First things first:
1. This is not a thread about how to flash ROMs, recoveries or use Android SDK and ABD or fastboot commands. If you have questions about the basics, please keep them in @Funk Wizard's excellent thread created for that purpose:
OnePlus 5T: Unlock Bootloader | Flash TWRP | Root | Nandroid & EFS Backup & More !!
2. This thread is not the place to discuss the merits of encryption or decryption.
3. I'm not responsible for what you do to your own device. Read, think, read more, re-think, wipe, flash in that order.
4. This OP and the following posts will be updated as the discussion develops, so please check back here from time to time.
Now on to the discussion
There has been a lot of talk lately about encryption, decryption and the benefits and liabilities of each. Obviously having your device encrypted is a gain for security, something we should try to keep if possible. But encryption methods can vary, which is a problem for flashaholics like myself. When you flash a new ROM that cannot read the encryption of the previous ROM, /data must be formatted, causing the loss of /sdcard - pictures, music, files, etc.
Understanding the Problem
The issue seems to revolve around Qualcomm's "KeyMaster" encryption keys. While both Nougat and Oreo use FBE (File Based Encryption), by default they use different encryption keys, as pointed out by dev @codeworkx -- Nougat and Oreo 8.0 use KeyMaster 1 while Oreo 8.1 uses KeyMaster 3. So when an Oreo 8.1 ROM is flashed, it either can't access /data (requires decryption or formatting /data) or the ROM reformats /data itself, like early beta Lineage 15.1 builds. Likewise, reverting to a Nougat or Oreo 8.0 build will cause the same problem. Apparently, moving to KeyMaster 1 to 3 works (ie, flashing from OOS to Omni/Lineage) but reverting from Keymaster 3 back to 1 doesn't. When this happens, OOS can still decrypt with your PIN/password but TWRP can't.
One solution is to run unencyrpted, for which you may find threads in the How-To section. This discussion is about how to stay encrypted and flash back & forth between ROMs without loosing all of your data.
Links on the subject:
https://source.android.com/security/encryption/file-based
I look forward to your contribution to this discussion! :good:
Reserved
Just dropping this here:
mad-murdock said:
If only someone would be advanced in linux FBE, used tools and libraries. There surely is a way to remove encryption with a flashable .zip. _IF_ current TWRP has the needed tools onboard.
I hope one day we get encrypt/decrypt options in TWRP - where it belongs.
Click to expand...
Click to collapse
Yes, NOW I have seen this thread. Thanks for mentioning.
Seems useful.
After a bit of google kicking, I found this: https://source.android.com/security/encryption/file-based
Seems a good start on the topic. Maybe add it to a list of (hopefully growing) links?
Wow. Seems like this didn't work out that well.
mad-murdock said:
Wow. Seems like this didn't work out that well.
Click to expand...
Click to collapse
1. Rather than understand and deal with it, lots of people decrypt.
2. The issue hasn't gone away. Give it time.
Great information to those who recently owned an OP even if they have knowledge how to flash ROMs. (Including me)
Thanks!
I've stumbled across another issue for investigation. While experimenting yesterday, I discovered that @codeworkx TWRP 3.2.1-0 for Oreo (8.0 and 8.1) is able to read stock OOS/OOS B1 encryption until it is backed up in TWRP, an Oreo 8.1 ROM is flashed (eg, Omni, Lineage), and OOS is restored. After that, TWRP cannot decrypt /data with the correct PIN/password of the restored OOS ROM or "default_password". It doesn't matter if the nandroid was taken with or without a PIN/password, if the PIN/password is removed from the Oreo 8.1 ROM before restoring the nandroid, etc. Codeworkx suspects it has to do with how the passwords are being stored between 8.0 and 8.1.
And before you ask, I never formatted /data or decrypted & re-encrypted. The contents of /sdcard survived every flash and nandroid restore. Every ROM flashed was able to access /data with the correct PIN/password including the restored OOS. Only TWRP can't read /data with the correct password.
Also, I've left recovery systemless. That means my nandroid backups are only of data, and I restore by flashing the stock OOS ROM and only restoring the data nandroid. So zero changes have been made to system.
the Doctor said:
I've stumbled across another issue for investigation. While experimenting yesterday, I discovered that @codeworkx TWRP 3.2.1-0 for Oreo (8.0 and 8.1) is able to read stock OOS/OOS B1 encryption until it is backed up in TWRP, an Oreo 8.1 ROM is flashed (eg, Omni, Lineage), and OOS is restored. After that, TWRP cannot decrypt /data with the correct PIN/password of the restored OOS ROM or "default_password". It doesn't matter if the nandroid was taken with or without a PIN/password, if the PIN/password is removed from the Oreo 8.1 ROM before restoring the nandroid, etc. Codeworkx suspects it has to do with how the passwords are being stored between 8.0 and 8.1.
And before you ask, I never formatted /data or decrypted & re-encrypted. The contents of /sdcard survived every flash and nandroid restore. Every ROM flashed was able to access /data with the correct PIN/password including the restored OOS. Only TWRP can't read /data with the correct password.
Also, I've left recovery systemless. That means my nandroid backups are only of data, and I restore by flashing the stock OOS ROM and only restoring the data nandroid. So zero changes have been made to system.
Click to expand...
Click to collapse
""And before you ask, I never formatted /data or decrypted & re-encrypted. The contents of /sdcard survived every flash and nandroid restore. Every ROM flashed was able to access /data with the correct PIN/password including the restored OOS. Only TWRP can't read /data with the correct password""
So Do you mean to say I can revert back to OOS OB-1 by flashing it over Omni/LOS/etc via TWRP without formatting Data, and later on restoring Nandroid data of OOS OB-1.
shail139 said:
""And before you ask, I never formatted /data or decrypted & re-encrypted. The contents of /sdcard survived every flash and nandroid restore. Every ROM flashed was able to access /data with the correct PIN/password including the restored OOS. Only TWRP can't read /data with the correct password""
So Do you mean to say I can revert back to OOS OB-1 by flashing it over Omni/LOS/etc via TWRP without formatting Data, and later on restoring Nandroid data of OOS OB-1.
Click to expand...
Click to collapse
Yes, but obviously TWRP would not be able to decrypt with a PIN/password set by OOS. That just means you would have to disable lockscreen protection in the ROM before going into TWRP.
the Doctor said:
Yes, but obviously TWRP would not be able to decrypt with a PIN/password set by OOS. That just means you would have to disable lockscreen protection in the ROM before going into TWRP.
Click to expand...
Click to collapse
By that way the steps to restore should be...
1. Backup of OOS OB-1 in TWRP should be taken post removal all securities PIN/PASSWORD/etc (On external drive/OTG)
2. Flash OOS OB-1 normally, clean flash, boot to system, no security should be set
3. Boot to TWRP, restore OOS OB-1 Backup Only "Data" should be checked via OTG drive
4. Reboot to system
"twrp-3.2.1-0-universal-codeworkx-dumpling" will be the TWRP to be used
Correct me if I am wrong in steps
so in this case, am i right to say that, so long i dont do nandroid restore, i wouldnt have problem with encryption/decryption regardless of what rom i'm flashing using codeworkx's universal TWRP?
usually i always clean flash new roms and i'm ok to go through the 'hassle' of reinstalling stuffs. if i want to go back to the previous rom, i'll just do a clean flash of the previous rom instead of reverting back via nandroid.
so technically so long i'm on the right TWRP, i'm fine with switching roms am i right?
thanks for sharing the findings as well!
gorillaCF said:
so in this case, am i right to say that, so long i dont do nandroid restore, i wouldnt have problem with encryption/decryption regardless of what rom i'm flashing using codeworkx's universal TWRP?
usually i always clean flash new roms and i'm ok to go through the 'hassle' of reinstalling stuffs. if i want to go back to the previous rom, i'll just do a clean flash of the previous rom instead of reverting back via nandroid.
so technically so long i'm on the right TWRP, i'm fine with switching roms am i right?
thanks for sharing the findings as well!
Click to expand...
Click to collapse
I tried a clean flash of OOS from TWRP as well, but even that didn't work. I think you'd have to restore factory encryption per this guide to get TWRP to be able to decrypt OOS again:
[How To] Revert to 100% stock OOS from Oreo 8.1 | Restore factory encryption
Again, you can flash, backup and restore in TWRP even if you don't. It just won't be able to decrypt /data with your OOS PIN/password, so you'd have to remove lockscreen security first.
the Doctor said:
I tried a clean flash of OOS from TWRP as well, but even that didn't work. I think you'd have to restore factory encryption per this guide to get TWRP to be able to decrypt OOS again:
[How To] Revert to 100% stock OOS from Oreo 8.1 | Restore factory encryption
Again, you can flash, backup and restore in TWRP even if you don't. It just won't be able to decrypt /data with your OOS PIN/password, so you'd have to remove lockscreen security first.
Click to expand...
Click to collapse
Formating /data is the only way to go back to 8.0 crypto (after booting fully stock) and then you can use you Nandroids from OOS to restore /data with PIN, face unlock all ON.
Been there, done that from 8.1 custom to OOS N.
Didn't use stock recovery, didn't use revert builds, there actually were none at the time, but I think they are unneeded anyway.
It's a cumbersome process because backing up internal storage and restoring it is a pain when you have a lot of data to carry around.
But it's pretty straight forward.
All this done on blu_spark TWRP.
The problem I noted above wasn't that OOS couldn't read or encrypt /data properly after the nandroid backup--TWRP couldn't read OOS's PIN/password. I had no problems restoring and running OOS after running Omni/Lineage. After I restored OOS, on first boot I entered the PIN and found that my fingerprints and face unlock still worked. But when I booted back into Codeworkx TWRP neither the PIN or "default_password" worked. I didn't try Blu_Spark.
IMO, what we ultimately want is an official TWRP that can decrypt without workarounds so we can avoid the cumbersome process or formatting /data and moving everything back to /sdcard.
Edit: Here is the exact sequence of what happened:
I came from OOS OB1 with /data formatted by the stock recovery, encrypted, with PIN/fingerprints/face unlock.
I booted Codeworkx recovery, entered the PIN, it decrypted properly, I did a nandroid backup of the Data partition.
Still in recovery, I wiped Dalvik-Art/Cache/System/Data, then flashed Omni, gapps, Magisk.
I ran Omni for a while, moved to Lineage using the same process as above. I never removed the PIN, and Codeworkx TWRP had no problems decrypting with it in Omni or Lineage.
After running Lineage for a while, I went back into Codeworkx TWRP, decrypted with my PIN (it worked), wiped as above, flashed OOS OB1 with the factory zip, wiped the Data partition, restored Data from nandroid, flashed Magisk, rebooted.
On first boot OOS asked for a PIN. I entered my PIN and found my fingerprints & face unlock still working.
VVV HERE IS THE PROBLEM STARTED VVV
When I booted back into Codeworkx TWRP it could not decrypt with my PIN. I booted back into OOS and removed my PIN, set lockscreen protection to "None". TWRP still could not decrypt /data. I tried "default_password" but no dice.
Revert back to Omni, remove PIN, reboot TWRP, still can't decrypt.
So something changed between when I restored OOS OB1 (TWRP could decrypt with the PIN) and after first boot (TWRP couldn't decrypt with the PIN). Also, why could TWRP decrypt with OOS OB1's PIN to do the nandroid backup from a clean flash and to restore the same backup after being on Omni/Lineage, but couldn't decrypt with it after the first boot of the OOS nandroid backup?
Again, formatting /data again is not an acceptable workaround. I think we want to understand what changed and solve the problem.
the Doctor said:
Again, formatting /data again is not an acceptable workaround. I think we want to understand what changed and solve the problem.
Click to expand...
Click to collapse
The mentioned /data format is not a workaround per se, it's the only working workflow to get things going once you find the need to get back to OOS for the time being.
Accepting that is part of the process!
Users should know this upfront so they don't find out the hard way.
I'm currently running OxygenOS 5.0.3 and my understanding is that it uses Keymaster1. If I'm now upgrading to LineageOS 15.1 it'd change to Keymaster3 but without the need of formatting.
However, if I'd want to revert to OxygenOS 5.0.3 with Keymaster1 I would have to format /data. Is my understanding correct?
Macusercom said:
I'm currently running OxygenOS 5.0.3 and my understanding is that it uses Keymaster1. If I'm now upgrading to LineageOS 15.1 it'd change to Keymaster3 but without the need of formatting.
However, if I'd want to revert to OxygenOS 5.0.3 with Keymaster1 I would have to format /data. Is my understanding correct?
Click to expand...
Click to collapse
My experience has been that the ROM can decrypt without any issues, but TWRP can't decrypt without formatting /data with the stock recovery.
the Doctor said:
My experience has been that the ROM can decrypt without any issues, but TWRP can't decrypt without formatting /data with the stock recovery.
Click to expand...
Click to collapse
As previous posters have alluded to, use "twrp-3.2.1-0-universal-codeworkx-dumpling.img". This is able to decrypt 5.0.3.
wunderdrug said:
As previous posters have alluded to, use "twrp-3.2.1-0-universal-codeworkx-dumpling.img". This is able to decrypt 5.0.3.
Click to expand...
Click to collapse
Right. Flash Omni or Lineage, then go back OOS and try it again as Macusercom says in the post I quoted.
I decided to upgrade to the latest Oxygen OS yesterday.
I had root, and TWRP Custom Recovery(3.2.1-0) and unlocked bootloader.
I unrooted, relocked bootloader and installed the latest full zip from oxygen os.
Then I unlocked bootloader and rerooted again and installed TWRP Recovery again.
Everything was working fine.
After everything was installed/restored I figured it would be good to take a nandroid backup, I took one and on reboot I get a bootloop to recovery.
I was able to reproduce this twice.
I think this has to do with something with fingerprint setup.
I'm a bit a loss on how to fix this without going trough a full wipe again.
I already tried wiping cache and dalvik, but no solution.
i had the same kind of issue. were you decrypted before?
If you are decrypted you need to flash the no verify zip. If you are encrypted try a dirty flash of OOS and Magisk. If you aren't using the most up to date version of Magisk that could have caused your problem. I've had no issues with Nandroid backup problems caused by fingerprint or pin security when using Codeworks or Blu Spark TWRP.
I was encrypted before and I am still encrypted.
I don't understand that taking a backup renders the phone unusable.
Restore fails with createTarFork() process ended with ERROR=255.
I made a clean flash(and locked bootloader) as it is a requirement for the latest OOS due to the upgrade to oreo.
Would it be possible to do a dirty flash with the full zip (I used: OnePlus5Oxygen_23_OTA_028_all_1801031502_04d7cc5.zip) and unlocked bootloader?
Secondly, I think I will try one of the suggested recoveries and see what it brings.
Hi everyone,
Just got my new G6, after much pain I managed to unlock the bootloader, install TWRP (v3.2.1.0) and to root it with SuperSU (stable release 2.82).
For now I'll keep the stock rom but I wanted to make a backup in case something went wrong with other tweaking I might do and I couldn't because TWRP couldn't "mount /system (device or resource busy)".
So I went into the mount menu and tried checking system but it just won't. I can mount it as read only but I can't mount it as writable.
If it's of any importance, I couldn't get magisk to install to root the phone and had to use SuperSU instead.
I could do the backup while mounting system as read only but I feel like it might be an issue in the future (for custom roms or even restoring the backup maybe ?) if I can't fix this issue.
So does anyone how to get TWRP to mount system as writable ? Thank you
Elvenstar said:
Hi everyone,
Just got my new G6, after much pain I managed to unlock the bootloader, install TWRP (v3.2.1.0) and to root it with SuperSU (stable release 2.82).
For now I'll keep the stock rom but I wanted to make a backup in case something went wrong with other tweaking I might do and I couldn't because TWRP couldn't "mount /system (device or resource busy)".
So I went into the mount menu and tried checking system but it just won't. I can mount it as read only but I can't mount it as writable.
If it's of any importance, I couldn't get magisk to install to root the phone and had to use SuperSU instead.
I could do the backup while mounting system as read only but I feel like it might be an issue in the future (for custom roms or even restoring the backup maybe ?) if I can't fix this issue.
So does anyone how to get TWRP to mount system as writable ? Thank you
Click to expand...
Click to collapse
Have you formatted data trough the dedicated option in TWRP? Format, not wipe, where you have to put "yes".
Anyway you can try with Melina's TWRP which solves many problems of the official one: https://forum.xda-developers.com/lg-g6/development/recovery-twrp-3-2-1-unofficial-fixes-t3722199
Killua96 said:
Have you formatted data trough the dedicated option in TWRP? Format, not wipe, where you have to put "yes".
Anyway you can try with Melina's TWRP which solves many problems of the official one: https://forum.xda-developers.com/lg-g6/development/recovery-twrp-3-2-1-unofficial-fixes-t3722199
Click to expand...
Click to collapse
I did try it once after the magisk install failed and I assumed it was because of that issue but I haven't tried yet with superSU correctly installed. Should I immediately try the backup after formatting or boot the phone once before ?
The issue I have with Melina's TWRP is that it's not compatible with fulmics and if I were to install any custom rom I think it would be that one (to keep stock camera mostly)
Elvenstar said:
I did try it once after the magisk install failed and I assumed it was because of that issue but I haven't tried yet with superSU correctly installed. Should I immediately try the backup after formatting or boot the phone once before ?
The issue I have with Melina's TWRP is that it's not compatible with fulmics and if I were to install any custom rom I think it would be that one (to keep stock camera mostly)
Click to expand...
Click to collapse
Format data, reboot recovery, and try to install magisk or mount system.
For Melina's TWRP it has NO problems with Fulmics, Zefie said that "officially" is not compatible because two users said that they have problems with that TWRP only with fulmics, i can assure you that with last version of both Melina's TWRP and Fulmics i never had problems like those two users, anyway you can try to use Melina's TWRP and if you have any problems just flash back the official twrp.
Killua96 said:
Format data, reboot recovery, and try to install magisk or mount system.
For Melina's TWRP it has NO problems with Fulmics, Zefie said that "officially" is not compatible because two users said that they have problems with that TWRP only with fulmics, i can assure you that with last version of both Melina's TWRP and Fulmics i never had problems like those two users, anyway you can try to use Melina's TWRP and if you have any problems just flash back the official twrp.
Click to expand...
Click to collapse
Alright so it's been a rough ride.
I formatted data, reboot TWRP and then indeed I was able to mount system as writable.
I then did my backup, which said it was successful and the only error it showed then was "unable to unmount /system"
I flashed magisk and rebooted into the normal system and the phone of course was back to factory settings and asked me my google account. Except that when I tried logging in it always showed me an error along the lines of "google play services keeps crashing". (making it impossible to get through the installation part of the system)
I'm not sure why that happened. I had frozen some apps but that shouldn't have been saved since I formatted data right ? and the phone was working perfectly fine before that.
But anyway I didn't really know what to do at that point so I just jumped the gun and downloaded and flashed fulmics.
It worked fine but only with supersu. For some reason magisk just doesn't want to get installed at all.
The rom itself worked fine but I had no root access by choosing magisk in the aroma installer so I wiped again and installed it again with supersu which works.
I also flashed xposed which is also working as intended.
So I'm all set for now I think.
Maybe when I need to wipe again I'll figure out why magisk doesn't work but for now I'm satisfied.
In any case, thank you for your help