
Device Encryption and Root

bruzzy
#1
Junior Member - OP
Join Date: Jun 2014

Hi everyone,

it's my first post on the xda-developers forum, so if the kind of my posting mismatches any rules, please let me know!

I've been using this forum for quite a long time now, but so far all of my questions were answered by search & read... Some weeks ago I had another question, for which I couldn't find an explicit answer yet. So based on some hints from different sources (thanks to Google!) I did some experiments aka trial and error and would like to share my experience with you (to give something back to the community, who helped me a lot in the past) and see whether I finally found the answer to my question... So please let me know whether it worked for you as well or whether you know a different / better way to solve this kind of problem.

As usual: Use this guide at your own risk!


Problem statement:
I wanted to have my SM-P900 (stock ROM) both rooted and encrypted (using device encryption). I've already done this for GT-I9100 (Galaxy S II) and GT-I9192 (Galaxy S4 Duo) in the past and it worked like a charm. But for some reason I couldn't get it working on the SM-P900...


Trial log (for short version see below):
I have successfully rooted this device via the CF-Auto-Root method by Chainfire (many thanks for the great job!). When I later tried to activate the device encryption, it first looked like the process had started (I got a black screen with a green Android manikin), but after some time (~1min) the device just restarted and booted in normal mode. I tried it several times with the same end of story - no success, no harm either.

After some time of googling I found a hint that on KitKat devices Superuser should be temporarily de-activated in order to get the device encryption starting properly and activated again after the encryption process has finished. So I tried that and indeed, this time the encryption process started after the reboot. I let it finish and after a reboot it looked like I was where I wanted to be. But then I realized that I wasn't able to activate the Superuser back (SuperSU said "Can't find the su binary... You need to restore it manually" or something similar). Damned! I thought "OK, let's try CF-Auto-Root again". The root process itself seemed to work, but after that the device just hung at boot... Soft-brick...

Taking a deeper look at the script source of an Update-Super-SU package from Chainfire I realized that it also does some writes to the /data partition. Well, I guess this broke the partition, since it was encrypted... (If anyone has a better explanation for this, please let me know!)

So everything back to the start: I flashed the stock ROM, did a factory reset and re-ran CF-Auto-Root... Now the device was operating properly and was rooted, but no encryption. Before starting another try of encryption, I wanted to verify that the temporary un-root wasn't broken by the encryption. So I did a temporary un-root (by removing the tick at the option "Activate Superuser" in SuperSU settings) and then activated it back right away. This worked fine. I rebooted (just to confirm everything is still working) and Superuser still worked as expected. Then (to try one more thing) I "de-activated" su again and rebooted. Trying to activate it back after the reboot, I realized that I now was in the same situation as just after the encryption, but without the encryption. I.e. the problem was not the encryption itself, but kind of a bug in SuperSU - it was not able to activate su back after a reboot (I'll try to check it via a bug report to Chainfire).

So I dug a bit deeper into this and realized that SuperSU was simply deleting the su binary in /system/xbin on de-activation and writing it back on activation. And it looked like it wasn't able to write it back after a reboot (probably because of missing permission).

Knowing that, I decided to go a step further: I flashed the TWRP (many thanks to the TeamWin guys!), booted into recovery, mounted /system and copied the su binary manually to /system/xbin. After a reboot I tried once again to open SuperSU, but it still said it couldn't find the su binary. Hmmm... There must be something more... Having another look at the script source of the Update-Super-SU package I found that at the end it was calling the su binary with the option "-install". So I booted back to recovery and tried that as well... Hurra!!! After a reboot SuperSU was finally starting and the root-apps were able to get su access... So this seemed to be the desired solution.

I deactivated su again, rebooted and started the encryption. It ran and finished successfully, as expected. After that I booted to recovery and installed su manually, as I've done it before... Reboot... fingers crossed... Tadaa!!! System is back, encrypted and root is working!


Solution approach:
  1. Device is not rooted and not encrypted (if already rooted, skip 2; if already encrypted, decrypt or do a factory-reset - don't try CF-Auto-Root on an encrypted device, it'll soft-brick)
  2. Root the device (e.g. using Auto-Root-CF by Chainfire; it'll trigger the Knox-counter)
  3. Temporarily un-root the device (when using SuperSU: go to Settings and remove the tick at the option "Activate Superuser")
  4. Reboot
  5. Activate the device encryption (the battery must be at least at 80% and the device must be plugged in the wall charger)
  6. The device will restart after a short period of time and start the encryption (this will take some time, but you should see a progress bar indicating how far it is)
  7. After the encryption is finished the device will reboot and ask for the password, just log in
  8. If not yet done, flash a custom recovery where you have a console access or can use ADB as root (I used TWRP)
  9. Boot into recovery
  10. Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
  11. Open the console or ADB shell
  12. Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
  13. Execute the installation (if you use SuperSU: /system/xbin/su --install)
  14. Reboot
  15. You should be done
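Steps 12 and 13 of the guide above with the checks a recovery shell session needs, as an added example that is not part of the original post or of SuperSU's own installer. `restore_su` is a hypothetical helper name; the paths and the `--install` option are the ones given in those steps.

```shell
#!/bin/sh
# Added example: steps 12-13 of the guide with pre-flight checks.
# Meant for the recovery's root shell (TWRP console or `adb shell`)
# after /system has been mounted (step 10).
# restore_su is a hypothetical helper name, not a SuperSU command.

restore_su() {
    sysroot="${1:-/system}"        # assumption: /system unless overridden
    src="$sysroot/xbin/daemonsu"   # source path from step 12
    dst="$sysroot/xbin/su"         # target path from step 12

    # In recovery an unmounted /system is normally an empty directory,
    # so a missing daemonsu usually means step 10 was skipped
    # (or SuperSU was never installed on this ROM).
    if [ ! -f "$src" ]; then
        echo "missing $src: is $sysroot mounted?" >&2
        return 2
    fi

    # A read-only mount makes cp fail; stop here rather than run
    # --install on whatever was at the target before.
    if ! cp "$src" "$dst"; then
        echo "copy to $dst failed: is $sysroot mounted read-write?" >&2
        return 3
    fi

    # Step 13: let the binary complete its own installation.
    if ! "$dst" --install; then
        echo "$dst --install failed" >&2
        return 4
    fi

    echo "su restored at $dst; reboot next (step 14)"
    return 0
}

# Usage, typed in the recovery shell after sourcing this file:
#   restore_su /system
```

A non-zero return code tells you which step to revisit before rebooting: 2 points at the mount in step 10, 3 at a read-only mount, 4 at the install call itself.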
 
Gatsrom
#2
Member
Join Date: Oct 2010
Thank you for the info and the simple steps. I was considering something similar to what you wanted with your device.
 
eduardogsilva
#3
Junior Member
Join Date: Jul 2012
bruzzy,

I've followed your steps and managed to re-enable SuperSU after encryption! (used twrp)

Thank you!!!!!
 
EndlessAdventurer
#4
Junior Member
Join Date: Jul 2014
Hello Bruzzy,
Thanks so much for the awesome post!
I am just having difficulty with the final steps. I am a complete newbie in regards to rooting and using these android tools.
Everything else was quite clear in your post except for these final steps.

Could you please simplify a bit more step by step how I proceed to do the final steps listed below?
  - Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
  - Open the console or ADB shell
  - Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
  - Execute the installation (if you use SuperSU: /system/xbin/su --install)
  - Reboot

Thanks so much!

EndlessAdventurer


 
bruzzy
#5
Junior Member - OP
Join Date: Jun 2014
@EndlessAdventurer,

I'm sorry, but I don't know what you mean by "more step by step". There are no more steps in between, the steps are as granular as possible. If you use TWRP, there is a menu "Mount" (go there and tick /system) - you should have seen it already (if not, have a look at the TWRP documentation). But you could also mount your system from the console or ADB shell.

If you don't know what "mount", "console" or "ADB" is and are not able to use Google to learn it yourself, then you should really not use this guide and even avoid rooting your device...

Being a newbie is not an excuse, it's completely up to you to spend some time and change this!

Please avoid quoting the whole post! If you want to reference some part of a post, pick only the relevant part and quote that.
 
Nickfreedom
#6
Junior Member
Join Date: Dec 2011
Location: Brasília
Alternative Method

Hi,

I have used another method that also works. It worked with my Galaxy S4, Note 10.1 and now with Note Pro. Hope this can help:

1-Root your device and install/update SuperSU;

2-Convert SuperSU to a system app (there is an option in the SU config). Reboot.
-Note: If your root method has already installed SuperSU as a system app, this step can be skipped;

3-As SuperSU is now a system app, it can be deactivated through Applications Management in settings. Deactivate it;
-Note: do NOT use deactivate in SU's own config;

4-Reboot in Safe Mode. This can be done by pressing both Volume Up/Down while rebooting;

5-Start encryption the normal way and wait until it finishes. Enter your password and wait for the device to boot normally;

6-Go to Applications Management in settings and activate SuperSU;

7-Reboot one more time and your system is encrypted with SuperSU working normally.
 
m33rkat
(Last edited by m33rkat; 15th August 2014 at 01:09 AM.) Reason: added info
#7
Junior Member
Join Date: Jan 2012
Location: Harrisburg
I was able to follow all of the posted solutions through but for some reason my phone insists on just booting back into Android instead of actually encrypting my phone. Any ideas?

I have a SM-G900T, TWRP, SuperSU
 
Nickfreedom
#8
Junior Member
Join Date: Dec 2011
Location: Brasília
Quote:
Originally Posted by m33rkat View Post
I was able to follow all of the posted solutions through but for some reason my phone insists on just booting back into Android instead of actually encrypting my phone. Any ideas?

I have a SM-G900T, TWRP, SuperSU
There are some more things that you can try with the solution I've posted:

1-Put the original recovery back instead of TWRP. I have never tried to encrypt with a custom recovery;
2-When you boot in "Safe Mode", go to Application Management, running applications and stop as many processes as you can (do not stop Google services).

Note: To ensure that you have booted in Safe Mode, look at the bottom left corner of the screen and see if it shows "Safe Mode".
