
[FIX] FED-Patcher v7 (ForceEncrypt Disable Patcher)

By gladiac, Senior Member on 13th September 2015, 11:29 AM
Hello everybody,

I created a tool for the nexus 9 that gets rid of the ForceEncrypt flag in a generic way (meaning it should work no matter what rom you are on). It does that by patching the currently installed boot.img.

Background
The Android CDD (Compatibility Definition Document) suggests that all devices SHOULD enable full disk-encryption (FDE) by default. Even though I support every step towards more security I have to criticize this approach. FDE comes at a price. Encryption takes time because some component has to de- and encrypt the stuff on the disk at some point and in the case of the nexus 9 (aka flounder) it's the CPU's task. Even though the nexus 9's CPU has 2 pretty fast cores you can still easily feel the difference between FDE in the on- or off-state. The I/O is faster and boot-times take only half as long. (I did not do any measurements)
There is an ongoing discussion about this topic in cyanogenmod's gerrit. Although it's a fun read it is pretty clear that this exchange of views is not going anywhere near a useful outcome.
Because performance is important to me and my tablet does not need the extra security, I created the FED-Patcher (ForceEncrypt Disable Patcher).

How does it work?
FED-Patcher is a simple flashable ZIP that is supposed to be run in a recovery that has busybox integrated (like TWRP or CWM). This is what it does:
  1. Checks if your device is compatible
  2. Dumps the currently installed boot.img.
  3. Unpacks the dump of your currently installed boot.img. The unpacking process is done via a self-compiled, statically linked version of unmkbootimg.
  4. It patches the filesystem tables which include the force-encrypt flags. This process will change "forceencrypt" to "encryptable".
  5. Then it patches the filesystem tables to not use dm-verity. This is done by removing the "verify" mount-parameter.
  6. Creates a new boot.img. The unpacking process is done via a self-compiled, statically linked version of mkbootimg.
  7. Flashes the modified boot.img

Supported devices
  • HTC Nexus 9 WiFi (flounder)
  • HTC Nexus 9 LTE (flounder_lte)
  • Motorola Nexus 6 (shamu)

Version History
  • v1 - Initial version with HTC Nexus 9 WiFi (flounder) support
  • v2 - Added Motorola Nexus 6 (shamu) support
  • v3 - Added support for HTC Nexus 9 LTE (flounder_lte)
  • v4 - Added support for signed boot-images
  • v5 - Changed error handling to compensate for missing fstab files. Some roms seem not to ship with the complete set of boot-files from AOSP.
  • v6 - FED-Patcher will enforce the same structure for the patched boot.img that the original boot.img had. Additionally, the kernel commandline will also be taken over. This should fix pretty much every case where devices would not boot after patching.
  • v7 - FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.

What do I need to make this work?
  1. A supported device (Your nexus 9)
  2. An unlocked bootloader
  3. An already installed ROM with forceencrypt flag. (like cyanogenmod CM12.1)
  4. A recovery that includes busybox (TWRP, CWM)

How do I use it?
  1. Make a thorough, conservative backup of your data if there is any on your device
  2. Go into your recovery (TWRP, CWM)
  3. Flash fed_patcher-signed.zip
  4. If your device is already encrypted (you booted your ROM at least once) you need to do a full wipe to get rid of the encryption. This full wipe will clear all your data on your data-partition (where your apps as well as their settings are stored) as well as on your internal storage, so please do a backup before. If you don't do a backup and want to restore your data... well... Call Obama.

How do I know if it worked?
Go into your "Settings"-App. In "Security", if it offers you to encrypt your device it is unencrypted. If it says something like "Device is encrypted" it indeed is encrypted.

IMPORTANT: If you update your ROM you have to run FED-Patcher again because ROM-updates also update the boot-partition which effectively removes my patch. So, if you are on CM12.1 for example and you used my patch and do an update to a newer nightly you have to run FED-Patcher again. If you don't do so Android will encrypt your device at the first boot.

Is it dangerous?
Well, I implemented tons of checks that prevent pretty much anything bad from happening. But, of course, we're dealing with the boot-partition here. Even though I tested FED-Patcher quite a lot there is still room for crap hitting the fan.

Screenshot
Scroll down to the attached thumbnails.

Credits
* pbatard for making (un)mkbootimg (dunno if he is on xda)
* @rovo89 for his xposed framework - I used some of his ideas by reading the source of his xposed installer flashable ZIP for FED-Patcher.
Attached Files
  • fed_patcher_v3-signed.zip (1.49 MB)
  • fed_patcher_v4-signed.zip (1.49 MB)
  • fed_patcher_v5-signed.zip (1.49 MB)
  • fed_patcher_v6-signed.zip (1.49 MB)
  • fed_patcher_v7-signed.zip (1.49 MB)
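Steps 4 and 5 of the first post, seen from the checking side, as an added example that is not part of the original post and is not FED-Patcher's own code: it reads fstab text taken from an unpacked boot.img, reports per mount point whether encryption is forced and whether dm-verity is on, and confirms that a patched fstab differs from the original only by those two edits. It assumes the AOSP five-column fstab layout; the sample lines and the /dev/block/by-name paths are constructed.

```python
# Added example, not FED-Patcher's code. The fstab lines are constructed and
# the /dev/block/by-name/* paths are placeholders.
ORIGINAL = """\
/dev/block/by-name/system   /system ext4 ro,barrier=1         wait,verify
/dev/block/by-name/userdata /data   ext4 noatime,nosuid,nodev wait,check,forceencrypt=/dev/block/by-name/metadata
"""
PATCHED = """\
/dev/block/by-name/system   /system ext4 ro,barrier=1         wait
/dev/block/by-name/userdata /data   ext4 noatime,nosuid,nodev wait,check,encryptable=/dev/block/by-name/metadata
"""

def parse_fstab(text):
    """Return {mount_point: ((source, fstype, mount_flags), [fs_mgr flags])}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue  # blank, comment or short line
        entries[fields[1]] = ((fields[0], fields[2], fields[3]), fields[4].split(","))
    return entries

def flag_name(flag):
    return flag.split("=", 1)[0]

def audit(text):
    """Per mount point: is encryption forced/optional/none, is verity on?"""
    report = {}
    for mnt, (_, flags) in parse_fstab(text).items():
        names = {flag_name(f) for f in flags}
        enc = ("forced" if "forceencrypt" in names
               else "optional" if "encryptable" in names else "none")
        report[mnt] = {"encryption": enc, "verity": "verify" in names}
    return report

def unexpected_changes(original, patched):
    """List mount points that differ beyond the two documented edits."""
    before, after = parse_fstab(original), parse_fstab(patched)
    odd = []
    for mnt in sorted(set(before) | set(after)):
        if mnt not in before or mnt not in after:
            odd.append(mnt)  # entry appeared or disappeared
            continue
        rest, flags = before[mnt]
        want = ["encryptable" + f[len("forceencrypt"):]
                if flag_name(f) == "forceencrypt" else f
                for f in flags if flag_name(f) != "verify"]
        if after[mnt] != (rest, want):
            odd.append(mnt)
    return odd
```

An empty list from `unexpected_changes` means the device paths, filesystem types, mount options and remaining fs_mgr flags were left alone; any mount point it returns deserves a manual look before the image is flashed.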
 
 
14th September 2015, 05:07 PM |#2  
Senior Member
Thanks for creating this! In theory, would this work for the Nexus 6 as well? It would seem like it's a similar process.
14th September 2015, 06:33 PM |#3  
OP Senior Member
Quote:
Originally Posted by itlnstln

Thanks for creating this! In theory, would this work for the Nexus 6 as well? It would seem like it's a similar process.

Hey there,

yes, it would probably work because the process itself is pretty generic. The only real difference between devices is the device-path for the boot-partition as well as the path(s) for the fstab-file(s) inside the boot.img. Nothing that cannot be done - but I don't have a device for testing. If you feel adventurous I can do a nexus6 (shamu) version for you for testing. I will double check so it should not eff up your device :P.

EDIT: Not to forget, the nexus 9 is a 64bit device. mkbootimg as well as unmkbootimg are compiled for 64bit. I have to rebuild those two programs for 32bit to make them work for 32bit devices.
14th September 2015, 07:21 PM |#4  
Senior Member
If you have time for a N6 build, that would be great. If not, it's not a big deal since there seems to be more support for that device.
14th September 2015, 08:13 PM |#5  
OP Senior Member
Quote:
Originally Posted by itlnstln

If you have time for a N6 build, that would be great. If not, it's not a big deal since there seems to be more support for that device.

Well, it's pretty much done. Do you want to test a version that does not actually flash anything but does everything else - just to see if it works correctly?
14th September 2015, 08:35 PM |#6  
Senior Member
Absolutely!
14th September 2015, 10:14 PM |#7  
OP Senior Member
Quote:
Originally Posted by itlnstln

Absolutely!

Alright, here you go!

If no error occurs there will be the already modified boot.img file in your temp-directory of your nexus 6. You can send me this file to be completely sure that everything went according to plan. Here is the adb-command:
Code:
adb pull /tmp/fed_patcher/boot-new.img
If all goes well I will upload the new version with nexus 6 (shamu) support tomorrow.

Good night!
Attached Files
  • fed_patcher-signed-dryrun.zip (1.49 MB)
14th September 2015, 10:24 PM |#8  
Senior Member
Quote:
Originally Posted by gladiac

Alright, here you go!

If no error occurs there will be the already modified boot.img file in your temp-directory of your nexus 6. You can send me this file to be completely sure that everything went according to plan. Here is the adb-command:

Code:
adb pull /tmp/fed_patcher/boot-new.img
If all goes well I will upload the new version with nexus 6 (shamu) support tomorrow.

Good night!

Thanks! It seemed to work OK. Here's the boot image.
Attached Files
  • boot-new.img (7.56 MB)
14th September 2015, 10:37 PM |#9  
OP Senior Member
Quote:
Originally Posted by itlnstln

Thanks! It seemed to work OK. Here's the boot image.

Thanks for your help! I just updated the flashable ZIP in the first post. Enjoy
14th September 2015, 10:38 PM |#10  
Senior Member
Quote:
Originally Posted by gladiac

Thanks for your help! I just updated the flashable ZIP in the first post. Enjoy

You're the best! Thanks!
15th September 2015, 01:02 AM |#11  
madbat99
Senior Member
I noticed in op it says "4 pretty fast cores". This puppy only has 2 cores. Just throwing it out there for readers that don't know. I'm sure it was just a minor oversight.

Sent from my Nexus 9
Tags
encryptable, fde, fed-patcher, forceencrypt

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes