Can't set new password/pin/fingerprint after deleting locksettings.db

[thunderteaser]

As I was trying to update my EEA global stable rom 10.2.7 to the latest release (10.3.3), I followed a guide to accomplish that without losing TWRP and my /data partition. I flashed a zip called DisableForceEncryption_Treble_v18.0.zip after flashing the new rom but before reflashing magisk. As a matter of fact I could boot into the new ROM with all my data intact, but TWRP was overwritten by the official MIUI recovery.

As I flashed TWRP again via fastboot, my device was encrypted again and I had to format my /data partition.

So I restored my /data backup and booted into MIUI again, that asked for my PIN. The PIN I previously set was not working anymore so I had to delete /data/system/locksettings.db and I was able to access the OS again. Funny thing, my fingerprints were still there and still worked to unlock the phone.

Finally, I wanted to create a new PIN or Password. It asked me for a new PIN and then again to confirm it. As it seems to have accepted my newly registered PIN, it does not work when I try to unlock my phone! So I have to delete locksettings.db again (which seems to be the only file I could find that relates to lock settings). Everytime I create a new PIN, it lets me register it but then it's like it doesn't match with what I type when it asks for it to unlock the phone.

What did I do wrong? How I can restore my lock settings?

Thanks for reading so far!

 

[Schnedi]

That's weird.

Something similar happened to me a few days ago and I could set a new lock again with no problem.

Does it happen only with PIN? Have you tried with PATTERN?

 

[thunderteaser]

That's weird.

Something similar happened to me a few days ago and I could set a new lock again with no problem.

Does it happen only with PIN? Have you tried with PATTERN?

Yes, it happens with PIN, password or pattern regardlessly. Whatever I set, it stores it, but when asked to unlock the screen or enter security settings it just rejects it.

P.S.: This might be unrelated: I don't know if Magisk 19.3 behaves like this or not, but since I installed it the Mi Unlock status is uncertain (it said "Unlocked" before, now it lets me enter on the prompt as it was the first time unlocking the phone). So I rebooted to bootloader and ran "fastboot oem device-info" which correctly reported that my device was unlocked.

 

[thunderteaser]

Just in case... here is what i found in logcat.

Here is when I create a new PIN:

:/ # logcat |grep password
06-09 05:07:05.130  1453  1453 E LockSettingsStorage: Cannot read file java.io.FileNotFoundException: /data/system/gatekeeper.password.key: open failed: ENOENT (No such file or directory)
06-09 05:07:05.130  1453  1453 E LockSettingsStorage: Cannot read file java.io.FileNotFoundException: /data/system/password.key: open failed: ENOENT (No such file or directory)
06-09 05:14:16.049  1453  5555 W LockSettingsService: Synthetic password not enabled

Then i put it in again to confirm that it is right (it accepts it)

06-09 05:14:16.902  1453  5555 W LockSettingsService: Synthetic password not enabled

And finally when I click OK and the screen goes back to settings and it shows that I have set a lockscreen password.

06-09 05:14:22.326  1043  1043 I keystore: del USRPKEY_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.328  1043  1043 I keystore: del USRCERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.329  1043  1043 I keystore: del CACERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.333  1043  1043 I keystore: del USRPKEY_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.334  1043  1043 I keystore: del USRCERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.335  1043  1043 I keystore: del CACERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.733  1043  1043 I keystore: del USRPKEY_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.734  1043  1043 I keystore: del USRCERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.735  1043  1043 I keystore: del CACERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.736  1043  1043 I keystore: del USRPKEY_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.737  1043  1043 I keystore: del USRCERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.737  1043  1043 I keystore: del CACERT_synthetic_password_743cd98993860e51 1000
06-09 05:14:22.803  1043  1043 I keystore: del USRPKEY_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.815  1043  1043 I keystore: del USRCERT_synthetic_password_8719d7af3fc103f4 1000
06-09 05:14:22.817  1043  1043 I keystore: del CACERT_synthetic_password_8719d7af3fc103f4 1000

And here is the error when I try to unlock the screen with the (correct) PIN that gets rejected:

06-09 05:19:37.552   634   634 E GatekeeperHalDevice: verify
06-09 05:19:37.552   634   634 E GatekeeperHalDevice: ret: 0
06-09 05:19:37.552   634   634 E GatekeeperHalDevice: resp->status: -24
06-09 05:19:37.558  2305  2305 D KeyguardSecurityView: [B]reportFailedPatternAttempt[/B]: #2
06-09 05:19:37.591  1453  1543 E UsbDeviceManager: handle message = 6
06-09 05:19:37.592  2305  2667 D KeyguardViewMediator: setKeyguardEnabled(true)
06-09 05:19:37.612  2305  2305 D KeyguardViewMediator: handleKeyguardDoneDrawing
06-09 05:19:37.621  2305  2305 V KeyguardUpdateMonitor: startListeningForFingerprint()

 

[DarthJabba9]

... As I flashed TWRP again via fastboot, my device was encrypted again and I had to format my /data partition.

So I restored my /data backup and booted into MIUI again, that asked for my PIN. The PIN I previously set was not working anymore so I had to delete /data/system/locksettings.db and I was able to access the OS again. Funny thing, my fingerprints were still there and still worked to unlock the phone.

Do I understand correctly that you restored a backup of an encrypted data partition to an unencrypted data partition? If so, you will definitely have problems. If your device is encrypted, you probably should try restoring the backup again. If you are not encrypted, then you need to understand that, on lavender, setting pins/passwords, etc., will not work correctly if the device is not encrypted. Why? You would need to ask Xiaomi's programmers. But that is the situation.

In the end, you might need to do a clean flash ...

 

[thunderteaser]

Do I understand correctly that you restored a backup of an encrypted data partition to an unencrypted data partition? If so, you will definitely have problems. If your device is encrypted, you probably should try restoring the backup again. If you are not encrypted, then you need to understand that, on lavender, setting pins/passwords, etc., will not work correctly if the device is not encrypted. Why? You would need to ask Xiaomi's programmers. But that is the situation.

In the end, you might need to do a clean flash ...

Thanks for your answer. My backup comes from a /data partition that was originally formatted via TWRP when I unlocked the bootloader and rooted it, so it should be decrypted. If setting a PIN means encrypting data once again, then you are correct, as I backed up my partition with all of my lock settings stored. But to answer your question: I don't know. It just makes no sense to me, as I was able to restore my data and everything works smoothly besides the lock settings. I just know that most of my problems come from having an unreliable TWRP which doesn't support MIUI encryption (I'm waiting for OrangeFox to be released), but other than that I don't understand what is going on with Android security since Marshmallow was released (I'm coming from a OnePlus One stuck on Marshmallow).

So, should I factory reset?

 

[DarthJabba9]

Thanks for your answer. My backup comes from a /data partition that was originally formatted via TWRP when I unlocked the bootloader and rooted it, so it should be decrypted. If setting a PIN means encrypting data once again, then you are correct, as I backed up my partition with all of my lock settings stored. But to answer your question: I don't know. It just makes no sense to me, as I was able to restore my data and everything works smoothly besides the lock settings. I just know that most of my problems come from having an unreliable TWRP which doesn't support MIUI encryption (I'm waiting for OrangeFox to be released), but other than that I don't understand what is going on with Android security since Marshmallow was released (I'm coming from a OnePlus One stuck on Marshmallow).

So, should I factory reset?

Rooting the device doesn't mean that it is decrypted. The lavender ROMs have a nasty habit of encrypting the device again when you boot to system (unless you have effectively disabled forced-encryption after formatting data - but this situation can change quickly). If you are not encrypted, then no attempt at securing the phone will work. It will allow you to set a pin/password, but they will always be declared to be "wrong" when you try to unlock the phone. You can easily check whether you are encrypted or not (in the ROM's security settings). Another clue - if you don't see any option of setting a fingerprint, then it means that you are not encrypted. What does the debug screen show when you boot up TWRP? If it shows something like "dm-0" somewhere on the page, then you are encrypted.

The long and short of it is this - if you want to be able to use pins/passwords/fingerprint, then your phone needs to be encrypted. IMHO all these problems with encryption are due to bugs in Xiaomi's Pie firmwares (and this is getting worse by the day). The other possible interpretation is that this is all deliberate - but I am not a conspiracy theorist, so I choose to believe that these problems are not due to malice.

Doing a factory reset is a good way of starting afresh (I don't know whether formatting data again would be better). However, if you do this, don't try to restore the data backup again - you will just return to "square one".

PS: there are already stable betas of OrangeFox for lavender (see my signature) ...

 

[thunderteaser]

Rooting the device doesn't mean that it is decrypted. The lavender ROMs have a nasty habit of encrypting the device again when you boot to system (unless you have effectively disabled forced-encryption after formatting data - but this situation can change quickly). If you are not encrypted, then no attempt at securing the phone will work. It will allow you to set a pin/password, but they will always be declared to be "wrong" when you try to unlock the phone. You can easily check whether you are encrypted or not (in the ROM's security settings). Another clue - if you don't see any option of setting a fingerprint, then it means that you are not encrypted.

Thanks for your superclear answer. I still don't get how to check for encryption on MIUI 10. I can't see anything related to encryption in security settings, but I still see the options to add fingerprints. Also, "adb shell ro.crypto.status" fails because there is no such file.

What does the debug screen show when you boot up TWRP? If it shows something like "dm-0" somewhere on the page, then you are encrypted.

Can't see any result for dm-* in my recovery log.

The long and short of it is this - if you want to be able to use pins/passwords/fingerprint, then your phone needs to be encrypted. IMHO all these problems with encryption are due to bugs in Xiaomi's Pie firmwares (and this is getting worse by the day). The other possible interpretation is that this is all deliberate - but I am not a conspiracy theorist, so I choose to believe that these problems are not due to malice.

Doing a factory reset is a good way of starting afresh (I don't know whether formatting data again would be better). However, if you do this, don't try to restore the data backup again - you will just return to "square one".

So do you think this happened because I originally flashed a lazyflasher version that disabled dm-verity AND force-encryption in the attempt to not lose my data partition when I flashed an updated rom?

PS: there are already stable betas of OrangeFox for lavender (see my signature) ...

I will definitely follow its development, thank you so much!

 

[DarthJabba9]

Thanks for your superclear answer. I still don't get how to check for encryption on MIUI 10. I can't see anything related to encryption in security settings, but I still see the options to add fingerprints. Also, "adb shell ro.crypto.status" fails because there is no such file.

Send me your recovery log via PM, and I will tell you whether you are encrypted.

So do you think this happened because I originally flashed a lazyflasher version that disabled dm-verity AND force-encryption in the attempt to not lose my data partition when I flashed an updated rom?

I am not sure what is the cause. But you might just want to cut your losses and reset to defaults (or, better still, format data, and let MIUI encrypt again when you restart the phone). You will of course lose all your data (and if you format data, you will lose the contents of your internal storage). However, IMHO, life is too short, and setting up a pristine system is much better than the pain endured in trying to fix these fiddly problems (always a good idea to have your data backed up on the cloud anyway - whether it is GDrive or MiCloud). This makes it less painful to set up your phone again from the start.

 

[thunderteaser]

Send me your recovery log via PM, and I will tell you whether you are encrypted.

I am not sure what is the cause. But you might just want to cut your losses and reset to defaults (or, better still, format data, and let MIUI encrypt again when you restart the phone). You will of course lose all your data (and if you format data, you will lose the contents of your internal storage). However, IMHO, life is too short, and setting up a pristine system is much better than the pain endured in trying to fix these fiddly problems (always a good idea to have your data backed up on the cloud anyway - whether it is GDrive or MiCloud). This makes it less painful to set up your phone again from the start.

Well, you are absolutely right but I can't stop thinking of it as an entertaining part of being an Android user, or I won't be on xda . I've sent you my log, I really appreciate your help. <3

 

[thunderteaser]

I'm back here just to update the thread with a solution for encryption problems, hoping it will help people with similar issues.

If you are going to stay on official MIUI 10 global stable and plan to install root/magisk and still lock the device by any means (pin, pattern, fingerprints, face unlock, etc.) your data partition MUST be encrypted. If your data partition is decrypted, the only way to encrypt it properly again would be by flashing a stock data partition via fastboot (using Mi Flash Tool to flash a whole stock ROM from scratch would be even better), so backup everything as you are going to lose your data.

Then, I absolutely recommend flashing the latest OrangeFox recovery by @DarthJabba9 (see his signature), which is the only recovery I found that properly supports MIUI encryption and also supports OTA updates (and has a lot of amazing features too and a pretty cool design!).

Since the fastboot image I flashed was 10.3.2 EU, I wanted to update to 10.3.3 EU via recovery without losing data and encryption. Here is what I did (you may follow these steps as a generic guide to update to any OTA version):

1) In OrangeFox recovery click on the Settings icon on the top right and enter "MIUI OTA" settings
2) Keep everything on, but make sure to untick "disable dm-verity" and "disable force-encryption" as you want to keep them enabled (the MIUI OTA main switch on top will switch off but everything you have set will still be applied)
3) Flash the full recovery ROM zip you want to update to
4) Flash Magisk and everything else you need
5) Reboot

If you did everything correctly, Magisk installer will tell you that it's keeping dm-verity and encryption untouched (this settings are also reflected in Magisk Manager app: in the main screen go to Advanced Settings and you will see both dm verity and encryption settings checked).

Thanks to @DarthJabba9 again for the awesome support! :highfive: