[UNOFFICIAL][ENCRYPTION][wrappedkey] TWRP 3.3.1-6: proper system_as_root & decryption


Senior Member
Jul 15, 2013
[UNOFFICIAL][ENCRYPTION][wrappedkey] TWRP 3.3.1-6: proper system_as_root & decryption

 * I'm not responsible for bricked devices, dead SD cards, thermonuclear war, or you getting fired because the alarm app failed (like it did for me...). 
 * Please do some research if you have any concerns about features included in the products you find here before flashing it! 
 * YOU are choosing to make these modifications, and if you point the finger at me for messing up your device, I will laugh at you. 
 * Your warranty will be void if you tamper with any part of your device / software.
 * Same statement for XDA.

This is an unofficial build of TWRP for Redmi Note 7 Pro (violet). Differences with the official one include:

- Supports CAF-based wrappedkey encryption (decryption) properly (tested with MIUI
- Supports decrypting devices that have screen lock set up after Android 9 May update, which introduced a new key derivation function.
- Mounts the system partition at /system_root as per AOSP standards. This makes the auto-backup scripts (e.g. GApps / Magisk survival script) work properly during updates, and you no longer need any 'patch' to flash GApps / Magisk properly. However, this may break some existing ROMs. See below FAQ section for details.
- Appended DTBO to the recovery image so it doesn't depend on the dtbo partition. No standalone DTBO image required.

Flashing instructions

- Download and extract the img file
- Reboot to fastboot mode
- fastboot flash recovery whatever_img_file_you_extracted.img
- Reboot and press Volume + to enter recovery
- DO NOT try to run 'fastboot boot recovery.img', it won't work.
- DO NOT flash the fcrypt disabler if you use my recovery. There is no need to do so, and it is possible to mess stuff up if you don't know what you are doing.
- You have to format the data partition if and ONLY IF:
1) You were not encrypted, now going to an encrypted state, or vice-versa OR
2) You were on a ROM other than MIUI that does not support "wrappedkey" (ROMs would often state it supports wrappedkey if it does), now going to a ROM that supports it


DO NOT boot this recovery with empty system and vendor partitions. It will fail to decrypt any data partition with empty /system and /vendor. DO NOT wipe system and vendor partitions without installing a new one before rebooting. I am working to remove this limitation.

Now works even with empty system and vendor partitions after 3.3.1-5. No need to worry about formatting system and vendor breaking TWRP any more.

The restore zip created by the Migrate app is NOT compatible with this recovery. It's a problem of the Migrate app, not this recovery. Please DO NOT try to flash the restore zip created by Migrate.


- Q: Do I need any specific DTBO image to make this recovery working?
- A: Nope. It is appended to the recovery image so it will work with any DTBO.

- Q: What is wrappedkey?
- A: It's a different mode of FBE implemented in CAF, the Qualcomm branch of AOSP.

- Q: This cannot install ROM X, why?
- A: Because it mounts the system partition at /system_root, which is AOSP standard behavior for A-only system_as_root devices, but is broken in some custom ROMs currently (MIUI should work though). To make any ROM work again, they will need to include this commit from LineageOS Gerrit https://review.lineageos.org/c/LineageOS/android_build/+/247066

- Q: Decryption doesn't work with ROM X, why?
- A: Decryption should work for most ROMs based on the CAF branch (not AOSP). CAF ROMs (including official MIUI) use a different scheme for key storage, which is why TWRP hasn't supported it till now. I have ported the CAF encryption changes (wrappedkey) to TWRP, but unfortunately this will break ROMs that do not support the CAF wrappedkey mode of encryption. Here is a list of patches non-CAF ROMs need to support CAF-encrypted /data partitions https://mokeedev.review/q/topic:%22fbe-wrapped-key%22+(status:eek:pen%20OR%20status:merged). If you confirm your ROM is CAF-based but the decryption still does not work, please open an issue on my GitHub repository which you could find below. (XDA threads are no good for issue tracking, sorry)

- Q: Why not contribute to the official TWRP?
- A: All the patches to the TWRP code base have been submitted to the official gerrit code review, though not merged yet, which you can see below.


3.3.1-6: https://mega.nz/#!3QIRQYhK!Jq5QrGfJw5VCYZ8sq_BO1qNZecrFqlM9IB1IdSwogvI
changes: updated kernel to support pstore instead of /proc/last_kmsg. If you don't know what this is, it's probably not relevant to you.

Here you can find an unofficial LOS build with wrappedkey encryption and also proper system_as_root support for those survival scripts https://forum.xda-developers.com/redmi-note-7-pro/development/unofficial-lineageos-16-caf-encryption-t3933532. In addition, all official MIUI builds should flash just fine.

History versions:

3.3.1-5: https://mega.nz/#!nMowHKiL!zRvoTM0iIZKArmUDnZzaEFtXQv0_q7hIHUCmTHTOmOM
changes: 1) Now works even with empty /system and /vendor partition 2) Fixed brightness problem; 3) Enabled EDL Reboot
3.3.1-3: https://mega.nz/#!yAYXxAzZ!FNMYLzLphnSmJ-DbBx-OZUgxxYiftgn8e4Jn3kxiQik

Patches and sources

Patches for TWRP are available here:


Patches for ROMs to support wrapped key have been given in the above sections.

Source of the current device tree for TWRP: https://github.com/PeterCxy/android_device_xiaomi_violet-twrp
Kernel source: https://github.com/PeterCxy/android_kernel_xiaomi_sm6150, note that the device tree uses a prebuilt kernel image.

PeterCxy, Dyneteve, merothh
Source Code: https://github.com/PeterCxy/android_device_xiaomi_violet-twrp
Last edited:


Senior Member
Jan 10, 2017
I’m not new to installing custom recoveries and installing ROM, but I am new to Xiaomi devices.

In the simplest form possible,

With this I should be able to just run the ‘fastboot install recovery twrp.img’ and not have to run “fastboot erase userdata’?


Do I still need to flash the zip I have that disables forced encryption?


Senior Member
Jul 15, 2013
I’m not new to installing custom recoveries and installing ROM, but I am new to Xiaomi devices.

In the simplest form possible,

With this I should be able to just run the ‘fastboot install recovery twrp.img’ and not have to run “fastboot erase userdata’?


Do I still need to flash the zip I have that disables forced encryption?
You won't need to erase userdata or flash fcrypt disabler anymore, if all the ROMs will update to support the wrappedkey encryption