory reset in TWRP before re-locking. Otherwise, when you re-lock, your encryption key will be wiped, but encryption will stay, so, the phone will be useless. You can do encryption later, when you are successfully re-locked.