Is the phone really secure? - OnePlus 3T Questions & Answers

So if I shut my phone off and turn it back on into fastboot mode and then flash TWRP to boot into TWRP recovery, I can then see all my files and sideload or USB Mass storage status etc.... Doesn't that mean it's not secure?
Secondly I installed TWRP, but now when I reboot it's back in stock recovery. Any idea why that is? Do I have to "install TWRP" Everytime I want to use it?

After some research I discovered that requiring pin at boot fixes this issue. If you don't require pin at boot then your phone really isn't encrypted. Like I read it's like having a bike lock with the password taped to the seat.

Yes, because most Android devices are using FDE encryption. Newer devices running Nougat are using file based encryption, eliminating the need of entering pin at startup while still making your data still pretty secure. For example, iPhone is using both file based encryption and full disk encryption, but I like Android's implementation better, it is more secure imho. In iPhone developer can choose NOT to encrypt app data, idiotic.

Related

[UNOFFICIAL] TWRP 3.0.0-0 for the Pixel C (dragon-ryu) :: Current: 02-11-2016-1

This is UNOFFICIAL TWRP for the Pixel C. That said, the TeamWin team greatly helped me in getting this working. But at the same time, neither TeamWin nor me take any responsibility whatsoever for any undesired outcome resulting from any kind of use of this project and project files! If you don't exactly know what you're doing then just walk away and do something good. Don't touch any options of which you don't exactly know what they're for!
What works:
* So far, everything; encryption support should work, but some feedback on this would be welcome
Problems:
* The GUI will be sometimes slow, sometimes super slow. This is probably due to the high screen resolution of the Pixel C.
How to install:
- Unlock bootloader
- In the bootloader, run "fastboot flash recovery <.img file>"
- Reboot into Pixel C bootloader
- Boot into recovery (or later on/from Android through "adb reboot recovery")
If the recovery doesn't stick after booting into Android:
- Do the install procedure as above
- Do NOT reboot into Android
- Press Vol-Down + Power until you see the bootloader menu
- Select "Boot into Android Recovery"
- When in TWRP, mount system
- Using TWRP's File Manager, or using adb, delete the file "/system/bin/install-recovery.sh"
- Reboot
After doing this, OTAs won't work any longer, but they wouldn't work anyway after installing TWRP. Just so you know
DOWNLOAD
twrp-3.0.0-0-dragon-ryu-02-11-2016-1.img
SHA1 hash: 3e97aae6cc18975683eda2bd3732faaecec14166
Changelog
:: 01-19-2016-1
- Removed screen timeout by default, since the GUI is very slow and the screen unlock slider is very hard to use
- Added an option to fix the Fastboot Full Cap flag directly from TWRP; you find the option in "Advanced". If the Pixel C should ever not let you flash in fastboot, boot into TWRP, select Advanced -> Fix Fastboot, swipe to confirm, and you're set.
:: 02-11-2016-1
- Rebased on twrp/android-6.0 branch (i.e. upgraded to TWRP 3.0.0-0)
The recovery is based on the Pixel C stock kernel.
Awesome! I can survive without root for the time being but being able to enable multiwindow would be amazing!
Thanks!
Edit: I am getting a FAILED (remote: unsupported command) error and cant flash this. Anyone know a work around?
Worked fine for me with "fastboot flash recovery [image name]" did you unlock your bootloader? Also root works just fine, you just have to boot from your PC.
Sent from my Pixel C using Tapatalk
brando56894 said:
Worked fine for me with "fastboot flash recovery [image name]" did you unlock your bootloader? Also root works just fine, you just have to boot from your PC.
Sent from my Pixel C using Tapatalk
Click to expand...
Click to collapse
I did unlock my bootloader but can't get anywhere. Tried updating my sdk, drivers everything. I guess I will have to keep playing with it.
Edit: I relocked my bootloader, and then unlocked it again and now it is working. If anyone else runs into this give it a try.
it successfully installed on my pixel c. is reachable as the Android Recovery option. and boots to bootloader to allow boot of boot.img
this is a good thing. thanks to all involved.
it's been 1 month since release and good way to celebrate.
Good work. Thanks you
hooray thanks! just to clarify: I need encryption disabled to use twrp or just to flash SuperSU?
I'm currently using phhusson's noverity boot-img to boot and with a modified vendor img root is working fine while encryption is enabled ... just having to boot via fastboot every time is a bit awkward. And since I don't know what happens if the device got stuck and reboots itselfe without the modfied boot it would be awesome to have at least a nandroid backup
doumer said:
hooray thanks! just to clarify: I need encryption disabled to use twrp or just to flash SuperSU?
I'm currently using phhusson's noverity boot-img to boot and with a modified vendor img root is working fine while encryption is enabled ... just having to boot via fastboot every time is a bit awkward. And since I don't know what happens if the device got stuck and reboots itselfe without the modfied boot it would be awesome to have at least a nandroid backup
Click to expand...
Click to collapse
Hey... You can use TWRP even with encryption enabled, you just can't write anything to /data.
However for the next build I'm going to enable TWRP's decryption option and see if it works with the Pixel C. If it does I'll post a new build this evening (European Time).
I tried the systemless SuperSU on a decrypted /data partition but it wouldn't work (bootloop), clearly there's a lot of ground to cover here, but like I said maybe the decryption functionality will help us here.
EDIT: I'm also working on a boot.img with disabled forced encryption. Looks like we're going to get proper root very soon.
cheep5k8 said:
This is UNOFFICIAL TWRP for the Pixel C. That said, the TeamWin team greatly helped me in getting this working. But at the same time, neither TeamWin nor me take any responsibility whatsoever for any undesired outcome resulting from any kind of use of this project and project files! If you don't exactly know what you're doing then just walk away and do something good. Don't touch any options of which you don't exactly know what they're for!
What works:
* Well, basically everything IN TWRP works, it's just that without a kernel that disables forced encryption this is not of very much use. I tried flashing SuperSU, but it wouldn't work properly.
Problems:
* The GUI will be sometimes slow, sometimes super slow. This is apparently still a problem with how TWRP uses the graphics mode that is used on the Pixel C. Best is if you immediately disable the screen lock once you boot into TWRP because the unlock slider is abysmally sluggish.
How to install:
- Unlock bootloader
- In the bootloader, run "fastboot flash recovery <.img file>"
- Reboot into Pixel C coreboot bootloader
- Boot into recovery (or later on/from Android through "adb reboot recovery")
DOWNLOAD
2.8.7.0-01082016-1
Click to expand...
Click to collapse
Hello thank you for this. Yesterday I tried to build as well twrp but it wasn't fully working.
I just imported this config with TW_INCLUDE_L_CRYPTO := true && TW_INCLUDE_CRYPTO := true
I didnt copy paste the twrp.fstab I added but added its path to BOAR_smthing.
Also I used omnirom's android-6.0 revision with dragon's device tree.
The recovery seems to boot, as
Code:
adb devices
returns XXXXXx recovery.
Also I can reach the device's shell with adb shell. Just the screen stays black.
I was wondering if I missed something. Is your device tree available online ?
Khaon said:
Hello thank you for this. Yesterday I tried to build as well twrp but it wasn't fully working.
I just imported this config with TW_INCLUDE_L_CRYPTO := true && TW_INCLUDE_CRYPTO := true
I didnt copy paste the twrp.fstab I added but added its path to BOAR_smthing.
Also I used omnirom's android-6.0 revision with dragon's device tree.
The recovery seems to boot, as
Code:
adb devices
returns XXXXXx recovery.
Also I can reach the device's shell with adb shell. Just the screen stays black.
I was wondering if I missed something. Is your device tree available online ?
Click to expand...
Click to collapse
Not yet. I'm going to upload it later on to the TWRP devs for official inclusion.
You need to merge the minui patch so TWRP can use DRM for video on the Pixel C; there is no fb0 device.
there were some new boot images out today. i flashed one of them. when i boot to recovery the sdcard is not able to be mounted. do you have any suggestions on what i need to do or look at in order to get it fixed?
dkryder said:
there were some new boot images out today. i flashed one of them. when i boot to recovery the sdcard is not able to be mounted. do you have any suggestions on what i need to do or look at in order to get it fixed?
Click to expand...
Click to collapse
Because /data is (force-)encrypted. I uploaded a new TWRP build with various fixes but decryption doesn't work.
What I also found out is that the boot image for the Pixel C is NOT an Android boot image (!), but a ChromeOS one. This puts a lot of things in doubt, for example I am not sure if systemless SuperSU can handle this.
But, I'm working on all that (working on boot img without forced encryption right now, but so far it doesn't want to boot completely)
OK, so, I'm running the device unencrypted now, but there are many issues still to resolve.
OK guys, if you really want actual SuperSU, and other root stuff, and decrypted /data, here's how it works but it's complicated and will only work tethered as far as I can tell.
First, download this boot image: dragon-boot-encryptable-01092016-1.img
Now here are the steps:
- make sure you have a stock boot.img handy in case something goes wrong (as usual I can not take responsibility but chances of bricking are extremely slim if you know what you're doing)
- boot into fastboot
- flash the above boot image to boot ("fastboot flash boot dragon-boot....")
- flash the TWRP recovery (latest version) ("fastboot flash recovery twrp-dragon-...")
- hold power+vol down pressed.. the device will turn off, keep it pressed even as it turns off, it will turn on again and you are in the coreboot menu
- select "Android Recovery" which will start TWRP
- in TWRP, select system as read only when it asks ("never write onto the system partition").. my boot image does not disable dm-verity which seems to be still in effect, so if you change /system, the Pixel will refuse to boot (even though it's unlocked... no idea)
- once in TWRP, go to "Wipe" and then choose at the bottom "Format Data" (just wiping will not work)
- when that's done stay in the recovery
- get SuperSU 2.66 from somewhere and flash it through TWRP (using sideload for example)
- when it's done, go to "Backup" in TWRP and only backup boot (the kernel) - no password - no compression
- somehow copy the backed up kernel from the device to your computer ("adb pull" for example), but in no case let the Pixel boot into Android
- when that's done, tell TWRP to boot back into the bootloader
Now get ready to be real quick...
- boot (just boot, not flash) the TWRP backed up boot image (it's 32MB large and called boot.emmc.win, but it's all good): "fastboot boot boot.emmc.win" (and now you have to be rather quick)
- It will boot up for a second and then go back to the "The OS will boot in 30 seconds screen"
- Again press power+vol down and hold it, even as the device turns off, until you're in the coreboot bootloader
- There, choose fastboot again
- And once again boot the boot.emmc.win image ("fastboot boot boot.emmc.win")
- Now let it boot up
- If everything went OK you should be in Android, with decrypted /data, and SuperSU should be installed and working
If you want to avoid being encrypted again (although SuperSU should survive that) you will have to boot tethered everytime using that boot.emmc.win image.
Known Issues: Somehow because /data is decrypted, "Security" settings in Android will crash. Hopefully you don't need anything in there. You might also want to skip setting a lock pattern or pin when doing the initial setup, it might crash too.
So far, I tried installing AdAway using root which worked just fine.
If someone figures out how make this untethered: you da real MVP!
Thank you sir!! I will report back if I encounter any undocumented issues.
OK so I've managed to install Xposed, was pretty straightforward except for the tethered boot. Still looking into making it untethered.
since your modified boot and no encryption it seems to be smoother in graphics. in any event, the thing worked in format of data and install of the supersu zip. so, well done.
cheep5k8 said:
How to install:
- Unlock bootloader
- In the bootloader, run "fastboot flash recovery <.img file>"
- Reboot into Pixel C coreboot bootloader
- Boot into recovery (or later on/from Android through "adb reboot recovery")
DOWNLOAD
2.8.7.0-01082016-2 UPDATE: Includes various fixes from first build; decryption of data does NOT yet work
Click to expand...
Click to collapse
So, followed these instructions and whenever I try to reboot into recovery I get the no command screen. Am I missing something? lol
Edit: So figured thats the stock recovery stuff. Got to the stock recovery but can't get into twrp
2nd Edit: I redownloaded the file and didnt rename it shorter this time and now it works...weird
cheep5k8 said:
Not yet. I'm going to upload it later on to the TWRP devs for official inclusion.
You need to merge the minui patch so TWRP can use DRM for video on the Pixel C; there is no fb0 device.
Click to expand...
Click to collapse
Thank you for those informations .
Thank you so much for this! Aside from the laggy UI, which isn't an issue since we got TWRP (f yes!!!), this is amazing. Do you foresee any issues flashing fonts? I am not familiar with ChromeOS and Android structure combination as it seems there is a lot of talk about. Flashing a file that replaces the stock fonts with the ones of my choosing hypothetically should not pose a problem to /system/fonts/, correct? Thank you for your work

TWRP can't decrypt /data on CM12.1

I just decided to move to CM12.1 on my Droid Turbo (XT1254) after the 1/27 Snapshot (YOG7DAO3J1) was posted. I am running this with TWRP 2.8.7.0, BHB27 Kernel, and OpenGAPPS 5.1. So far, almost everything has been fantastic and the performance of the device is like night and day compared to the Verizon software.
My problem is that the CM12.1 ROM has my device encrypted to begin with, which is nice but giving me trouble. I can't get into TWRP to install Xposed framework or other .zips via ADB. I have tried the following:
Disabling require password on startup
Changing the password in Android
Changing the password from root ADB shell
Using a pin
Trying "default_password"
Can anyone give me a solution or some advice? Any help is greatly appreciated!
Having same issue with TWRP not recognizing any decryption password given... Any ideas out there? Is TWRP incompatible with Droid Turbo HW Encryption, or ?
P_6 said:
Having same issue with TWRP not recognizing any decryption password given... Any ideas out there? Is TWRP incompatible with Droid Turbo HW Encryption, or ?
Click to expand...
Click to collapse
This thread is kinda old and I assumed nobody really knew what was going on with it either. I ended up just not using the encryption. The first time around mine was encrypted without me knowing, which was the issue. I just wiped all partitions and flashed the ROM again...
I am having a similar issue so i thought i would chime in, despite the older thread. I had a stock ROM that was encrypted and I was able to unlock and root with SunShine fine. Flashed on TWRP 2.8.7 and ran into a "Unable to mount storage. Failed to decrypt data" error. Updated to TWRP 3.0.0 and still have the same issue. Still working through a resolution as the phone is still functional if I just boot normally. When you mentioned you wiped all partitions, what process did you use? If i can just get access to the interal storage I can flash a ROM and be good to go.
Asyt said:
I am having a similar issue so i thought i would chime in, despite the older thread. I had a stock ROM that was encrypted and I was able to unlock and root with SunShine fine. Flashed on TWRP 2.8.7 and ran into a "Unable to mount storage. Failed to decrypt data" error. Updated to TWRP 3.0.0 and still have the same issue. Still working through a resolution as the phone is still functional if I just boot normally. When you mentioned you wiped all partitions, what process did you use? If i can just get access to the interal storage I can flash a ROM and be good to go.
Click to expand...
Click to collapse
So far, the only way I have been able to get encryption working with CM12.1 on the Droid Turbo is to do the folllowing (Note: This assumes you have bootloader unlocked and TWRP installed as your recovery):
Part 0: Make sure you have what you need
1. Stock Droid Turbo Firmware SU4TL for your device
2. The version of CyanogenMod 12.1 that you need. I recommend a Snapshot, but it's up to you.
3. TWRP 3.0.0 or later for your Droid Turbo.
Part 1: Final set up (Yes, we do this first)
1. Download CM12.1 & Download OpenGapps arm for 5.1
2. Wipe device (system, data, cache, internal storage), copy CM12 install zip and opengapps install zip via USB to device.
3. Flash CM12 and OpenGapps in TWRP
4. Set up device how you want it to be (install your apps, set up your accounts, etc).
5. Set whatever lock-screen PIN / Password / Pattern you are going to want on your phone in general!
6. Make a Nandroid backup of your 100% set up phone in TWRP
7. Copy your backup TWRP folder to your PC.
Part 2: Encrypt device and put everything back how we want it.
1. Flash stock Verizon firmware (SU4TL) via Fastboot. Do not flash stock Recovery, but put back TWRP if you did somehow (I use a simple bash script I have attached below).
2. Boot device, go through initial set up, don't download apps (we're going to be wiping the device soon).
3. Make sure your battery is 80%+ charged, and your device is plugged in.
4. Set a password or PIN on your phone.
5. Encrypt your device (this will be fairly fast, as /data is empty, but you should be asked for your encryption password on boot.)
6. Reboot to recovery. TWRP will ask you for your password to decrypt. It should work with no problem.
7. Copy your backed-up TWRP folder with your CM12 install to your device via USB. The TWRP folder goes in the Internal Storage root directory.
8. Still in TWRP (Do not reboot), go to Restore, and select the backup you just copied over. This will replace the stock rom with your CM12 backup.
9. Your CM12 install will be restored, but your device will remain Encrypted.
10. Reboot into CM12. Win.
You will need to decrypt your device every boot with the password that you selected when you initially encrypted your device. Your lock-screen password CAN BE DIFFERENT. That is why I do it this way. I have a fairly long password to decrypt my device on boot-up, but a pattern as my lock screen. That way I can quickly get into my phone during daily use without having to constantly type in a fairly complicated password.

twrp failed to decrypt data

My Mi5 was on MoKee rom (mashmallow), with encryption on(it seems to do the encryption the first time I boot MoKee rom, as I input a pin at the time). It seems to work fine: I had a PIN (call it P) set to unlock device. I need to input it every time I reboot device, and TWRP can also use it to decrypt data.
But it turns out I don't like Mokee and would like to use CM 13 instead. So today I booted into TWRP, wiped everything, and flash CM 13 stable build from 12202016. That goes well. First time boot CM 13, it ask me to set a PIN. I just used the same PIN (P). Now CM 13 boots fine. It will ask me PIN once on during boot process, and once more for first time unlock screen (from then on I can use fingerprint to unlock). Not sure why it need PIN twice, but at least I can live with it.
The problem is: now if I boot into TWRP, it will tell me 'PIN incorrect, failed to decrypt data. So I can only go into TWRP without access to data partition, which means it's useless. I have never set a different PIN other than 'P' on this device, so I'm not sure how I could progress with TWRP. I'm using lastest official TWRP for gemini (3.0.2-3). Anyone with more experience, please help. Many thanks.
--EDIT--:
Turns out I need to set "lock screen - input pin when booting" to 'On'. Then I only need to input PIN once during normal boot, and can use that PIN in TWRP to decrypt. It's not intuitive at all, but that solves the problem.
****ing TWRP, i wasted a lot of time on this fking bug
Same issue after new ROM installation
I own a Redmi Note 4 and had a pin (call it Q) that decrypted the data with no issues on startup as well as in TWRP decrypt. Now, recently I installed Resurrection Remix v7.0.0 Android Pie from v6.x.
Now whenever I try to open TWRP and decrypt with the pin Q, it says "decrypt failed" but it works whenever I reboot the device and it asks me to enter pin before startup.
I also could not find "Input PIN while reboot" in the settings, maybe due to new android version policy or because device is already encrypted.
Please help.
TWRP Version: 3.2.1-0
Log:
Updating partition details...
done...
Unable to mount storage
Full SELinux support is present.
Failed to decrypt data.
--EDIT--:
Just downloaded the latest TWRP (3.2.3-1) image from the official site, used "adb push <TWRP image> <location in device>", then "Install" and "Install Image" in recovery and it solved the issue. I used "/sideload" as device location to "adb push" because "/sdcard" wasn't mounted maybe due to encryption.
mrmathematica said:
Turns out I need to set "lock screen - input pin when booting" to 'On'.
Click to expand...
Click to collapse
what are you trying to say on this part? sorry i am lost

password on startup while encrypted / secure startup option

Hi,
I finally could unlock my Mi 9 this week and flashed TWRP. Everything went fine, I am still fully encrypted and TWRP asks for my PIN and decrypts successful /data
What makes me curious is that the device doesn't ask for my PIN during startup and I can't find any Settings-Option to enable this.
Is my data secure? Does MIUI not mount /data until it is fully booted and asks for my password?
I want to be sure that my data is properly locked if my device gets out of hand.

Can not encrypt phone after rooting

Here are the details of my issue,
When trying to encrypt through "Settings > Biometrics & Security > Encrypt device"
It shows an "encrypting" screen
Keeps working on encryption for 1-2 minutes
then Reboots
When I check status, it's not encrypted
Please help.
Also, other than the encryption issue, phone is functioning normally.
Note 8 Model: SM-N950F/DS
Android Ver: 9
Build: PPR1.180610.011.N950FXXUFDUE4
Kernel: 4.4.111-21737876
Knox Ver: Knox 3.2.1, API level: 27, TIMA 3.3.0
Rooting method: (Magisk, Twrp, Force encrypt disabler, KG/RMM lock remover)
twrp: twrp-3.5.2_9-0-greatlte.img
I attached the files used during rooting process.
As a reference, I am also adding the rooting process I followed.
----------------------------------------------------------------
Enable OEM unlocking from dev menu
Shutdown
Reboot into bootloader mode (hold Bixby + VolDown, then Power, all concurrently)
When bootloader appears, press Vol up to enable flashing mode
Run Odin, and connect phone, wait until connected com port is displayed
On Odin, select twrp image in “AP” field
On Odin, from options, unselect “Auto Reboot”
Start flashing. Wait until flash is “Passed”
Disconnect phone and close odin.
Reboot the phone into recovery mode (Warning: Failure to do so may trigger KG/RMM lock, which will lock down the phone for 7 days. It’s a safeguard against phone theft)
Shutdown from flashing mode (hold Bixby + VolDown, then Power, all concurrently)
As soon as the screen goes dark, release VolDown, while still holding Bixby and Power button, and at this moment, pres VolUp.
This should boot phone into TWRP recovery mode
Format /data partition (Format > Format Data)
Reboot > Recovery
Once recovery is complete, connect phone to computer
From Mount, ensure that MTP is enabled, and data partition is mounted
Data partition should be available on computer
In data partition, add
KG/RMM lock remover
Magisk
Force encrypt disabler
From TWRP, flash files in provided order
Phone is rooted
----------------------------------------------------------------
jeredralph said:
Here are the details of my issue,
When trying to encrypt through "Settings > Biometrics & Security > Encrypt device"
It shows an "encrypting" screen
Keeps working on encryption for 1-2 minutes
then Reboots
When I check status, it's not encrypted
Click to expand...
Click to collapse
I think the DM-Verity zip that you flashed has got something to do with re-encrypting your device. The zip is supposed to prevent re-encryption every time you boot your device.
Also TWRP won't work properly if you device is encrypted.
If you really want a rooted device with encryption then use the patch method with magisk.
Finally got it working! Required some brute force and two days of my time.
Thanks @spawnlives for the hint about DM-Verity zip. But, only removing the zip was not enough.
Here's how things worked out so far.
Trial series 1
Flash stock sim inserted (BL > AP > CP > CSC)
Flash TWRP
Format /data
Flash zips (KG/RMM lock remover, Magisk)
Boot system
Issue: Encryption doesn't work. Same as before (system works on encryption for a bit, reboots, not encrypted)
Additional issue: Region code got corrupted (got //BRI, instead of my region code XXV/XXV/BRI). Samsung refused to check for update due to invalid code (don't remember the specifics).
Magisk status (preserve DM Verity: off, preserve Force Encrypt: on)
Trial series 2
Flash stock with sim inserted (BL > AP > CP > CSC)
Boot system
1 issue fixed: region code is now valid
Flash TWRP
Flash zips from microsd (KG/RMM lock remover, Magisk)
Format /data and /preload
Boot system
Initialize (greetings > connect wifi > choose security scheme (pattern), choose secure startup)
Magisk status (preserve DM Verity: off, preserve Force Encrypt: on)
Notes
I noticed something strange. The Encrypt device option is now gone, and instead there is Secure startup, while I am not sure about the specific differences between these two options, the device appears to be encrypted on boot. Cause, it's asking for pattern on every startup (before activating cellular and other core features). Also, TWRP can not decrypt /data partition anymore.
Trial series 2 resolved my issue of having a rooted Android while still having the /data partition encrypted.
I guess, at least now my data is secured against device theft or loss, considering, thief has to erase the /data partition to use the device again. Please correct me if I am wrong.
Issues yet to resolve
On my OnePlus 3t, TWRP has a cool feature enabled, that can decrypt /data partition using pattern. I am not sure why TWRP on Note 8 doesn't prompt pattern for decrypting /data partition.
I encountered an error, "unable to find crypto footer". Could it be the reason? How could it be mitigated?
Data partition is encrypted. I can flash zip from microsd. But, didn't yet have the chance to check whether flashing another zip will trigger integrity violation during secure startup check (the step where I enter secure startup pattern).
Please help me with these issues.

Categories

Resources