FORUMS
Remove All Ads from XDA
Win Honor 9 Lite

[FIX] FED-Patcher v8 (ForceEncrypt Disable Patcher)

331 posts
Thanks Meter: 472
 
By gladiac, Senior Member on 27th October 2015, 01:27 PM
Post Reply Email Thread
Announcement from gladiac: This tool gets rid of the ForceEncrypt flag on any rom on supported devices.
Hello everybody,

I created a tool - initially for the nexus 9 (flounder|flounder_lte) - that gets rid of the ForceEncrypt flag in a generic way (meaning it should work no matter what rom you are on). It does that by patching the currently installed boot.img.
I enhanced that tool to make it work for other devices too. (See the list below to see if your device is supported)

Disclaimer
Code:
/*
 * Your warranty is now void.
 *
 * I am not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about the features in this tool
 * before using it! YOU are choosing to make these modifications, and if
 * you point the finger at me for messing up your device, I will laugh at you. Hard. A lot.
 */
Background
The Android CDD (Compatibility Definition Document) suggests demands that all devices with the appropriate horse power SHOULD MUST enable full disk-encryption (FDE) by default. Even though I support every step towards more security I have to criticize this approach. Full-disk-encryption comes at a price. Encryption takes time because some component has to de- and encrypt the stuff on the disk at some point and in current devices it's the CPU's task. Even though modern devices have quite fast CPU cores you can still easily feel the difference between FDE in the on- or off-state. The I/O is faster and boot-times take only half as long. (I did not do any scientific measurements though)
There is an ongoing discussion about this topic in cyanogenmod's gerrit for the nexus 9. Although it's a fun read it is pretty clear that this exchange of views is not going anywhere near a useful outcome. Additionally, Google's stock ROMs always have forced encryption enabled on newer devices.
Because performance is important to me and at least my tablet does not need the extra security I created the FED-Patcher (ForceEncrypt Disable Patcher).

How does it work?
FED-Patcher is a simple flashable ZIP that is supposed to be run in a recovery that has busybox integrated (like TWRP or CWM). This is what it does:
  1. Checks if your device is compatible
  2. Dumps the currently installed boot.img.
  3. Unpacks the dump of your currently installed boot.img. The unpacking process is done via a self-compiled, statically linked version of unmkbootimg.
  4. It patches the filesystem tables which include the force-encrypt flags. This process will change "forceencrypt" to "encryptable".
  5. Then, if necessary, it patches the filesystem tables to not use dm-verity. This is done by removing the "verify" mount-parameter.
  6. Creates a new boot.img. The unpacking process is done via a self-compiled, statically linked version of mkbootimg.
  7. Flashes the modified boot.img

Supported devices
  • HTC Nexus 9 WiFi (flounder)
  • HTC Nexus 9 LTE (flounder_lte)
  • Motorola Nexus 6 (shamu)
  • LG Nexus 5X (bullhead)
  • Huawei Nexus 6P (angler)

Version History
  • v1 - Initial version with HTC Nexus 9 WiFi (flounder) support
  • v2 - Added Motorola Nexus 6 (shamu) support
  • v3 - Added support for HTC Nexus 9 LTE (flounder_lte)
  • v4 - Added support for signed boot-images
  • v5 - Changed error handling to compensate for missing fstab files. Some roms seem not to ship with the complete set of boot-files from AOSP.
  • v6 - FED-Patcher will enforce the same structure for the patched boot.img that the original boot.img had. Additionally, the kernel commandline will also be taken over. This should fix pretty much every case where devices would not boot after patching.
  • v7 - FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.
  • v8 - Added support for LG Nexus 5X (bullhead) and Huawei Nexus 6P (angler)

What do I need to make this work?
  1. A supported device
  2. An unlocked bootloader
  3. An already installed ROM with forceencrypt flag. (like cyanogenmod CM12.1)
  4. A recovery that includes busybox (TWRP, CWM)

How do I use it?
  1. Make a thorough, conservative backup of your data if there is any on your device
  2. Go into your recovery (TWRP, CWM)
  3. Flash fed_patcher-signed.zip
  4. If your device is already encrypted (You booted your ROM at least once) you need to do a full wipe to get rid of the encryption. This full wipe will clear all your data on your data-partition (where your apps as well as their settings are stored) as well as on your internal storage so please, do a backup before. If you don't do a backup and want to restore your data... well... Call obama.

How do I know if it worked?
Go into your "Settings"-App. In "Security", if it offers you to encrypt your device it is unencrypted. If it says something like "Device is encrypted" it indeed is encrypted.

IMPORTANT: If you update your ROM you have to run FED-Patcher again because ROM-updates also update the boot-partition which effectively removes my patch. So, if you are on CM12.1 for example and you used my patch and do an update to a newer nightly you have to run FED-Patcher again. If you don't do so Android will encrypt your device at the first boot.

Is it dangerous?
Well, I implemented tons of checks that prevent pretty much anything bad from happening. But, of course, we're dealing with the boot-partition here. Even though I tested FED-Patcher quite a lot there is still room for crap hitting the fan.

Screenshot
Scroll down to the attached thumbnails.

Credits
* pbatard for making (un)mkbootimg (dunno if he is on xda)
* @rovo89 for his xposed framework - I used some of his ideas by reading the source of his xposed installer flashable ZIP for FED-Patcher.

GibHub: https://github.com/gladiac1337/fed-patcher

XDA:DevDB Information
FED-Patcher, Tool/Utility for all devices (see above for details)

Contributors
gladiac, rovo89

Version Information
Status: Beta
Current Beta Version: v8
Beta Release Date: 2015-10-27

Created 2015-10-27
Last Updated 2016-10-23
Attached Thumbnails
Click image for larger version

Name:	Screenshot.jpg
Views:	9904
Size:	114.1 KB
ID:	3520359  
Attached Files
File Type: zip fed_patcher_v8-signed.zip - [Click for QR Code] (1.49 MB, 16364 views)
The Following 79 Users Say Thank You to gladiac For This Useful Post: [ View ] Gift gladiac Ad-Free
 
 
29th October 2015, 04:27 PM |#2  
cyberon's Avatar
Senior Member
Thanks Meter: 385
 
More
Hi @gladiac and first of all thanks for the work and time spent developing this amazing tool.

I'm currently running stock Marshmallow on my Nexus 6 and i plan to stay like that, but would like to test my device with ForceEncrypt disabled. Here are my doubts.

1 - Does this work on stock?

2 - Would i be able to flash the monthly security update images without having to wipe my device every time?

3 - In your opinion, do the speed gains justify the all the work?

Thanks in advance.
29th October 2015, 05:08 PM |#3  
OP Senior Member
Flag Vienna
Thanks Meter: 472
 
More
Quote:
Originally Posted by cyberon

Hi @gladiac and first of all thanks for the work and time spent developing this amazing tool.

I'm currently on stock Marshmallow and i plan to stay like that, but would like to test my device with forcencrypt disabled. Here are my doubts.

1 - Does this work on stock?

2 - Would i be able to flash the monthly security update images without having to wipe my device every time?

3 - In your opinion, do the speed gains justify the all the work?

Thanks in advance.

Hi @cyberon,
good questions!
  1. Yes, FED-Patcher works on stock! Marshmallow made it necessary to do a new release, v7, to get rid of an error message at boot but other than that, FED-Patcher works just fine on Android 6.
  2. Well, I don't know how the monthly security-updates will be deployed. I guess it will be done by OTA (Over the Air) updates. OTA will probably not work after modifying the boot-image. However, flashing factory images should work just fine. Additionally, most of the time, OTA-zips are being posted here on xda or androidpolice whenever they become available so doing manual OTA updates is another possibility to do updates.
    To get back to your question - wiping should not be necessary after an upgrade - be it via OTA or factory images. Google did a fantastic job with the upgrade-functionality in newer Android versions. However, whenever you do an update, be sure to run FED-Patcher afterwards because, in case the boot-partitions got updated, forced encryption will be in place again and on the first boot it will encrypt you device.
  3. Well, I do all my tests on a HTC Nexus 9 (flounder). It is a pretty fast beast. However, on an unmodified stock rom, it was clearly tangible that the GUI had more latency than necessary. Apps loaded pretty slowly - compared to my Sony Xperia Z1 (honami) it took like twice as long to start youtube - and in general it just did not behave like a beast. This was why I started writing FED-Patcher. In my opinion it was worth my time. (it wasn't that much actually)
I hope I could help.
Enjoy, gladiac
The Following 6 Users Say Thank You to gladiac For This Useful Post: [ View ] Gift gladiac Ad-Free
29th October 2015, 05:20 PM |#4  
cyberon's Avatar
Senior Member
Thanks Meter: 385
 
More
Thanks for the quick and detailed answer @gladiac, now regarding point number 2.

I never wait for the OTA, but always flash the images manually.
As far as i understand from your answer, it would it be ok to flash all the img files manually, then flash TWRP and finally flash FED without booting the OS.

Am i missing something?
29th October 2015, 05:24 PM |#5  
OP Senior Member
Flag Vienna
Thanks Meter: 472
 
More
Quote:
Originally Posted by cyberon

Thanks for the quick and detailed answer @gladiac, now regarding point number 2.

I never wait for the OTA, but always flash the images manually.
As far as i understand from your answer, it would it be ok to flash all the img files manually, then flash TWRP and finally flash FED without booting the OS.

That's pretty much how I would do it. You don't even have to flash TWRP if you just skip flashing the recovery.img which is included in the factory-image package.
The Following 2 Users Say Thank You to gladiac For This Useful Post: [ View ] Gift gladiac Ad-Free
29th October 2015, 05:28 PM |#6  
cyberon's Avatar
Senior Member
Thanks Meter: 385
 
More
Thanks @gladiac, will try that way.

PS: I have a feeling that if we had this option added to a toolkit like Wugfresh Nexus Root Toolkit, it would be an instant success.
The Following User Says Thank You to cyberon For This Useful Post: [ View ] Gift cyberon Ad-Free
31st October 2015, 02:18 PM |#7  
provolinoo's Avatar
Senior Member
Flag Milano
Thanks Meter: 228
 
More
hi @gladiac
first of all thanks for your patch

I'm on Nexus 6 with stock Marshmallow and all I want to do is disable encryption and enable root.
Is your patch + SuperSU enough or I need something else?

Thanks a lot
The Following User Says Thank You to provolinoo For This Useful Post: [ View ] Gift provolinoo Ad-Free
1st November 2015, 01:24 PM |#8  
stonebear's Avatar
Senior Member
Thanks Meter: 564
 
More
Worked on my N9 - thanks!
The Following User Says Thank You to stonebear For This Useful Post: [ View ] Gift stonebear Ad-Free
1st November 2015, 04:23 PM |#9  
OP Senior Member
Flag Vienna
Thanks Meter: 472
 
More
Quote:
Originally Posted by provolinoo

hi @gladiac
first of all thanks for your patch

I'm on Nexus 6 with stock Marshmallow and all I want to do is disable encryption and enable root.
Is your patch + SuperSU enough or I need something else?

Thanks a lot

Hi @provolinoo,
well, FED Patcher will disable the forced encryption for you. However, SuperSU will not work so easily. The reason for that is that the stock ROM has SeLinux enabled in "enforcing" mode. SuperSU does not work without adding more SeLinux Policies to the stock ROM. Unfortunately, it's not in the scope of FED Patcher to add SeLinux policies for SuperSU. This should be done inside the flashable ZIP of SuperSU instead.
The last time I tested SuperSU with marshmallow stock was with version 2.52 BETA. It did not work. The result was a boot-loop because of one or more SeLinux denials. A little more info on that matter is here.
So, to get SuperSU working you would have to set SeLinux to "permissive" mode. Alternatively, you can use @Chainfire's boot.imgs to make SuperSU work.
Have fun, gladiac
The Following 3 Users Say Thank You to gladiac For This Useful Post: [ View ] Gift gladiac Ad-Free
2nd November 2015, 08:24 AM |#10  
Member
Thanks Meter: 21
 
More
Thank you gladiac. Your FED patcher (v8) works flawlessly on my Nexus 9. Edit: I am using TWRP 2.8.7.1

The gerrit conversation you linked is interesting. I am grateful that someone with your skills decided to support our ability to choose whether or not to encrypt. CM thinks I am smart enough for root priveleges but I am too stupid to be trusted with decryption?

Don't some major vendors allow the disabling of encryption from within Android?

Anyway, thanks for the patcher.
The Following User Says Thank You to dmantilal For This Useful Post: [ View ] Gift dmantilal Ad-Free
2nd November 2015, 08:48 AM |#11  
provolinoo's Avatar
Senior Member
Flag Milano
Thanks Meter: 228
 
More
Quote:
Originally Posted by dmantilal

Thank you gladiac. Your FED patcher (v8) works flawlessly on my Nexus 9.

The gerrit conversation you linked is interesting. I am grateful that someone with your skills decided to support our ability to choose whether or not to encrypt. CM thinks I am smart enough for root priveleges but I am too stupid to be trusted with decryption?

Don't some major vendors allow the disabling of encryption from within Android?

Anyway, thanks for the patcher.

I agree, I love CM roms but their decision to force encryption when most of cm users are power-user is a nonsense
The Following 2 Users Say Thank You to provolinoo For This Useful Post: [ View ] Gift provolinoo Ad-Free
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes