Many corporate IT security policies including mine at work are requiring that all devices used for work, i.e. BYOD, must be encrypted. I prefer my device to be rooted…and control my device to my liking. There’s a problem though… it’s not easy encrypting with root present. I set out on a mission to get it working.
There is very little information about encrypting Galaxy S6 devices (or any Galaxy for that matter) with root. I've tried numerous methods around the web and here on XDA but none worked with any of the current ROMs. I spent several days researching, investigating, and testing various methods before finding a solution that works.
Although not required, I started a fresh start—flashed the official Marshmallow stock ROM for my device (SM-G920i) and in the process wipe my device completely, including formatting the data partition and wiping the internal SD.
I previously had Lollipop installed with custom ROM. A nandroid was performed, ran TiBu then copied all the contents of the internal memory on my laptop prior to going to official stock. Can never be too careful.
The steps outlined below was tested on both ALEXIS ROM 5.0 and XtreStoLite 3.3.1 ROMs using the G920i unlocked variant. It may work on other international variants.
Flash stock Marshmallow ROM through Odin in ‘AP’ with AutoReboot and NAND Erase checked (from Odin v3.11.1 options)
Flash CF-AutoRoot via ODIN [let it auto-reboot when complete]
Flash TWRP 3.0.2-1 via ODIN [disable auto-reboot in ODIN options]
Reboot into TWRP recovery
Perform factory reset then format Data partition
Reboot TWRP recovery so that the Data partition is refreshed
Copy custom ROM and other flash files you’ll be using to /sdcard/ using ADB Push command. For example o adb push Rom.zip /sdcard/tools.
Flash custom ROM then reboot
Be patient—reboot will take about 5 minutes
Power off then boot into TWRP again to perform a factory reset and wipe Delvic cache
Reboot - wait patiently as boot will take several minutes
When the system finally boots up go through the first start wizard then go into setting to set up pin and fingerprints you wish to use
Encrypt phone -- this will take a while before it's complete. Be patient; the device will reboot several times, ask for password at boot-up then boot into the finally into the system.
The phone is now encrypted. Because we performed a factory reset, root and TWRP recovery were removed. We now have to flash CF-autoroot and TWRP recovery via Odin. Again, patience is required--it'll take about 5-10 minutes for the boot to complete.
Note that TWRP does not know how to decrypt Samsung encryption and therefore it can't read the /data/ partition. That partition will either have to be formatted before flashing a new ROM or removing encryption. Now I did not test removing the encryption, but I’d suggest that you have current backups of your device prior to performing that task.
I hope this helps anyone experiencing this issue.
Seems to me, that if they want the device encrypted, they would also prohibit root, it is a security risk.
So is there any chance to update an encrypted Rom via TWRP?
Good walkthrough.
I did also some research and i found on some other forums the opinion, that a full-disk-encryption on a rooted phone make not much sense,
where you can replace/install the custom recovery and decrpt the data with some adb commands? Is that true?
Confusing.
tefole said:
Good walkthrough.
I did also some research and i found on some other forums the opinion, that a full-disk-encryption on a rooted phone make not much sense,
where you can replace/install the custom recovery and decrpt the data with some adb commands? Is that true?
Confusing.
Click to expand...
Click to collapse
twrp do don't support samsung decryption, so encrypted data can be only deleted. but, if you enable reactivation lock, then, you can't flash in recovery, so stolen phone is like brick
BUT with custom rom (TyrannusRom and note 7 port) encrypted phone do not boot (boot loop), so there I finished my work with encryption
paulyz said:
twrp do don't support samsung decryption, so encrypted data can be only deleted. but, if you enable reactivation lock, then, you can't flash in recovery, so stolen phone is like brick
Click to expand...
Click to collapse
I see.
I believe, that i can live without the ability that TWRP doenst decrypt the /data and the /sdcard partition,
if I can run with a CFW, and if the phone is rooted and encrypted.
After i put the CFW on the phone, even I need TWRP anymore. Usually i try to dont change the CFW so frequently.
With reactivation look you mention the "OEM unlock" in the Android\developer settings I guess?
Is the flashing really locked, like brick, really? If you can't flash in recovery, but how to restore a stock firmware with odin? Isnt it the same?
I didnt get that
tefole said:
I see.
I believe, that i can live without the ability that TWRP doenst decrypt the /data and the /sdcard partition,
if I can run with a CFW, and if the phone is rooted and encrypted.
After i put the CFW on the phone, even I need TWRP anymore. Usually i try to dont change the CFW so frequently.
With reactivation look you mention the "OEM unlock" in the Android\developer settings I guess?
Is the flashing really locked, like brick, really? If you can't flash in recovery, but how to restore a stock firmware with odin? Isnt it the same?
I didnt get that
Click to expand...
Click to collapse
"Reactivation lock lets you use your Samsung account to prevent others from activating your device if it's ever lost or stolen. With Reactivation lock turned on, you will be required to enter your Samsung account credentials prior to performing a factory reset on the device. Your Samsung account login should be something you can easily remember."
when RL activated, you can't flash, you always get error.
One big problem, what after encryption you can't update ROM, change or update kernel and etc.
I see., thx for the infos.
I did some research as well. With activated RL you can go only in download mode and install stock with Odin.
But the phone is going to ask you for your samsung account credentials - anyway.
tefole said:
I see., thx for the infos.
I did some research as well. With activated RL you can go only in download mode and install stock with Odin.
But the phone is going to ask you for your samsung account credentials - anyway.
Click to expand...
Click to collapse
if you will find useful information, post, because, I very interested too, just do not have a lot time to play with this.
Ok have a ZTE Axon 7 can't flash any thing because of it instantly encryption and I get recovery and then game over any one have a Cure for this......... thanks in advance.
You have to do a factory wipe, to remove encryption. Then when setting up the phone again when it prompts you to set a security pin or finger sprints skip that part.
chairmanmarv said:
You have to do a factory wipe, to remove encryption. Then when setting up the phone again when it prompts you to set a security pin or finger sprints skip that part.
Click to expand...
Click to collapse
Tried that and it didn't work.....it doesn't matter what I flash stock ROMs tell me my password is correct but memory is corrupt and need to be wiped and when I flash a custom ROM it doesn't boot just two flashes of the led and that's it.
Which TWRP recovery are you on?
What I mean by Factory reset is a full Factory wipe your whole internal is erased. It is like a clean slate new phone.
You should have all the necessary files for your flash on your sd card there is an option to select storage to flash from there.
So when I first swapped from Stock Nougat to AEX I was encrypted on 5/4 ROM my internal was locked by encryption and could only dirty flash roms. it was annoying so I factory wiped and flashed latest AEX from there and didn't set up security right away so no encryption.
I realised my TIBU back ups were all on internal so had to basically start from scratch oops lol.
It is a little outdated now with the official Oreo roms but user @Oki 's guide helped me a lot and has clear steps and guides to get you all rooted and sorted on custom roms.
https://forum.xda-developers.com/axon-7/how-to/guide-axon-7-custom-oreo-roms-newbies-t3786693
chairmanmarv said:
Which TWRP recovery are you on?
What I mean by Factory reset is a full Factory wipe your whole internal is erased. It is like a clean slate new phone.
You should have all the necessary files for your flash on your sd card there is an option to select storage to flash from there.
So when I first swapped from Stock Nougat to AEX I was encrypted on 5/4 ROM my internal was locked by encryption and could only dirty flash roms. it was annoying so I factory wiped and flashed latest AEX from there and didn't set up security right away so no encryption.
I realised my TIBU back ups were all on internal so had to basically start from scratch oops lol.
It is a little outdated now with the official Oreo roms but user @Oki 's guide helped me a lot and has clear steps and guides to get you all rooted and sorted on custom roms.
https://forum.xda-developers.com/axon-7/how-to/guide-axon-7-custom-oreo-roms-newbies-t3786693
Click to expand...
Click to collapse
Just found out that the phone has bricked itself it would play any video or sound so did a hard reset now just getting a constant boot loop trying to get it in to EDL as we speak.....got EDL flashed stock ROM in miflasher now stuck on splash screen.......been on the splash screen for 10 minutes now.......
chairmanmarv said:
Which TWRP recovery are you on?
What I mean by Factory reset is a full Factory wipe your whole internal is erased. It is like a clean slate new phone.
You should have all the necessary files for your flash on your sd card there is an option to select storage to flash from there.
So when I first swapped from Stock Nougat to AEX I was encrypted on 5/4 ROM my internal was locked by encryption and could only dirty flash roms. it was annoying so I factory wiped and flashed latest AEX from there and didn't set up security right away so no encryption.
I realised my TIBU back ups were all on internal so had to basically start from scratch oops lol.
It is a little outdated now with the official Oreo roms but user @Oki 's guide helped me a lot and has clear steps and guides to get you all rooted and sorted on custom roms.
https://forum.xda-developers.com/axon-7/how-to/guide-axon-7-custom-oreo-roms-newbies-t3786693
Click to expand...
Click to collapse
Ok now got the thing back was able to reunlock the bootloader and installed recovery flashed candy rom with one issue could not mount system so now just flashed Oreo stock rom so all good again....... thanks for the help
The stock ROM encrypts by default, and formatting data partition in twrp is the only way to remove it. But to prevent the encryption before it happens, you have a few options:
1. If you dont plan to root, flash @jcadduono's no verity opt encrypt zip (Google it)
2. Magisk and SuperSU can optionally disable encryption before it happens. Magisk Manager has a config option if you're installing from the app. You can use Aroma SuperSU config if SuperSU is your root method of choice.
Hope that helped!
I would like to note that AOSP/Lineage/CM-based ROMs dont encrypt by default. though Im sure it could be enabled if you wanted to. This seems to be unique to the stock ROMs, mainly because Google insists that phone OEMs should go for higher security by enabling encryption as the default.
AnonVendetta said:
The stock ROM encrypts by default, and formatting data partition in twrp is the only way to remove it. But to prevent the encryption before it happens, you have a few options:
1. If you dont plan to root, flash @jcadduono's no verity opt encrypt zip (Google it)
2. Magisk and SuperSU can optionally disable encryption before it happens. Magisk Manager has a config option if you're installing from the app. You can use Aroma SuperSU config if SuperSU is your root method of choice.
Hope that helped!
I would like to note that AOSP/Lineage/CM-based ROMs dont encrypt by default. though Im sure it could be enabled if you wanted to. This seems to be unique to the stock ROMs, mainly because Google insists that phone OEMs should go for higher security by enabling encryption as the default.
Click to expand...
Click to collapse
Yep this is the problem I am having now....... can't find much info about it.
So, I've been reading ad nauseum on this topic with regards to flashing new ROMs on my 6t and getting locked out due to decryption.
Among other threads and places across the interweb, I've read all of these:
https://forum.xda-developers.com/search/forum/8259?query=Encryption
During my travels I've discovered that the s**t doesn't really hit the fan until "data" is wiped via TWRP. I see that the recommend process for flashing new ROMs goes like this:
Boot on twrp
Flash ROM
Flash twrp installer
Reboot to twrp
Factory reset
Reboot to system
Am I understanding this correctly that if I transpose steps 4 and 5, then I shall plan on losing all of my data, but if I reboot from TWRP (right back into TWRP) before step 5 (aka data wipe), I shouldn't loose my data?
Assuming that is correct, does it matter if I leave a lock screen password enabled before rebooting to TWRP from the soon-to-be replaced ROM? I ask this because removing the lock screen password did not seem to reduce my chances of encountering permananly encrypted data.
Thanks!
notorious.dds said:
So, I've been reading ad nauseum on this topic with regards to flashing new ROMs on my 6t and getting locked out due to decryption.
Among other threads and places across the interweb, I've read all of these:
https://forum.xda-developers.com/search/forum/8259?query=Encryption
During my travels I've discovered that the s**t doesn't really hit the fan until "data" is wiped via TWRP. I see that the recommend process for flashing new ROMs goes like this:
Boot on twrp
Flash ROM
Flash twrp installer
Reboot to twrp
Factory reset
Reboot to system
Am I understanding this correctly that if I transpose steps 4 and 5, then I shall plan on losing all of my data, but if I reboot from TWRP (right back into TWRP) before step 5 (aka data wipe), I shouldn't loose my data?
Assuming that is correct, does it matter if I leave a lock screen password enabled before rebooting to TWRP from the soon-to-be replaced ROM? I ask this because removing the lock screen password did not seem to reduce my chances of encountering permananly encrypted data.
Thanks!
Click to expand...
Click to collapse
Yes. For the love of god. Someone please clear up how we can flash on the go. I don't always have access to a computer with Adb/fastboot.
Every time I try to switch roms, upon rebooting to TWRP, my folders encrypt. Then I have to format data and voila, no fricking ROM to flash and I'm stuck
idkwhothatis123 said:
Yes. For the love of god. Someone please clear up how we can flash on the go. I don't always have access to a computer with Adb/fastboot.
Every time I try to switch roms, upon rebooting to TWRP, my folders encrypt. Then I have to format data and voila, no fricking ROM to flash and I'm stuck
Click to expand...
Click to collapse
Yeah A/B partition are a nuisance when it comes to flashing. I'd recommend you to do a clean flash of the ROM. Follow these steps.
1. Download the Latest Stable OOS from OnePlus's Website. Download the ROM ZIP of your Choice as well as the latest TWRP Installer. Transfer these to your phone and also copy them to a Laptop as you might have to Format Data.
2. Now Reboot to Recovery and flash OOS ZIP and TWRP Installer. Let it finish. Once it's done Reboot to Recovery from Within TWRP.
3. Again flash OOS and TWRP Installer. If for some reason your folders are messed up (as you posted in the image earlier) just go to Wipe and Format Data. And transfer the OOS and TWRP Installer to Internal and Flash them. Let it finish.
4. Once that's done, now again Reboot to Recovery and now flash ROM and TWRP Installer. After that's done, again Reboot to Recovery.
5. Again, flash ROM and TWRP Installer. Once done, Reboot to Recovery.
6. Now flash Gapps of your Choice. Stock are Recommend while anything above Nano will work. AROMA won't work. Once Gapps are flashed now go to Wipe and do a Factory Reset (Swipe to Factory Reset). Once that's Done, hit Reboot System and wait for the ROM to Load.
7. After the Initial Setup, Reboot to Recovery and flash Magisk and Custom Kernel if you want.
Personally I Format Data after flashing Gapps to get a "clean install". But that's not necessary. Also if you want to flash ROMs often I'd suggest investing in Swift Backup. It's an excellent app for Backups and can Backup almost Anything. Hope this helps.
This is what I do. Occasionally I get the Encrypted Folders but if followed correctly all is smooth. I can flash any ROM without Encryption. Except maybe stock OOS.
Thanks Mannan.
However, what I'm really looking for is someone to explain the following:
1. Which action or actions is it that triggers the phone to be encypted without a way to decrypt when flashing a new rom? My suspicion is that if the phone was encrypted while having been boot from slot A, then wiping data while in slot A results in data loss. By extension, rebooting into slot B and then wiping data allows slot B to now hold the encryption key. I'm sure this theory has got some errors, but it's the best I can come up with having no intrinsic knowledge on the topic.
2. Are there any means of mitigating data loss should the phone become encrypted? I.e. If possible, can I back up data (minus /data/media) and then restore that when I can't get access to /data/media?
With regards to question #1, I developed my "suspicion" after lossing ambition to test it. When I get my ambition back to fight this issue, I'll try again. I'm just getting sick of transfering 25+ gigs of data via adb every time the data gets encrypted and I can't get it decrypted.
notorious.dds said:
Thanks Mannan.
However, what I'm really looking for is someone to explain the following:
1. Which action or actions is it that triggers the phone to be encypted without a way to decrypt when flashing a new rom? My suspicion is that if the phone was encrypted while having been boot from slot A, then wiping data while in slot A results in data loss. By extension, rebooting into slot B and then wiping data allows slot B to now hold the encryption key. I'm sure this theory has got some errors, but it's the best I can come up with having no intrinsic knowledge on the topic.
2. Are there any means of mitigating data loss should the phone become encrypted? I.e. If possible, can I back up data (minus /data/media) and then restore that when I can't get access to /data/media?
With regards to question #1, I developed my "suspicion" after lossing ambition to test it. When I get my ambition back to fight this issue, I'll try again. I'm just getting sick of transfering 25+ gigs of data via adb every time the data encryption kicks in.
Click to expand...
Click to collapse
You're not that far off, actually. And while I'm no developer I suspect that Encryption kicks in when
a). You flash stock OOS. No matter what ROM you are on, when you flash OOS it's possible you can get encrypted. I'm not sure about this but if a developer could confirm that'd be great. This one time, I flashed OOS Stable while on Beta and it Encrypted my Storage. So I had to retransfer with a computer to flash it the required two times. So basically avoid flashing OOS when on a Custom ROM. Even when switching ROMs.
b). Just as you said, when you Wipe Data within TWRP and then Reboot to TWRP it also Encrypts the Device. So I usually Wipe Data after flashing ROM & Gapps. Otherwise if you Wipe Data after flashing ROM it will Encrypt you.
And to answer that last Question the app I personally use is called Swift Backup. It's an amazing app and although it costs $5.49 it can Backup Apps and Data. It can also backup the Files in Android/obb. Give it a go.
Mannan Qamar said:
You're not that far off, actually. And while I'm no developer I suspect that Encryption kicks in when
a). You flash stock OOS. No matter what ROM you are on, when you flash OOS it's possible you can get encrypted. I'm not sure about this but if a developer could confirm that'd be great. This one time, I flashed OOS Stable while on Beta and it Encrypted my Storage. So I had to retransfer with a computer to flash it the required two times. So basically avoid flashing OOS when on a Custom ROM. Even when switching ROMs.
Click to expand...
Click to collapse
I've been fiddling around with OOS and The Pixel Experience (aka TPE) ROM. I've yet to need to flash OOS in order to loose my ability to decrypt. Flashing TPE screws everything up quite nicely as well. That said, I have gotten into the situation where TWRP (booted from either slot) has got everything encrypted. However, in one case, I was able to get the data back by recreating the boot_a partition as it existed before I wiped data. I think there may be something to be learned here. However, subsequent attempts to use this method have not been successful. In other words, I'm not sure what I actually learned.
Mannan Qamar said:
And to answer that last Question the app I personally use is called Swift Backup. It's an amazing app and although it costs $5.49 it can Backup Apps and Data. It can also backup the Files in Android/obb. Give it a go.
Click to expand...
Click to collapse
I'm still using Titanium Backup (paid version as well). It works quite well and I'm happy with it. That said, it's still a much bigger pain in the butt to restore vs performing a nandroid restore of the data. It's apples and oranges though. In order for the nandroid to provide any real value, you pretty much have to do right before need it... unless you never do anything on your phone. It also only works with the ROM from which it was created... obviously. Since my current nandroid backup of /data is > 22 gb, its fairly cumbersome.
notorious.dds said:
I've been fiddling around with OOS and The Pixel Experience (aka TPE) ROM. I've yet to need to flash OOS in order to loose my ability to decrypt. Flashing TPE screws everything up quite nicely as well. That said, I have gotten into the situation where TWRP (booted from either slot) has got everything encrypted. However, in one case, I was able to get the data back by recreating the boot_a partition as it existed before I wiped data. I think there may be something to be learned here. However, subsequent attempts to use this method have not been successful. In other words, I'm not sure what I actually learned.
I'm still using Titanium Backup (paid version as well). It works quite well and I'm happy with it. That said, it's still a much bigger pain in the butt to restore vs performing a nandroid restore of the data. It's apples and oranges though. In order for the nandroid to provide any real value, you pretty much have to do right before need it... unless you never do anything on your phone. It also only works with the ROM from which it was created... obviously. Since my current nandroid backup of /data is > 22 gb, its fairly cumbersome.
Click to expand...
Click to collapse
I dunno if it will work but when you get Encrypted try booting the TWRP image. Maybe that'll work.
Doesn't this problem occur with backups and restore from twrp as well?.... This A/B stuff I'm not used to but I'll keep reading and hopefully something in my brain will kick in lol...
Mannan Qamar said:
I dunno if it will work but when you get Encrypted try booting the TWRP image. Maybe that'll work.
Click to expand...
Click to collapse
Yeah, that I defintitely tried. No dice. However, I just backed up everthing and I'm about to start blowing the thing up with ROM flashes. Consider it a stress test. I'll report back.
What I've got so far...
Coming from OOS 9.0.14 running on slot B with a lock screen pattern enabled, I boot into TWRP on slot B.
I then flashed The Pixel Experiance ROM via it's .zip file. (The flash is then applied to slot A because it goes to the inactive slot).
Flashed the TWRP install .zip
Changed active slot to A
Reboot to recovery (aka TWRP) ... now in slot A.
wiped data (minus storage)
Flashed magisk
Reboot system
This got me into the new ROM with data intact. However, when rebooting to recovery (still slot A), it would ask for a pattern but yet wouldn't accept the pattern to decrypt. Rebooting back into Pixel Experience the data was decrypted. So, even the data would decrypt when booted into system, I could no longer get to the data from within TWRP. I then changed the lock pattern from within Pixel Experience and reboot to TWRP, it still couldn't decrypt the data. Rebooting back to system succeeded in that it actually boot, but I could no longer unlock the phone (stuck on "phone is starting"). My presumption at this point was that Pixel Experience could no longer decrypt the data.
I then:
Reboot to TWRP (slot A still)
Flashed OOS
Flashed TWRP
Set active slot to B
Reboot to recovery (aka TWRP)
wiped data (minus storage)
reboot to system
At this point OOS failed to boot and I was returned to TWRP. Data was still not able to be decrypted. I then did a factory reset plus wiped storage (aka data, dalvik, and internal storage) and tried to boot to system... still failed and sent me back to TWRP. This time, although data was empty, it was decrypted. I tried to reboot system again. It failed again and sent me back to TWRP.
So, at this point , I've wiped data and internal storage but I cannot get stock OOS to boot. So, I reboot to bootloader and executed:
Code:
fastboot -w
My understanding is that this should do the same this as performing a factory reset from within TWRP. However, rebooting to system succeeded this time.
So, the new questions are:
1. How is it that I can decrypt data when booted into Pixel Experience on slot A, but I cannot decrypt the data via TWRP?
2. If I removed the lock screen pattern from OOS before flashing PixelExperience, would I have been able to decrypt the data in both the ROM and within TWRP?
3. Why is factory resetting via fastboot effective when doing so in TWRP is not?
notorious.dds said:
What I've got so far...
Coming from OOS 9.0.14 running on slot B with a lock screen pattern enabled, I boot into TWRP on slot B.
I then flashed The Pixel Experiance ROM via it's .zip file. (The flash is then applied to slot A because it goes to the inactive slot).
Flashed the TWRP install .zip
Changed active slot to A
Reboot to recovery (aka TWRP) ... now in slot A.
wiped data (minus storage)
Flashed magisk
Reboot system
This got me into the new ROM with data intact. However, when rebooting to recovery (still slot A), it would ask for a pattern but yet wouldn't accept the pattern to decrypt. Rebooting back into Pixel Experience the data was decrypted. So, even the data would decrypt when booted into system, I could no longer get to the data from within TWRP. I then changed the lock pattern from within Pixel Experience and reboot to TWRP, it still couldn't decrypt the data. Rebooting back to system succeeded in that it actually boot, but I could no longer unlock the phone (stuck on "phone is starting"). My presumption at this point was that Pixel Experience could no longer decrypt the data.
I then:
Reboot to TWRP (slot A still)
Flashed OOS
Flashed TWRP
Set active slot to B
Reboot to recovery (aka TWRP)
wiped data (minus storage)
reboot to system
At this point OOS failed to boot and I was returned to TWRP. Data was still not able to be decrypted. I then did a factory reset plus wiped storage (aka data, dalvik, and internal storage) and tried to boot to system... still failed and sent me back to TWRP. This time, although data was empty, it was decrypted. I tried to reboot system again. It failed again and sent me back to TWRP.
So, at this point , I've wiped data and internal storage but I cannot get stock OOS to boot. So, I reboot to bootloader and executed:
My understanding is that this should do the same this as performing a factory reset from within TWRP. However, rebooting to system succeeded this time.
So, the new questions are:
1. How is it that I can decrypt data when booted into Pixel Experience on slot A, but I cannot decrypt the data via TWRP?
2. If I removed the lock screen pattern from OOS before flashing PixelExperience, would I have been able to decrypt the data in both the ROM and within TWRP?
3. Why is factory resetting via fastboot effective when doing so in TWRP is not?
Click to expand...
Click to collapse
Well starting from the way you flashed the ROM, the rule of thumb is that you NEVER manually change slots. Now since you are on stock follow the instructions I posted earlier to flash PE or any other ROM for that matter. I think when you manually set the slot it somehow messed up Decryption. Next, after flashing OOS from TWRP when you are on a Custom ROM, you must always Format Data. The command you ran via Fastboot (fastboot -w) does just that.
So I just flashed Bootleggers from Stock OpenBeta 11. These are the steps I followed. I was successfully able to flash and was able to keep my Data intact. These are the steps I followed.
Starting from OpenBeta 11 I flashed ROM (Bootleggers) and then TWRP Installer. Then go to Reboot and Select Recovery. Once in Recovery, again flash ROM and TWRP Installer. Once done, reboot to Recovery. Flash Gapps and then go to Wipe and do a Swipe to Fa Tory Reset. This will Delete all your Data except Internal Storage. This is a necessary step when flashing a ROM. Once done, reboot to System. After this I was able to boot up Successfully with my Internal Storage as it was before flashing. After that I restored my backup. Everything is working and I can enter and Decrypt TWRP without error.
This thread should be pined as a guide because instalation notes in ROM threads are so basic.
A couple of things come to mind reading this thread in reference to encryption
1) if security patches dont match on A/B, it seems to trigger a lockout with encryption. i may be wrong.
2) if internal storage isnt wiped, i.e.-if you use the "factory reset' option in twrp, your data is still there and that in itself post-flash can trigger encryption error as the data is still there.
I think about it like this, despite it being A/B partitions, the data is like a middle layer that isnt individualized to one partition or the other. so a trigger/failure for secure boot encrypts it all.
kitcostantino said:
A couple of things come to mind reading this thread in reference to encryption
1) if security patches dont match on A/B, it seems to trigger a lockout with encryption. i may be wrong.
2) if internal storage isnt wiped, i.e.-if you use the "factory reset' option in twrp, your data is still there and that in itself post-flash can trigger encryption error as the data is still there.
I think about it like this, despite it being A/B partitions, the data is like a middle layer that isnt individualized to one partition or the other. so a trigger/failure for secure boot encrypts it all.
Click to expand...
Click to collapse
I'm pretty sure, that if you flash anything with a security patch earlier than the one you're currently using your data will get encrypted.
Which is why it happens with going back to OOS from custom, because they're always late with security patches compared to custom roms.
The hardest thing for.me coming from an A only device (Axon 7) has been learning order of operations. as long as one flashes rom followed by twrp and then a reboot into recovery, followed by installing magisk, things usually go okay. Going from aosp to aosp went okay, but like you said moving from OOS to AOSP or vice versa always yielded encryption lock. maybe we could make a merged security patch or something of the sort to bridge the gap. im no dev, so im sure someone who knows more than i can tell us why that wouldnt work. it would be really cool for One Plus to gain a better foothold in custom OS before the majority of crack flashers and devs swear off. Dont get me wrong, OOS is amazing and i feel with the inherent features, is superior to any other stock rom, but android is all about choice.
i really and truly wish someone would make a version of TWRP that had a dual boot set up vs A/B. I have had devices (looking at you, Droid Bionic) that never had proper root/bl unlock and had amazing rom communities bc of safestrap/dual boot/etc. i am more than willing to give up internal storage space to duplicate/clone /data and anything else that is on both systems. i also wish recovery had its own partition again, but that one is beyond our control at this point as it resides in boot now.
Maybe its conceivable. Who knows.
I have no issues. I don't lose anything when I flash ROMs. I boot to twrp, factory reset(not wipe storage), flash ROM, flash twrp installer....boot ROM, reboot twrp, flash gapps, custom kernel. Then I factory reset again (not wipe storage) and then install magisk..done....no issues. It will fail boot once and then boot fine because of this process but only after you do this. So if you reboot later you are fine...I keep all my stuff
First off, I want to thank all of you who contributed to this thread. I'm defintely gaining a better understanding of some of the pitfalls associated with A/B devices and encryption. Thanks!
Mannan Qamar said:
Well starting from the way you flashed the ROM, the rule of thumb is that you NEVER manually change slots. Now since you are on stock follow the instructions I posted earlier to flash PE or any other ROM for that matter. I think when you manually set the slot it somehow messed up Decryption.
Click to expand...
Click to collapse
So, my understand is that flashing a new ROM from within TWRP flashes it to the inactive slot. Therefore, my assumptions as to the reasoning behind rebooting from TWRP back into TWRP before wiping data were that:
Any modifiations made to the boot partition intended to affect the new ROM need to be made to the boot partition that shares the same slot as that of the new ROM, and
Wiping data while booted into image of TWRP which shares the same slot as the new ROM has some magical effect on preserving the ability to decrypt data vs wiping data while booted into the image of TWRP that resides in the slot of the ROM to be replaced.
It is these assumptions (combined with my execution of the basic recipe failing to prevent encryption lock-out) which led me to manually changing slots. I will say this... after flashing PE and TWRP.zip from within TWRP on slot B, simply rebooting to recovery brought me right back to TWRP on slot B. If PE is now on slot A, how does installing magisk, etc. do me any good while in slot B? Also, are my assumptions misguided as to the "why" rebooting to TWRP before installing magisk, wiping data, etc is necessary?
Mannan Qamar said:
Next, after flashing OOS from TWRP when you are on a Custom ROM, you must always Format Data. The command you ran via Fastboot (fastboot -w) does just that.
Click to expand...
Click to collapse
Lightbulb status: on
Thanks!
kitcostantino said:
If security patches dont match on A/B, it seems to trigger a lockout with encryption. i may be wrong.
Click to expand...
Click to collapse
Is this why in Mannan Qamar's earlier post he appears to be flashing the new ROM to BOTH slots before trying to boot into system?
ebproject said:
I'm pretty sure, that if you flash anything with a security patch earlier than the one you're currently using your data will get encrypted.
Which is why it happens with going back to OOS from custom, because they're always late with security patches compared to custom roms.
Click to expand...
Click to collapse
I'm assuming that flashing OOS to BOTH slots as is mentioned earlier with regards to flashing a custom ROM won't help when going back to OOS given the old vs new issue. Has anyone verified that yet?
It's my understanding that the sure security patch is applied to the system partition, correct? Is part of that patch included in boot, or no?
jamescable said:
I have no issues. I don't lose anything when I flash ROMs. I boot to twrp, factory reset(not wipe storage), flash ROM, flash twrp installer....boot ROM, reboot twrp, flash gapps, custom kernel. Then I factory reset again (not wipe storage) and then install magisk..done....no issues. It will fail boot once and then boot fine because of this process but only after you do this. So if you reboot later you are fine...I keep all my stuff
Click to expand...
Click to collapse
I notice that the FIRST thing you do is "factory reset". That's definitely not standard with the install threads I've read. Hmmmmm, interesting.
Also, why do you boot the ROM before flashing gapps, and kernel? It seems unnecessary since you're just factory resetting again. I'm sure I'm missing something on this one.
notorious.dds said:
I notice that the FIRST thing you do is "factory reset". That's definitely not standard with the install threads I've read. Hmmmmm, interesting.
Also, why do you boot the ROM before flashing gapps, and kernel? It seems unnecessary since you're just factory resetting again. I'm sure I'm missing something on this one.
Click to expand...
Click to collapse
Booting to ROM solved the encryption issues
idkwhothatis123 said:
Yes. For the love of god. Someone please clear up how we can flash on the go. I don't always have access to a computer with Adb/fastboot.
Every time I try to switch roms, upon rebooting to TWRP, my folders encrypt. Then I have to format data and voila, no fricking ROM to flash and I'm stuck
Click to expand...
Click to collapse
If you stuck on encrypted storage ever, reboot to system and after you see the setup screen, reboot to recovery again. Voila, your storage is decrypted now.
It happened to me all the time when I flash OOS and this way I am able to decrypt my internal storage.
I have a completely stock Moto G5 Plus (XT1683 - 2GB of RAM) on stock Oreo 8.1 and I want to use the Pixel Experience 10. I've watched some tutorials online but I still have some questions:
1. I've seen many people complaining that they lost their IMEI and 4G, but I still couldn't figure out if that only happened with people that downgraded from a custom Oreo rom to a stock Nougat or if there's a chance of that happening by installing any custom ROM. My phone has the latest official Oreo version and I've never messed with the system before. Is my phone still at risk of losing its IMEI if I install Pixel Experience 10? What did those people do wrong?
2. Now let's talk about the procedures I have to take. After unlocking the bootloader it will wipe my system, right? If that's so, should I let it boot again into Android and turn off or should I immediately get into fastboot and flash TWRP? Will it make a difference? Will the persist and efs partitions be there on TWRP to be backed up or do I need to let Android boot so it can make them first?
3. After everything, if I get into TWRP and it asks for a password, should I just cancel and wipe the partitions to remove the encryption (can I keep the internal storage?) or do I need to install that dm-verity file instead? As I understand the dm-verity if only for when rooting the phone while keeping the stock system, right? (I don't plan to root my phone, only install a custom ROM. It would also be good if I could keep my files, but if I can't, that's fine too.)
My original plan was the following, please take a look to see if i'll do things correctly.
1. Unlock the bootloader
2. Install TWRP immediately, before it even has a chance to restart
3. If TWRP asks for a password, skip and wipe all the partitions, if it doesn't, wipe them anyway to install the new ROM.
4. Backup efs and persist to my SD Card (will they even be there after I wipe the partitions?)
5. Right after that install the custom ROM
6. Reboot, not get into a bootloop and still have my IMEI. Profit.
Is everything right or did I misunderstand something?
Thanks!
Raploz said:
I have a completely stock Moto G5 Plus (XT1683 - 2GB of RAM) on stock Oreo 8.1 and I want to use the Pixel Experience 10. I've watched some tutorials online but I still have some questions:
1. I've seen many people complaining that they lost their IMEI and 4G, but I still couldn't figure out if that only happened with people that downgraded from a custom Oreo rom to a stock Nougat or if there's a chance of that happening by installing any custom ROM. My phone has the latest official Oreo version and I've never messed with the system before. Is my phone still at risk of losing its IMEI if I install Pixel Experience 10? What did those people do wrong?
2. Now let's talk about the procedures I have to take. After unlocking the bootloader it will wipe my system, right? If that's so, should I let it boot again into Android and turn off or should I immediately get into fastboot and flash TWRP? Will it make a difference? Will the persist and efs partitions be there on TWRP to be backed up or do I need to let Android boot so it can make them first?
3. After everything, if I get into TWRP and it asks for a password, should I just cancel and wipe the partitions to remove the encryption (can I keep the internal storage?) or do I need to install that dm-verity file instead? As I understand the dm-verity if only for when rooting the phone while keeping the stock system, right? (I don't plan to root my phone, only install a custom ROM. It would also be good if I could keep my files, but if I can't, that's fine too.)
My original plan was the following, please take a look to see if i'll do things correctly.
1. Unlock the bootloader
2. Install TWRP immediately, before it even has a chance to restart
3. If TWRP asks for a password, skip and wipe all the partitions, if it doesn't, wipe them anyway to install the new ROM.
4. Backup efs and persist to my SD Card (will they even be there after I wipe the partitions?)
5. Right after that install the custom ROM
6. Reboot, not get into a bootloop and still have my IMEI. Profit.
Is everything right or did I misunderstand something?
Thanks!
Click to expand...
Click to collapse
Answer for your questions
1) losing of IMEI no is possible on custom ROM too, but taking the backup of EFS and persist will retrieve them, so no problem. And losing of IMEI is random occur when moving from one rom to other.
2) just let the android boot once, so everything get loads up with unlock bootloader (no need to setup).
3)after installing the twrp, it won't ask for password since your device got format when unlocking bootloader, so it won't ask. If you want to remove encryption then format< type yes. It will remove your encryption.
4) for talking backup of EFS and persist use this method.
Code:
Use the following command to create a backup and save it at /sdcard/persist.img:
dd if=/dev/block/bootdevice/by-name/persist of=/sdcard/persist.img
To restore use the following command:
dd if=/sdcard/persist.img of=/dev/block/bootdevice/by-name/persist
If you have saved a backup using different name then use that name instead.
And seeing your plan, everything seem good, you can continue with your plan.
Note:- for some user PE won't work for them with 2gb version, so I suggest you to take a backup of stock ROM or keep an other rom file in case it needed.