Alright y'all,
I'm confused as hell about this whole DM-Verity thing and I haven't found a clear explanation, so please help a brotha out.
And please feel free to add anything you'd like that I might be missing, but the questions below are what I'm confused on.
1. Da'fuq is DM-Verity?
2. So I get the notification when I boot up and I'm not overly worried about that annoyance, but still not sure if that notification is stating that I do have encryption turned on or if I do not have it turned on.
3. Flashing the "no-verity-opt-encrypt-5.1.zip...does that decrypt my data "permanently"?
4. Why is it that even after I flash that, when I go and do a backup with TWRP, then attempt to flash another ROM (after full wipe) I'm prompted for a password?
5. And obviously, like a lot of people, it won't accept the password that I set when I first setup the phone.
PLEASE help me to understand this so I don't have to keep wiping my phone completely, flashing stock rom and recovery, locking, unlocking, flashing recovery, rooting, etc....every time.
mrbigdrawsz said:
Alright y'all,
I'm confused as hell about this whole DM-Verity thing and I haven't found a clear explanation, so please help a brotha out.
And please feel free to add anything you'd like that I might be missing, but the questions below are what I'm confused on.
1. Da'fuq is DM-Verity?
2. So I get the notification when I boot up and I'm not overly worried about that annoyance, but still not sure if that notification is stating that I do have encryption turned on or if I do not have it turned on.
3. Flashing the "no-verity-opt-encrypt-5.1.zip...does that decrypt my data "permanently"?
4. Why is it that even after I flash that, when I go and do a backup with TWRP, then attempt to flash another ROM (after full wipe) I'm prompted for a password?
5. And obviously, like a lot of people, it won't accept the password that I set when I first setup the phone.
PLEASE help me to understand this so I don't have to keep wiping my phone completely, flashing stock rom and recovery, locking, unlocking, flashing recovery, rooting, etc....every time.
Click to expand...
Click to collapse
1) A service verifying that the system partition has not been tampered with, aka you cannot write to it, which is why there are "systemless" everything now.
2) That 5 seconds screen appears when your device is unlocked no matter what is on the system partition. Even if you are running full stock. Unlocked means your kernel partition will not be verified to be stock, allowing you to add root or patch out dm-verity.
3) I don't think so, as it is "opt"ional encrypt. It just makes sure that there will be no automatic reencryption of your partition.
Actually you cannot decrypt your partition, it might erase it instead.
4) yes you will be prompted for a pw even in twrp, so you can access the zip file from your encrypted partition. If you now were to wipe the entire /data partition including /data/media (aka /sdcard), and create a new ext4 fs on it and apply no-verity-opt-encrypt to your new custom rom (if it is not included), you will not be prompted for a password, but loose all your data.
5) ??? huh?? when you first set up the phone there is no password, you choose it afterwards.
Jo_Jo_2000 said:
1) A service verifying that the system partition has not been tampered with, aka you cannot write to it, which is why there are "systemless" everything now.
2) That 5 seconds screen appears when your device is unlocked no matter what is on the system partition. Even if you are running full stock. Unlocked means your kernel partition will not be verified to be stock, allowing you to add root or patch out dm-verity.
3) I don't think so, as it is "opt"ional encrypt. It just makes sure that there will be no automatic reencryption of your partition.
Actually you cannot decrypt your partition, it might erase it instead.
4) yes you will be prompted for a pw even in twrp, so you can access the zip file from your encrypted partition. If you now were to wipe the entire /data partition including /data/media (aka /sdcard), and create a new ext4 fs on it and apply no-verity-opt-encrypt to your new custom rom (if it is not included), you will not be prompted for a password, but loose all your data.
5) ??? huh?? when you first set up the phone there is no password, you choose it afterwards.
Click to expand...
Click to collapse
First...THANK YOU FOR 1-4!
As for 5, when I'm initially setting up the Rom it asks for the fingerprint and if I say yes then I'm asking how I want to verify, because it forces me to do fingerprint + PIN or password. So when I set that and I'm asked for it in TWRP or if it comes up after flashing another ROM, it never accepts it. Keeps telling me it's wrong. This happens even if I set it up after I'm actually booted into the rom for the first time and then set it up through the settings menu.
mrbigdrawsz said:
First...THANK YOU FOR 1-4!
As for 5, when I'm initially setting up the Rom it asks for the fingerprint and if I say yes then I'm asking how I want to verify, because it forces me to do fingerprint + PIN or password. So when I set that and I'm asked for it in TWRP or if it comes up after flashing another ROM, it never accepts it. Keeps telling me it's wrong. This happens even if I set it up after I'm actually booted into the rom for the first time and then set it up through the settings menu.
Click to expand...
Click to collapse
soemone on xda may has already found a fix for this, look in your rom thread or open a new one if you have to deal with such problems again.
mrbigdrawsz said:
First...THANK YOU FOR 1-4!
As for 5, when I'm initially setting up the Rom it asks for the fingerprint and if I say yes then I'm asking how I want to verify, because it forces me to do fingerprint + PIN or password. So when I set that and I'm asked for it in TWRP or if it comes up after flashing another ROM, it never accepts it. Keeps telling me it's wrong. This happens even if I set it up after I'm actually booted into the rom for the first time and then set it up through the settings menu.
Click to expand...
Click to collapse
Have you found the answer to question 5 ? It cost me to wipe my phone and I need to root it again but afraid of that password issue.
Discoreggae said:
Have you found the answer to question 5 ? It cost me to wipe my phone and I need to root it again but afraid of that password issue.
Click to expand...
Click to collapse
In my experience, it's only happened with certain ROM's. I've gone from Stock to Dirty U. and back to Stock with no issue. But I'll go from anything to Ressurection Remix and I run into this issue if I try and flash something else after flashing R.R. That's the only ROM that I've had the issue with and that's using multiple versions of TWRP. So I'm not sure exactly what's causing it, but I certainly haven't flashed R.R. since (granted it's a great ROM) because it's just a headache going through all the nonsense to get back to where I want to be.
Sorry I don't have a more definitive answer, but that's been my experience.
Quick question (at least I hope) on this no verity thing
I'm seeing a lot of no verity zip flashing these days. I've actually rooted an lg k20 doing it.
So to make it a simple root procedure, if I just flashed the normal rom+gapps and twrp of corse, but also flashed no verity zip file, will that give any issues, say if the phone really didn't need to have the no verity zip flashed......like would adding the no verity zip step in the rooting process as a norm, would there be any ill affects or bricking the phone and such?
I hope that all made sense.
easyrider77 said:
So to make it a simple root procedure, if I just flashed the normal rom+gapps and twrp of corse, but also flashed no verity zip file, will that give any issues, say if the phone really didn't need to have the no verity zip flashed......like would adding the no verity zip step in the rooting process as a norm, would there be any ill affects or bricking the phone and such?
Click to expand...
Click to collapse
I'd say "no". The "no verity" zip is just a patched boot.img, which is one of the files that gets modified with root, or flashing custom ROMs, and is easily fixed or turned back to stock.
On the other hand, if you are that concerned, flashing "no verity" just IMO is not a big benefit. All it does, is remove the verity warning screen when you reboot the phone, which goes away in 5 seconds, of if you press the power button (same as the unlocked bootloader warning screen). I've never bothered with the "no verity" as this little thing (the warning screen) doesn't bother me. But obviously, it bothers some folks. So the choice is yours.
Related
I see this annoying error whenever i am in TWRP. I thought I had it resolved when I flashed the stock ROM then flashed my current run CM-12.1-20150902-NIGHTLY-shamu obtained from Cyanogens website.
Then today I let it run the latest OTA and forgot I would lose root. So I attempted to root again only get get stuck at the boot screen. I eventually did a dirty flash of the same CM 12.1 and now I am back to normal and I was able to root again. But I still get the error E: Unable to mount storage.
Also, I am now also unable to see my Nexus in Windows to explore Internal Storage but was able to before I tried rooting.
Thanks in advance.
Sounds like a good time to do full wipe and clean install. Including TWRP and root.
prdog1 said:
Sounds like a good time to do full wipe and clean install. Including TWRP and root.
Click to expand...
Click to collapse
That's the thing, I thought I did all that properly and then flashed the latest CM 12.1 but noticed last night after a failed root that it is now giving the error again.
Would using my backup after I flashed the stock ROM cause the error to come back? I am just looking for the easiest way to avoid reconfiguring my phone and apps again.
tjlmbklr said:
That's the thing, I thought I did all that properly and then flashed the latest CM 12.1 but noticed last night after a failed root that it is now giving the error again.
Would using my backup after I flashed the stock ROM cause the error to come back? I am just looking for the easiest way to avoid reconfiguring my phone and apps again.
Click to expand...
Click to collapse
Good chance it is that CM12 borking it. Flash anything you want. It either fixes it or it don't. Can always flash back to stock to troubleshoot.
Are you encrypted, with a password to decrypt on boot?
If you have like a swipe password , when rebooting into TWRP you will never the normal android to allow you to enter your password, instead you *should* get one in TWRP, however it will just prompt you for an alphanumeric password.
If you cancel out of that, or enter the wrong password (or don't have an alphanumeric password to enter), I believe it gives you this message... and obviously will fail to mount the encrypted partition.
If this is the case, boot back into system, turn off all passwords/security and it should work fine (no need to decrypt)
scryan said:
Are you encrypted, with a password to decrypt on boot?
If you have like a swipe password , when rebooting into TWRP you will never the normal android to allow you to enter your password, instead you *should* get one in TWRP, however it will just prompt you for an alphanumeric password.
If you cancel out of that, or enter the wrong password (or don't have an alphanumeric password to enter), I believe it gives you this message... and obviously will fail to mount the encrypted partition.
If this is the case, boot back into system, turn off all passwords/security and it should work fine (no need to decrypt)
Click to expand...
Click to collapse
I am not really sure what this is so my guess is now. I do have my phone set with a 'pattern unlock to boot and unlock the phone. How do I tell if I am encrypted?
Your encrypted if you did not install a kernel that supports no forced encryption, the reformat your user data partition via fastboot,
The phone is encrypted by default.
the fact that your device requires pattern unlock at boot, and not just to unlock is a pretty good indicator, but try going into security and select encrypt phone. If it does not give you warnings, remind you to charge and offer to let you encrypt, it is because you already are. Turn off the pattern needed to boot at least, if not any unlock security in general before rebooting to recovery to avoid this error.
scryan said:
Your encrypted if you did not install a kernel that supports no forced encryption, the reformat your user data partition via fastboot,
The phone is encrypted by default.
the fact that your device requires pattern unlock at boot, and not just to unlock is a pretty good indicator, but try going into security and select encrypt phone. If it does not give you warnings, remind you to charge and offer to let you encrypt, it is because you already are. Turn off the pattern needed to boot at least, if not any unlock security in general before rebooting to recovery to avoid this error.
Click to expand...
Click to collapse
Well I haven't changed my kernel and it says Encrypted in my settings. So I could potentially stay on my current setup and resolve my error if I install another kernel?
So here's what I hope will be an easy answer, what is the best method to flash a kernel? I have only tried it once and failed since my phone failed to boot afterwards.
Any recommendations on which kernel to use with CM?
Thanks for the help.
tjlmbklr said:
Well I haven't changed my kernel and it says Encrypted in my settings. So I could potentially stay on my current setup and resolve my error if I install another kernel?
So here's what I hope will be an easy answer, what is the best method to flash a kernel? I have only tried it once and failed since my phone failed to boot afterwards.
Any recommendations on which kernel to use with CM?
Thanks for the help.
Click to expand...
Click to collapse
No.
And CM comes with its own kernel, that does not force encryption.
The kernel is not "encrypted" or "decrypted", the stock kernel forces encryption, others don't. But if your encrypted, you are encrypted until you reformat userdata (obviously this wipes phone) so that it is not encrypted.
scryan said:
Your encrypted if you did not install a kernel that supports no forced encryption, the reformat your user data partition via fastboot
Click to expand...
Click to collapse
scryan said:
...and obviously will fail to mount the encrypted partition.
If this is the case, boot back into system, turn off all passwords/security and it should work fine (no need to decrypt)
Click to expand...
Click to collapse
scryan said:
. Turn off the pattern needed to boot at least, if not any unlock security in general before rebooting to recovery to avoid this error.
Click to expand...
Click to collapse
On encryption:
https://wiki.archlinux.org/index.php/Disk_encryption
(not related to nexus, other then it explains encryption, and nexus is encrypted)
You don't need to disable encryption, but obviously since you have your phone set up to require a pattern supply the decryption key to the system, and your booting into twrp BEFORE you can supply the key for decryption... twrp is not going to have any way to read the encrypted partition. Just turn the security off before rebooting to recovery.
Alternatively you can look up threads here on decrypting your phone, and follow those instructions. You will get a very minor performance boost too... but it does mean that if your phone is lost or stolen your data is a little more accessible.
scryan said:
No.
And CM comes with its own kernel, that does not force encryption.
The kernel is not "encrypted" or "decrypted", the stock kernel forces encryption, others don't. But if your encrypted, you are encrypted until you reformat userdata (obviously this wipes phone) so that it is not encrypted.
On encryption:
https://wiki.archlinux.org/index.php/Disk_encryption
(not related to nexus, other then it explains encryption, and nexus is encrypted)
You don't need to disable encryption, but obviously since you have your phone set up to require a pattern supply the decryption key to the system, and your booting into twrp BEFORE you can supply the key for decryption... twrp is not going to have any way to read the encrypted partition. Just turn the security off before rebooting to recovery.
Alternatively you can look up threads here on decrypting your phone, and follow those instructions. You will get a very minor performance boost too... but it does mean that if your phone is lost or stolen your data is a little more accessible.
Click to expand...
Click to collapse
Thanks. I hope to figure this all out tonight.
tjlmbklr said:
Thanks. I hope to figure this all out tonight.
Click to expand...
Click to collapse
The thread on it is a little confusing IMO, maybe just me.
Just remember encryption is about how the data is stored on the partition NOT a setting in the kernel. The kernel only comes into play because the kernel used stock on the nexus 6 has code to check if you are using encryption, and if you are not it forces you to encrypt your data before it boots.
So step one is make sure you have a kernel that does not force encryption. I have not seen a 3rd party nexus kernel with encryption set to enforced, that would be weird.
Step two is to actually go ahead and make your user data partition not encrypted. This has to be done by reformating in fastboot, see tutorial thread for commands. When you reformat, by default the partition will not be encrypted.
Just make sure that when you an update you don't flash the stock kernel and boot, because this will wipe your device when it forces you to encrypt (You could probably power down or cancel some how? Have never tried...)
This would most likely happen if you ran stock, and you fastboot flashed a new system and boot (boot contains kernel)
Alternatively, don't mess with any of this. You don't need to be unencrypted to mount your data in recovery, you just need to set up security in android to not require any kind of pin to boot (I used to just turn unlock to swipe instead of pattern before I wanted to use recovery). There is some performance lost with encryption, but they vastly improved encrypted performance with 5.1.1, and not being encrypted only gives you a tiny bump in performance. just A LITTLE more snappy imo.
scryan said:
The thread on it is a little confusing IMO, maybe just me.
Just remember encryption is about how the data is stored on the partition NOT a setting in the kernel. The kernel only comes into play because the kernel used stock on the nexus 6 has code to check if you are using encryption, and if you are not it forces you to encrypt your data before it boots.
So step one is make sure you have a kernel that does not force encryption. I have not seen a 3rd party nexus kernel with encryption set to enforced, that would be weird.
Step two is to actually go ahead and make your user data partition not encrypted. This has to be done by reformating in fastboot, see tutorial thread for commands. When you reformat, by default the partition will not be encrypted.
Just make sure that when you an update you don't flash the stock kernel and boot, because this will wipe your device when it forces you to encrypt (You could probably power down or cancel some how? Have never tried...)
This would most likely happen if you ran stock, and you fastboot flashed a new system and boot (boot contains kernel)
Alternatively, don't mess with any of this. You don't need to be unencrypted to mount your data in recovery, you just need to set up security in android to not require any kind of pin to boot (I used to just turn unlock to swipe instead of pattern before I wanted to use recovery). There is some performance lost with encryption, but they vastly improved encrypted performance with 5.1.1, and not being encrypted only gives you a tiny bump in performance.
Click to expand...
Click to collapse
LeanKernel decrypt is an option as it should be in all Kernels and is one of the better ones. The top kernel developers make it an option. Many noobs post unencrypted kernels where they only change the ramdisk and there is no other option. Can have performance and encryption as you say especially with the Google code updates.
prdog1 said:
LeanKernel decrypt is an option as it should be in all Kernels and is one of the better ones. The top kernel developers make it an option. Many noobs post unencrypted kernels where they only change the ramdisk and there is no other option. Can have performance and encryption as you say especially with the Google code updates.
Click to expand...
Click to collapse
Super random and unrelated plug for leankernel, but OK thanks. :good:
There are plenty of popular kernels, I have found Zen good, many like Elite and Hells Core as well.
Hi guys,
I got a rather foolish question that i wasnt able to answer myself yet.
The issue is that after a clean install, after booting into recovery (twrp 3.4.0.1 bluespark) i get a screen where i have to swipe to the right.
I guess thats what is called dm verity here.
After i swipe to the right, i get issues with flashing .zips, e.g. i cant flash viper anymore, it gets an error with reading sdcard.
So far i ignored the issue because i can just flash everything after full wipe without rebooting. But its annoying anways.
Is there any permanent fix to that or do is there just a fix that i have to perform everytime i flash a new ROM?
Im currently on sultans unofficial LOS. What would be the easiest fix for me?
Maybe you could have read the warning there.
It asks if you want to modify system or keep it read only.
If you select read only then you won't be able to flash anything to the system.
Also, that isn't dm-verity.
DM verity is the second notice you get with the red text when you restart your device.
Hello,
I have Oneplus 3 A3000 running on OOS 4.0.1 (Android 7.0). I also have official OP3 twrp recovery version 3.0.3-0 installed and root was done using supersu free v2.82.. It also has dm verity prompt which comes up during boot time because it is oem unlocked.
I want to know exact procedure to go to complete stock rom + stock recovery along with links to download stock recovery and rom. I saw different versions of stock recovery for different OOS. I don't care about device data as everything is on cloud and nothing on is on device. App list also I can get from google account history. Only thing I care is not to corrupt any system partitions. I also saw few posts that go into boot loop if incorrectly unrooted. I would not want that either.
Your help is greatly appreciated. Virtual beer for you ???. I am software engineer so even though I am noob in terms of hacking my android, I can follow the instructions properly.
Thanks again.
You can flash official OOS Rom and just use TWRP, you can try using the current recovery you have. Allow it to boot after if it allows you then do not go back to TWRP, allow it to boot to its system and then normally it will just override TWRP with OOS stock recovery.
reyscott said:
You can flash official OOS Rom and just use TWRP, you can try using the current recovery you have. Allow it to boot after if it allows you then do not go back to TWRP, allow it to boot to its system and then normally it will just override TWRP with OOS stock recovery.
Click to expand...
Click to collapse
What about unroot and oem lock and dm verity? do I need to do all that before doing OOS update? I am getting OOS 4.1.6 in system update.
mit2nil said:
What about unroot and oem lock and dm verity? do I need to do all that before doing OOS update? I am getting OOS 4.1.6 in system update.
Click to expand...
Click to collapse
you sure you want to be locked again ? i doubt..
dm verity is not a big deal for me.. i allowed it.. im ok with but if you want to remove it siankatbg has a guide on how to remove it..
reyscott said:
you sure you want to be locked again ? i doubt..
dm verity is not a big deal for me.. i allowed it.. im ok with but if you want to remove it siankatbg has a guide on how to remove it..
Click to expand...
Click to collapse
I actually want to go to systemless su + magisk + xposed later on. This one didn't work well with some apps that can detect root. But before I do that I want to start fresh because things tend to go messy and i do not have a backup device right now
mit2nil said:
I actually want to go to systemless su + magisk + xposed later on. This one didn't work well with some apps that can detect root. But before I do that I want to start fresh because things tend to go messy and i do not have a backup device right now
Click to expand...
Click to collapse
flash stock oos thats it.. you may leave the bootloader unlocked. better that way..
Sorry but I am still not sure about exact process. Here are my noob queries:
1. Should I update twrp to latest version before proceding? If so which one? currently it is 3.0.3-0. I remember running into encryption issue due to unsupported twrp when I did this last time.
2. Should I use wipe option to wipe anything before I update OOS? I want to do clean install. If so, what should I be wiping out of dalvik/system/data/internal storage/cache/usb otg?
3. To update, I should copy full ota zip on internal memory -> go to recovery -> install -> select zip file -> swipe to flash. Is that correct?
4. After that if I boot into recovery -> I will keep twrp and if I let it boot, it will replace twrp with stock recovery right?
5. Let say, I let it boot n install stock recovery, will I have dm-verity during next boot?
6. Will my superSU root be gone or still be there? If it is still there should I do complete unroot before starting this process?
7. If it is not gone, is it ok to do complete unroot after stock oos + recovery is installed?
8. I saw a dm-verity patch zip which can be used to patch dm-verity in bootloader mode if I do "fastboot oem disable_dm_verity and fastboot oem enable_dm_verity". Does it suppress the issue or it resolves it gracefully?
Thanks for the patience and help in answering the queries advance.
mit2nil said:
Sorry but I am still not sure about exact process. Here are my noob queries:
1. Should I update twrp to latest version before proceding? If so which one? currently it is 3.0.3-0. I remember running into encryption issue due to unsupported twrp when I did this last time.
2. Should I use wipe option to wipe anything before I update OOS? I want to do clean install. If so, what should I be wiping out of dalvik/system/data/internal storage/cache/usb otg?
3. To update, I should copy full ota zip on internal memory -> go to recovery -> install -> select zip file -> swipe to flash. Is that correct?
4. After that if I boot into recovery -> I will keep twrp and if I let it boot, it will replace twrp with stock recovery right?
5. Let say, I let it boot n install stock recovery, will I have dm-verity during next boot?
6. Will my superSU root be gone or still be there? If it is still there should I do complete unroot before starting this process?
7. If it is not gone, is it ok to do complete unroot after stock oos + recovery is installed?
8. I saw a dm-verity patch zip which can be used to patch dm-verity in bootloader mode if I do "fastboot oem disable_dm_verity and fastboot oem enable_dm_verity". Does it suppress the issue or it resolves it gracefully?
Thanks for the patience and help in answering the queries advance.
Click to expand...
Click to collapse
1. Try the first the current TWRP that you have. If it work, then just reboot it on to the system and TWRP will be overwritten by Stock OOS recovery.
2. Wipe dalvik/system/data/cache ..
3. YES , if im not mistaken.
4. answered on question 1.
5. most probably. Try flashing a certain firmware (not sure which one would work) . This is what I did before. But cant be sure.
6. It will be gone.
7. gone.
8. You can try.
reyscott said:
1. Try the first the current TWRP that you have. If it work, then just reboot it on to the system and TWRP will be overwritten by Stock OOS recovery.
2. Wipe dalvik/system/data/cache ..
3. YES , if im not mistaken.
4. answered on question 1.
5. most probably. Try flashing a certain firmware (not sure which one would work) . This is what I did before. But cant be sure.
6. It will be gone.
7. gone.
8. You can try.
Click to expand...
Click to collapse
Thank you so much.
mit2nil said:
Thank you so much.
Click to expand...
Click to collapse
I will tell you what I do.
Flash the latest official TWRP which is 3.1.1-2
If you want a totally clean install, boot into recovery and wipe system data including internal storage, dalvik and cache.
Then without rebooting, push the ROM downloaded from the OnePlus site to the phone. Select the ROM in recovery and swipe to flash.
Otherwise you can copy the ROM to the phone, boot into recovery, wipe system, data, dalvik and cache and then in recovery, flash the ROM.
Wipe dalvik and cache and reboot into system.
Your root will be gone and along with it TWRP. You will be on stock ROM with stock recovery.
Leave the bootloader unlocked. If necessary, it can be locked at any time.
Most likely you will not get the dm verity error. If you do, simply flash the zip given in post #215 in siankatabg's thread on dm verity. It will merely remove the message as all such methods do.
Enjoy
tnsmani said:
I will tell you what I do.
Flash the latest official TWRP which is 3.1.1-2
If you want a totally clean install, boot into recovery and wipe system data including internal storage, dalvik and cache.
Then without rebooting, push the ROM downloaded from the OnePlus site to the phone. Select the ROM in recovery and swipe to flash.
Otherwise you can copy the ROM to the phone, boot into recovery, wipe system, data, dalvik and cache and then in recovery, flash the ROM.
Wipe dalvik and cache and reboot into system.
Your root will be gone and along with it TWRP. You will be on stock ROM with stock recovery.
Leave the bootloader unlocked. If necessary, it can be locked at any time.
Most likely you will not get the dm verity error. If you do, simply flash the zip given in post #215 in siankatabg's thread on dm verity. It will merely remove the message as all such methods do.
Enjoy
Click to expand...
Click to collapse
Hi sorry I was afk for couple of weeks. So I started following this procedure. Very strangely, after I did a reboot post stock OOS (1.4gb zip) flash, twrp said no os installed, you are sure you want to reboot? I wasn't sure so I just said yes. Then I also so dm-verity coming back which was not the case when I started as I had disabled it using "fastboot enable_dm_verity" command.
Now, its been more than five minutes and my phone is stuck on the boot animation forever. (red dot in middle and two while dots rotating).
I am not sure what happened. Can someone please help me ?
mit2nil said:
Hi sorry I was afk for couple of weeks. So I started following this procedure. Very strangely, after I did a reboot post stock OOS (1.4gb zip) flash, twrp said no os installed, you are sure you want to reboot? I wasn't sure so I just said yes. Then I also so dm-verity coming back which was not the case when I started as I had disabled it using "fastboot enable_dm_verity" command.
Now, its been more than five minutes and my phone is stuck on the boot animation forever. (red dot in middle and two while dots rotating).
I am not sure what happened. Can someone please help me ?
Click to expand...
Click to collapse
Never mind. It booted to setup screen after few minutes. I guess I was in too much hurry.
i just went to stock yesterday, i flash stock recovery followed by sideloading the Oxygen OS and after that relock the bootloader.. i kinda feel the battery is much better now compare to when it was rooted with OOS
danxtian said:
i just went to stock yesterday, i flash stock recovery followed by sideloading the Oxygen OS and after that relock the bootloader.. i kinda feel the battery is much better now compare to when it was rooted with OOS
Click to expand...
Click to collapse
Awesome. I am still getting safety net failure even after locking bootloader lock. Any ideas? It fails on CTS profile match. I even did factory reset. Only thing I can think of is the "dm verity" which is back for some reason even though I am on complete stock rom+recovery with no root or unlocked bootloader.
Any way to remove it from stock recovery?
mit2nil said:
Awesome. I am still getting safety net failure even after locking bootloader lock. Any ideas? It fails on CTS profile match. I even did factory reset. Only thing I can think of is the "dm verity" which is back for some reason even though I am on complete stock rom+recovery with no root or unlocked bootloader.
Any way to remove it from stock recovery?
Click to expand...
Click to collapse
There is a zip floating around XDA which I am not able to locate immediately. It may be on siankatabg's thread on dm verity. Simply flash it.
There is also another method I read about where you flash the 4.0.2 firmware, use the enable verity command on adb, boot the phone and then flash the current firmware.
Both methods are mentioned here in XDA. Search for it.
EDIT: One of them here: https://forum.xda-developers.com/showpost.php?p=72273041&postcount=215
See also the OP of the same thread for the other method.
mit2nil said:
Awesome. I am still getting safety net failure even after locking bootloader lock. Any ideas? It fails on CTS profile match. I even did factory reset. Only thing I can think of is the "dm verity" which is back for some reason even though I am on complete stock rom+recovery with no root or unlocked bootloader.
Any way to remove it from stock recovery?
Click to expand...
Click to collapse
i remember having the dm verity but i forgot what i did to make it disappear.. after that time ive been running OOS rooted with twrp until i decided to go back to stock locked
So, I stopped doing anything as I got busy with my life. Here comes the 4.1.7 OTA and my DM verity was gone. So, it seems like if you go to stock and if still dm verity exists, try to do ota update or go to one ota back for flashing.
Oneplus 5/5T bootloader included with 5.1.5 firmware allows booting self-signed recoveries and kernels. In short, you generate signing keys; sign recovery and kernel from your current custom rom (kernel could be signed on the phone); transfer recovery on your phone; apply boot signer for kernel; and relock bootloader. This guide borrows from Chainfire's guide and customizes it for our device.
PROS:
1. Virtually total protection of your data, especially if encrypted
2. Inability to flash another recovery, even stock recovery (if OEM unlock allowed is unchecked)
3. Inability to flash another kernel, including stock kernel, (again if OEM unlock is unchecked)
4. Inability to unlock bootloader in fastboot, see above
5. Total inability to flash anything in fastboot. The only access to the phone is through TWRP
6. You can still change/update roms, backup/restore data to your liking
7. You get a different boot warning screen: 'your phone has loaded a different operating system' with a fingerprint (four rows of numbers). Write them down and compare once in a while: if the numbers are different, someone (and I am talking a sophisticated adversary) tempered with your phone
CONS:
1. You would have to set up things once
2. When changing or updating roms, one extra step is required - flashing Chainfire's modified Verified boot signer zip to resign kernel (right after Magisk and before reboot).
The key generation and signing is based on Android source directions and Chainfire's thread about relocking bootloaders with custom roms. So, credit for that goes to him
THESE ARE INSTRUCTIONS FOR LINUX. I am sure there is a way to do the same on Windows
Preliminary steps:
Remember, if you are not on 5.1.5, you may have problems. For example, my own rom, Jaguar Oreo, requires 5.1.4 firmware. I did all the steps and everything worked, except that TWRP couldn't de-crypt. However, I went ahead and flashed 5.1.5 firmware and the rom is working fine. So, I re-did all the steps and now de-cryption works too. This may or may not be the case with your favorite rom, if it is not on 5.1.5.
1. Create a directory on your PC named, let's say, Bootkeys.
2. Get Chainfire's Bootsignature.jar from here: https://forum.xda-developers.com/attachment.php?attachmentid=4136392&d=1493804209 and VerifiedBootsigner.zip from here: https://forum.xda-developers.com/attachment.php?attachmentid=4164411&d=1496000476 and put both files in that newly created directory
3. Get your favorite TWRP (I use Blue_Spark) and put it also in that directory
4. Key Generation:
Run the following code one line at a time from PC terminal opened in your newly created directory. Skip the lines with "#" sign, these are for comments only.
Code:
# private key
openssl genrsa -f4 -out custom.pem 2048
openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key custom.pem -out custom.x509.pem
openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der
You don't need to use pem files and can delete them after key generation.
5. Signing:
Rename your TWRP into recovery.img and run the following code one line at a time from the same terminal
Code:
java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
java -jar BootSignature.jar -verify recovery_signed.img
Your recovery is signed (first command) and verified (second command - the output should be 'signature valid').
6. Open Verifiedbootsigner-v8.zip you downloaded from Chainfire's thread with your PC's archive manager (don't have to unzip it). Grab your newly generated keys custom.pk8 and custom.x509.der and put them into the opened zip. Make sure the files are there and close archive manager
7. Now back to the phone. Flash your newly signed 'recovery_signed.img' (not original 'recovery.img') to the phone via fastboot or in your existing TWRP. Reboot in your new recovery.
8. Now, format the phone - you have to type 'yes'; next, format separately system/cache/dalvik/data/SD. Reboot the phone into TWRP again.
9. Transfer your favorite Rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner to your SD card. Remember. You must be decrypted to relock. Locking bootloader on encrypted device will destroy encryption key. Once bootloader is locked and everything is working, you can encrypt.
10. Flash the rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner. Reboot and make sure you are NOT encrypted (in Settings/Security). (If encrypted, stop and return to step 8: you either haven't formatted to factory reset or your no verity didn't work).
Now, back to TWRP: most likely your data is gone, so, re-transfer the rom and and Verifiedbootsigner to internal SD
Now, you are ready for the FUN PART: re-locking:
11. Boot in fastboot and execute fastboot oem lock
12. Reboot. You will get a yellow warning: 'Your phone loaded a different operating system". The first boot may throw you into TWRP. Just reboot normally again
13. Now, you can do whatever you want, including Gapps and Magisk. Everything should operate normally. Just remember, every time after flashing Magisk/update/change rom, you MUST reflash Verifiedbootsigner, as the last step and before reboot, even if during flashing, the script tells you kernel is signed. Follow the script and press volume down to sign again
Screenshots
And you have already done it, right?
Sounds fun tbh, will try for sure.
Now, that I have locked bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
Will this work if the phone is decrypted (using no verity)?
optimumpro said:
Now, that I have locked bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
Click to expand...
Click to collapse
But in any case, the OEM unlock from dev option can be turned on, and then surely one can get through, right?
Also, did you go bootloader locked post encrypting, I mean is this the last step?
For my guidance, can you tell me, the sequence (number wise please), how to go encrypted?
Btw, any snapshot of bootloader failure?
obol2 said:
Will this work if the phone is decrypted (using no verity)?
Click to expand...
Click to collapse
I dont think, cause it is encrypted.
vdbhb59 said:
But in any case, the OEM unlock from dev option can be turned on, and then surely one can get through, right?
Also, did you go bootloader locked post encrypting, I mean is this the last step?
For my guidance, can you tell me, the sequence (number wise please), how to go encrypted?
Btw, any snapshot of bootloader failure?
Click to expand...
Click to collapse
obol2 said:
Will this work if the phone is decrypted (using no verity)?
Click to expand...
Click to collapse
Guys. Read 9-10 in the OP. Everything about encryption is there.
optimumpro said:
Guys. Read 9-10 in the OP. Everything about encryption is there.
Also, OEM option isn't available on custom roms. But you can modify build.prop for it to show up. Once everything is working, you can set oem unlock not allowed and remove the entry from build.prop.
Click to expand...
Click to collapse
Oops, my bad. I get your point.
Will try over the weekend. BTW, are you going for a release in the next 2-3 days? Then, I will clean flash once that is out.
vdbhb59 said:
Oops, my bad. I get your point.
Will try over the weekend. BTW, are you going for a release in the next 2-3 days? Then, I will clean flash once that is out.
Click to expand...
Click to collapse
I will update the rom once October security patches become available.
optimumpro said:
Screenshots
Click to expand...
Click to collapse
Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.
One question tho, although right now I'm encrypted, I do not have that dialogue "To start Android, enter your password" with a black background when booting. Normally when I reboot, I get to my lockscreen with my wallpaper etc. and when I try to unlock the device, there's a small scrolling text saying "Unlock your device to access your apps..." or something around those lines. This seems like a bit different encryption than the one I have. Any clue on why's that? (fyi, I am 100% encrypted, TWRP asks me for my password to decrypt data)
david19au said:
Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.
One question tho, although right now I'm encrypted, I do not have that dialogue "To start Android, enter your password" with a black background when booting. Normally when I reboot, I get to my lockscreen with my wallpaper etc. and when I try to unlock the device, there's a small scrolling text saying "Unlock your device to access your apps..." or something around those lines. This seems like a bit different encryption than the one I have. Any clue on why's that? (fyi, I am 100% encrypted, TWRP asks me for my password to decrypt data)
Click to expand...
Click to collapse
That's because you are encrypted with FBE. My rom has FDE, and it is not forced. So, if you are force-encrypted, you need to flash 'no verity', as stated in the guide. You must be de-crypted to relock. Then, if you want to be encrypted, reflash your rom without 'no verity'.
optimumpro said:
That's because you are encrypted with FBE. My rom has FDE, and it is not forced. So, if you are force-encrypted, you need to flash 'no verity', as stated in the guide. You must be de-crypted to relock. Then, if you want to be encrypted, reflash your rom without 'no verity'.
Click to expand...
Click to collapse
Ohh, I see. Thanks for the swift answer!
I have two more questions: if I want to update my recovery, I need to keep the generated keys and with those keys I need to sign the recovery.img again, right? And do you have any guides on generating the keys while on Windows? Or do I have to be on Linux to generate the keys using those commands?
david19au said:
Ohh, I see. Thanks for the swift answer!
I have two more questions: if I want to update my recovery, I need to keep the generated keys and with those keys I need to sign the recovery.img again, right? And do you have any guides on generating the keys while on Windows? Or do I have to be on Linux to generate the keys using those commands?
Click to expand...
Click to collapse
Every time another recovery or kernel are installed, you need to sign. Only kernel could be signed on the phone. Your keys are supposed to be on your PC.
Haven't been using Windows for 10 years. So, can't help you.
optimumpro said:
Every time another recovery or kernel are installed, you need to sign. Only kernel could be signed on the phone. Your keys are supposed to be on your PC.
Haven't been using Windows for 10 years. So, can't help you.
Click to expand...
Click to collapse
I have a Linux VM just in case this happens but maybe you should mention it in your thread as most users here use Windows.
Additional experience having a custom rom on locked bootloader:
It appears that nothing, not even stock kernel or recovery, could be flashed via fastboot, if 'oem unlock allowed' is unchecked in Developer's settings. I tried to flash stock recovery via fastboot and got a response: 'remote flashing is not allowed', and fastboot is remote flashing. So, the only access to the phone is TWRP and unless data is mounted (via entering password/pin), not much could be done there either.
optimumpro said:
Additional experience having a custom rom on locked bootloader:
It appears that nothing, not even stock kernel or recovery, could be flashed via fastboot, if 'oem unlock allowed' is unchecked in Developer's settings. I tried to flash stock recovery via fastboot and got a response: 'remote flashing is not allowed', and fastboot is remote flashing. So, the only access to the phone is TWRP and unless data is mounted (via entering password/pin), not much could be done there either.
Click to expand...
Click to collapse
So, the only way around is by OEM unlock checked? This is good. Fully encrypted and hope it does work, especially for me. I will do a clean flash tomorrow. Can you share in the other thread just for me the exact steps for going Encrypted?
Once more please..
vdbhb59 said:
So, the only way around is by OEM unlock checked? This is good. Fully encrypted and hope it does work, especially for me. I will do a clean flash tomorrow. Can you share in the other thread just for me the exact steps for going Encrypted?
Once more please..
Click to expand...
Click to collapse
So, were you able to encrypt on Jaguar?
Regarding locking bootloader: just remember, you have to be de-crypted when re-locking. Otherwise, encryption key will be automatically erased, and you will have to do everything from start.
optimumpro said:
So, were you able to encrypt on Jaguar?
Regarding locking bootloader: just remember, you have to be de-crypted when re-locking. Otherwise, encryption key will be automatically erased, and you will have to do everything from start.
Click to expand...
Click to collapse
Ohh, so in that case a bit confused. If I Encrypt Jaguar, then locking bootloader will be done how? Sorry if it is a stupid question.
vdbhb59 said:
Ohh, so in that case a bit confused. If I Encrypt Jaguar, then locking bootloader will be done how? Sorry if it is a stupid question.
Click to expand...
Click to collapse
Whatever rom you have, if you are encrypted (whether FDE or FBE), you must wipe encryption by doing factory reset in TWRP before re-locking. Otherwise, when you re-lock, your encryption key will be wiped, but encryption will stay, so, the phone will be useless. You can do encryption later, when you are successfully re-locked.
so i've tried a few roms, and couldn't get gpay working. im going to try a few things mentioned in other threads, but before i start that. i want to properly/fully reset my phone to the stock, to hopefully make sure i don't mess anything up in the future.
my first issue was installing twrp, i tried to `fastboot flash` the recovery, but nothing worked until i followed these steps: https://www.getdroidtips.com/download-and-install-twrp-recovery-for-redmi-k20-pro-latest/
im worried about what might be in the misc.bin in that zip. cuz i couldn't reboot into twrp recovery until i flashed that. does anyone know what that is? i think i just want to flash/reset? everything on my phone back to miui, make sure i update to the latest firmware etc. but, tbh, i find navigating xda difficult and can't seem to find the official firmware anywhere, or steps on how to reset the phone...
thanks for any help
Um, i think ur in the wrong category
thejacer87 said:
my first issue was installing twrp, i tried to `fastboot flash` the recovery, but nothing worked until i followed these steps ...
im worried about what might be in the misc.bin in that zip. cuz i couldn't reboot into twrp recovery until i flashed that. does anyone know what that is?
Click to expand...
Click to collapse
The misc.bin file is basically just a script that tells the Device to directly boot into TWRP, because Xiaomi Devices / MIUI are configured to overwrite TWRP after a reboot. If you still feel uncomfortable having to flash the misc file, try "fastboot *BOOT* TWRP.img" instead of "fastboot *FLASH* TWRP.img".
If you wish to keep MIUI installed instead of an Custom ROM make sure to flash Magisk, as it patches the DM-Verity stuff that causes the Device to either get stuck in a Bootloop or replace TWRP with the Stock Recovery.
If you're planning to run an Custom ROM like LineageOS, AOSiP etc. you don't have to flash Magisk as long as your Device isn't encrypted. Rebooting from TWRP to System without flashing Magisk on an encrypted Device will encrypt your Data Partition and you'll have to format Data to be able to access the Internal Storage again. (Flashing Magisk in that case will prevent your Device from encrypting all your Data again after an ROM Flash.)
Fatal_Scythe said:
The misc.bin file is basically just a script that tells the Device to directly boot into TWRP, because Xiaomi Devices / MIUI are configured to overwrite TWRP after a reboot. If you still feel uncomfortable having to flash the misc file, try "fastboot *BOOT* TWRP.img" instead of "fastboot *FLASH* TWRP.img".
If you wish to keep MIUI installed instead of an Custom ROM make sure to flash Magisk, as it patches the DM-Verity stuff that causes the Device to either get stuck in a Bootloop or replace TWRP with the Stock Recovery.
If you're planning to run an Custom ROM like LineageOS, AOSiP etc. you don't have to flash Magisk as long as your Device isn't encrypted. Rebooting from TWRP to System without flashing Magisk on an encrypted Device will encrypt your Data Partition and you'll have to format Data to be able to access the Internal Storage again. (Flashing Magisk in that case will prevent your Device from encrypting all your Data again after an ROM Flash.)
Click to expand...
Click to collapse
k thanks for the info. what's the difference b/w the boot v flash for twrp?
is the misc.bin from that link i posted safe then? where did it come from? is there a thread here where files like that are posted/talked about?
i definitely plan to stick with either lineage or Pixel experience. i just want to get google pay going. so i think my next attempt will be to relflash magisk and look into that sql fix everyone mentions
thejacer87 said:
so i've tried a few roms, and couldn't get gpay working. im going to try a few things mentioned in other threads, but before i start that. i want to properly/fully reset my phone to the stock, to hopefully make sure i don't mess anything up in the future.
my first issue was installing twrp, i tried to `fastboot flash` the recovery, but nothing worked until i followed these steps: https://www.getdroidtips.com/download-and-install-twrp-recovery-for-redmi-k20-pro-latest/
im worried about what might be in the misc.bin in that zip. cuz i couldn't reboot into twrp recovery until i flashed that. does anyone know what that is? i think i just want to flash/reset? everything on my phone back to miui, make sure i update to the latest firmware etc. but, tbh, i find navigating xda difficult and can't seem to find the official firmware anywhere, or steps on how to reset the phone...
thanks for any help
Click to expand...
Click to collapse
If you're planning to go back to stock MIUI and locked bootloader, I highly recommend using Mi Flash and flashing the original fastboot MIUI ROM which can be found here https://www.xda-developers.com/download-miui-11-xiaomi-redmi-note-7-pro-poco-f1/amp/. All you gotta to do is extract the ROM file which is .tgz to any folder, and in Mi Flash select that folder click on "clean all and lock" in the bottom right corner, and click flash. This should theoretically make your device "out of the box".
Keep in mind that this method requires a PC with all ADB and fastboot drivers, they can be downloaded from here https://forum.xda-developers.com/showthread.php?t=2588979 .
thejacer87 said:
k thanks for the info. what's the difference b/w the boot v flash for twrp?
is the misc.bin from that link i posted safe then? where did it come from? is there a thread here where files like that are posted/talked about?
i definitely plan to stick with either lineage or Pixel experience. i just want to get google pay going. so i think my next attempt will be to relflash magisk and look into that sql fix everyone mentions
Click to expand...
Click to collapse
BOOT will just let the Device temporarily boot into the Recovery (without making changes to the Recovery Partition) FLASH will write the Recovery Image to the Recovery Partition so you can boot to it whenever you want / need to.
I don't know if there's any kind of threads where certain files are talked about sorry, but I could be wrong though.
I don't know much about G Pay, I was gonna try it too but my Bank doesn't support it. I've seen quite a few people reporting success in getting it to work / making payments with it in local stores with the mentioned SQL Fix so if you're lucky it'll work for you too
Fatal_Scythe said:
BOOT will just let the Device temporarily boot into the Recovery (without making changes to the Recovery Partition) FLASH will write the Recovery Image to the Recovery Partition so you can boot to it whenever you want / need to.
I don't know if there's any kind of threads where certain files are talked about sorry, but I could be wrong though.
I don't know much about G Pay, I was gonna try it too but my Bank doesn't support it. I've seen quite a few people reporting success in getting it to work / making payments with it in local stores with the mentioned SQL Fix so if you're lucky it'll work for you too
Click to expand...
Click to collapse
just got gpay to work with the sql fix. thanks for the help