I am going to root my Nexus 5x very soon. I have some doubts, please help me to clarify those.
1. If I want to go with systemless root, I wouldn't have to flash modified boot.img. In that case will I be able to disable force encryption? If yes how?
2. If I have understood it correctly, in order to have disabled force encryption, I have to wipe user data after flashing SuperSU zip. Now in order to keep the encryption disabled, I have to wipe user data each time I flash a custom ROM or kernel?
I may seem noob in this question, but I am going through these encryption business for the very first time, so I thought its better to clarify rather than bricking my first Nexus [emoji6]
Thanks in advance.
Sent from my C6902 using Tapatalk
nondroid said:
I am going to root my Nexus 5x very soon. I have some doubts, please help me to clarify those.
1. If I want to go with systemless root, I wouldn't have to flash modified boot.img. In that case will I be able to disable force encryption? If yes how?
2. If I have understood it correctly, in order to have disabled force encryption, I have to wipe user data after flashing SuperSU zip. Now in order to keep the encryption disabled, I have to wipe user data each time I flash a custom ROM or kernel?
I may seem noob in this question, but I am going through these encryption business for the very first time, so I thought its better to clarify rather than bricking my first Nexus [emoji6]
Thanks in advance.
Sent from my C6902 using Tapatalk
Click to expand...
Click to collapse
You need to reformat userdata to remove the encryption. You do not need to continue to wipe after that for encryption purposes since it wont get re-encrypted unless forced encryption is enabled or you encrypt it. You will need to have a kernel/boot.img without forced encryption or it will re encrypt itself.
Systemless root has nothing to do with encryption and you could flash TWRP and root with SuperSU 2.6+ and still be encrypted.
A good starting place here
If I have got it right then I have to either flash boot.img or a kernel that disables force encryption in order to continue disabled force encryption.
Thanks for the clarification.
Sent from my C6902 using Tapatalk
Keithn said:
Systemless root has nothing to do with encryption and you could flash TWRP and root with SuperSU 2.6+ and still be encrypted.
Click to expand...
Click to collapse
Right and wrong at the same time...
Systemless root does disable force encryption: http://forum.xda-developers.com/apps/supersu/wip-android-6-0-marshmellow-t3219344
The stock kernel will force encryption.
The stock kernel + systemless SuperSU will not force encryption.
Assuming you have all stock but TWRP installed, you would format data to remove encryption, then flash systemless root to stay unencrypted.
berndblb said:
Right and wrong at the same time...
Systemless root does disable force encryption: http://forum.xda-developers.com/apps/supersu/wip-android-6-0-marshmellow-t3219344
The stock kernel will force encryption.
The stock kernel + systemless SuperSU will not force encryption.
Assuming you have all stock but TWRP installed, you would format data to remove encryption, then flash systemless root to stay unencrypted.
Click to expand...
Click to collapse
I see that the posted boot images don't have forced encryption along with other changes, but I didn't see anything saying it was necessary to use a kernel without forced encryption to have root. Does flashing 2.60+ also modify the kernel to disable force encryption (If enabled) when it does the necessary modifications for root? You can still be encrypted with systemless root so I figured that forced encryption would have no impact on the systemless root.
Edit- Looked at the script and it looks like it is supposed to. So whether it actually matters or not, it won't force encrypt after flashing SuperSU.
Related
Hey
I disabled encryption my Nexus 5X once I was on 6.0 using TWRP.
Now after upgrading to 6.0.1 the device is encrypted again.
How can I avoid that in the future? I want to device to stay decrypted when I upgrade.
Thanks
When upgrading, if you flash the stock boot/kernel and start up Android it will encrypt your data again. To avoid this make sure you flash a custom boot/kernel that does not force exception before booting into Android
So installing twrp and elementalx right after upgrading should be OK?
Upgrade
Flash TWRP
Format
Flash systemless SuperSU
Flash ex kernel
That's the order I did it in and my phone is not encrypted
If you are already decrypted, upgrade by flashing system.img (along with vendor, radio, bootloader). Don't flash data.img, so you don't lose your current data. You also won't need to format the data partition if you are already decrypted.
Just make sure you flash a modified boot.img each time you upgrade before booting back into the system (best to make sure the modified boot.img is for that specific build) - or go systemless and flash SuperSU that modifies the boot.img automatically to remove encryption.
Thanks I'll do that next time!
I'm completely stock and have the same issue after 6.0.1 upgrade. Phone shows as encrypted and nothing happens when I tap on it.
Any suggestions?
Sent from my Nexus 5X using Tapatalk
hamedunix said:
I'm completely stock and have the same issue after 6.0.1 upgrade. Phone shows as encrypted and nothing happens when I tap on it.
Any suggestions?
Sent from my Nexus 5X using Tapatalk
Click to expand...
Click to collapse
Then it already is encrypted. You need to format data in twrp and flash modified boot.img / systemless root / kernel that doesn't force encryption
All your data will be lost..
tacofromhell said:
Then it already is encrypted. You need to format data in twrp and flash modified boot.img / systemless root / kernel that doesn't force encryption
All your data will be lost..
Click to expand...
Click to collapse
Coming from Nexus 4, I'm new to encryption by default. So nexus 5x is encrypted and there's no way a normal user could decrypt it. I think I'd be fine with that. [emoji4]
Sent from my Nexus 5X using Tapatalk
hamedunix said:
Coming from Nexus 4, I'm new to encryption by default. So nexus 5x is encrypted and there's no way a normal user could decrypt it. I think I'd be fine with that. [emoji4]
Sent from my Nexus 5X using Tapatalk
Click to expand...
Click to collapse
Well, if you're a "normal user" you'd probably don't even know your phone is encrypted.
You probably also won't even know what root is. Most users just want it to work and nothing more.
Forced encryption is an inconvenient thing for us 'advanced users' though.
peltus said:
Well, if you're a "normal user" you'd probably don't even know your phone is encrypted.
You probably also won't even know what root is. Most users just want it to work and nothing more.
Forced encryption is an inconvenient thing for us 'advanced users' though.
Click to expand...
Click to collapse
Been into rooting and stuff like that; however, I don't mind encryption as long as it won't affect my experience on N5X.
Sent from my Nexus 5X using Tapatalk
Update (May 20): Update to latest version 2.74-2
All versions after SuperSU 2.72 has force encrypt support built in. However it will still disable force encryption by default, you have to set flags manually.
I only modified the default value of the force encrypt flag in the flashing script, so no need to worry that this might break things
If your OCD forces you to use the official version, please look here for instructions to set the flag manually by yourself.
Hi, many people have their hands on the HTC 10, and you may found out that wiping data after rooted with SuperSU, your signal will be broken.
This is caused by the fact that by default, SuperSU's flashing script will change the data encryption flag from "forceencrypt" to "encryptable". If you wiped data after the flag is set to "encryptable", your data partition will be decrypted. In many times, decrypted data is good, but on the HTC 10, for some unknown reason the signal will break with data decrypted.
More info here:
[PSA][MUST SEE] New HTC Policy : Things You Should Know Before Unlocking Bootloader
This issue has caught more attention after an S-OFF method is available. You're required to have root and wipe data after gaining S-OFF. The developer of the S-OFF tool has created a tutorial for this particular problem, you can find it here:
[Guide] Root (Optionally s-off) and Keep your radio working
I slightly modified the SuperSU flashing script, so now it won't change the encryption flag.
This zip will remain useful until we find a way to decrypt our data partition with working signal.
Hi,
this works without problems, big tanks. Device is rooted now.
regards
starbase64
Big thanks. I wish I would have had this yesterday afternoon!
Now I just need to get a stock 1.21.617.3 image to start again with my US unlocked. If anyone has it, please let me know.
Is there a way to manually change the flag back to forceencrypt?
MNoisy said:
Big thanks. I wish I would have had this yesterday afternoon!
Now I just need to get a stock 1.21.617.3 image to start again with my US unlocked. If anyone has it, please let me know.
Is there a way to manually change the flag back to forceencrypt?
Click to expand...
Click to collapse
I have TWRP images for system_image and boot if you need them to fix broken signal as per @jcase. We're both 1.21.617.3
datafoo said:
I have TWRP images for system_image and boot if you need them to fix broken signal as per @jcase. We're both 1.21.617.3
Click to expand...
Click to collapse
Yes yes yes please! THANK YOU!
Where can I find them?
Nice buddy, will update the method used in my build, makes life a lot easier.
I had considered making similar modifications but you appear to have beaten me too it
topjohnwu said:
Hi, many people have their hands on the HTC 10, and you may found out that wiping data after rooted with SuperSU, your signal will be broken.
This is caused by the fact that by default, SuperSU's flashing script will change the data encryption flag from "forceencrypt" to "encryptable". If you wiped data after the flag is set to "encryptable", your data partition will be decrypted. In many times, decrypted data is good, but on the HTC 10, for some unknown reason the signal will break with data decrypted.
More info here:
[PSA][MUST SEE] New HTC Policy : Things You Should Know Before Unlocking Bootloader
This issue has caught more attention after an S-OFF method is available. You're required to have root and wipe data after gaining S-OFF. The developer of the S-OFF tool has created a tutorial for this particular problem, you can find it here:
[Guide] Root (Optionally s-off) and Keep your radio working
Here I come up with a more elegant solution. I slightly modified the SuperSU flashing script, so now it won't change the encryption flag, and also won't remove dm-verify.
NOTE: If your boot image is already modified, it will not reset the flag back to forceencrypt. You have to restore to the stock boot image, then flash this zip. The way I accomplished this is reverting a few modification from the previous ramdisk, so the ramdisk itself has to be stock.
Devs can include this zip into their rom, so users can wipe their whole data with your rom installed.
This zip will be useful until we find a way to decrypt our data partition with working signal.
Click to expand...
Click to collapse
I would NOT use this zip to root the HTC 10, you really need to remove verity, this is going to cause many many many issues, its going to softbrick a huge number of phones, anything from a lot of root apps, to restoring a twrp backup is going to trip dm-verity
SuperSU v2.72 has all of this built in via KEEPVERITY and KEEPFORCEENCRYPT flags. It's not publicly released yet but will be within a few days.
Chainfire said:
SuperSU v2.72 has all of this built in via KEEPVERITY and KEEPFORCEENCRYPT flags. It's not publicly released yet but will be within a few days.
Click to expand...
Click to collapse
Out of curiosity, where will we put those flags? /data/.supersu isn't an option, because /data is encrypted and unmountable, and /system/.supersu isn't an option if /system is read-only and we want to preserve dm-verity.
jcase said:
I would NOT use this zip to root the HTC 10, you really need to remove verity, this is going to cause many many many issues, its going to softbrick a huge number of phones, anything from a lot of root apps, to restoring a twrp backup is going to trip dm-verity
Click to expand...
Click to collapse
My system is modified, but everything is working fine. I'm using this without a problem so I shared it.
Is it because my device is S-OFF? If this is the case, then I'll remove the link. Thanks for the kind remind.
topjohnwu said:
My system is modified, but everything is working fine. I'm using this without a problem so I shared it.
Is it because my device is S-OFF? If this is the case, then I'll remove the link. Thanks for the kind remind.
Click to expand...
Click to collapse
I'd have to look at the zip and test to see why. It could be that your particular firmware isn't actually enforcing dm-verity (I believe google mandates this on 6.0+), that HTC disables enforcing when s-off or the zip isn't properly enforcing verity.
Best advice is not to enforce verity on system if you are rooted.
What should (and did for my phone) happen if you have dm-verity enabled on system and a modified system is the phone shouldn't successfully boot.
Captain_Throwback said:
Out of curiosity, where will we put those flags? /data/.supersu isn't an option, because /data is encrypted and unmountable, and /system/.supersu isn't an option if /system is read-only and we want to preserve dm-verity.
Click to expand...
Click to collapse
I've added /cache/.supersu as location specifically for those devices with a TWRP that can't read encrypted /data.
Still, you can echo to /data/.supersu even if /data isn't mounted and that'll still work. It just will not persist between boots.
Custom ROM devs should put it in /system/.supersu, though, or set the variable in shell and export that variable (important!) before running the SuperSU ZIP.
Chainfire said:
I've added /cache/.supersu as location specifically for those devices with a TWRP that can't read encrypted /data.
Still, you can echo to /data/.supersu even if /data isn't mounted and that'll still work. It just will not persist between boots.
Custom ROM devs should put it in /system/.supersu, though, or set the variable in shell and export that variable (important!) before running the SuperSU ZIP.
Click to expand...
Click to collapse
Will that cause complications for users who wipe cache often?
Sorry everyone, didn't though much about the dm_verity.
Re-uploaded one with dm_verity removed.
Everyone should re-flash this zip if you've used the old one, thanks a lot.
@LeeDroid, could you please test if this works on your rom?
topjohnwu said:
Sorry everyone, didn't though much about the dm_verity.
Re-uploaded one with dm_verity removed.
Everyone should re-flash this zip if you've used the old one, thanks a lot.
@LeeDroid, could you please test if this works on your rom?
Click to expand...
Click to collapse
Will have a bash tonight mate
topjohnwu said:
Sorry everyone, didn't though much about the dm_verity.
Re-uploaded one with dm_verity removed.
Everyone should re-flash this zip if you've used the old one, thanks a lot.
@LeeDroid, could you please test if this works on your rom?
Click to expand...
Click to collapse
still no go on boot
LeeDroid said:
still no go on boot
Click to expand...
Click to collapse
Yeah... Just tested myself and it won't boot.
It's weird though, it can boot on my modified system
I might need more investigation, or just wait for Chainfire to release the new update.
Is it OK to use SYSTEMLESS with your current build?
Thanks
ah, perhaps encountered a blarf
you wanna stick with blarp ... he's much nicer
topjohnwu said:
Yeah... Just tested myself and it won't boot.
It's weird though, it can boot on my modified system
I might need more investigation, or just wait for Chainfire to release the new update.
Click to expand...
Click to collapse
Ahh, I knew why.
I cannot separate the forceencrypt flag patch and verify flag by modifying the script.
Had to wait for Chainfire to release new version, or we have to manually modify the boot image.
hi, I unlocked and rooted my nexus with 5x stock rom 7.1.1
I try to disable the encryption of files by formatting the data partition, but if you check in the SECURITY settings, the phone is always encrypted.
What am I doing wrong? Thank you.
Decrypt Question
Are you flashing SuperSu to patch kernel to remove forced encryp or flashing a custom kernel to remove it? If not, the stock kernel will re-encrypt upon boot.
I think that is normal, mine also shows encrypted currently with a stock kernel. Only time I need to decrypt is in TWRP, and instead of a password, I'm using a pattern.
TypNguy said:
I think that is normal, mine also shows encrypted currently with a stock kernel. Only time I need to decrypt is in TWRP, and instead of a password, I'm using a pattern.
Click to expand...
Click to collapse
That's probably not the kind of decryption he was looking for.
The correct answer has been given
thanks for the answers, but I still have the same problem.
I rooted, I installed the latest TWRP recovery, as well installed nexus ...
Then I formatato the DATA partition.
Start the well nexus (latest version) and under the heading Safety, the phone is still encrypted!
The kernel of pure nexus is stock?
I was wondering if there existed a 'no-force encrypt' kernel I could flash to the Pixel C on 8.1.0?
Format data and then install magisk.
Monazite said:
Format data and then install magisk.
Click to expand...
Click to collapse
Thanks. I wish it had been that simple .If I do this I think (and Iam not so sure) that wiping the data partition did remove the encryption. I then flashed Magisk. But when I rebooted to TWRP, the system was encrypted again, asking me for a password which I haven't got. Is there not a 'no-force encryption file I am supposed to flash before or after I flash Magisk, to prevent the system from encrypting again?
fgaine said:
Thanks. I wish it had been that simple .If I do this I think (and Iam not so sure) that wiping the data partition did remove the encryption. I then flashed Magisk. But when I rebooted to TWRP, the system was encrypted again, asking me for a password which I haven't got. Is there not a 'no-force encryption file I am supposed to flash before or after I flash Magisk, to prevent the system from encrypting again?
Click to expand...
Click to collapse
Have you checked encrypted status in settings? Magisked boot.img should have disabled encryption if data partition is not encrypted. Or you need flash another kernel?
Sent from my Google Pixel 2 using XDA Labs
fgaine said:
Thanks. I wish it had been that simple .If I do this I think (and Iam not so sure) that wiping the data partition did remove the encryption. I then flashed Magisk. But when I rebooted to TWRP, the system was encrypted again, asking me for a password which I haven't got. Is there not a 'no-force encryption file I am supposed to flash before or after I flash Magisk, to prevent the system from encrypting again?
Click to expand...
Click to collapse
https://forum.xda-developers.com/pi...yflasher-make-install-custom-kernels-t3537487
JUST WANT TO DISABLE VERITY/ENCRYPTION?
You can build lazyflasher by itself, empty, without a kernel Image.fit or modules and flash it!
It's already set up to automatically disable verity and make encryption optional.
Alternatively, there's a branch already set up called no-verity-opt-encrypt. You can find prebuilt official zips at:
https://build.nethunter.com/android-tools/no-verity-opt-encrypt/
Install as last step - after Magisk installation .. but normally Magisk is removing force-encryption too.
Are you sure you did format /data ?
Just wiping is not enough !
As it's not a development topic this thread should be moved to QA section ..
Anyway .. Good luck !
followmsi said:
https://forum.xda-developers.com/pi...yflasher-make-install-custom-kernels-t3537487
JUST WANT TO DISABLE VERITY/ENCRYPTION?
You can build lazyflasher by itself, empty, without a kernel Image.fit or modules and flash it!
It's already set up to automatically disable verity and make encryption optional.
Alternatively, there's a branch already set up called no-verity-opt-encrypt. You can find prebuilt official zips at:
https://build.nethunter.com/android-tools/no-verity-opt-encrypt/
Install as last step - after Magisk installation .. but normally Magisk is removing force-encryption too.
Are you sure you did format /data ?
Just wiping is not enough !
As it's not a development topic this thread should be moved to QA section ..
Anyway .. Good luck !
Click to expand...
Click to collapse
Thanks for the info. I'll try that later on. Don't fancy formatting and having to reinstall everything again for now. Cheers.
Hello everyone!
I want to root my phone, but have some question before starting the process, because something maybe will not work as expected.
1. The main propose of my root is to install Cerberus as system app, wich will protect the app from a hard reset;
2. I want to remove some useless apps, like lens, google files, and others (I have found some posts with is safe to disable/remove);
3. I want to integrate the app's updates the phone receives after setting an account. I have used Link2SD on previous phones;
4. MAYBE I will install Butterfly For Daisy (the multitasking is annoying!!), so, maybe I'll install Kernel Auditior as system app.
5. I'll NOT use custom ROM, I'll keep Android One experience for now.
So, as far I read, to complete the root process, I have to disable encryption on phone. The problem is: i use 4 accounts on my phone, one of them is a Google App one, wich means when I configure it, it will ask to encrypt my phone. Google Apps accounts ALWAYS use encryption on my organization, is mandatory. So...
A. Can I root without disable encryption?
B. Can I just boot TWRP to root, without permanently install it?
C. I'll have phone updates problems with questions 1, 2, 3 and 4 above?
D. Will a Google App account work on a rooted phone with Magisk for Mi A2 Lite?
E. Magisk Manager will be installed as system app or user app? Because Cerberus will use root. If I reset the phone, I'll lose Magisk Manager if it is installed as user, so Cerberus will not get root permissions and will not work properly.
Thank you in advice, and sorry for tons of questions.
romulocarlos said:
A. Can I root without disable encryption?
B. Can I just boot TWRP to root, without permanently install it?
C. I'll have phone updates problems with questions 1, 2, 3 and 4 above?
D. Will a Google App account work on a rooted phone with Magisk for Mi A2 Lite?
E. Magisk Manager will be installed as system app or user app? Because Cerberus will use root. If I reset the phone, I'll lose Magisk Manager if it is installed as user, so Cerberus will not get root permissions and will not work properly.
Click to expand...
Click to collapse
A. Magisk/root works fine with encryption.
B. Don't use TWRP to root. But you can boot it without installing (fastboot boot image.img)
C. Follow the process in the Magisk guide thread to install OTAs.
D. No idea
E. User app. It gives itself root via Magisk.
If you modify the system image you'll have a much harder time doing OTAs. You must have unmodified partitions to install OTAs. I do this to get a dark bootanim, but for install/remove system apps you'd be much better off to use Magisk modules. There's modules for both systemizing apps and hiding system apps.
a1291762 said:
A. Magisk/root works fine with encryption.
B. Don't use TWRP to root. But you can boot it without installing (fastboot boot image.img)
C. Follow the process in the Magisk guide thread to install OTAs.
D. No idea
E. User app. It gives itself root via Magisk.
If you modify the system image you'll have a much harder time doing OTAs. You must have unmodified partitions to install OTAs. I do this to get a dark bootanim, but for install/remove system apps you'd be much better off to use Magisk modules. There's modules for both systemizing apps and hiding system apps.
Click to expand...
Click to collapse
Thank you.
A. OK, I'll try soon
B. Ok, I'll use it to take a full backup before start the process
C. You mean your guide or BubuXP's? In fact, BubuXP's seems easier to do!
D. Let's cross fingers...
E. Can I convert it to system? Like I sayed, Cerberus will need root after a reset. Without Manager, I'll not see the warning to grant root access, don't?
I'll search for these modules. Thank you.
romulocarlos said:
C. You mean your guide or BubuXP's?
E. Can I convert it to system? Like I sayed, Cerberus will need root after a reset. Without Manager, I'll not see the warning to grant root access, don't?
Click to expand...
Click to collapse
C. If you just have Magisk, use bubuxps guide. My guide is if you have magisk and twrp and want to do otas. It's mostly the same, with extra steps.
E. Magisk Manager does not need to be a system app. It won't help you if it lives on /system and Magisk gets removed.
Factory reset doesn't touch boot so I guess if you intend to do factory reset often it might be useful to put apps on system. But by doing so, you'll make it much harder to take OTAs.
To take an OTA you'll need to flash the original system, apply the ota then apply your system changes again. If you're upgrading to a release without fastboot images you'll want to take a backup of system before you modify it.
It might even be worthwhile only upgrading to fastboot releases because you'll have the backup and can modify the images before you flash them, avoiding booting without your customizations.
a1291762 said:
C. If you just have Magisk, use bubuxps guide. My guide is if you have magisk and twrp and want to do otas. It's mostly the same, with extra steps.
E. Magisk Manager does not need to be a system app. It won't help you if it lives on /system and Magisk gets removed.
Factory reset doesn't touch boot so I guess if you intend to do factory reset often it might be useful to put apps on system. But by doing so, you'll make it much harder to take OTAs.
To take an OTA you'll need to flash the original system, apply the ota then apply your system changes again. If you're upgrading to a release without fastboot images you'll want to take a backup of system before you modify it.
It might even be worthwhile only upgrading to fastboot releases because you'll have the backup and can modify the images before you flash them, avoiding booting without your customizations.
Click to expand...
Click to collapse
Thank you again. But...
C. I used BubuXP's guide. Works well. I just need an updated "Disable-Force-Encryption-Treble.zip", because it install an older version of Magisk, and I need encryption disabled to make backups, as TWRP can't make backup on /data.
E. Well, Magisk itself won't be removed after a reset, but if Magisk Manager is removed, how an app will get root permissions? The warning about the permissions comes from Magisk Manager, not from Magisk itself (the one on boot), don't?
And, yes, I want some apps on /system, as Cerberus, for example. I'll put the updates on /system, also. It makes easier to handle the phone after a reset. I don't mind too much to OTAs, as we can download the whole ROM and flash it as I need.
EDIT: don't need an updated "disable-force-encription". Just installed lastest Magisk version in TWRP after disable-force-encription.