• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

[FIX] FED-Patcher v7 (ForceEncrypt Disable Patcher)

Search This thread

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
Hello everybody,

I created a tool for the nexus 9 that gets rid of the ForceEncrypt flag in a generic way (meaning it should work no matter what rom you are on). It does that by patching the currently installed boot.img.

Background
The Android CDD (Compatibility Definition Document) suggests that all devices SHOULD enable full disk-encryption (FDE) by default. Even though I support every step towards more security I have to criticize this approach. FDE comes at a price. Encryption takes time because some component has to de- and encrypt the stuff on the disk at some point and in the case of the nexus 9 (aka flounder) it's the CPU's task. Even though the nexus 9's CPU has 2 pretty fast cores you can still easily feel the difference between FDE in the on- or off-state. The I/O is faster and boot-times take only half as long. (I did not do any measurements)
There is an ongoing discussion about this topic in cyanogenmod's gerrit. Although it's a fun read it is pretty clear that this exchange of views is not going anywhere near a useful outcome.
Because performance is important to me and my tablet does not need the extra security I created the FED-Patcher (ForceEncrypt Disable Patcher)

How does it work?
FED-Patcher is a simple flashable ZIP that is supposed to be run in a recovery that has busybox integrated (like TWRP or CWM). This is what it does:
  1. Checks if your device is compatible
  2. Dumps the currently installed boot.img.
  3. Unpacks the dump of your currently installed boot.img. The unpacking process is done via a self-compiled, statically linked version of unmkbootimg.
  4. It patches the filesystem tables which include the force-encrypt flags. This process will change "forceencrypt" to "encryptable".
  5. Then it patches the filesystem tables to not use dm-verity. This is done by removing the "verify" mount-parameter.
  6. Creates a new boot.img. The unpacking process is done via a self-compiled, statically linked version of mkbootimg.
  7. Flashes the modified boot.img

Supported devices
  • HTC Nexus 9 WiFi (flounder)
  • HTC Nexus 9 LTE (flounder_lte)
  • Motorola Nexus 6 (shamu)

Version History
  • v1 - Initial version with HTC Nexus 9 WiFi (flounder) support
  • v2 - Added Motorola Nexus 6 (shamu) support
  • v3 - Added support for HTC Nexus 9 LTE (flounder_lte)
  • v4 - Added support for signed boot-images
  • v5 - Changed error handling to compensate for missing fstab files. Some roms seem not to ship with the complete set of boot-files from AOSP.
  • v6 - FED-Patcher will enforce the same structure for the patched boot.img that the original boot.img had. Additionally, the kernel commandline will also be taken over. This should fix pretty much every case where devices would not boot after patching.
  • v7 - FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.

What do I need to make this work?
  1. A supported device (Your nexus 9)
  2. An unlocked bootloader
  3. An already installed ROM with forceencrypt flag. (like cyanogenmod CM12.1)
  4. A recovery that includes busybox (TWRP, CWM)

How do I use it?
  1. Make a thorough, conservative backup of your data if there is any on your device
  2. Go into your recovery (TWRP, CWM)
  3. Flash fed_patcher-signed.zip
  4. If your device is already encrypted (You booted your ROM at least once) you need to do a full wipe to get rid of the encryption. This full wipe will clear all your data on your data-partition (where your apps as well as their settings are stored) as well as on your internal storage so please, do a backup before. If you don't do a backup and want to restore your data... well... Call obama.

How do I know if it worked?
Go into your "Settings"-App. In "Security", if it offers you to encrypt your device it is unencrypted. If it says something like "Device is encrypted" it indeed is encrypted.

IMPORTANT: If you update your ROM you have to run FED-Patcher again because ROM-updates also update the boot-partition which effectively removes my patch. So, if you are on CM12.1 for example and you used my patch and do an update to a newer nightly you have to run FED-Patcher again. If you don't do so Android will encrypt your device at the first boot.

Is it dangerous?
Well, I implemented tons of checks that prevent pretty much anything bad from happening. But, of course, we're dealing with the boot-partition here. Even though I tested FED-Patcher quite a lot there is still room for crap hitting the fan.

Screenshot
Scroll down to the attached thumbnails.

Credits
* pbatard for making (un)mkbootimg (dunno if he is on xda)
* @rovo89 for his xposed framework - I used some of his ideas by reading the source of his xposed installer flashable ZIP for FED-Patcher.
 

Attachments

  • Screenshot.jpg
    Screenshot.jpg
    114.1 KB · Views: 3,190
  • fed_patcher_v3-signed.zip
    1.5 MB · Views: 162
  • fed_patcher_v4-signed.zip
    1.5 MB · Views: 65
  • fed_patcher_v5-signed.zip
    1.5 MB · Views: 226
  • fed_patcher_v6-signed.zip
    1.5 MB · Views: 381
  • fed_patcher_v7-signed.zip
    1.5 MB · Views: 5,381
Last edited:

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
Thanks for creating this! In theory, would this work for the Nexus 6 as well? It would seem like it's a similar process.

Hey there,

yes, it would probably work because the process itself is pretty generic. The only real difference between devices is the device-path for the boot-partition as well as the path(s) for the fstab-file(s) inside the boot.img. Nothing that cannot be done - but I don't have a device for testing. If you feel adventurous I can do a nexus6 (shamu) version for you for testing. I will double check so it should not eff up your device :p.

EDIT: Not to forget, the nexus 9 is a 64bit device. mkbootimg as well as unmkbootimg are compiled for 64bit. I have to rebuild those two programs for 32bit to make them work for 32bit devices.
 
Last edited:
  • Like
Reactions: itlnstln

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
If you have time for a N6 build, that would be great. If not, it's not a big deal since there seems to be more support for that device.

Well, it's pretty much done. Do you want to test a version that does not actually flash anything but do everything else - just to see if it works correctly?
 
  • Like
Reactions: itlnstln

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
Absolutely!

Alright, here you go!

If no error occurs there will be the already modified boot.img file in your temp-directory of your nexus 6. You can send me this file to be completely sure that everything went according to plan. Here is the adb-command:
Code:
adb pull /tmp/fed_patcher/boot-new.img

If all goes well I will upload the new version with nexus 6 (shamu) support tomorrow.

Good night!
 

Attachments

  • fed_patcher-signed-dryrun.zip
    1.5 MB · Views: 25
  • Like
Reactions: DanteGR

itlnstln

Senior Member
Sep 1, 2010
544
184
San Antonio, TX
Alright, here you go!

If no error occurs there will be the already modified boot.img file in your temp-directory of your nexus 6. You can send me this file to be completely sure that everything went according to plan. Here is the adb-command:
Code:
adb pull /tmp/fed_patcher/boot-new.img

If all goes well I will upload the new version with nexus 6 (shamu) support tomorrow.

Good night!

Thanks! It seemed to work OK. Here's the boot image.
 

Attachments

  • boot-new.img
    7.6 MB · Views: 198
  • Like
Reactions: gladiac

madbat99

Senior Member
Mar 1, 2014
5,538
3,287
I noticed in op it says "4 pretty fast cores". This puppy only has 2 cores. Just throwing it out there for readers that don't know. I'm sure it was just a minor oversight.

Sent from my Nexus 9
 

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
Hey everybody,
I will enable support for the Nexus 9 LTE (flounder_lte) this afternoon in FED-Pather v3. If you want other devices to be supported please tell me. Is there a list of android devices that have forced encryption?
 

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
So this works great, leaving device unencrypted. But anyone having issues with apps crashing? Most especially Google Play Services?

This problem is new to me. My patch only modifies the boot-image so that it does not enforce encryption. It is merely a flag in fstab that gets changed and should not have anything to do with crashing apps. Anyway, do you have a logcat?
 

itlnstln

Senior Member
Sep 1, 2010
544
184
San Antonio, TX
I'm getting an error with my N9 (WiFi). When I try flashing in TWRP, it throws this error:

! Unpacking failed
=> unmkbootimg return value: 0
E: Error executing updater binary in zip...

All I did was go into fastboot, flash the updated image for LMY48M, then go into TWRP to flash the fix. I even went back into fastboot to try re-flashing the boot.img.
 

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
I'm getting an error with my N9 (WiFi). When I try flashing in TWRP, it throws this error:

! Unpacking failed
=> unmkbootimg return value: 0
E: Error executing updater binary in zip...

All I did was go into fastboot, flash the updated image for LMY48M, then go into TWRP to flash the fix. I even went back into fastboot to try re-flashing the boot.img.

Hi, sorry to hear that. I will have a look into the boot.img that gets shipped with LMY48M. Not sure what is going on here.
 

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
I'm getting an error with my N9 (WiFi). When I try flashing in TWRP, it throws this error:

! Unpacking failed
=> unmkbootimg return value: 0
E: Error executing updater binary in zip...

All I did was go into fastboot, flash the updated image for LMY48M, then go into TWRP to flash the fix. I even went back into fastboot to try re-flashing the boot.img.

Alright - unmkbootimg fails because the boot.img that google ships has 256 Bytes of extra data (it is probably signed or something) at the beginning. If you strip that off it works correctly:
Code:
dd if=boot.img of=boot-stripped.img bs=256 skip=1
Well, this was unexpected. But nothing that cannot be dealt with. I will make my flashable ZIP search for the offset of the boot.img-signature inside the dumped boot.img and strip of the preceding data. The rest of the process should work as usual.
 
  • Like
Reactions: itlnstln

gladiac

Senior Member
Nov 13, 2006
333
480
Vienna
I'm getting an error with my N9 (WiFi). When I try flashing in TWRP, it throws this error:

! Unpacking failed
=> unmkbootimg return value: 0
E: Error executing updater binary in zip...

All I did was go into fastboot, flash the updated image for LMY48M, then go into TWRP to flash the fix. I even went back into fastboot to try re-flashing the boot.img.

Hi @itlnstln,
I just made a new version which should do the trick. I tested the new functionality to the best of my knowledge. If the script fails for some reason it wont flash anything - so the probability for actual damage is very low. Do you feel adventurous xD?
Please tell me if it worked for you or not.
 

Attachments

  • fed_patcher_v4-signed.zip
    1.5 MB · Views: 15
  • Like
Reactions: itlnstln

Top Liked Posts

  • There are no posts matching your filters.
  • 32
    Hello everybody,

    I created a tool for the nexus 9 that gets rid of the ForceEncrypt flag in a generic way (meaning it should work no matter what rom you are on). It does that by patching the currently installed boot.img.

    Background
    The Android CDD (Compatibility Definition Document) suggests that all devices SHOULD enable full disk-encryption (FDE) by default. Even though I support every step towards more security I have to criticize this approach. FDE comes at a price. Encryption takes time because some component has to de- and encrypt the stuff on the disk at some point and in the case of the nexus 9 (aka flounder) it's the CPU's task. Even though the nexus 9's CPU has 2 pretty fast cores you can still easily feel the difference between FDE in the on- or off-state. The I/O is faster and boot-times take only half as long. (I did not do any measurements)
    There is an ongoing discussion about this topic in cyanogenmod's gerrit. Although it's a fun read it is pretty clear that this exchange of views is not going anywhere near a useful outcome.
    Because performance is important to me and my tablet does not need the extra security I created the FED-Patcher (ForceEncrypt Disable Patcher)

    How does it work?
    FED-Patcher is a simple flashable ZIP that is supposed to be run in a recovery that has busybox integrated (like TWRP or CWM). This is what it does:
    1. Checks if your device is compatible
    2. Dumps the currently installed boot.img.
    3. Unpacks the dump of your currently installed boot.img. The unpacking process is done via a self-compiled, statically linked version of unmkbootimg.
    4. It patches the filesystem tables which include the force-encrypt flags. This process will change "forceencrypt" to "encryptable".
    5. Then it patches the filesystem tables to not use dm-verity. This is done by removing the "verify" mount-parameter.
    6. Creates a new boot.img. The unpacking process is done via a self-compiled, statically linked version of mkbootimg.
    7. Flashes the modified boot.img

    Supported devices
    • HTC Nexus 9 WiFi (flounder)
    • HTC Nexus 9 LTE (flounder_lte)
    • Motorola Nexus 6 (shamu)

    Version History
    • v1 - Initial version with HTC Nexus 9 WiFi (flounder) support
    • v2 - Added Motorola Nexus 6 (shamu) support
    • v3 - Added support for HTC Nexus 9 LTE (flounder_lte)
    • v4 - Added support for signed boot-images
    • v5 - Changed error handling to compensate for missing fstab files. Some roms seem not to ship with the complete set of boot-files from AOSP.
    • v6 - FED-Patcher will enforce the same structure for the patched boot.img that the original boot.img had. Additionally, the kernel commandline will also be taken over. This should fix pretty much every case where devices would not boot after patching.
    • v7 - FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.

    What do I need to make this work?
    1. A supported device (Your nexus 9)
    2. An unlocked bootloader
    3. An already installed ROM with forceencrypt flag. (like cyanogenmod CM12.1)
    4. A recovery that includes busybox (TWRP, CWM)

    How do I use it?
    1. Make a thorough, conservative backup of your data if there is any on your device
    2. Go into your recovery (TWRP, CWM)
    3. Flash fed_patcher-signed.zip
    4. If your device is already encrypted (You booted your ROM at least once) you need to do a full wipe to get rid of the encryption. This full wipe will clear all your data on your data-partition (where your apps as well as their settings are stored) as well as on your internal storage so please, do a backup before. If you don't do a backup and want to restore your data... well... Call obama.

    How do I know if it worked?
    Go into your "Settings"-App. In "Security", if it offers you to encrypt your device it is unencrypted. If it says something like "Device is encrypted" it indeed is encrypted.

    IMPORTANT: If you update your ROM you have to run FED-Patcher again because ROM-updates also update the boot-partition which effectively removes my patch. So, if you are on CM12.1 for example and you used my patch and do an update to a newer nightly you have to run FED-Patcher again. If you don't do so Android will encrypt your device at the first boot.

    Is it dangerous?
    Well, I implemented tons of checks that prevent pretty much anything bad from happening. But, of course, we're dealing with the boot-partition here. Even though I tested FED-Patcher quite a lot there is still room for crap hitting the fan.

    Screenshot
    Scroll down to the attached thumbnails.

    Credits
    * pbatard for making (un)mkbootimg (dunno if he is on xda)
    * @rovo89 for his xposed framework - I used some of his ideas by reading the source of his xposed installer flashable ZIP for FED-Patcher.
    3
    That was too easy! I don't believe you. :p

    Thanks!!

    Well, I guess it would have been clever if I had added that little piece of information to the op, right? :) (I just did)
    3
    Hello everybody,
    I just released v7!
    FED-Patcher will now disable dm-verity in fstab to get rid of the red error sign on marshmallow roms.
    Enjoy!
    3
    Hello everybody,
    just to let you guys know - I just checked the new marshmallow factory image for flounder (MRA58K) and flounder_lte (MRA58K) => FED-Patcher should work for these new images too.
    Enjoy!
    3
    So if I get this correctly after flashing the FED-PAtcher zip I ONLY have to wipe the "data partition" by going to wipe -> advanced -> and select only data.
    Is this correct?
    If this is correct then why would my Internal Storage be wiped??
    Thank you so much @gladiac for this!
    Makes life much much easier :)

    Hey there,

    you need to do "Wipe" - "Format Data". This will remove all your apps and settings as well as clear the internal storage.

    The problem is that "Advanced Wipe" - "Data" does not really format the partition. It only removes all files in /data without wiping /data/media -> this approach does not get rid of the encryption. The reason why that does not really format /data is because /data and /data/media are 2 distinct things in android which share the same physical partition.