Possible explanation why nexus 5 didn't have the new device protection

awaaas

So, I just posted this a while ago on reddit, and some guy over there pointed out that maybe XDA is a better place for this.

I just realized this afternoon while looking at my Android One device (sprout_b, Indonesian version).
The Indian version (sprout) got updated to Lollipop and has the new device protection. Even if I flashed and used the said update on my device, I can't use the new device protection.

So I tried to compare both system files and boot.img, and found 1 partition missing on my device, FRP.
I investigated more about this, and it seems that both Nexus 6 and 9 got this partition too (under the name PST).

And then, wild sudden clarity appears! FRP = Factory Reset Protection.
So, both my devices (Nexus 5 and Nexian Journey 1 -Android One- ) probably didn't receive this protection, because the partition needed for it isn't there.

For more info, here are the fstabs from both Android One branches (sprout and sprout_b):

sprout:
Code:
# Android fstab file.
#<src>           <mnt_point>         <type>    <mnt_flags and options>                 <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

/dev/block/platform/mtk-msdc.0/by-name/system    /system     ext4  ro                                                          wait
/dev/block/platform/mtk-msdc.0/by-name/userdata  /data       ext4  noatime,nosuid,nodev,noauto_da_alloc,discard                wait,check,encryptable=/dev/block/platform/mtk-msdc.0/by-name/metadata
/dev/block/platform/mtk-msdc.0/by-name/cache     /cache      ext4  noatime,nosuid,nodev,noauto_da_alloc,discard                wait,check
/dev/block/platform/mtk-msdc.0/by-name/protect1  /protect_f  ext4  noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc    wait,check
/dev/block/platform/mtk-msdc.0/by-name/protect2  /protect_s  ext4  noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc    wait,check
/dev/block/platform/mtk-msdc.0/by-name/oem       /oem        ext4  ro,context=u:object_r:oemfs:s0,nosuid,nodev                 wait
/devices/platform/mtk-msdc.1/mmc_host*           auto        vfat  defaults                                                    voldmanaged=sdcard0:auto,noemulatedsd
/dev/block/platform/mtk-msdc.0/by-name/frp       /persistent emmc  defaults                                                    defaults
sprout_b:
Code:
# Android fstab file.
#<src>           <mnt_point>         <type>    <mnt_flags and options>                 <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

/dev/block/platform/mtk-msdc.0/by-name/system    /system     ext4  ro                                                          wait
/dev/block/platform/mtk-msdc.0/by-name/userdata  /data       ext4  noatime,nosuid,nodev,noauto_da_alloc,discard                wait,check,encryptable=/dev/block/platform/mtk-msdc.0/by-name/metadata
/dev/block/platform/mtk-msdc.0/by-name/cache     /cache      ext4  noatime,nosuid,nodev,noauto_da_alloc,discard                wait,check
/dev/block/platform/mtk-msdc.0/by-name/protect1  /protect_f  ext4  noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc    wait,check
/dev/block/platform/mtk-msdc.0/by-name/protect2  /protect_s  ext4  noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc    wait,check
/dev/block/platform/mtk-msdc.0/by-name/oem       /oem        ext4  ro,context=u:object_r:oemfs:s0,nosuid,nodev                 wait
/devices/platform/mtk-msdc.1/mmc_host*           auto        vfat  defaults                                                    voldmanaged=sdcard1:auto
FRP is also mentioned in the file_contexts file in boot.img:
Code:
/dev/block/mmcblk0p18 u:object_r:frp_block_device:s0
So, what do you guys think?
 

bitdomo

Interesting. Creating an FRP partition by taking away some space from userdata would not hurt.
The rest is to find the files which are responsible for the factory reset protection.
 

awaaas

> Interesting. Creating an FRP partition by taking away some space from userdata would not hurt.
> The rest is to find the files which are responsible for the factory reset protection.

there's also this build.prop entry:
Code:
ro.frp.pst=/dev/block/platform/mtk-msdc.0/by-name/frp
in case of nexus 6:
Code:
ro.frp.pst=/dev/block/platform/msm_sdcc.1/by-name/frp
and nexus 9:
Code:
ro.frp.pst=/dev/block/platform/sdhci-tegra.3/by-name/PST
also, this article.
 

bitdomo

> there's also this build.prop entry:
> Code:
> ro.frp.pst=/dev/block/platform/mtk-msdc.0/by-name/frp
> in case of nexus 6:
> Code:
> ro.frp.pst=/dev/block/platform/msm_sdcc.1/by-name/frp
> and nexus 9:
> Code:
> ro.frp.pst=/dev/block/platform/sdhci-tegra.3/by-name/PST
> also, this article.

What is the size of the FRP partition?

Can you enlighten me on what this factory reset protection actually does? Does it prevent you from performing a factory reset, or even after you do a factory reset do you still have to enter the PIN lock or enter the pattern? How do you enable it on a supported device? How do you know it is enabled?
 

ConorCX

> Can you enlighten me on what this factory reset protection actually does? Does it prevent you from performing a factory reset, or even after you do a factory reset do you still have to enter the PIN lock or enter the pattern? How do you enable it on a supported device? How do you know it is enabled?

I believe it will not let you factory reset the device unless you enter your Google account username and password.
 

awaaas

> What is the size of the FRP partition?
>
> Can you enlighten me on what this factory reset protection actually does? Does it prevent you from performing a factory reset, or even after you do a factory reset do you still have to enter the PIN lock or enter the pattern? How do you enable it on a supported device? How do you know it is enabled?

Let's say that X's phone is stolen by Y. Y then proceeds to factory reset the phone from recovery mode because the lockscreen is protected by a password.

The system will let Y do that, but upon starting the system, the setup wizard will not allow him to pass unless you give him the last Google account username and password that was active on that phone.

The bootloader is locked and you must toggle the unlock state in developer options (like on the Nexus 6), so no custom recovery to wipe the frp partition, and re-flashing with a factory image doesn't touch that partition either.

From android police

I don't have a device that supports it, but I will search around for the size.
 

bitdomo

> Let's say that X's phone is stolen by Y. Y then proceeds to factory reset the phone from recovery mode because the lockscreen is protected by a password.
>
> The system will let Y do that, but upon starting the system, the setup wizard will not allow him to pass unless you give him the last Google account username and password that was active on that phone.
>
> The bootloader is locked and you must toggle the unlock state in developer options (like on the Nexus 6), so no custom recovery to wipe the frp partition, and re-flashing with a factory image doesn't touch that partition either.
>
> From android police
>
> I don't have a device that supports it, but I will search around for the size.

I played a little.
I made an frp partition. As I saw from the previous link, it is a 512 kb large unformatted partition.
I built a kernel, adding the frp partition to the fstab and context file.
I edited the build.prop to add the ro.frp.pst string.
I could not make it work, but some data appeared on the frp partition: 35 bytes of data.
I am lost at the moment as to what else I could do. I should somehow get logs but have no idea what I have to look for in dmesg or logcat.
Maybe there are some libs and scripts? Or do we need some reverse engineering? Or does it need a stock ROM? Does anyone know if this feature works on the custom ROMs of the Nexus 6 or 9?
 

opssemnik

> I played a little.
> I made an frp partition. As I saw from the previous link, it is a 512 kb large unformatted partition.
> I built a kernel, adding the frp partition to the fstab and context file.
> I edited the build.prop to add the ro.frp.pst string.
> I could not make it work, but some data appeared on the frp partition: 35 bytes of data.
> I am lost at the moment as to what else I could do. I should somehow get logs but have no idea what I have to look for in dmesg or logcat.
> Maybe there are some libs and scripts? Or do we need some reverse engineering? Or does it need a stock ROM? Does anyone know if this feature works on the custom ROMs of the Nexus 6 or 9?

Maybe the GServices check for the device? Also take a look at the Note Edge: the OTA to Lollipop on the Sprint variant has an interesting comment, "Added Factory Reset Protection." So by this thread, it also got the device protection feature?
 

awaaas

> I played a little.
> I made an frp partition. As I saw from the previous link, it is a 512 kb large unformatted partition.
> I built a kernel, adding the frp partition to the fstab and context file.
> I edited the build.prop to add the ro.frp.pst string.
> I could not make it work, but some data appeared on the frp partition: 35 bytes of data.
> I am lost at the moment as to what else I could do. I should somehow get logs but have no idea what I have to look for in dmesg or logcat.
> Maybe there are some libs and scripts? Or do we need some reverse engineering? Or does it need a stock ROM? Does anyone know if this feature works on the custom ROMs of the Nexus 6 or 9?

The article I mentioned earlier mentioned the new service needed for this to be active, android.service.persistentdata.IPersistentDataBlockService (frameworks/base/services/core/java/com/android/server/PersistentDataBlockService.java).

Also, for sprout, I had to dig in more:
So, in fstab.sprout, it is listed like this:
Code:
/dev/block/platform/mtk-msdc.0/by-name/frp       /persistent emmc  defaults                                                    defaults
and in file_contexts, it is listed like this:
Code:
/dev/block/mmcblk0p18 u:object_r:frp_block_device:s0
After downloading several stock ROMs for sprout, I looked at their scatter files (like PIT for Samsung devices) and didn't find anything about an FRP partition. So I searched for this mmcblk0p18 mentioned earlier in file_contexts; it turns out it is actually a partition called "gen", and the size is 71.5 MB. This partition is actually available on my sprout_b device, yet the corresponding feature didn't work.
 

bitdomo

> The article I mentioned earlier mentioned the new service needed for this to be active, android.service.persistentdata.IPersistentDataBlockService (frameworks/base/services/core/java/com/android/server/PersistentDataBlockService.java).
>
> Also, for sprout, I had to dig in more:
> So, in fstab.sprout, it is listed like this:
> Code:
> /dev/block/platform/mtk-msdc.0/by-name/frp       /persistent emmc  defaults                                                    defaults
> and in file_contexts, it is listed like this:
> Code:
> /dev/block/mmcblk0p18 u:object_r:frp_block_device:s0
> After downloading several stock ROMs for sprout, I looked at their scatter files (like PIT for Samsung devices) and didn't find anything about an FRP partition. So I searched for this mmcblk0p18 mentioned earlier in file_contexts; it turns out it is actually a partition called "gen", and the size is 71.5 MB. This partition is actually available on my sprout_b device, yet the corresponding feature didn't work.

Awesome! I am checking the source code of the persistent data block service. Now at least I know what I have to look for to find errors (hope I will find them).
I will give it a try tomorrow. My poor phone was wiped like 10 times today.
 

bitdomo

I could not rest... my mind was constantly ticking on this.
Well, this is something.
I will tell the rest tomorrow, but at first look it is working. It didn't let me pass by entering other email addresses; it just jumped back to the wifi selection mode without saying anything (is that normal?). Anyway, after I logged in with my Google account it let me pass.
 

bitdomo

I got it working without making any new partition.
I am using the partition called "grow", 5,5 kiB in size, as it is not being used by or for anything. It looks like that amount of space is enough.

What I did to make it work:

I went back to stock LMY47I rom from my AOSP rom.
I added this line to /system/build.prop:
Code:
ro.frp.pst=/dev/block/platform/msm_sdcc.1/by-name/grow
I extracted the kernel's ramdisk and added the following lines to the following files:
fstab.hammerhead
Code:
/dev/block/platform/msm_sdcc.1/by-name/grow	    /peristent      emmc    defaults
file_contexts
Code:
/dev/block/platform/msm_sdcc\.1/by-name/grow           u:object_r:frp_block_device:s0
ueventd.hammerhead.rc
Code:
/dev/block/platform/msm_sdcc.1/by-name/grow 0600 system system
Then I packed the kernel (get it) and flashed it to the phone.

I added these changes to the hammerhead device tree if someone is interested.
 
Last edited:
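
A consistency check over the three settings changed in the post above (the `ro.frp.pst` property, the `frp_block_device` label and the `0600 system system` ueventd entry), added here as an example and not part of the original thread. The sample file contents are constructed from the lines quoted in the post, the function names are hypothetical, and matching is simplified: the last fully matching file_contexts regex wins, and ueventd paths are compared exactly.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the post above.
BUILD_PROP = "ro.build.id=LMY47I\nro.frp.pst=/dev/block/platform/msm_sdcc.1/by-name/grow\n"
FILE_CONTEXTS = (
    "/dev/block/platform/msm_sdcc\\.1/by-name/userdata  u:object_r:userdata_block_device:s0\n"
    "/dev/block/platform/msm_sdcc\\.1/by-name/grow      u:object_r:frp_block_device:s0\n"
)
UEVENTD_RC = "/dev/block/platform/msm_sdcc.1/by-name/grow 0600 system system\n"

def frp_path(build_prop):
    """Return the block device named by ro.frp.pst, or None if unset."""
    for line in build_prop.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ro.frp.pst":
            return value.strip() or None
    return None

def selinux_label(file_contexts, path):
    """Context of the last file_contexts regex that fully matches path (simplified)."""
    label = None
    for line in file_contexts.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if re.fullmatch(fields[0], path):
            label = fields[-1]
    return label

def ueventd_perms(ueventd_rc, path):
    """(mode, owner, group) of the exact-path ueventd entry, or None."""
    for line in ueventd_rc.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == path:
            return tuple(fields[1:])
    return None

def audit_frp(build_prop, file_contexts, ueventd_rc):
    """List the ways the FRP block device wiring is incomplete (empty list = consistent)."""
    path = frp_path(build_prop)
    if path is None:
        return ["ro.frp.pst is not set: no persistent data block is configured"]
    findings = []
    label = selinux_label(file_contexts, path)
    if label != "u:object_r:frp_block_device:s0":
        findings.append(f"{path} is labelled {label}, not frp_block_device")
    perms = ueventd_perms(ueventd_rc, path)
    if perms != ("0600", "system", "system"):
        findings.append(f"{path} has ueventd entry {perms}, expected 0600 system system")
    return findings
```
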

frankusb

> The bootloader is locked and you must toggle the unlock state in developer options (like on the Nexus 6), so no custom recovery to wipe the frp partition, and re-flashing with a factory image doesn't touch that partition either.

So 'fastboot oem unlock' no longer works? With that you could load a custom recovery and wipe any partition.
 

frankusb

> Fastboot oem unlock will be disallowed by default. You must toggle the option under developer settings to be able to do that.

It will be disallowed by default? By the Nexus 5 boot loader? In what cases? It either is or it isn't today. I can't try it on my Nexus 5.

I looked for that option under development options on my Nexus 5 and did not find anything.
 

bitdomo

> It will be disallowed by default? By the Nexus 5 boot loader? In what cases? It either is or it isn't today. I can't try it on my Nexus 5.
>
> I looked for that option under development options on my Nexus 5 and did not find anything.

That option comes up only if you have a dedicated frp partition, but for nexus 5 it is useless to enable or disable it because the bootloader will not check the OEM enable bit on the dedicated frp partition unlike nexus 6's bootloader.
 

awaaas

> It will be disallowed by default? By the Nexus 5 boot loader? In what cases? It either is or it isn't today. I can't try it on my Nexus 5.
>
> I looked for that option under development options on my Nexus 5 and did not find anything.

That is the case for the Nexus 6 (and probably 9).

Today, my Indonesian Android One device got updated to LMY47O, and lazy Google is lazy: they didn't rip out the device protection option bit from my device; it didn't work in the first place. They didn't even bother to edit the boot.img ramdisk, leaving the Indian setting there.
 