Related
I upgraded from 5.1.1 to 6.0 by flashing the factory image without flashing userdata. Everything worked perfectly, but, as many people have noted, I get a "Your device is corrupt" message briefly on startup, before having the opportunity to enter my encryption code. Again, the phone functions just fine despite this.
I'm wondering what it is about my phone that causes this message to display. My bootloader is unlocked, though I don't think this alone should be a problem. I am completely stock, unrooted (though I was rooted on previous versions). As such, I don't think it can be a problem with the system or boot partitions, since, again, I have flashed and re-flashed these directly from the factory image. I don't see how it can be problem with userdata, since this isn't even decrypted when I get the "corrupt" message (i.e., I haven't entered the encryption code yet). Perhaps it's some problem with how userdata is encrypted?
Any logs that might give insight into where the fault is occurring?
Verity is the cause. That post should answer your question.
cupfulloflol said:
Verity is the cause. That post should answer your question.
Click to expand...
Click to collapse
Thanks for the link. I'm still not sure this explains my situation. I get a red "corrupt" warning telling me my device is actually corrupt, which should mean that system files have been modified. However, my system is unmodified; I know this because I have flashed it directly (multiple times).
Although it is extremely unlikely and might be a unique situation, Verity might have actually worked for what it was designed for, for once, and your system might actually be corrupted by either persistent malware or bad memory.
I would warranty return the phone, if possible.
Sent from my VS985 4G using Tapatalk
Wipe data factory reset from stock recovery.
trent999 said:
Although it is extremely unlikely and might be a unique situation, Verity might have actually worked for what it was designed for, for once, and your system might actually be corrupted by either persistent malware or bad memory.
I would warranty return the phone, if possible.
Sent from my VS985 4G using Tapatalk
Click to expand...
Click to collapse
droidstyle said:
Wipe data factory reset from stock recovery.
Click to expand...
Click to collapse
Thanks. I'm not looking really looking for a radical solution (wiping phone, returning it); I'm looking for an explanation (which might guide me to a less radical solution). Again, I wonder whether Verity makes a log somewhere. As I mentioned, my phone is working perfectly.
Hard to imagine it's persistent malware, since I've flashed every partition other than userdata (which is still encrypted when I get the "corrupt" message). Moreover, I'm by no means the first person to report this behavior.
NYZack said:
Thanks. I'm not looking really looking for a radical solution (wiping phone, returning it); I'm looking for an explanation (which might guide me to a less radical solution). Again, I wonder whether Verity makes a log somewhere. As I mentioned, my phone is working perfectly.
Hard to imagine it's persistent malware, since I've flashed every partition other than userdata (which is still encrypted when I get the "corrupt" message). Moreover, I'm by no means the first person to report this behavior.
Click to expand...
Click to collapse
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
simms22 said:
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
Click to expand...
Click to collapse
I didn't notice mine until I installed a custom recovery. Hrm..maybe I just didn't pay attention lol
Tower1972 said:
I didn't notice mine until I installed a custom recovery. Hrm..maybe I just didn't pay attention lol
Click to expand...
Click to collapse
i didnt get it either. but i flashed a custom kernel as well, which gets rid of that message.
simms22 said:
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
Click to expand...
Click to collapse
I'm unlocked, stock and get no such message(s). Expecting it when I install a recovery though
Larzzzz82 said:
I'm unlocked, stock and get no such message(s). Expecting it when I install a recovery though
Click to expand...
Click to collapse
So I can't figure out what the true story is. Some people say that it happens to everybody with an unlocked bootloader, but, according to what you say, this isn't the case. I am stock in every way - recovery, bootloader, boot image, system image - and yet I get this warning. It's not a big deal, but it eats at me and makes me wonder whether there really is something corrupt about some aspect of my system.
NYZack said:
So I can't figure out what the true story is. Some people say that it happens to everybody with an unlocked bootloader, but, according to what you say, this isn't the case. I am stock in every way - recovery, bootloader, boot image, system image - and yet I get this warning. It's not a big deal, but it eats at me and makes me wonder whether there really is something corrupt about some aspect of my system.
Click to expand...
Click to collapse
It has to be changes to recovery. I'm running stock 6.0 with an unlocked bootloader and root and I have no such message on startup. Rooted and unlocked through Wugfresh NexusTool and temporary modified recovery option (non-persistent).
dasDestruktion said:
It has to be changes to recovery. I'm running stock 6.0 with an unlocked bootloader and root and I have no such message on startup. Rooted and unlocked through Wugfresh NexusTool and temporary modified recovery option (non-persistent).
Click to expand...
Click to collapse
No, if you're rooted, it's a different story. The modified boot image installed when you root disables verity checking.
I got the message after rooting my phone with CFRoot. Have done that before, always worked. But now the phone stops working after that boot message, I have reinstalled the stock image.
simms22 said:
it will appear when you boot up on marshmallow, when you have an unlocked bootloader.
Click to expand...
Click to collapse
I can confirm that this is not true. I ultimately factory-reset my phone from Recovery (it was acting strangely in other ways - Contacts crashing, for instance). My bootloader remains unlocked, but I no longer get the "Corrupt" message on startup.
I'm unlocked on marshmallow also and have never had that message
Take a look at here, it was my experience and solution.
https://productforums.google.com/forum/m/#!topic/nexus/sTu8Bdc1GLA;context-place=topicsearchin/nexus/category$3Adevice-security
Sent from my Nexus 6 using XDA Free mobile app
Semseddin said:
Take a look at here, it was my experience and solution.
https://productforums.google.com/forum/m/#!topic/nexus/sTu8Bdc1GLA;context-place=topicsearchin/nexus/category$3Adevice-security
Sent from my Nexus 6 using XDA Free mobile app
Click to expand...
Click to collapse
A simple factory reset in Recovery was all I needed. But I was hoping for a solution that didn't involve wiping my phone, ... and some insight into why so many of us are getting this message with stock systems.
NYZack said:
A simple factory reset in Recovery was all I needed. But I was hoping for a solution that didn't involve wiping my phone, ... and some insight into why so many of us are getting this message with stock systems.
Click to expand...
Click to collapse
Glad you could fix yours with a simple factory reset. Mine was in a much worse situation where i immediately got the corrupted message once i entered gmail account into phone. Google reps couldnt find the answer to the issue but advised me to downgrade to previous os and take OTA to marshmallow, that definitly fixed the issue for me.
Sent from my Nexus 6 using XDA Free mobile app
Device verification on Android and Nexus can be a bit of an interesting subject.
In theory, dm-verity on a Nexus will ONLY validate the system image, and nothing else.
This is the key description that Google made regarding verified boot;
http://source.android.com/devices/tech/security/verifiedboot/verified-boot.html
The key takeaways from that are;
1) an enforcing secure boot chain will involve validating each of the bootloader/boot partitions from the previous level, up to and including the boot.img.
2) The boot image contains the linux kernel and the verity_key file.
3) The verity_key file is the public key used to validate the contents of the metadata partition, which stores the hash tree for the system partition and is used to validate the contents of the system partition *on the fly*.
4) When dm-verity detects a change, it causes an I/O error.
5) On Nexus devices, the validation of the boot partition can be disabled.
The part that is interesting, is figure 2.
The part where it verifies metadata signature files --> no, causes it to reboot in logging mode and gives you the big ugly warning page.
Note that an unlocked Nexus 6 does NOT implement the yellow or orange warning states in its default configuration - see the description of "Class A". I'm not entirely sure if they can be enabled or not, but I've heard chatter of something to the effect of fastboot oem verify, which might enable validation of the boot partition.
So what happens during a dm-verity?
Well, when init tries to mount the system partition using dm-verity, it fails signature check. When it fails signature check, it sets a boot flag that it failed signature check, and *reboots*. The bootloader picks up this boot flag, and loads the error. If dm-verity PASSES signature check, it just continued boot as normal -- no rebooting.
So the approach for getting rid of that error message is actually this; if you tell init not to apply dm-verity, then the signature check is never even applied, so it continues boot as normal.
What isn't clear, is how it could be even remotely possible for a corrupt boot or cache partition to trigger a bootloader error. The only thing I can imagine, is maybe there is some additional check that isn't documented, or a bug in the bootloader that gets triggered when some boot flag is set wrong.
Title says it all. Is there any known way to have root and device encryption still possible?
Thanks a lot.
plop12345 said:
Title says it all. Is there any known way to have root and device encryption still possible?
Thanks a lot.
Click to expand...
Click to collapse
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Jammol said:
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Click to expand...
Click to collapse
I never thought of this question, but good question. So root trips knox to stop encryption? Kinda lame if so.
Jammol said:
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Click to expand...
Click to collapse
Got it working with the stock ROM in the mean time. Just don't use TWRP to flash Magisk. Keep the stock recovery, Use Magisk Manager to patch boot.img (check tar format in settings) , then flash back via Odin, boot and factory reset. Done.
No luck with any custom ROM yet. Desperately looking for help. Would also pay quite a bit to have someone skilled looking into this. I don't want to keep the Korean ROM of my N950N
Nick216ohio said:
I never thought of this question, but good question. So root trips knox to stop encryption? Kinda lame if so.
Click to expand...
Click to collapse
No, flashing with TWRP requires to format data. That step loses encryption.
For some reason it's then impossible with Magisk or pph root to just reencrypt the phone from a custom ROM. It dies with invalid encryption and looses all your data when you try.
It's a bit different with SuperSU. Here it thinks encryption went well and tries to mount it on next boot, but then fails.
From my current knowledge it seems it needs stock recovery to recreate an encrypted data partition that actually works. That's the bit I'm stuck now...
plop12345 said:
No, flashing with TWRP requires to format data. That step loses encryption.
For some reason it's then impossible with Magisk or pph root to just reencrypt the phone from a custom ROM. It dies with invalid encryption and looses all your data when you try.
It's a bit different with SuperSU. Here it thinks encryption went well and tries to mount it on next boot, but then fails.
From my current knowledge it seems it needs stock recovery to recreate an encrypted data partition that actually works. That's the bit I'm stuck now...
Click to expand...
Click to collapse
On the Snap version, using SamFail gets rid of encryption. There's no way to encrypt for us with root because of the 80% short coming.
Jammol said:
On the Snap version, using SamFail gets rid of encryption. There's no way to encrypt for us with root because of the 80% short coming.
Click to expand...
Click to collapse
Ah crap, didn't even think of that issue
Anyway, at least to me a phone without reliable encryption is not usable as daily driver. I wonder why this gets so little attention. I spend some days now trying to resolve this, but there is not much information out there or I'm not capable to dig it up.
I couldn't even find a clear statement, what it actually is that prevents TWRP to mount encrypted /data on modern Samsung phones.
I known they do their own SOC based hardware encryption, but what is it that TWRP can't get? Does the trusted zone not release the key if a custom binary boots? I really like to understand a bit more on how this actually works.
Thanks
Figured it out: https://forum.xda-developers.com/galaxy-note-8/how-to/guide-how-to-root-device-encryption-t3742493
Hello guys..
I am not able to find out what is DM verity..??
When does it occur ???
And how to fix it ??
Is it really a serious problem..?
Please help me
Actually I am a noob ..
Hello
+1
When it will be fix ?
bye
DM-verity is a security feature in Android. There's nothing to fix...
If you root and modify your device you usually need to somehow disable dm-verity, but this is usually taken care of when rooting (Magisk and SuperSU). Otherwise there's usually dm-verity disable zips around, and most custom kernels also disable it as well.
Mayank7 said:
Hello guys..
I am not able to find out what is DM verity..??
Actually I am a noob ..
Click to expand...
Click to collapse
If you weren't able to find it, I don't think you looked very hard. It's been discussed and answered many may many times.
Number one rule to learn as an xda noob: search search search. You will have a very tough time, thinkiing of a question that hasn't already been asked and answered at some point. At least not things as simple as dm-verity, how to root, etc.
Mayank7 said:
When does it occur ???
And how to fix it ??
Is it really a serious problem..?
Click to expand...
Click to collapse
To be nice, since you are new:
If you have the dm-verity warning screen (which simply goes away after 5 seconds, or you can bypass by pressing power button), I assume you flashed TWRP and/or root, custom ROM, etc.
In that case, dm-verity is normal, as those types of modifications will always trigger the dm-verity warning screen.
The dm-verity warning is similar to the bootloader unlocked warning. Simply ignore it, wait 5 seconds for it to go away, or just press the power button to bypass.
If you want, there are ways to bypass the dm-verity warning screen (so it doesn't show up) either by downgrading firmware, disable dm-verity, then upgrade firmware again. Other method is modified boot.img. Either of these mods, don't "correct" the condition that is causing the dm-verity warning, but rather just disable the appearance of the warning screen itself. As already mentioned, there is really nothing to "fix" since the dm-verity warning screen is normal, if your phone is modified by you.
If however, you get the dm-verity screen, and the phone refuses to boot, you may have swiped in TWRP to allow system modifications (which you are not supposed to do). But normally, rooting or custom kernel will bypass this condition.
My old phone had full device encryption and I installed Magisk with 'Preserve force encryption' checked - absolutely no problems.
My new phone (Samsung Galaxy S9+) was decrypted after installing TWRP, then installed Magisk with 'Preserve AVB 2.0/dm-verity' checked. Again no problems.
Now I want to encrypt my phone (Lock screen and security -> Encrypt device) and I am wondering when exactly and how to switch from 'Preserve AVB 2.0/dm-verity' to 'Preserve force encryption' in Magisk? Shall I first encrypt or shall I first change options in Magisk and then encrypt? Or maybe remove root and Magisk, then encrypt and then install Magisk (which seems the safest but most efforts consuming option)?
If you enable the "Preserve forced encryption" toggle in the Manager and then straight away install Magisk again, your device should encrypt itself on the next boot.
You can of course also just encrypt the device from the Android settings, without doing anything else. Having the forced encryption flag disabled by Magisk doesn't matter in this respect. It'll just mean that if you happen to format your /data partition at some point, it'll be unencrypted again.
Thank you! On a separate note - what will happen with TWRP since it cannot read encrypted containers? Would at least be possible to backup (although it would be information TWRP itself would not be able to read) and restore or TWRP will be totally useless?
If TWRP can't deal with your device's encryption, it'll not be able to do anything with the encrypted partition.
Attempt failed.
First, before encryption, I tried to untick 'Preserve AVB 2.0/dm-verity' and to tick 'Preserve force encryption' - but Magisk keeps changing this to the initial status ('Preserve AVB 2.0/dm-verity' ticked and 'Preserve force encryption' unticked).
Then I proceeded to standard full device encryption (Lock screen and security -> Encrypt device). The process started but only after a minute the phone rebooted and cannot boot actually - error message 'Encryption unsuccessful. Encryption process interrrupted bla-bla-bla... You need to hard reset device to factory settings'. And the only way out of this screen is the Reset button.
So now I am wondering how to "save the day" the easy way (without formatting, installing dm-verity, restoring TWRP backup, etc.). Anyone has an idea how to proceed? If there is no easy way, at least the way which someone has already used successfully. The only thing I tried was installing no-verity-opt-encrypt-samsung-1.0.zip in TWRP but nothing different happens afterwards.
orifori said:
Attempt failed.
First, before encryption, I tried to untick 'Preserve AVB 2.0/dm-verity' and to tick 'Preserve force encryption' - but Magisk keeps changing this to the initial status ('Preserve AVB 2.0/dm-verity' ticked and 'Preserve force encryption' unticked).
Click to expand...
Click to collapse
The check-boxes in the Magisk Manager will only do something if you straight away install Magisk after having changed them. If you change their state, exit the Manager, and then open the Manager again, they will return to the initial status. Magisk will have to re-patch the boot image with the new setting.
Then I proceeded to standard full device encryption (Lock screen and security -> Encrypt device). The process started but only after a minute the phone rebooted and cannot boot actually - error message 'Encryption unsuccessful. Encryption process interrrupted bla-bla-bla... You need to hard reset device to factory settings'. And the only way out of this screen is the Reset button.
So now I am wondering how to "save the day" the easy way (without formatting, installing dm-verity, restoring TWRP backup, etc.). Anyone has an idea how to proceed? If there is no easy way, at least the way which someone has already used successfully. The only thing I tried was installing no-verity-opt-encrypt-samsung-1.0.zip in TWRP but nothing different happens afterwards.
Click to expand...
Click to collapse
Actually, I don't think you can encrypt your device if you have a custom recovery installed. Something like that, at least... You'll have to look it up to confirm.
Just tried to restore through TWRP (boot, system, data excl. storage) - absolutely no change! Attempts (all of which unsuccessful):
1 - Wiped Dalvik cache - same result. The very same black screen asking me to factory reset device but in TWRP I have access to the whole filesystem which means that the phone it NOT encrypted.
2 - Then I flashed stock rom in Odin and TWRP disappeared (replaced by Android recovery). But the black screen asking me to factory reset is still there!!!
3 - After this total mess went down the hard way - from hard reset to TWRP restore.
Now I am only wondering why TWRP wouldn't be able to restore?! I though that restored TWRP backup would bring the phone exactly in the sate in which it was during the backup.
Hey guys, time to pay homage to the departed.
Necroposting here!
Howdy do, Mr Didge! Long time no see, read, text! Business humming along, i see!
I wanted to ask for a soul to take pity on me, i beg you, do tell, does decrypting, automatically and immediately, no ifs, ands, or buts, mean buhbye to the lockscreen? Because ive tried about everything there is to no success, my head hurts from banging it at the wall for months (since I'm the type of guy who'll hardly ask), but i give up! 6T, actually is where i have the problem (disregard what'll say below). Thanks!
Sent from my Mate 10 Pro using XDA Labs
culiacanazo said:
Hey guys, time to pay homage to the departed.
Necroposting here!
Howdy do, Mr Didge! Long time no see, read, text! Business humming along, i see!
I wanted to ask for a soul to take pity on me, i beg you, do tell, does decrypting, automatically and immediately, no ifs, ands, or buts, mean buhbye to the lockscreen? Because ive tried about everything there is to no success, my head hurts from banging it at the wall for months (since I'm the type of guy who'll hardly ask), but i give up! 6T, actually is where i have the problem (disregard what'll say below). Thanks!
Sent from my Mate 10 Pro using XDA Labs
Click to expand...
Click to collapse
Ha! I wish it was a business... That would mean I would make some money out of it. I probably could though. My Magisk guide has somewhere between 100000 to 200000 hits a month. Putting some ads on there could probably generate a cup of coffe or two... Problem is: I hate ads. Anyway....
If you're talking about the boot lockscreen (password on boot), then yes, that would go out the window if you're not encrypted as far as I know. An ordinary lockscreen should still be possible though. Although, OnePlus have been starting to do some weird stuff lately, so I wouldn't put it past them to mess stuff up.
Oh yeah... Nice to see you! :laugh:
Didgeridoohan said:
Ha! I wish it was a business... That would mean I would make some money out of it. I probably could though. My Magisk guide has somewhere between 100000 to 200000 hits a month. Putting some ads on there could probably generate a cup of coffe or two... Problem is: I hate ads. Anyway....
If you're talking about the boot lockscreen (password on boot), then yes, that would go out the window if you're not encrypted as far as I know. An ordinary lockscreen should still be possible though. Although, OnePlus have been starting to do some weird stuff lately, so I wouldn't put it past them to mess stuff up.
Oh yeah... Nice to see you! :laugh:
Click to expand...
Click to collapse
Yeah, I'm taking about the no screen, no Google pay type of thing.
The one when you jus booted.
And actually i can set it up, the thing is when time comes to unlock it'll say wrong password/pattern/pin! I hate that, in writing this from an unencrypted mate 10 pro with no problem, also on pie, also rooted and the whole nine yards, so i don't know, haven't seen much online, only ONE thread, if you can call it that, of a guy from last year whom nobody answered.
Sent from my Mate 10 Pro using XDA Labs
culiacanazo said:
Yeah, I'm taking about the no screen, no Google pay type of thing.
The one when you jus booted.
And actually i can set it up, the thing is when time comes to unlock it'll say wrong password/pattern/pin! I hate that, in writing this from an unencrypted mate 10 pro with no problem, also on pie, also rooted and the whole nine yards, so i don't know, haven't seen much online, only ONE thread, if you can call it that, of a guy from last year whom nobody answered.
Sent from my Mate 10 Pro using XDA Labs
Click to expand...
Click to collapse
I feel I'm not going to be much help, so I'll just post this:
https://xkcd.com/979/
Didgeridoohan said:
I feel I'm not going to be much help, so I'll just post this:
https://xkcd.com/979/
Click to expand...
Click to collapse
????
Sent from my Mate 10 Pro using XDA Labs
??? I thought it only happened to me
Didgeridoohan said:
If you enable the "Preserve forced encryption" toggle in the Manager and then straight away install Magisk again, your device should encrypt itself on the next boot.
You can of course also just encrypt the device from the Android settings, without doing anything else. Having the forced encryption flag disabled by Magisk doesn't matter in this respect. It'll just mean that if you happen to format your /data partition at some point, it'll be unencrypted again.
Click to expand...
Click to collapse
Thank you a lot @Didgeridoohan!!!
I never could change that's options on Magisk Manager. After you'r explanations, i change the option and after do install Magisk again and reboot. Works fine, option apply.
Many thanks!!
Didgeridoohan said:
If you enable the "Preserve forced encryption" toggle in the Manager and then straight away install Magisk again, your device should encrypt itself on the next boot.
For some reason after enabling "Preserve forced encryption" and installing Magisk straight after didn't worked. After reboot the box is ticked but under Encryption&Credentials showing not encrypted.
Click to expand...
Click to collapse
culiacanazo said:
Hey guys, time to pay homage to the departed.
Necroposting here!
Howdy do, Mr Didge! Long time no see, read, text! Business humming along, i see!
I wanted to ask for a soul to take pity on me, i beg you, do tell, does decrypting, automatically and immediately, no ifs, ands, or buts, mean buhbye to the lockscreen? Because ive tried about everything there is to no success, my head hurts from banging it at the wall for months (since I'm the type of guy who'll hardly ask), but i give up! 6T, actually is where i have the problem (disregard what'll say below). Thanks!
Sent from my Mate 10 Pro using XDA Labs
Click to expand...
Click to collapse
You've got to hangout with me bro.
Maddd.
Hello everyone,
Every time my moto x4 is restarted, a message appears on the boot screen:
"verity mode is set to logging"
It is something quick, written in yellow and soon the device finishes the initialization.
I wonder if this affects anything on the device?
I make the following observations:
My moto x4 was in the version PAYTON_OPW29.69-26_SUBSIDY-DEFAULT_REGULATORY-DEFAULT_CFC.XML. As I was having problems with Wi-Fi on the device, I decided to unlock the bootloader and flash another version of the android. Finally I opted for PAYTON_FI_OPWS28.46-21-12_SUBSIDY-DEFAULT_REGULATORY-DEFAULT_CFC.XML, this after having tested other versions, all with success. But since I unlocked the bootloader and did the first downgrade this message appears at the boot of the device.
My moto x4 is an XT1900-6.
Another thing done through a previous search was to run the command "getprop ro.boot.veritymode" in the terminal, directly on the device, which returned: "enforcing".
Anyway, I'm not sure if everything is OK with the device or if I lost any important function. If it is a normal error and if it is not, I would like to know the solution to this problem.
This is "normal". I think you can ignore it. If you were worried about security and privacy, you would want it to be enforcing so that the phone wouldn't boot if it was modified. Most users do not want this since it would break a lot of things.
Edit: are you using any third party zips to hide root or pass safety net? They might mask the verity mode, maybe? I don't use them so I couldn't tell you the expected behavior.
gee one said:
This is "normal". I think you can ignore it. If you were worried about security and privacy, you would want it to be enforcing so that the phone wouldn't boot if it was modified. Most users do not want this since it would break a lot of things.
Edit: are you using any third party zips to hide root or pass safety net? They might mask the verity mode, maybe? I don't use them so I couldn't tell you the expected behavior.
Click to expand...
Click to collapse
I did another clean install, using the same firmware as android 8.1 (one), now I'm not using root, as I see no need. I hope there is no problem with this message on the boot screen. I hope I still receive updates via OTA.
To remove this message needs to flash the bootloader from phone variant. This file fix for XT1900-6.
filipepferraz said:
To remove this message needs to flash the bootloader from phone variant. This file fix for XT1900-6.
Click to expand...
Click to collapse
nice bro, it worked for me. :good: :fingers-crossed: