[How-To] Disable Forced Encryption

Search This thread

bbedward

Inactive Recognized Developer
Jun 6, 2010
1,892
2,574
Cleveland, OH
I'm not responsible for anything blah blah

This is intended to disable forced encryption on the nexus 6. You can still encrypt the device after doing this, but it won't be automatically done.

After observing how this force encryption stuff works, I got it mostly figured out. (It's entirely a SW layer, as is already widely known). Basically when all the devices from fstab are mounted in android with the forceencrypt option, fs_mgr sets a flag for encryption (something like IF This_Device_Isnt_Encrypted; then This_Device_Needs_Encryption). on devices (looks like android only allows you to encrypt 1 device, which is probably to prevent such cases as over-resource usage ,maybe some other conflict that it doesn't support over 1 device, idk) that have forceencrypt set on them, if it can't unmount the device before doing these encryption checks - in other words if it's usy (like a file is open) - it just skips encryption all together. So if the device had a file preventing it from being unmounted, it just says "oh well, skip encryption." I found this kinda odd behavior anyway :p

You can still encrypt the device, it just isn't forced. Some people are complaining about the slowness of the encryption SW-layer (why force SW encryption? At least put some HW for it in the device). This makes it the way it probably should be - optional.

Stock LMY47D/LMY47E/LMY47M/LMY47I (5.1.0) - No force encrypt:
https://www.androidfilehost.com/?fid=95916177934540533

Stock LRX22C (5.0.1) - No force encrypt:
https://www.androidfilehost.com/?fid=95857557620392411

Stock LRX21O (5.0) - No force encrypt:
https://www.androidfilehost.com/?fid=95784891001613336

Prerequisites:
- You should be running the same build as the kernel you install (E.G. if you are running 5.1.0 LMY47D you should install the LM47D no force encrypt kernel)
- Your bootloader must be unlocked (fastboot oem unlock)

How-to install kernel:
1.) Reboot to boot loader
2.) Download the appropriate boot.img above
3.) Install it via fastboot (fastboot flash boot boot_noforceencrypt.img)

To disable forced encryption after kernel is installed:
1.) Reboot to boot loader
2.) Format userdata (fastboot format userdata) - This will erase all of your data (apps, sd card, etc.) - so make appropriate backups
 
Last edited:

jjhiza

Senior Member
Dec 19, 2010
3,163
2,697
Dirty Jersey
Look who's back!! ?

Awesome work man... I'll be testing as soon as my whale arrives tomorrow.

*Also, hit me up on Hangouts... I might have something you'd be interested in. Mike is in, come December I think... Could be fun.
 

bbedward

Inactive Recognized Developer
Jun 6, 2010
1,892
2,574
Cleveland, OH
Look who's back!! ?

Awesome work man... I'll be testing as soon as my whale arrives tomorrow.

*Also, hit me up on Hangouts... I might have something you'd be interested in. Mike is in, come December I think... Could be fun.

Will do, I'm quite swamped in projects at the moment :laugh: Got one app I'm supposed to finish up by the 30th. Will I get the time, who knows :p
 

djkinetic

Senior Member
Feb 26, 2011
3,641
1,387
Chicago
I'm not responsible for anything blah blah

I haven't tested this, because I don't have a nexus 6 at the moment. But this is a boot.img that (should) disable forced encryption. Rooted and non-rooted versions available.

What this does is disables forced encryption (and adds root, or not)

This isn't tested, but I'm fairly confident it will work after observing how this force encryption stuff works. Basically when all the devices from fstab are mounted in android, fs_mgr sets a flag for encryption on devices (up to 1 device I guess) that have forceencrypt set on them, if it can unmount the device or it isn't busy (if it can't it just goes on without encryption :cowboy:)

You can still encrypt the device, it just isn't forced. Some people are complaining about the slowness of the encryption SW-layer. This makes it the way it probably should be - optional.

Rooted (Chainfire) - no force encrypt:
https://www.androidfilehost.com/?fid=95784891001613334

Stock - No force encrypt:
https://www.androidfilehost.com/?fid=95784891001613336

Stock (in case these don't work for some reason you can just use this one to go back):
https://www.androidfilehost.com/?fid=95784891001613337

How-to:
1.) Reboot to boot loader
2.) Unlock device (fastboot oem unlock) - will wipe all data
3.) I think unlocking the device will automatically run encryption jobs, so don't do anything important because you'll need to factory reset again
4.) Download 1 of the above no force encrypt files (Chainfire rooted one, or stock one - up to you)
5.) Flash it in the bootloader (fastboot flash boot boot_noforceencrypt.img)
6.) If it works, factory reset the device and it should no longer be automatically encrypted (check in Settings -> Security)
7.) If it doesn't work, go back into the bootloader and flash the stock image.

Like I said, I don't have my own nexus 6 to test yet, but I'm just trying to help out.

flashed the rooted one after data wipe/factory reset trying to normal boot with this version i get an infinite loop of the chainfire auto root script running. flashed the noenforce version and was able to boot up fine but super su says no root. the encryption disable did work however.
 
Last edited:

bbedward

Inactive Recognized Developer
Jun 6, 2010
1,892
2,574
Cleveland, OH
flashed the rooted one after data wipe/factory reset trying to normal boot with this version i get an infinite loop of the chainfire auto root script running. flashed the noenforce version and was able to boot up fine but super su says no root.

I'm not sure how the chainfire stuff works entirely TBH. I saw in the thread over there people had it looping a few times before coming to.

You need to factory reset after flashing this, too. Which can be done with fastboot erase userdata.

Looks like, cf-auto root doesn't call "fastboot flash boot" just "fastboot boot" - is that a difference or is it the same thing?
 
Last edited:

NeoteriX

Senior Member
Jan 28, 2008
240
48
flashed the rooted one after data wipe/factory reset trying to normal boot with this version i get an infinite loop of the chainfire auto root script running. flashed the noenforce version and was able to boot up fine but super su says no root. the encryption disable did work however.
What I'm sure everyone is dying to know is if you can run Androbench and report what the NAND scores are after disabling encryption.
 

djkinetic

Senior Member
Feb 26, 2011
3,641
1,387
Chicago
I'm not sure how the chainfire stuff works entirely TBH. I saw in the thread over there people had it looping a few times before coming to.

You need to factory reset after flashing this, too. Which can be done with fastboot erase userdata.

Looks like, cf-auto root doesn't call "fastboot flash boot" just "fastboot boot" - is that a difference or is it the same thing?

i ended up flashing noencrypt, then factory reset, then running cf root after a full reboot, end result encryption off and root with twrp =) life is good.
 

bbedward

Inactive Recognized Developer
Jun 6, 2010
1,892
2,574
Cleveland, OH
That looks like a vast improvement, faster than the note 4.

http://arstechnica.com/gadgets/2014...premium-price-still-comes-with-compromises/2/

Woot woot

Side question, if we flash this image to disable encryption, have root, and unlocked bootloader, will we still get the OTA updates?

I think so, but this boot.img would be overwritten after an OTA update so it'd turn back on the forced encryption (which would encrypt after the OTA rebooted/booted). You'd probably also lose root, assuming it formats /system.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 206
    I'm not responsible for anything blah blah

    This is intended to disable forced encryption on the nexus 6. You can still encrypt the device after doing this, but it won't be automatically done.

    After observing how this force encryption stuff works, I got it mostly figured out. (It's entirely a SW layer, as is already widely known). Basically when all the devices from fstab are mounted in android with the forceencrypt option, fs_mgr sets a flag for encryption (something like IF This_Device_Isnt_Encrypted; then This_Device_Needs_Encryption). on devices (looks like android only allows you to encrypt 1 device, which is probably to prevent such cases as over-resource usage ,maybe some other conflict that it doesn't support over 1 device, idk) that have forceencrypt set on them, if it can't unmount the device before doing these encryption checks - in other words if it's usy (like a file is open) - it just skips encryption all together. So if the device had a file preventing it from being unmounted, it just says "oh well, skip encryption." I found this kinda odd behavior anyway :p

    You can still encrypt the device, it just isn't forced. Some people are complaining about the slowness of the encryption SW-layer (why force SW encryption? At least put some HW for it in the device). This makes it the way it probably should be - optional.

    Stock LMY47D/LMY47E/LMY47M/LMY47I (5.1.0) - No force encrypt:
    https://www.androidfilehost.com/?fid=95916177934540533

    Stock LRX22C (5.0.1) - No force encrypt:
    https://www.androidfilehost.com/?fid=95857557620392411

    Stock LRX21O (5.0) - No force encrypt:
    https://www.androidfilehost.com/?fid=95784891001613336

    Prerequisites:
    - You should be running the same build as the kernel you install (E.G. if you are running 5.1.0 LMY47D you should install the LM47D no force encrypt kernel)
    - Your bootloader must be unlocked (fastboot oem unlock)

    How-to install kernel:
    1.) Reboot to boot loader
    2.) Download the appropriate boot.img above
    3.) Install it via fastboot (fastboot flash boot boot_noforceencrypt.img)

    To disable forced encryption after kernel is installed:
    1.) Reboot to boot loader
    2.) Format userdata (fastboot format userdata) - This will erase all of your data (apps, sd card, etc.) - so make appropriate backups
    23
    5.0.1 boot image force encrypt disabled

    Disabled force encrypt in 5.0.1 (lrx22c)
    only change is forceencrypt->encryptable in fstab.shamu
    22
    I assume this boot.img will also work with the LYZ28E build?

    Here's one for LYZ28E

    Doesnt take a genius to mode the boot.img


    1. Extract the Android Image Kitchen zip i uploaded in this post
    2. drag in the boot.img file you wish to modify onto the unpackimg.bat file
    3. you should get a command window pop up, it should say succesfull and you will get a few folders added.
    4. open the ramdisk folder and open the fstab.shamu file using notepad++
    5. search for forceencrypt and replace it with encryptable. there should be only one case where this exists.
    6. save the file, go back to the root of the image kitchen folder, and run the repackimg.bat file.
    7. you should get a new boot.img build called image-new.img, you can use this now to flash on your device
    12
    Here's a link for the No Force Encrypt file I made for the MRA58K Nexus 6 Marshmallow factory image. Going to flash the files on to my phone now.

    PHP:
    http://www13.zippyshare.com/v/1lvgqKcI/file.html
    10
    Thanks! What do we do to upgrade from 5.0.1 to 5.1 exactly and keep the unencrypt?

    Couple of options, but first to note:
    - adb sideload from stock recovery will not work if you are not completely stock. It does a block-level update so it will fail if it finds a mismatch on the device boot.img and what it expects, like if you are already unencrypted.

    First option:
    - Flash the 5.1.0 factory image, and repeat the entire process
    - Will wipe everything

    Second option (ONLY if you are on stock LRX22C
    - You can extract the OTA update
    - Hack the script to not install boot img patch and disable md5 checks.
    - Don't do it this way

    Third option
    - Get the factory image and extract it
    - Flash the bootloader (fastboot flash bootloader bootloader-shamu-blah.zip)
    - Flash the radio (fastboot flash radio radio-shamu-blah.zip)
    - Reboot bootloader (fastboot reboot-bootloader)
    - Extract the: image-shamu-lm47yd.zip
    - Flash recovery (fastboot flash recovery recovery.img) Skip this if you are using a custom recovery and want to keep it
    - Flash modified boot.img in OP (fastboot flash boot bootimg_noforceencrypt_lmy47d.img)
    - Flash system (fastboot flash system system.img)

    The cache/userdata img are only needed if you want to full wipe.

    You will lose root, obviously, but can easily get it back from twrp.