I want to use a work profile and enroll my device using company portal to access my work email/teams while my phone is rooted.
I have burned a lot of time attempting to achieve this, thus far without success, so I'm hoping for some community help. My attempts can be categorized as performed on official FW (+root) and on a custom ROM (BeyondROM).
Using official samsung firmware
I have ODIN-flashed the latest BULF firmware on my SM-998B with a full wipe. Using original AP package, so no magisk yet. Company Portal then fails me with a somewhat generic "Cannot create a work profile - The security policy prevents the creation of a managed device because a custom has been installed on this device". At this point, device is not rooted and there are no signs of magisk lingering, so either this is a bug, or it queries Knox for the tripped efuse.
Next I attempted to create a work profile using Shelter, Island and SecureFolder. Each of them seem to run into the exact same error (worded slightly differently).
My gut feeling is that there is an issue with the underlying work profile functionality within Android itself, and I'm not being held back by simply the Knox bit -- surely Island doesn't mind a custom OS.
I then proceeded to root the official firmware with magisk (23016 canary, and since yesterday 24000 beta). Attempted every combination of denylist, zygisk, shamiko and USNF. None of it makes any difference: every attempt to instantiate a work profile immediately fails.
Using custom ROM
Custom ROM specifically mentions that Samsung's SecureFolder *works* with it, so while I generally prefer to customize the OS myself, I figured flashing this was worth a shot. So I did, and indeed, work profile functionality is not borked anymore. Even before installing the Magisk romdisk, both Shelter and Island manage to create a work profile, and I can install apps inside it. No need for root hiding at all, it seems.
Then I moved on to Company Portal. The enrollment procedure now actually appears to start and after ~3 seconds I am told: we need to encrypt the device. It's definitely getting further than it did on official firmware. I'm okay with encrypting the device. At full battery/charger inserted I can seemingly start this procedure, but it then hangs at a black screen with centered android picture. At this point my buttons and statusbar are made inaccessible. After an hour of nothing happening I restarted - no data was lost, I'm sure it never even started to encrypt.
Enabling encryption from the Biometric & Security menu is not presented as an option either.
If anyone has insights as to why work profile creation completely fails on stock firmware (and how to fix that), or if anyone knows the we can enable encryption while running a custom ROM, please reply.
By using MagiskHidePropsConf I was able to set `ro.crypto.state` from `unencrypted` to `encrypted`. This allowed me to create a full work profile, without it asking me to encrypt first.
Next a bunch of "rooted" issues came up, but Shamiko and USNF solved that.
I could then access the apps within the work profile, but the device is still not in compliance because it insists I should enable 'secure startup', i.e. ask a full password/pin after reboot -- this actually does happen on reboots, but I cannot find any corresponding menu entry for it.
That said, I can access the apps inside the portal now, which is the main thing. Perhaps I can even trick it into thinking the device is in compliance.
was your bootloader unlocked when you tried with the official firmware?
Yes, it has been unlocked for over a year. I did not re-lock before trying official firmware though.
Intune is supposed to work only on unmodified devices
see here https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy
according to microsoft it won't work on
Devices that fail basic integrity
Devices with an unlocked bootloader
Devices with a custom system image/ROM
Devices for which the manufacturer didn't apply for, or pass, Google certification
Devices with a system image built directly from the Android Open Source Program source files
Devices with a beta/developer preview system image
Hi @zzattack ,
I am in the exact point like you, but I am on S9+ NOBLEROM (based on stock).
With crDroid ROM, all is working ok with Company Portal (encryption working, and I used Magisk to hide root).
But I would like to use NOBLEROM. I also set build prop ro.crypto.state to encrypted. For me 'Secure startup' is not showing in Biometrics and security, an no password required on boot. It is up only for Lock screen.
Did you managed to overcome secure startup ? Maybe it is a posibility to trick 'secure startup' is enabled, even it is not.
Obs. In my case, I can not run apps from work profile, even it is created and apps visible.
Thanks
Related
I have an ATT S5 (SM-G900A), completely stock, unrooted, updated to the latest 5.0 OTA update. My requirements for my phone are that it be able to pass Airwatch checks and that it be able to be encrypted (Personal device used at work). Some background first:
Last time I tried to play around with rooting, other mods, and whatnot was on my ATT S3 (I think I747?) and I discovered that an unspecified combination of rooting, installing a custom loader (CWM in my case) and installing a custom mod (Cyanogenmod at the time) made my phone unable to encrypt. At the time I was not required to use Airwatch, but encryption was required for my phone to connect to work, so I gave up on the whole lot.
I have now discovered that ATT, in their infinite wisdom, has replaced the S Voice drive mode with their own "ATT Drive Mode", and it's been verified they went so far as to remove the related APKs from the phone entirely. For those unaware, S Voice Drive mode is an feature of S Voice that (when turned on) reads out all callers and text messages, and then verbally prompts you for actions; reply, answer, ignore, etc. It allows fully hands free functionality. ATT Drive Mode, on the other hand, automatically kicks in whenever speeds of 20 MPH are detected (even if you're a passenger), rejects all calls and texts excluding a user-defined 5 person list, and essentially makes your phone useless anytime you're in a car. The goal is to "reduce texting and distracted driving", but as I'm on-call as part of my job and need to at least be aware of texts that come in within 10 minutes of receipt, it actually makes my drive much more dangerous. ATT Drive mode is a good idea for teens, perhaps, but i'm not a teen.
This brings me to my question: What are my options?
--Does rooting break my ability to encrypt? I know airwatch will flag, but I'm thinking there's a possibility of being able to root, put a custom loader on my phone, and then restore stock with that custom loader, whereupon I can try to install the drive mode APK...which leads me to my next question:
--Does having a custom loader (like safestrap or CWM or whatever is in use nowadays) break my ability to encrypt?
--Does anyone know of a way to install the S Voice drive mode in the G900A? I tried searching, but the only references involved being rooted, or ended with something vague like "download a stock rom and find the apk using root explorer" as the solution (which is vague to me because I don't know which stock rom to use, what apk to look for, and last time I used root explorer on my s3, it needed root...)
Honestly, the ideal solution would be something like the stock rom from the international version that would run on my ATT version...but I don't know if such a thing exists or is possible. I don't mind Samsung's cruft, but I do dislike ATT's lobotomizing of my phone to push their own little product that treats me like a kid. I know that I am less safe as a driver without the S Voice drive mode than I was with it.
I take it I have no options? And that no one knows how rooting affects encryption?
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
sheaiden said:
I take it I have no options? And that no one knows how rooting affects encryption?
Sent from my SAMSUNG-SM-G900A using XDA Free mobile app
Click to expand...
Click to collapse
I will make it easy for you. Since you took the 5.0 OTA update rooting is not possible anymore. Also there is no way to downgrade to KitKat which was rootable. Sorry. Not much you can do until someone finds a way to root 5.0. If you find the S Voice Drive app, you can side load it and see if it works.
Waiting4MyAndroid said:
I will make it easy for you. Since you took the 5.0 OTA update rooting is not possible anymore. Also there is no way to downgrade to KitKat which was rootable. Sorry. Not much you can do until someone finds a way to root 5.0. If you find the S Voice Drive app, you can side load it and see if it works.
Click to expand...
Click to collapse
Actually, while I greatly appreciate the fact that you took the time to reply (seriously! at least you took the time!), this is neither easy nor related to the questions I asked. If you look at my post, I'm not asking "how can I root", I'm asking three rather different questions:
--Does rooting break my ability to encrypt? I know airwatch will flag, but I'm thinking there's a possibility of being able to root, put a custom loader on my phone, and then restore stock with that custom loader, whereupon I can try to install the drive mode APK...which leads me to my next question:
--Does having a custom loader (like safestrap or CWM or whatever is in use nowadays) break my ability to encrypt?
--Does anyone know of a way to install the S Voice drive mode in the G900A? I tried searching, but the only references involved being rooted, or ended with something vague like "download a stock rom and find the apk using root explorer" as the solution (which is vague to me because I don't know which stock rom to use, what apk to look for, and last time I used root explorer on my s3, it needed root...)
In fact, I am unable to remain rooted (Airwatch; it's part of the post title), and the whole point and thrust of my question lies in the fact that I am looking to find out what affects encryption and what options I have as far as getting S Voice Drive mode on my phone while staying Airwatch compliant (not rooted). In addition, "if you can find the s voice drive app" is part of the problem too, as evidenced by the third question I asked above; I don't know where to find said app.
Does anyone know anything regarding what I was actually asking?
Everything that you want to do requires ROOT! Safstrap needs root, CWM will brick you phone since the bootloader is locked. Again, there is no way as of now to root the S5 with 5.0 att OTA.
Here is the link to download the GS4 S Voice app. You can try and side load it,
https://www.dropbox.com/s/oe7i2g81iuhjv38/S-Voice_Android_phone_J.apk?dl=0
Waiting4MyAndroid said:
Everything that you want to do requires ROOT! Safstrap needs root, CWM will brick you phone since the bootloader is locked. Again, there is no way as of now to root the S5 with 5.0 att OTA.
Here is the link to download the GS4 S Voice app. You can try and side load it,
Click to expand...
Click to collapse
Awesome, I'll start with that sideloading, and test it out. Thanks! As far as the rest, I suppose that does clarify some things (that I admittedly already knew), so I do appreciate it, but it still does leave the answers to the other questions. I can infer, of course, that the answer to whether having a custom bootloader on the Galaxy S5 breaks encryption will be dependent on whether root breaks the encryption, since as you pointed out custom bootloaders need root to install, but the fantasy I entertained for a little while was rooting when there's a method (hope springs eternal, so I'm hoping it will eventually be possible), installing a custom bootloader so I can do things like backups and sideload, getting the proper apk's installed for the drive app, and then unrooting it so I can connect it via airwatch to my work's network. Perhaps I should have marked this as a solidly theoretical question, since as you said, there currently exists no root. I just want to know, with the unique way that Samsung implemented Knox and the encryption on the S5, what will break encryption and what won't?
Of course, there is a side question brought up by all this...how possible is it to load another firmware on my phone? as in, use Odin to put the tmobile image on my phone. That is likely a bad example, since I'm fairly certain there are actual hardware differences between the ATT and the tmobile models, but the concept still stands. At what level are the hardware configurations different between phone companies?
sheaiden said:
Awesome, I'll start with that sideloading, and test it out. Thanks! As far as the rest, I suppose that does clarify some things (that I admittedly already knew), so I do appreciate it, but it still does leave the answers to the other questions. I can infer, of course, that the answer to whether having a custom bootloader on the Galaxy S5 breaks encryption will be dependent on whether root breaks the encryption, since as you pointed out custom bootloaders need root to install, but the fantasy I entertained for a little while was rooting when there's a method (hope springs eternal, so I'm hoping it will eventually be possible), installing a custom bootloader so I can do things like backups and sideload, getting the proper apk's installed for the drive app, and then unrooting it so I can connect it via airwatch to my work's network. Perhaps I should have marked this as a solidly theoretical question, since as you said, there currently exists no root. I just want to know, with the unique way that Samsung implemented Knox and the encryption on the S5, what will break encryption and what won't?
Of course, there is a side question brought up by all this...how possible is it to load another firmware on my phone? as in, use Odin to put the tmobile image on my phone. That is likely a bad example, since I'm fairly certain there are actual hardware differences between the ATT and the tmobile models, but the concept still stands. At what level are the hardware configurations different between phone companies?
Click to expand...
Click to collapse
You will not be able to change your bootloader period... At this point the locked bootloader is unbreakable. That leads to your next question about tmobile and that's a no as well due to the locked down bootloader.
Even with root you won't be able to do anything you've suggested due to the locked bootloader.
OPOfreak said:
You will not be able to change your bootloader period... At this point the locked bootloader is unbreakable. That leads to your next question about tmobile and that's a no as well due to the locked down bootloader.
Even with root you won't be able to do anything you've suggested due to the locked bootloader.
Click to expand...
Click to collapse
Interesting. I had been under the impression that I had seen people referring to installing clockworkmod or some similar thing on an S5, but I think I may be getting caught up in terminology; those are recoveries, aren't they? not bootloaders? Or perhaps people were posting about the other S5s with unlocked bootloaders. 15 different versions of S5, and I get stuck with the most apple-like of all the carriers....(in the sense of "you take what we give you and don't play with it!")
So, assuming I don't manage to get it installed via the link Waiting4MyAndroid was kind enough to post, I think that rules out anything other than the method of:
--wait for a root method to be established for the new OTA
--root, install the drive apk
--unroot, so I can encrypt and pass airwatch
Does anyone know if the old method of rooting broke encryption? and whether encryption was able to be performed after unrooting again?
Edit: Attempted to Sideload. Sadly, it is telling me "App not installed" (other sideloads do work; it's not the unknown sources setting). I'm thinking either the apk is marked for s4, and it's not compatible, or it's trying to overwrite files from the established svoice system, and that's not allowed. I suppose if someone has the drive apks from a tmobile S5 image or some such thing (same model, different carrier), then I could try again, but unfortunately this apk doesn't work. Thanks for the attempt, Waiting4MyAndroid!
Does your workplace have a BYOD policy that enforces full device encryption?
Have you already unlocked your bootloader and rooted your device, thus tripping Samsung Knox?
Have you tried to use Android Work Profile only to find out that "Your custom OS" does not allow it even if you reverted to stock and unrooted? (I know, right?)
Here is the solution...
Steps
Unlock Bootloader and Install TWRP.
(Thanks dr.ketan and geiti94)
Install the Dev-Base ROM and force Encryption by using the Dev-base ROM file name tags/triggers. (Thanks _alexndr)
Upon booting for the first time, setup pin with the checkbox for booting with pin protection. (This is full device Encryption).
Reboot
Enable Multi User (Samsung has disabled this by default)
arpanbag1996 said:
Enable multi-user feature on your Android one phone (running Android 5.1 Lollipop) without flashing .zip through custom recovery. All you need is root access.
Just go to /system , edit your "build.prop" file and add the following lines:
fw.max_users=3
fw.show_multiuserui=1
Save and reboot your phone. Done! Tested on Micromax Canvas A1.
Click to expand...
Click to collapse
(Source - Thanks arpanbag1996)
Add another user in settings>accounts.
Switch to second user and add your work account.
Make sure not to use any app that removes full device encryption. (Example: bxActions)
I've done this on my own device (SM-960F/DS) and it works great!
Let me know if anyone had success with any other ways to do this. I'm always open to suggestions.
Reserved for updates and alternatives
Thanks a lot for this guide! However, unless I'm missing something here, this method doesn't create an actual work profile, but a rather a seperate user on the device that's devoted just for the G Suite account (as adding my G Suite account on the sub user does not even prompt me to create a Work Profile). On my current device, ZTE Axon 7, where I can use work profile version and my personal gmail app side by side as if they are two separate apps, instead having to switch user account.
And of course, I can just add my G Suite account to my main user since I guess I'll trade a bit of my privacy from corporate IT for convenience sake. On the other hand I wonder if @_alexndr can consider enabling this feature in DevBase...
Or use an app like Nine (by 9Folders) that enforces Exchange Security at the app level and doesn't require the device to be secure.
Or you can use Exchained to bypass the policy entirely for Exchange based BYOD policies.
Sent from my SM-N960F using Tapatalk
I'm pretty sure this thread is about G Suite and Android work profile and not the Microsoft's stuff?
Sent from my SM-N960F using Tapatalk
kgptzac said:
I'm pretty sure this thread is about G Suite and Android work profile and not the Microsoft's stuff?
Sent from my SM-N960F using Tapatalk
Click to expand...
Click to collapse
No, it is about Android Work profile.
Microsoft Itunes use Work profile
G Suite Idk use work profile
But All MDM use work profile since android 9 ( maybe 8)
This thread should be on every samsung device. Because the issue is caused by knox.
Would this work for my Samsung A70. Really looking for a answer.
I'm confused. So which option should I choose out of the above replies and OP's suggestion? I want to have my work account on my personal device. But my phone is rooted, Knox triggered.
"island" is the app you are looking for
Updated long back but still works pretty fine.
Try "island" from playstore
Not updated from quite long but will do the job.
futurepack said:
Updated long back but still works pretty fine.
Click to expand...
Click to collapse
I installed Island and its gives me "cannot create work profile" error. Tried to setup Island with root, and I got stage 1 error.
Remove knox
Knox uses the same method as island to create work profile. Try installation after removing Knox.
Is possible i use in n950f? i lost the work profile installing the rom deluxe, and i need to work.
Hey Guys, i also have a fresh rooted and with custom rom installed Samsung (S10e but i assume the model doesn't matter for this topic).
I also have a GSuite account from my company and don't get it managed to istalla work profile on my phone.
Just getting a error that i use an modified ROM and therefore a work profile cannot be installed.
I know such similar issues from my pixel 3 where i just use Magisk hide which unfortunately don't work on the Samsung.
Also tried exchained and Island app (cannot be installed) which also don't really work.
For me the app Island work!!! Really thanks i use deluxe Room in note 8.
But the add a icon in initial menu the icon os the same, dont haver a small bag BLUE in bottom
demercy said:
For me the app Island work!!! Really thanks i use deluxe Room in note 8.
But the add a icon in initial menu the icon os the same, dont haver a small bag BLUE in bottom
Click to expand...
Click to collapse
can you share how you did this? which MDM solution are you using?
Maybe he can fix the job profile just like patching the security folder, so that he can work on the device that Knox tripped over! There will always be incompatibility when setting the island!
Techronico said:
Does your workplace have a BYOD policy that enforces full device encryption?
Have you already unlocked your bootloader and rooted your device, thus tripping Samsung Knox?
Have you tried to use Android Work Profile only to find out that "Your custom OS" does not allow it even if you reverted to stock and unrooted? (I know, right?)
Here is the solution...
Steps
Unlock Bootloader and Install TWRP.
(Thanks dr.ketan and geiti94)
Install the Dev-Base ROM and force Encryption by using the Dev-base ROM file name tags/triggers. (Thanks _alexndr)
Upon booting for the first time, setup pin with the checkbox for booting with pin protection. (This is full device Encryption).
Reboot
Enable Multi User (Samsung has disabled this by default)
(Source - Thanks arpanbag1996)
Add another user in settings>accounts.
Switch to second user and add your work account.
Make sure not to use any app that removes full device encryption. (Example: bxActions)
I've done this on my own device (SM-960F/DS) and it works great!
Let me know if anyone had success with any other ways to do this. I'm always open to suggestions.
Click to expand...
Click to collapse
This is only a multi-user mode, and has nothing to do with the work profile!
demercy said:
For me the app Island work!!! Really thanks i use deluxe Room in note 8.
But the add a icon in initial menu the icon os the same, dont haver a small bag BLUE in bottom
Click to expand...
Click to collapse
Could you share with us how you managed that ?
I myself am unsuccessful installing Island because the work profile cannot be created....
I usually root every phone, but since this is something I do once a year, I tend to forget some basics (so bear with me). Other things, I actually never really knew.
Until now, rooting a phone and flashing a custom rom (or the factory image) were "one and done" things and I simply never updated my phone ever again, since OTA no longer works once the bootloader is unlocked, and installing a newer image forced me to wipe everything in TWRP or else I could no longer read the encrypted memory. Of course, that also forced me to re-root my phone and reinstall everything. A bit too much of a hassle for monthly security updates...
Nowadays, however, updates and security patches are more important than ever. And since I just received my rootable SD N9600, I want to do it correctly this time and stay up do date.
This begs the question: How *do* I stay up to date without basically factory-resetting, re-formatting and re-rooting my phone every month for every security update?
Google showed me a few solutions.
Pixel phones apparently have A/B partitions and a TWRP script. Not an option for the Note 9, though.
Flashfire apparently was the perfect solution that did exactly what I was looking for, but it has been abandoned by Chainfire and unfortunately it no longer works with newer Magisk versions. Even when I downgraded to a super old Magisk version, it would ultimately crash when starting the app (after receiving root permissions). So it doesn't seem to work, although staying on an old version of Magisk forever would not be an ideal solution anyway.
Is there anything like Flashfire or a simpler approach that I am missing?
Surely, I can't be the only rooted user who wants to install monthly security patches without wiping the entire phone.
Spaced Invader said:
I usually root every phone, but since this is something I do once a year, I tend to forget some basics (so bear with me). Other things, I actually never really knew.
Until now, rooting a phone and flashing a custom rom (or the factory image) were "one and done" things and I simply never updated my phone ever again, since OTA no longer works once the bootloader is unlocked, and installing a newer image forced me to wipe everything in TWRP or else I could no longer read the encrypted memory. Of course, that also forced me to re-root my phone and reinstall everything. A bit too much of a hassle for monthly security updates...
Nowadays, however, updates and security patches are more important than ever. And since I just received my rootable SD N9600, I want to do it correctly this time and stay up do date.
This begs the question: How *do* I stay up to date without basically factory-resetting, re-formatting and re-rooting my phone every month for every security update?
Google showed me a few solutions.
Pixel phones apparently have A/B partitions and a TWRP script. Not an option for the Note 9, though.
Flashfire apparently was the perfect solution that did exactly what I was looking for, but it has been abandoned by Chainfire and unfortunately it no longer works with newer Magisk versions. Even when I downgraded to a super old Magisk version, it would ultimately crash when starting the app (after receiving root permissions). So it doesn't seem to work, although staying on an old version of Magisk forever would not be an ideal solution anyway.
Is there anything like Flashfire or a simpler approach that I am missing?
Surely, I can't be the only rooted user who wants to install monthly security patches without wiping the entire phone.
Click to expand...
Click to collapse
n9600 has limited development from the community. so if you are not going to flash a custom rom( usually thats how people stay up to date) then you will have to go through the rooting procedure each time.
bober10113 said:
n9600 has limited development from the community. so if you are not going to flash a custom rom( usually thats how people stay up to date) then you will have to go through the rooting procedure each time.
Click to expand...
Click to collapse
So every solution that makes this easier is strictly device-specific and nothing like Flashfire (which would have worked regardless of community activity for the N9600) exists anymore?
Dark times indeed, almost makes me question if I should keep rooting my devices...
I have rooted note8 with decrypted data partition (no-verity... something script). I updated recently to newest firmware simply through odin. I flashed firmware preserving data (home csc file?). There was bootloop but after i flashed twrp and rooted with magisk phone started without problem and all settings and data was there. So this is solution for me, maybe it will work on note 9 too.
Spaced Invader said:
So every solution that makes this easier is strictly device-specific and nothing like Flashfire (which would have worked regardless of community activity for the N9600) exists anymore?
Dark times indeed, almost makes me question if I should keep rooting my devices...
Click to expand...
Click to collapse
Personally I'm sticking with phones officially supported by lineageOs (formerly cynogenmod) from now on.
Kriomag said:
I have rooted note8 with decrypted data partition (no-verity... something script). I updated recently to newest firmware simply through odin. I flashed firmware preserving data (home csc file?). There was bootloop but after i flashed twrp and rooted with magisk phone started without problem and all settings and data was there. So this is solution for me, maybe it will work on note 9 too.
Click to expand...
Click to collapse
Hi, I have a Note 9 that was rooted with Magisk and running on Oreo 8. I updated it via Odin to Android 10. I have a bootloop. What should I do? Please help me
I've wondered this ever since my Tab S8+ reported it's device status as official despite me having flashed the tablet with magisk-patched firmware and asked me to update. This same exact scenario has happened with my rooted Tab S7+. However, I rooted that by flashing Magisk in TWRP rather than flashing patched firmware with Odin. I don't think anyone has tried applying an OTA update on their rooted Tab S8 device since the latest firmware isn't available yet, and could result in needed to flash patched firmware again. Then again, most rooted device will have their devices report as custom instead of official, so that may be why.
I'm willing to try this out on my Tab S7+ first as that device has TWRP, and I can easily restore my device to a rooted state afterwards. Since both tablets are relatively similar, I'll assume that if root persists after updating in the Tab S7+ then it should be safe to do so on the S8+ I'm curious of doing this solely for stability and performance updates in combination with everything root access grants.
With any part of the firmware patched, OTAs won't work - they'll fail. You could also wind up with a brick - most likely one you can recover from but I wouldn't bet either way on that. As always, have everything backed up in case the worst happens.
Since I still won't get my Tab S8 Ultra for another 10 days (unless they delay again), I haven't paid too close attention to the rooting instructions specific to this, and have only made note of them, however, the basic rule still applies - if any part of the firmware has been modified from stock, then OTAs will recognize that it's been modified and fail to apply - or as I said, it could possibly try to apply what it can but you could wind up with a mix and match of different firmware versions due to the OTA failing eventually, which would need some manual work to recover from - or very worst, you might need to start over from scratch and lose everything.
When I'm on any rooted device, I go into Developer options and disable Automatic system updates. It's still possible you could get an update prompt if you manually check for an update, but it's not advised to use OTAs when rooted.
I've always been a practitioner on all devices of flashing the full new firmware updates and re-rooting, however, I know that at least with devices with dual system partitions like Google Pixels (as far as I'm aware, Samsung still hasn't adopted dual partitions yet), there have been ways to apply Magisk to a manually sideloaded OTA, although I've observed other users who do this and something inevitably goes wrong with the process from time to time.
Not that full firmware flashes are immune to things going wrong.
Edit: If you try an OTA on yours, by all means, let us know what happens.
Edit 2: Adding TWRP to the mix may, or may not, affect the viability of applying OTAs. I've hardly used TWRP on any device in the last five years, so I'm not sure if it's smart about some things and can take root into account, but since TWRP doesn't exist on the Tab S8 (I don't have any older Tab), it won't matter for me.
roirraW edor ehT said:
With any part of the firmware patched, OTAs won't work - they'll fail. You could also wind up with a brick - most likely one you can recover from but I wouldn't bet either way on that. As always, have everything backed up in case the worst happens.
Since I still won't get my Tab S8 Ultra for another 10 days (unless they delay again), I haven't paid too close attention to the rooting instructions specific to this, and have only made note of them, however, the basic rule still applies - if any part of the firmware has been modified from stock, then OTAs will recognize that it's been modified and fail to apply - or as I said, it could possibly try to apply what it can but you could wind up with a mix and match of different firmware versions due to the OTA failing eventually, which would need some manual work to recover from - or very worst, you might need to start over from scratch and lose everything.
When I'm on any rooted device, I go into Developer options and disable Automatic system updates. It's still possible you could get an update prompt if you manually check for an update, but it's not advised to use OTAs when rooted.
I've always been a practitioner on all devices of flashing the full new firmware updates and re-rooting, however, I know that at least with devices with dual system partitions like Google Pixels (as far as I'm aware, Samsung still hasn't adopted dual partitions yet), there have been ways to apply Magisk to a manually sideloaded OTA, although I've observed other users who do this and something inevitably goes wrong with the process from time to time.
Not that full firmware flashes are immune to things going wrong.
Edit: If you try an OTA on yours, by all means, let us know what happens.
Edit 2: Adding TWRP to the mix may, or may not, affect the viability of applying OTAs. I've hardly used TWRP on any device in the last five years, so I'm not sure if it's smart about some things and can take root into account, but since TWRP doesn't exist on the Tab S8 (I don't have any older Tab), it won't matter for me.
Click to expand...
Click to collapse
Just attempted to OTA update on my Tab S7+ after making a backup, and it failed. When it rebooted to start applying the update, it booted into recovery to start flashing, but since I have TWRP installed, it booted to that instead, went straight to the main menu, and didn't apply the update. It's extremely ironic; my tablet says it's running unauthorized software and will no longer receive firmware updates, but it also says my device status is official and allows me to download and install updates if I check for them (it'll even mention there's an update available without having automatic download installed).
I rebooted to system, it said they the update failed, and prompted me to download the update again and try again. I can't tell if anything got affected since it seems like because the update failed, nothing got applied or changed. This makes me slightly less willing to try and OTA update on the Tab S8+. However, since the stock recovery is still in place (no TWRP yet), the update process would probably go a long smoother. Not to mention, if something was to go wrong, and I needed to flash patched firmware again, I could just flash HOME_CSC instead of the regular CSC so I can keep my data. There's no guarantee that will work, as a failed update could require my system to prompt me to factory data reset anyway, but it's definitely an option that's available.
I'll backup whatever I can before attempting this, and I'll post the results later.
Answer would be no, doing OTA requires bootloader to be locked. But since you rooted, then you have unlocked the bootloader. So if your tab s8+ has locked bootloader then OTA will pass without a problem.
Jake.S said:
Answer would be no, doing OTA requires bootloader to be locked. But since you rooted, then you have unlocked the bootloader. So if your tab s8+ has locked bootloader then OTA will pass without a problem.
Click to expand...
Click to collapse
Really? I thought having an unlocked bootloader would be a non-issue since you can flashing official and unofficial firmware with an unlocked bootloader. Not to mention that the recovery has remained unaffected, and stock recovery needs to be accessed to apply the update.
SavXL said:
Really? I thought having an unlocked bootloader would be a non-issue since you can flashing official and unofficial firmware with an unlocked bootloader. Not to mention that the recovery has remained unaffected, and stock recovery needs to be accessed to apply the update.
Click to expand...
Click to collapse
when unlocking bootloader you have to manually flash the stock firmware. Since OTA becomes unavailable when bootloader is unlocked. So if root is done in for example android 12 and you get a monthly patch then it will revoke the root since root usually modifies the OS files and gives you the root access sort off and flashing a update will write over those files and your root privileges will be removed.
Jake.S said:
when unlocking bootloader you have to manually flash the stock firmware. Since OTA becomes unavailable when bootloader is unlocked. So if root is done in for example android 12 and you get a monthly patch then it will revoke the root since root usually modifies the OS files and gives you the root access sort off and flashing a update will write over those files and your root privileges will be removed.
Click to expand...
Click to collapse
Huh. I thought that doing an OTA update wouldn't remove anything that was already a part of the system and would just just update whatever needed to be updated and called it a day. With the method of patching the firmware and flashing it, I assume root would just be a regular part of the system, and an OTA update wouldn't affect it. Odd...
SavXL said:
Huh. I thought that doing an OTA update wouldn't remove anything that was already a part of the system and would just just update whatever needed to be updated and called it a day. With the method of patching the firmware and flashing it, I assume root would just be a regular part of the system, and an OTA update wouldn't affect it. Odd...
Click to expand...
Click to collapse
That is because your normal access is only admin not root. So it has almost full rights, but when you add root access it is mostlikely a modification that you have to do, either by a command or flashing a file. But updating the OS will revoke the root since method you used becomes unavailable for next update which is why it can reset your changes backwards so your root privileges becomes lost and your access is back to default as before. But I wouldn't touch bootloader since doing that also bricks KNOX so features for KNOX will become permanently disabled since it requires a working Knox chip to work, but since KNOX chip fuse becomes blown when bootloader is unlocked then feature like Samsung pass, samsung secret folder and such will no longer work.
Jake.S said:
That is because your normal access is only admin not root. So it has almost full rights, but when you add root access it is mostlikely a modification that you have to do, either by a command or flashing a file. But updating the OS will revoke the root since method you used becomes unavailable for next update which is why it can reset your changes backwards so your root privileges becomes lost and your access is back to default as before. But I wouldn't touch bootloader since doing that also bricks KNOX so features for KNOX will become permanently disabled since it requires a working Knox chip to work, but since KNOX chip fuse becomes blown when bootloader is unlocked then feature like Samsung pass, samsung secret folder and such will no longer work.
Click to expand...
Click to collapse
Turns out you were absolutely correct. I downloaded and attempted to install the update, it booted into the stock recovery and got to 25% before erroring out. It booted back into Android and said that the update failed. Thankfully, nothing ended up getting removed or corrupted, and I still have root access. Guess I gotta stick to finding the latest firmware and patching it. ¯\_(ツ)_/¯
As I understand it, the pixel dialer now has a call recording capability built in, but its only enabled on a per country basis. Even though its legal to do single party recording in my jurisdiction, its not enabled. I had the same issue with my old one plus 7t, but I was able to force it via some automatable adb magic. Is there any way to do this for the Pixel 7?
possible only after root.
How? Please elaborate. Thanks
How to root P7
How to unlock the bootloader and root the Google Pixel 7 or Pixel 7 Pro with Magisk
Planning to root your Google Pixel 7 or Pixel 7 Pro? Here's how to unlock the bootloader and root the latest 2022 Pixel phones with Magisk!
www.xda-developers.com
GoogleDialerMod-Magisk
GitHub - jacopotediosi/GoogleDialerMod-Magisk: A deprecated module to tweak Google Dialer (Phone by Google) Android application to enable hidden features like call recording. Use https://github.com/jacopotediosi/GoogleDialerMod instead.
A deprecated module to tweak Google Dialer (Phone by Google) Android application to enable hidden features like call recording. Use https://github.com/jacopotediosi/GoogleDialerMod instead. - GitHu...
github.com
is it possible to root the phone, make the change to the db, then undo the changes (i.e. I'd rather not have my phone be rootable in general), also somewhat (small) worried about things breaking because of security checks after rooting. And it be nice to be able to use OTA upgrades.
No, it's not possible.
After unrooting, the bootloader must be locked, which will wipe data
efkosk said:
No, it's not possible.
After unrooting, the bootloader must be locked, which will wipe data
Click to expand...
Click to collapse
so the only way to do it in a way that could be preserved while maintaining the ability to do OTAs and the like would be if an user accessible exploit was discovered that enabled users to modify the sqlite db and that the OTAs don't overwrite said db? (big assumption, dont know if its true).
i.e. thinking creatively.for pixel 6
1) install the original firmware - i.e. from https://developers.google.com/android/images
2) somehow make use of dirty pipe to gain root, make the changes directly with sqlite, reboot, and phone will still be locked no longer rootable, but changes should persist in db.
and as phone was never unlocked, OTAs should work?
though, even if this is all true, doesn't help pixel 7 users (today). Also doesn't help if db gets overwritten fully (which even if small OTAs dont, I'd imagine, that the android 12-13 upgrade might have?, but again, assumption).
"somehow make use of dirty pipe to gain root" is comical. Do it like this somehow, but I don't know how.. :- D
No need to worry about root.
OTA works, you just have to use pixelflasher for that. It's not a problem and everything works perfectly.