Can't set new password/pin/fingerprint after deleting locksettings.db - Xiaomi Redmi Note 7 Questions & Answers

As I was trying to update my EEA global stable rom 10.2.7 to the latest release (10.3.3), I followed a guide to accomplish that without losing TWRP and my /data partition. I flashed a zip called DisableForceEncryption_Treble_v18.0.zip after flashing the new rom but before reflashing magisk. As a matter of fact I could boot into the new ROM with all my data intact, but TWRP was overwritten by the official MIUI recovery.
As I flashed TWRP again via fastboot, my device was encrypted again and I had to format my /data partition.
So I restored my /data backup and booted into MIUI again, that asked for my PIN. The PIN I previously set was not working anymore so I had to delete /data/system/locksettings.db and I was able to access the OS again. Funny thing, my fingerprints were still there and still worked to unlock the phone.
Finally, I wanted to create a new PIN or Password. It asked me for a new PIN and then again to confirm it. As it seems to have accepted my newly registered PIN, it does not work when I try to unlock my phone! So I have to delete locksettings.db again (which seems to be the only file I could find that relates to lock settings). Every time I create a new PIN, it lets me register it but then it's like it doesn't match with what I type when it asks for it to unlock the phone.
What did I do wrong? How can I restore my lock settings?
Thanks for reading so far!

That's weird.
Something similar happened to me a few days ago and I could set a new lock again with no problem.
Does it happen only with PIN? Have you tried with PATTERN?

Schnedi said:
That's weird.
Something similar happened to me a few days ago and I could set a new lock again with no problem.
Does it happen only with PIN? Have you tried with PATTERN?
Yes, it happens with PIN, password or pattern regardless. Whatever I set, it stores it, but when asked to unlock the screen or enter security settings it just rejects it.
P.S.: This might be unrelated: I don't know if Magisk 19.3 behaves like this or not, but since I installed it the Mi Unlock status is uncertain (it said "Unlocked" before, now it lets me enter on the prompt as it was the first time unlocking the phone). So I rebooted to bootloader and ran "fastboot oem device-info" which correctly reported that my device was unlocked.

Just in case... here is what i found in logcat.
Here is when I create a new PIN:
Code:
:/ # logcat |grep password
06-09 05:07:05.130 1453 1453 E LockSettingsStorage: Cannot read file java.io.FileNotFoundException: /data/system/gatekeeper.password.key: open failed: ENOENT (No such file or directory)
06-09 05:07:05.130 1453 1453 E LockSettingsStorage: Cannot read file java.io.FileNotFoundException: /data/system/password.key: open failed: ENOENT (No such file or directory)
06-09 05:14:16.049 1453 5555 W LockSettingsService: Synthetic password not enabled
Then i put it in again to confirm that it is right (it accepts it)
Code:
06-09 05:14:16.902 1453 5555 W LockSettingsService: Synthetic password not enabled
And finally when I click OK and the screen goes back to settings and it shows that I have set a lockscreen password.
Code:
06-09 05:14:22.326 1043 1043 I keystore: del USRPKEY_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.328 1043 1043 I keystore: del USRCERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.329 1043 1043 I keystore: del CACERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.333 1043 1043 I keystore: del USRPKEY_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.334 1043 1043 I keystore: del USRCERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.335 1043 1043 I keystore: del CACERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.733 1043 1043 I keystore: del USRPKEY_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.734 1043 1043 I keystore: del USRCERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.735 1043 1043 I keystore: del CACERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.736 1043 1043 I keystore: del USRPKEY_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.737 1043 1043 I keystore: del USRCERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.737 1043 1043 I keystore: del CACERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.803 1043 1043 I keystore: del USRPKEY_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.815 1043 1043 I keystore: del USRCERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.817 1043 1043 I keystore: del CACERT_synthetic_password_8719d7af3fc103f4 1000
And here is the error when I try to unlock the screen with the (correct) PIN that gets rejected:
Code:
06-09 05:19:37.552 634 634 E GatekeeperHalDevice: verify
06-09 05:19:37.552 634 634 E GatekeeperHalDevice: ret: 0
06-09 05:19:37.552 634 634 E GatekeeperHalDevice: resp->status: -24
06-09 05:19:37.558 2305 2305 D KeyguardSecurityView: reportFailedPatternAttempt: #2
06-09 05:19:37.591 1453 1543 E UsbDeviceManager: handle message = 6
06-09 05:19:37.592 2305 2667 D KeyguardViewMediator: setKeyguardEnabled(true)
06-09 05:19:37.612 2305 2305 D KeyguardViewMediator: handleKeyguardDoneDrawing
06-09 05:19:37.621 2305 2305 V KeyguardUpdateMonitor: startListeningForFingerprint()

thunderteaser said:
... As I flashed TWRP again via fastboot, my device was encrypted again and I had to format my /data partition.
So I restored my /data backup and booted into MIUI again, that asked for my PIN. The PIN I previously set was not working anymore so I had to delete /data/system/locksettings.db and I was able to access the OS again. Funny thing, my fingerprints were still there and still worked to unlock the phone.
Do I understand correctly that you restored a backup of an encrypted data partition to an unencrypted data partition? If so, you will definitely have problems. If your device is encrypted, you probably should try restoring the backup again. If you are not encrypted, then you need to understand that, on lavender, setting pins/passwords, etc., will not work correctly if the device is not encrypted. Why? You would need to ask Xiaomi's programmers. But that is the situation.
In the end, you might need to do a clean flash ...

DarthJabba9 said:
Do I understand correctly that you restored a backup of an encrypted data partition to an unencrypted data partition? If so, you will definitely have problems. If your device is encrypted, you probably should try restoring the backup again. If you are not encrypted, then you need to understand that, on lavender, setting pins/passwords, etc., will not work correctly if the device is not encrypted. Why? You would need to ask Xiaomi's programmers. But that is the situation.
In the end, you might need to do a clean flash ...
Thanks for your answer. My backup comes from a /data partition that was originally formatted via TWRP when I unlocked the bootloader and rooted it, so it should be decrypted. If setting a PIN means encrypting data once again, then you are correct, as I backed up my partition with all of my lock settings stored. But to answer your question: I don't know. It just makes no sense to me, as I was able to restore my data and everything works smoothly besides the lock settings. I just know that most of my problems come from having an unreliable TWRP which doesn't support MIUI encryption (I'm waiting for OrangeFox to be released), but other than that I don't understand what is going on with Android security since Marshmallow was released (I'm coming from a OnePlus One stuck on Marshmallow).
So, should I factory reset?

thunderteaser said:
Thanks for your answer. My backup comes from a /data partition that was originally formatted via TWRP when I unlocked the bootloader and rooted it, so it should be decrypted. If setting a PIN means encrypting data once again, then you are correct, as I backed up my partition with all of my lock settings stored. But to answer your question: I don't know. It just makes no sense to me, as I was able to restore my data and everything works smoothly besides the lock settings. I just know that most of my problems come from having an unreliable TWRP which doesn't support MIUI encryption (I'm waiting for OrangeFox to be released), but other than that I don't understand what is going on with Android security since Marshmallow was released (I'm coming from a OnePlus One stuck on Marshmallow).
So, should I factory reset?
Rooting the device doesn't mean that it is decrypted. The lavender ROMs have a nasty habit of encrypting the device again when you boot to system (unless you have effectively disabled forced-encryption after formatting data - but this situation can change quickly). If you are not encrypted, then no attempt at securing the phone will work. It will allow you to set a pin/password, but they will always be declared to be "wrong" when you try to unlock the phone. You can easily check whether you are encrypted or not (in the ROM's security settings). Another clue - if you don't see any option of setting a fingerprint, then it means that you are not encrypted. What does the debug screen show when you boot up TWRP? If it shows something like "dm-0" somewhere on the page, then you are encrypted.
The long and short of it is this - if you want to be able to use pins/passwords/fingerprint, then your phone needs to be encrypted. IMHO all these problems with encryption are due to bugs in Xiaomi's Pie firmwares (and this is getting worse by the day). The other possible interpretation is that this is all deliberate - but I am not a conspiracy theorist, so I choose to believe that these problems are not due to malice.
Doing a factory reset is a good way of starting afresh (I don't know whether formatting data again would be better). However, if you do this, don't try to restore the data backup again - you will just return to "square one".
PS: there are already stable betas of OrangeFox for lavender (see my signature) ...

DarthJabba9 said:
Rooting the device doesn't mean that it is decrypted. The lavender ROMs have a nasty habit of encrypting the device again when you boot to system (unless you have effectively disabled forced-encryption after formatting data - but this situation can change quickly). If you are not encrypted, then no attempt at securing the phone will work. It will allow you to set a pin/password, but they will always be declared to be "wrong" when you try to unlock the phone. You can easily check whether you are encrypted or not (in the ROM's security settings). Another clue - if you don't see any option of setting a fingerprint, then it means that you are not encrypted.
Thanks for your superclear answer. I still don't get how to check for encryption on MIUI 10. I can't see anything related to encryption in security settings, but I still see the options to add fingerprints. Also, "adb shell ro.crypto.status" fails because there is no such file.
DarthJabba9 said:
What does the debug screen show when you boot up TWRP? If it shows something like "dm-0" somewhere on the page, then you are encrypted.
Can't see any result for dm-* in my recovery log.
DarthJabba9 said:
The long and short of it is this - if you want to be able to use pins/passwords/fingerprint, then your phone needs to be encrypted. IMHO all these problems with encryption are due to bugs in Xiaomi's Pie firmwares (and this is getting worse by the day). The other possible interpretation is that this is all deliberate - but I am not a conspiracy theorist, so I choose to believe that these problems are not due to malice.
Doing a factory reset is a good way of starting afresh (I don't know whether formatting data again would be better). However, if you do this, don't try to restore the data backup again - you will just return to "square one".
So do you think this happened because I originally flashed a lazyflasher version that disabled dm-verity AND force-encryption in the attempt to not lose my data partition when I flashed an updated rom?
DarthJabba9 said:
PS: there are already stable betas of OrangeFox for lavender (see my signature) ...
I will definitely follow its development, thank you so much!
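
An added example, not part of any post in this thread: one way to answer the "am I encrypted?" question from a booted system over adb, using the `ro.crypto.state` and `ro.crypto.type` system properties together with the block device that backs `/data` in `/proc/mounts`. The function names, result tokens and sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies /data encryption from:
#   $1 = value of `getprop ro.crypto.state` (encrypted | unencrypted | unsupported | empty)
#   $2 = value of `getprop ro.crypto.type`  (block = FDE, file = FBE, or empty)
#   $3 = contents of /proc/mounts
# Prints one token: encrypted-fde, encrypted-fbe, unencrypted, inconsistent, unknown.
classify_data_encryption() {
    state=$1
    ctype=$2
    mounts=$3

    # Block device that backs /data: first field of the line whose mount point is /data.
    data_dev=$(printf '%s\n' "$mounts" | awk '$2 == "/data" { print $1; exit }')

    case "$data_dev" in
        "")              mapped=unknown ;;
        /dev/block/dm-*) mapped=yes ;;   # device-mapper node, the "dm-0" clue from the thread
        *)               mapped=no ;;    # raw userdata partition
    esac

    case "$state:$ctype:$mapped" in
        encrypted:block:yes)              echo encrypted-fde ;;
        encrypted:file:*)                 echo encrypted-fbe ;;  # per-file keys, no dm node required
        unencrypted:*:no)                 echo unencrypted ;;
        encrypted:*:no|unencrypted:*:yes) echo inconsistent ;;   # property and mount disagree
        *)                                echo unknown ;;
    esac
}

# Query a booted device over adb (USB debugging enabled; root is not needed).
check_connected_device() {
    s=$(adb shell getprop ro.crypto.state | tr -d '\r')
    t=$(adb shell getprop ro.crypto.type | tr -d '\r')
    m=$(adb shell cat /proc/mounts | tr -d '\r')
    echo "ro.crypto.state=$s ro.crypto.type=$t -> $(classify_data_encryption "$s" "$t" "$m")"
}

# Constructed /proc/mounts samples (not taken from a real device).
SAMPLE_MOUNTS_DM='/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'
# dm nodes can also back verified partitions such as /vendor,
# so only the /data line is considered.
SAMPLE_MOUNTS_RAW='/dev/block/dm-0 /vendor ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

if [ "${1:-}" = "--device" ]; then
    check_connected_device
fi
```

Run it with `--device` to query a phone connected over adb. An `inconsistent` result means the property and the `/data` mount disagree, which is worth sorting out before setting a new PIN, password or pattern.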

thunderteaser said:
Thanks for your superclear answer. I still don't get how to check for encryption on MIUI 10. I can't see anything related to encryption in security settings, but I still see the options to add fingerprints. Also, "adb shell ro.crypto.status" fails because there is no such file.
Send me your recovery log via PM, and I will tell you whether you are encrypted.
thunderteaser said:
So do you think this happened because I originally flashed a lazyflasher version that disabled dm-verity AND force-encryption in the attempt to not lose my data partition when I flashed an updated rom?
I am not sure what is the cause. But you might just want to cut your losses and reset to defaults (or, better still, format data, and let MIUI encrypt again when you restart the phone). You will of course lose all your data (and if you format data, you will lose the contents of your internal storage). However, IMHO, life is too short, and setting up a pristine system is much better than the pain endured in trying to fix these fiddly problems (always a good idea to have your data backed up on the cloud anyway - whether it is GDrive or MiCloud). This makes it less painful to set up your phone again from the start.

DarthJabba9 said:
Send me your recovery log via PM, and I will tell you whether you are encrypted.
I am not sure what is the cause. But you might just want to cut your losses and reset to defaults (or, better still, format data, and let MIUI encrypt again when you restart the phone). You will of course lose all your data (and if you format data, you will lose the contents of your internal storage). However, IMHO, life is too short, and setting up a pristine system is much better than the pain endured in trying to fix these fiddly problems (always a good idea to have your data backed up on the cloud anyway - whether it is GDrive or MiCloud). This makes it less painful to set up your phone again from the start.
Well, you are absolutely right but I can't stop thinking of it as an entertaining part of being an Android user, or I won't be on xda. I've sent you my log, I really appreciate your help. <3

I'm back here just to update the thread with a solution for encryption problems, hoping it will help people with similar issues.
If you are going to stay on official MIUI 10 global stable and plan to install root/magisk and still lock the device by any means (pin, pattern, fingerprints, face unlock, etc.) your data partition MUST be encrypted. If your data partition is decrypted, the only way to encrypt it properly again would be by flashing a stock data partition via fastboot (using Mi Flash Tool to flash a whole stock ROM from scratch would be even better), so backup everything as you are going to lose your data.
Then, I absolutely recommend flashing the latest OrangeFox recovery by @DarthJabba9 (see his signature), which is the only recovery I found that properly supports MIUI encryption and also supports OTA updates (and has a lot of amazing features too and a pretty cool design!).
Since the fastboot image I flashed was 10.3.2 EU, I wanted to update to 10.3.3 EU via recovery without losing data and encryption. Here is what I did (you may follow these steps as a generic guide to update to any OTA version):
1) In OrangeFox recovery click on the Settings icon on the top right and enter "MIUI OTA" settings
2) Keep everything on, but make sure to untick "disable dm-verity" and "disable force-encryption" as you want to keep them enabled (the MIUI OTA main switch on top will switch off but everything you have set will still be applied)
3) Flash the full recovery ROM zip you want to update to
4) Flash Magisk and everything else you need
5) Reboot
If you did everything correctly, Magisk installer will tell you that it's keeping dm-verity and encryption untouched (these settings are also reflected in Magisk Manager app: in the main screen go to Advanced Settings and you will see both dm verity and encryption settings checked).
Thanks to @DarthJabba9 again for the awesome support! :highfive:

Related

How to encrypt device w/o "Encryption" options (Huawei Y625-U51)

Hi, I have a Huawei Y625-U51 (Dual-SIM) running stock Android 4.4.2/EMUI 2.3 Lite and I would like to encrypt the device, but there are no Encryption options in "Settings > Personal > Security". Is there a way to make these options available or otherwise carry out a system encryption (i.e. using adb)?
Here's the about info to the device:
Model: HUAWEI Y625-U51
Android: 4.4.2
Secpatch-Lvl: 2015-11-01
EMUI: EMUI 2.3 Lite
Kernel: 3.4.0
Build-Number: Y625-U51V100R001C577B108
I already tried carrying out a factory reset but that didn't bring up the encryption options.
I'm well-versed with Windows/Linux system hacks but new to Android, so please bear with me. Any help would be greatly appreciated. Thx.
Encrypt Huawei Y625 via rooting and shell commands
After reading up a few articles on different ways to start encryption from the command line in various Android versions, I decided to experiment and got lucky. Here's what I did (if you want to repeat these steps I suggest you attach your phone to the charging cable first. Also remember that this will likely void your warranty bla bla):
rooted the Huawei Y625 using kingoRoot
installed Android Terminal Emulator and ran it
Once inside the terminal I entered
Code:
su
setenforce 0
vdc cryptfs enablecrypto inplace <YourPasswordInCleartext>
(I'm not sure whether the 'setenforce' command that sets SELinux to permissive mode is actually necessary. However, this will only change runtime mode, so you needn't worry that it may persist over reboots).
The screen then immediately went blank. I had forgotten to attach the phone to the charging cable so I scrambled to find it and finally got the phone attached. But it looked pretty much dead now.
After nothing happened for another while, I pressed the start button. The screen remained blank but I got to hear the familiar boot melody. After a while (maybe 2 or 3 minutes) I pressed start again. This time, a message appeared "Wait while your phone is being encrypted" plus a slowly increasing percentage.
When the encryption had finished, the phone booted up as usual, only this time the familiar melody and splash screen was interrupted by the message "Type password to decrypt storage"
Minor drawbacks:
The boot process is interrupted somewhat uglily in the middle of the melody and splash screen to ask for the encryption password
TouchPal's data transfer agreement pops up every time you start to enter the decryption password (presumably because the answer is written to the /data partition which is still encrypted and therefore not available yet at this point)
Bigger drawback:
There is no way to change the encryption password using the GUI. You have to run 'vdc cryptfs changepw <YourPasswordInCleartext>' from a shell (Result should be "200 0 0"). That's a bummer if you want to enable encryption for someone reliant on GUI apps.
One last note: this being Android 4.4.2 there is no way to encrypt the whole system. The method described above will encrypt the userdata partition (mounted as /data) only.
P.S.: Sorry for not sharing article and app links, but xda anti-spam settings prevented me as a new user from posting links. So sorry for the missing convenience, but I'm sure you'll be able to find the apps mentioned yourself and as for the articles - they were interesting but relating to wildly different Android versions with different command syntax, so you're probably better off just following the steps above anyway

[Discontinued]

---
For owners of Xiaomi Air 12 or 13 that are facing static sound in Audio cause of Windows 10 please update your Realtek driver from their own website and not use windows update or general update. You need to download the latest 64bit driver dated ' 14-Jun-17 - 6.0.1.8186 '
@Wootever, sorry for my unrelated question. But, I have a Xiaomi Air 13 2016 and I've set a supervisor password when I changed to Linux. I then removed the password when I changed back to Windows 10, but it's still asking me for one...
Do you happen to know a way on how to remove the BIOS password on this laptop? I've extracted the executable from Insyde H20 A06 updater and changed the platform.ini, so it does a force flash of the password area (Password=1), however, it's still asking for one.. Any help would be greatly appreciated! Thanks in advance
@r00tPT
Try to set the password again and then set it to blank.
Wootever said:
@r00tPT
Try to set the password again and then set it to blank.
Thanks, but I cannot set a new password, as when I try to access the BIOS, it asks me for a password..
I wanted to reset this password altogether, so I can access my BIOS and set a new one =/
@r00tPT
You can try to flash this default BIOS A06 Package, it will overwrite all device specific data (Serial, Windows Key, NVstore).
All settings should be set to default (including the password), but i haven't tested this (no guarantee and at your own risk).
Edit:
Don't forget to create a backup using the Backup.cmd file, it should be possible to restore the Serial number on the "empty" default BIOS.
Wootever said:
@r00tPT
You can try to flash this default BIOS A06 Package, it will overwrite all device specific data (Serial, Windows Key, NVstore).
All settings should be set to default (including the password), but i haven't tested this (no guarantee and at your own risk).
Edit:
Don't forget to create a backup using the Backup.cmd file, it should be possible to restore the Serial number on the "empty" default BIOS.
Thank you, Wootever! I think it's worth a try.
Would it make sense to create the backup, flash the default package, confirm if there's no password and then flash back the original Xiaomi BIOS to restore the Serial number?
Sorry, as I have near to none experience related to bios. thanks once again
@r00tPT
The backup includes all current settings (including the password), restoring it would also re-enable the password protection.
I made a little script to restore the device serial from the backup.bin file.
This is necessary because the Windows Activation seems linked with the device serial number.
Edit:
Updated the script.
Wootever said:
@r00tPT
The backup includes all current settings (including the password), restoring it would also re-enable the password protection.
I made a little script to restore the device serial from the backup.bin file.
This is necessary because the Windows Activation seems linked with the device serial number.
Edit:
Updated the script.
Wouldn't it be best to make a backup of the current bios with a flash programmer? I still haven't done this, as I'm trying to figure out what password I put.. (I basically set a supervisor password when I disabled secure boot, but then when I tried to set a new blank password it didn't change it back)
I have a friend who has the exact same laptop. Would it be fine if I made a backup of his bios and restore it into mine?
Could there be an issue or some missing information? Probably only the device serial number, which I could write again using your script? Would that be feasible?
By the way, sorry for asking these questions here/to you, but it's hard to find some guidance regarding this topic. Thanks once again
@Wootever, it worked!! You're the greatest man! I'm now able to access my BIOS again!
Is there any way to re-enable the flash protected range register again, just in case?
Wootever said:
I just got my hands on a Xiaomi Air 13 (2016 version) and wanted to share my findings.
The BIOS version of this device is A07, which is not yet made available by Xiaomi and originally, BIOS updates can only be flashed with the Insyde tools.
However, those require a valid certificate to correctly sign the binary file, thus a provided backup of version A07 won't be applicable as a update.
Intel Flash Programming tool is another alternative which allows to flash unsigned/customized versions, but in practice FPT can't access the BIOS region due to the protected range register which prohibits write access.
Code:
Error 316: Protected Range Registers are currently set by BIOS, preventing flash access.
Please contact the target system BIOS vendor for an option to disable Protected Range Registers.
Fortunately there is an undocumented variable switch that i found by coincidence which deactivates the flash protected range register.
For this i made a little tool which automatically patches the variable to allow BIOS update via FPT.
Note: modifying your BIOS is at your own discretion, i am not responsible for any damage caused by this procedure.
Download my variable patcher, extract it and execute Patcher.cmd
Reboot your device.
Download BIOS A07 for the Xiaomi Air 13 (2016)
Execute Backup.cmd to create a backup of your current BIOS.
Then execute Update.cmd to install version A07.
Use Serial.cmd to restore the device serial number from the backup BIOS.
Reboot your device.
I also made a few changes for this BIOS:
Updated microcode to 0xBA
Increased PWM frequency to 5000 Hz
I tried but I have this problem with patcher, any suggestion?
@Wootever
1) after upgrading the bios, how do i re-activate the flash protected range register?
2) do you have the default clean A07 bios (without the microcode and PWM changes)?
thank you!
May I ask if there is an easy way to unlock BIOS totally on Xiaomi Air 13? Because previously I opened a topic about it in biosmods.com , someone reached to me and told that due to write protection it needs quoting from him: "Bios mod can be flashed using SPI-programmer+SOIC8 clip only". That requires opening laptop up and connecting clip on chip physically. I love to tinker things in my laptop but that is a bit scary for me. So is there another way to do it, anyone knows??
THANK YOU!! This is pure gold! By the way, does the flag you found also unlock the ME region?
Update: nevermind. The answer is no unfortunately
bigorbi said:
May I ask if there is an easy way to unlock BIOS totally on Xiaomi Air 13? Because previously I opened a topic about it in biosmods.com , someone reached to me and told that due to write protection it needs quoting from him: "Bios mod can be flashed using SPI-programmer+SOIC8 clip only". That requires opening laptop up and connecting clip on chip physically. I love to tinker things in my laptop but that is a bit scary for me. So is there another way to do it, anyone knows??
No, you can flash any bios mod with the flag found by @Wootever. However, you may want to get a programmer (Altera USB blaster has cheap Chinese clones supported by flashrom) and a SOIC8 clip anyway just in case. They're dirt cheap and allow for recovery when things go wrong.
As a bonus, an external programmer enables you to get rid of the management engine.
CARLiCiOUS said:
THANK YOU!! This is pure gold! By the way, does the flag you found also unlock the ME region?
Update: nevermind. The answer is no unfortunately
It might be possible if the variable for ME Image Re-Flash is set:
Code:
Me FW Image Re-Flash, Variable: 0xD08
Disabled, Value: 0x0 (default)
Enabled, Value: 0x1
Variable to unlock protected range register:
Code:
BIOS SPI Lock:, Variable: 0x258
Enabled, Value: 0x1 (default)
Disabled, Value: 0x0
Edit:
Here is another variable patcher that also enables the ME Re-Flash variable.
(Note: not tested, use with caution)

Mi A1 uses Full disk Encryption(FDE) or File Based Encryption(FBE) encryption?

Hello,
I remember when i set up A1 in firstboot, it asked if i want to be prompted with a password before booting android, to which i said no.
So this in effect, must have encrypted with the default password on first boot. This lets the system boot, and core services started, if the device gets rebooted without my knowledge (so that i receive calls and sms) VS, if it asks password before booting (uses my pin as password instead of default password), the core services aren't available until i put my pin in.
This issue was supposed to get solved through Nougat's FBE.
So my question is that, does Mi A1 uses FBE, so that even if i had opted for my pin as password before booting, i would not be blocked of using core services like phone and sms, with OS waiting at pin prompt?
Thanks.
as i have researched more, A1 does not support FBE.
read this excellent write-up
In the above article, it shows how to convert to file based encryption. This option in the developer settings is missing from A1.
this is the first major disappointment with A1. Was shocked on system setup to see this. Didn't expect this from a phone expected to receive updates upto P.
ashjas said:
as i have researched more, A1 does not support FBE.
read this excellent write-up
In the above article, it shows how to convert to file based encryption. This option in the developer settings is missing from A1.
Why do you think? What encryption does it use?
It uses FDE. This can be seen when you reboot the device - the black background and basic keyboard. This is FDE.
FBE would boot the device in an intermediary state with wallpaper, full keyboard.
Now if you ask me FDE seems a bit more secure - you can be sure that everything on the device's data partition is encrypted and the only available function is emergency call.
FBE encrypts certain folders but more code is running at startup so you can in theory receive notifications and stuff for certain apps. I certainly don't need stuff running before i authenticate.
gradinaruvasile said:
It uses FDE. This can be seen when you reboot the device - the black background and basic keyboard. This is FDE.
FBE would boot the device in an intermediary state with wallpaper, full keyboard.
Now if you ask me FDE seems a bit more secure - you can be sure that everything on the device's data partition is encrypted and the only available function is emergency call.
FBE encrypts certain folders but more code is running at startup so you can in theory receive notifications and stuff for certain apps. I certainly don't need stuff running before i authenticate.
So when the phone was set up in a way, where there was no password asked during (in the middle of) the boot process, how easy would it be for thieves to access data stored on a A1? And how much would it help them if bootloader was unlocked?
When you reboot the phone, and you do not have a FDE password set up, the phone still asks for a PIN after booting, with the text "Unlock for all features and data". This sounds like FBE to me.
- PIN is probably from the SIM card. My A1 never asked anything until i set up a password. But mine came with Android 7.1.1 so it is a possibility that some to come with later versions (that have FBE?)?
- FDE is usually enabled anyway on Android 7.1+ but it has a default password set ("default_password" AFAIR). So if you run TWRP for example, even without installing it, it will access your data because it knows this default password. If you specify a custom password the disk will not be unlocked without it.
- A locked bootloader brings additional security. The idea behind it is to have a verified boot chain - if someone gets hold of your phone to not be able to flash custom system apps on it.
The partitions are checksummed and verified via dm-verity. So at boot time any unauthorized alterations (done, say, with booted TWRP, installed Magisk and root then re-locked bootloader afterwards) will trigger a "System Destroyed" message.
The above will be all disabled if you unlock the bootloader and install TWRP. As for now TWRP (or any other loader) cannot ensure system consistency. It is possible to flash stuff on your device by restarting it and launching TWRP. If you have a strong encryption password set up your data partition will still be inaccessible to them but if you get your phone back and start it up the malware will start and do nasty stuff like siphoning all your data, passwords etc (because you can flash system apps that can see everything on the device).
After restart, it asked me for a PIN and then for SIM PIN, (even when draw pattern was my configured way for unlock). It never again asked me for PIN, only right after reboot. Why else would I be asked for a PIN only after reboot, if not because of FBE?
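The FDE-versus-FBE question and the bootloader state debated in the posts above can be read from the device's system properties instead of inferred from the boot screen. The following is an added example, not part of the original posts: it classifies a `getprop` dump using the standard properties `ro.crypto.state`, `ro.crypto.type`, `ro.boot.flash.locked` and `ro.boot.verifiedbootstate`; the sample dumps are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify storage encryption and verified-boot posture from
# `getprop` output. The sample dumps are constructed, not taken from a device.

# prop_value NAME: read a getprop dump on stdin and print the value of NAME.
prop_value() {
    awk -v key="[$1]:" '$1 == key { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# classify_device: read a getprop dump on stdin, print "<encryption> <boot>".
# Note: the properties do not reveal whether FDE still uses the default
# password; a password prompt during boot is the indicator for that.
classify_device() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | prop_value ro.crypto.state)
    ctype=$(printf '%s\n' "$dump" | prop_value ro.crypto.type)
    locked=$(printf '%s\n' "$dump" | prop_value ro.boot.flash.locked)
    vboot=$(printf '%s\n' "$dump" | prop_value ro.boot.verifiedbootstate)
    case "$state:$ctype" in
        encrypted:file)  enc="FBE" ;;      # file-based: boots to lock screen
        encrypted:block) enc="FDE" ;;      # full-disk: prompt before /data mounts
        unencrypted:*)   enc="NONE" ;;
        *)               enc="UNKNOWN" ;;
    esac
    case "$locked:$vboot" in
        *:red)         boot="failed" ;;      # verification failed
        1:green)       boot="verified" ;;    # locked, OEM-signed chain
        1:yellow)      boot="custom-key" ;;  # locked, user-supplied key
        0:*|*:orange)  boot="unlocked" ;;    # images can be replaced freely
        *)             boot="unknown" ;;
    esac
    echo "$enc $boot"
}

# Constructed sample dumps.
sample_fbe_locked() {
    printf '%s\n' '[ro.crypto.state]: [encrypted]' '[ro.crypto.type]: [file]' \
        '[ro.boot.flash.locked]: [1]' '[ro.boot.verifiedbootstate]: [green]'
}
sample_fde_unlocked() {
    printf '%s\n' '[ro.crypto.state]: [encrypted]' '[ro.crypto.type]: [block]' \
        '[ro.boot.flash.locked]: [0]' '[ro.boot.verifiedbootstate]: [orange]'
}

# On a device shell (or via `adb shell getprop | classify_device` on a host
# where this file is sourced), classify the live properties.
if command -v getprop >/dev/null 2>&1; then getprop | classify_device; fi
```

An `FDE unlocked` or `FBE unlocked` result is the case the locked-bootloader post warns about: the data stays encrypted at rest, but the system partitions can be altered without verification catching it.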

TWRP Backup & Fingerprint

First, if this is in the wrong section, please move. Couldn't find a TWRP forum section and I'm using the N6P so decided to post it here.
My N6P is set up with fingerprint for unlock. Apparently this interferes with TWRP being able to mount data. So I went to device & security > set a password > went back to recovery > no dice: "Invalid password". Tried PIN, no dice. Tried the VDC cryptfs method found here https://www.xda-developers.com/how-to-manually-change-your-android-encryption-password/, no dice
22|angler:/ # vdc cryptfs changepw <unlock pin> <new password>
vdc V 02-06 19:49:45 14714 14714 vdc.cpp:50] Waited 0ms for vold
vdc E 02-06 19:49:45 14714 14714 vdc.cpp:109] Raw commands are no longer supported
The only thing that worked was to remove all security (no pin, no print, no password), then TWRP could successfully mount /data
Now this is a hassle to do every time I want to take a backup. Used to be able to use chainfire's Flashfire app to do that, but with the N6P no longer getting updates, I flashed "PixelExperience" rom (based on AOSP 9) and SuperSU doesn't work anymore, so can't use FF either. Thus I'm "confined" to TWRP.
So the question is, does anyone know a working method to have BOTH fingerprint active AND being able to decrypt /data? It's a major hassle removing & resetting fingerprint every time.
Ch3vr0n said:
First, if this is in the wrong section, please move. Couldn't find a TWRP forum section and I'm using the N6P so decided to post it here.
My N6P is set up with fingerprint for unlock. Apparently this interferes with TWRP being able to mount data. So I went to device & security > set a password > went back to recovery > no dice: "Invalid password". Tried PIN, no dice. Tried the VDC cryptfs method found here https://www.xda-developers.com/how-to-manually-change-your-android-encryption-password/, no dice
22|angler:/ # vdc cryptfs changepw <unlock pin> <new password>
vdc V 02-06 19:49:45 14714 14714 vdc.cpp:50] Waited 0ms for vold
vdc E 02-06 19:49:45 14714 14714 vdc.cpp:109] Raw commands are no longer supported
The only thing that worked was to remove all security (no pin, no print, no password), then TWRP could successfully mount /data
Now this is a hassle to do every time I want to take a backup. Used to be able to use chainfire's Flashfire app to do that, but with the N6P no longer getting updates, I flashed "PixelExperience" rom (based on AOSP 9) and SuperSU doesn't work anymore, so can't use FF either. Thus I'm "confined" to TWRP.
So the question is, does anyone know a working method to have BOTH fingerprint active AND being able to decrypt /data? It's a major hassle removing & resetting fingerprint every time.
I'm not sure why some people seem to have an issue with twrp requiring a password. Do you also have your security set to require pin on reboot?
I have pin/finger print set for my device and I have no issue with mounting data/ getting into twrp, it does not prompt me for a password anywhere in twrp.
Also, for as long as the 6p has been around AFAIK, you cannot make a backup when you have any form of security measure enabled and be able to restore it and get into the system. Not sure why they could never find a way around it, but you have to remove pin/pattern/FP whatever security measures you have before making a backup in twrp.
There is a way to get into it if needed by going in and deleting the lock screen security file via TWRP's file manager.
Well that clears that up then thanks. Does the pixel 3 XL also suffer from that problem? My N6p recently started getting the dreaded random battery reboot problem (can't complain after 3y I guess) and I'll be swapping to that device
** edit ** and no I don't have it set to require anything on boot. No pin/password/pattern.
Just set device security with fp + pin when os is fully loaded to unlock. That's all
Sent from my Nexus 6P using Tapatalk

[ABANDONED][ROM][10][UNOFFICIAL][BETA] AospExtended 7.0

Code:
/*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
ROM IS ABANDONED
AospExtended 7.0
Properties
Selinux mode: Enforcing by default
Build type: user
Gapps: not included
Working features
MicroG
Magisk
JamesDSP
MAC randomization
Storage encryption
Known issues
Data partition cannot be backed up by the official TWRP right now
Notes
This ROM is in beta state and not tested well, use as daily driver at your risk and backup everything!
This ROM encrypts storage by default, so far only official TWRP can decrypt storage, don't use OrangeFox!
Follow installation instructions!
If you experience issues, try to change selinux to permissive first
Installation
Flash latest stock ROM from here
Install official TWRP by following instructions in this post
Flash ROM zip to both A/B slots
Flash TWRP zip installer
Reboot to recovery
Flash this patch to fix sim card issue
Flash Gapps (optional)
Flash Magisk (optional)
TWRP can't wipe data partition properly for this ROM and Mi A3 bootloader unfortunately doesn't support partition formatting, so you have to use following workaround to wipe data partition
Reboot to bootloader
Flash this empty image file to userdata partition with fastboot flash userdata userdata.img
fastboot reboot
Cross fingers
Update
Flash ROM zip
Flash TWRP installer zip
Flash this patch to fix sim card issue
Flash Gapps (optional)
Flash Magisk (optional)
Wipe dalvik cache
Reboot to system
Downloads
14.2.2020
Download
Checksum: 7c8c9149d627f03cd30976b164404b13
Older builds
Telegram group
Sources
ROM
Device tree
Kernel
Vendor
Credits
AospExtended team - ROM
@Harukey - device sources
XDA:DevDB Information
[ABANDONED][ROM][10][UNOFFICIAL][BETA] AospExtended 7.0, ROM for the Xiaomi Mi A3
Contributors
Golbinex
ROM OS Version: Android 10
ROM Kernel: Linux 4.x
Based On: CrDroid
Version Information
Status: Beta
Created 2020-02-15
Last Updated 2020-03-17
Reserved
Changelog
14.2.2020
Initial public build
@Golbinex
Thank you man. It would be nice if you added some screenshots.
Onurnymr10 said:
@Golbinex
Thank you man. It would be nice if you added some screenshots.
Done.
https://forum.xda-developers.com/devdb/project/?id=37481#screenshots
Patch to fix sim card issue was uploaded: URL
Flash it with TWRP.
Thank you thank you thank you and a million times more! Finally a ROM I can use with MicroG. I've been stuck with the stock ROM (and google) since the fall after getting this phone. I'm free once again!
Hello everyone. I tried this rom today. I followed all steps for cleaning format data etc/ flash twrp on
a slot etc/ flash rom/ then install zip.twrp / Reboot recovery/ flash patch/flash gapps/flash magisk/ Reboot bootloader/ flash empty image/ fastboot Reboot..
followed all the steps and for no reason my phone space is almost full...
Anyone knows why?
Noexcusses said:
Hello everyone. I tried this rom today. I followed all steps for cleaning format data etc/ flash twrp on
a slot etc/ flash rom/ then install zip.twrp / Reboot recovery/ flash patch/flash gapps/flash magisk/ Reboot bootloader/ flash empty image/ fastboot Reboot..
followed all the steps and for no reason my phone space is almost full...
Anyone knows why?
That is currently a bug. Solution should be disabling encryption like in other ROMs and not flashing userdata img at all. Or here is a more complicated solution: https://forum.xda-developers.com/showpost.php?p=81782735&postcount=78
Do I need to reinstall everything though?
Noexcusses said:
Do I need to reinstall everything though?
Take a look at that link, you shouldn't lose any data by resizing partition, but definitely backup everything.
Bluetooth bug - Facebook bugs crashing all the time, low speaker... any solution guys?
Noexcusses said:
Bluetooth bug - Facebook bugs crashing all the time, low speaker... any solution guys?
Provide logs for developer I guess?
Bluetooth log
Can confirm, I have the same issue. Bluetooth device connects but no audio is sent to it. I have uploaded a logcat here: https://cloud.reekynet.com/s/ZLDbet9swwT9XFn.
During capturing this log I paired my bluetooth speaker and played music, which came out of the phone speaker.
EDIT: Seems like the interest is around line 6763:
Code:
03-12 17:24:50.042 4026 5467 D GmsGcmMcsSvc: Scheduling heartbeat in 2292 seconds...
03-12 17:24:50.043 4026 3478 D GmsGcmMcsOutput: Outgoing message: HeartbeatPing{}
03-12 17:24:50.175 4026 3477 D GmsGcmMcsInput: Incoming message: HeartbeatAck{last_stream_id_received=5}
03-12 17:24:50.176 4026 3477 D GmsGcmPrefs: learnReached: gcm_network_wifi / 44078
03-12 17:24:51.361 1947 2565 I chatty : uid=1002(bluetooth) e.StateMachines expire 29 lines
03-12 17:24:51.368 1947 2521 I chatty : uid=1002(bluetooth) bt_main_thread expire 27 lines
03-12 17:24:51.369 614 2518 I chatty : uid=1002 [email protected] expire 4 lines
03-12 17:24:51.369 1947 2576 I chatty : uid=1002(bluetooth) bt_a2dp_sink_wo expire 2 lines
03-12 17:24:51.370 1963 2170 I LocalBluetoothProfileManager: Failed to connect A2DP device
03-12 17:24:51.370 1963 2170 D CachedBluetoothDevice: onProfileStateChanged: profile A2DP, device=27:59:BE:CE:45:42, newProfileState 0
03-12 17:24:51.371 1947 2150 I chatty : uid=1002(bluetooth) BT Service Call expire 2 lines
03-12 17:24:51.371 1947 1947 I chatty : uid=1002(bluetooth) com.android.bluetooth expire 5 lines
03-12 17:24:48.193 1214 1923 I chatty : uid=1000(system) Binder:1214_3 identical 1 line
Also, I'm running without gapps, using microG if that matters.
Try to change selinux to permissive. Also mind that build is beta and there are severe issues with current AEX builds.
Golbinex said:
Try to change selinux to permissive. Also mind that build is beta and there are severe issues with current AEX builds.
Yeah I knew this going in and I'm willing to use a cable right now because other than this issue the ROM is rock solid and the only one with microG support for the A3
The SELinux setting is grayed out, how do I go about changing it? Found a lot of different guides online
ReekyMarko said:
Yeah I knew this going in and I'm willing to use a cable right now because other than this issue the ROM is rock solid and the only one with microG support for the A3
The SELinux setting is grayed out, how do I go about changing it? Found a lot of different guides online
https://f-droid.org/en/packages/com.mrbimc.selinux/
I don't know if it still works, hasn't been updated in almost 3 years so I doubt it but it's what I used to use on an older device
Golbinex said:
Flash this empty image file to userdata partition with fastboot flash userdata userdata.img
This did not work. On the contrary, the internal available space dropped from 128Gb to only 10Gb.
garylawwd said:
https://f-droid.org/en/packages/com.mrbimc.selinux/
I don't know if it still works, hasn't been updated in almost 3 years so I doubt it but it's what I used to use on an older device
It works fine.
Technical said:
This did not work. On the contrary, the internal available space dropped from 128Gb to only 10Gb.
You can skip wiping data after flashing stock rom if you don't mind preinstalled xiaomi apps or try methods from other roms. Also you can wipe data with fastboot format:f2fs userdata (wipes internal storage as well!), if you get segmentation fault, try newer fastboot tool.
Golbinex said:
It works fine.
You can skip wiping data after flashing stock rom if you don't mind preinstalled xiaomi apps or try methods from other roms. Also you can wipe data with fastboot format:f2fs userdata (wipes internal storage as well!), if you get segmentation fault, try newer fastboot tool.
Thank you, but, I see two problems that I have passed before:
1) I can't boot without wiping data
2) Fastboot does not accept format commands in current MI A3 bootloader
Rom is abandoned, but feel free to try my Crdroid build
