Database Info

[Solved] Any Possible way to have Magisk and any kind of data encryption in S7?

Hi,
I been searching for a way to encrypt the data partition with magisk and i didn't succeded at all. No matter if flash magisk in an already encrypted system (it says "using cache walkaround" but it gets stuck in the glowing samsung boot logo) or if i try to encrypt the terminal after having a magisk working system. I even tried to mark in magisk "Keep Forced Encryption" in MagiskManager with no success. It makes the system hang again in the boot secuence after reflashing magisk and rebooting.
I just want root in the stock firmware to be able to debloat and use titanium and a couple of apps.
Any way to have encrypted data and root in nougat?

Yes.
There are two requirements to support rooted stock firmware and encryption:
- You MUST use the stock kernel binary. Custom kernel binaries are blocked by TIMA, which handles encryption.
- You need to change "ro.config.tima" in the system build.prop to 0. This doesn't entirely disable TIMA, but seems to relax the encryption requirements a bit(less salting?) which will allow a modified ramdisk to work properly. It's slightly less secure, but still more secure than going unencrypted
Notes: You will need to wipe /data initially after making the build.prop change. You'll need to disable dm-verity after modifying /system. If you installed a custom kernel before you should reflash the entire firmware as the kernel installer likely deleted the TIMA trustlet binary. Some success was had before with getting custom kernels past TIMA by killing the TIMA service soon after boot, but this had the tendency to brick the data partition. Perhaps in future...
Edit: attached a flashable zip to make the build.prop change from TWRP

CurtisMJ said:
Yes.
There are two requirements to support rooted stock firmware and encryption:
- You MUST use the stock kernel binary. Custom kernel binaries are blocked by TIMA, which handles encryption.
- You need to change "ro.config.tima" in the system build.prop to 0. This doesn't entirely disable TIMA, but seems to relax the encryption requirements a bit(less salting?) which will allow a modified ramdisk to work properly. It's slightly less secure, but still more secure than going unencrypted
Notes: You will need to wipe /data initially after making the build.prop change. You'll need to disable dm-verity after modifying /system. If you installed a custom kernel before you should reflash the entire firmware as the kernel installer likely deleted the TIMA trustlet binary. Some success was had before with getting custom kernels past TIMA by killing the TIMA service soon after boot, but this had the tendency to brick the data partition. Perhaps in future...
Edit: attached a flashable zip to make the build.prop change from TWRP
Click to expand...
Click to collapse
Hey , thanks a lot for the info and the file . I learned more from it than 2 days on the internet struggling with this "issue"!
Actually I already tried another way and it worked!
I'll try to explain for the record.
I just installed TWRM and formated /data (not wiping. cause you have to write a file there afterwards) and from there I opened the terminal of TWRM and created /data/.magisk (as in magisk FAQ is explained) with KEEPFORCEENCRYPT=true in it . Then installed a rom (ambasadii's one with magisk 13.6 root ) and... that's it. it worked.
Afterwards i did a lot of automatic tasks of secure network daily backups since when you're encrypted it's kind of easy to f^ckup the system and lose everything and now I'm happy.
Probably i was lucky since the kernel probably is the stock one as you said in this ROM.
I still have to try more stuff to be sure everything is working and the data is safe (safe enough at least)
one question:
do you think it would work if i activate dm-verity or this firmware and or magisk modify the ramdisk (so it wont.) ?

forocarlos said:
Probably i was lucky since the kernel probably is the stock one as you said in this ROM.
I still have to try more stuff to be sure everything is working and the data is safe (safe enough at least)
one question:
do you think it would work if i activate dm-verity or this firmware and or magisk modify the ramdisk (so it wont.) ?
Click to expand...
Click to collapse
dm-verity likely won't work on a custom ROM(unless the ROM maker specifically re-signed it, but that's unlikely and bloody difficult). Making any changes to /system (including the build.prop tweak I mentioned!) will necessitate disabling it and there are a bunch of changes in custom Roms. Ambasadii's nougat ROM does indeed make use of the stock kernel and most likely has the TIMA prop already toggled. So an ideal setup I think. The data should be pretty solid provided the TIMA trustlet never goes missing(encryption keys basically self-destruct, which bricks the partition )
EDIT: You also might want to check in TWRP if the data was genuinely encrypted. Android generally won't complain if it isn't. If TWRP can mount it it isn't encrypted.

EDIT: You also might want to check in TWRP if the data was genuinely encrypted. Android generally won't complain if it isn't. If TWRP can mount it it isn't encrypted.
Click to expand...
Click to collapse
checked.
/data unmountable.
So wrapping things up:
- Magisk root
- CTC passed
- Encryption
- Custom Rom
- Lastest Nougat
:good::good::good::good::good:
the only thing left is figuring out how to update the rom without losing data or everything actually.

forocarlos said:
checked.
/data unmountable.
So wrapping things up:
- Magisk root
- CTC passed
- Encryption
- Custom Rom
- Lastest Nougat
:good::good::good::good::good:
the only thing left is figuring out how to update the rom without losing data or everything actually.
Click to expand...
Click to collapse
Hey, have you figured out a way of updating without losing data?

charliebigpot said:
Hey, have you figured out a way of updating without losing data?
Click to expand...
Click to collapse
Little late sorry, but if you keep the TIMA prop disabled you can flash the full firmware with HOME_CSC and it will keep the data. Just reflash twrp after it does the update(needs full reboot into stock recovery first to finish update) and flash the TIMA zip in this thread with a root zip.

Step-by-Step-Guide to a S7 with Nougat+Root+Magisk+Encryption
Hi there,
I am glad that there is a way to use Nougat, Root and Magisk on an encrypted S7. For the last months I have tried every so-called-solution (TWRP, CF-AutoRoot, reflash Stock boot.img, Helios' Stock kernel) but always ended up in bootloops or an unencrypted device.
Can someone provide me with a step-by-step-guide how to achieve a rooted-magisked-encrypted S7 running Nougat?f I am now running unrooted stock 7.0 with VIA CSC, Build G930FXXU1DQH9.
Thanks in advance!

A step by step for this would be great.
i tried several variations of the proposed methods and did not succeed in any way, please clarify
i tried these variations, and many many more:
flash stock
reboot
flash twrp
wipe system
format data
terminal: KEEPFORCEENCRYPT=true >> /data/.magisk
flash ambassadi rom, dirty flash, magisk root, wipe cache
reboot
set fingerprint & password + fast encrypt
bootloop
format data
wipe sys caches
terminal: KEEPFORCEENCRYPT=true >> /data/.magisk
flash ambassadi rom, clean, magisk root, wipe cache
reboot
set fingerprint & password
reboot
encrypt
bootloop
flash stock
reboot
set fingerprint&pw
reboot
flash twrp
tima
format data
magisk
no-veri opt enc
reboot
set up fingerprint + pw
reboot
encrypt
unsucessful but bootable
The most sucess i had with the stock rom, though i dont remember how exactly. I didnt take my password, which i suspect to be a verification error since the password was the right one
On the batman rom the ui hanged itself on first encrypted startup.
On ambassadi rom i got into bootloop every time.
Did i miss something??

Regarding stock rooted encryption there are some notes, in addition to the requirements in my post above(stock kernel etc):
- Samsung's encryption never handles post setup encryption that well. At least from my experience. You need to be encrypted from the get-go. This implies re-wiping data the moment you're finished flashing the custom ROM as TIMA won't encrypt unless the partition is blank(which it won't be with the leftover magisk config file).
- The TIMA prop must be changed before first boot. Data encrypted with prop in either state is incompatible with data encrypted during the other state. State "1" bootloops on rooting. State "0" allows it.
So for stock the step-by-step would be:
- Flash full stock and use CSC(NOT HOME_CSC), let it reboot to the initial setup screen. This is important to apply the CSC settings from the firmware package, which if not done will result in an unusable secure keyboard and cause various other issues.
- Flash TWRP
- Flash the TIMA prop zip in the post above
- Flash a verity disable zip which DOESN'T disable Force Encryption. For convenience I have attached a modified version which doesn't.
- Format /data
- Reboot into setup and run through the wizard.
- Reboot back to TWRP and flash a root solution like Magisk. Don't worry about force encryption now as the data partition should be encrypted already by this stage. Magisk should revert to the /cache workaround.
To update:
- Flash the latest full stock firmware package but this time use HOME_CSC
- Let it reboot into stock recovery and do the upgrade process.
- It should end up on the secure Startup page asking for your password. No password will work at this point because your data was encrypted in TIMA state "0".
- Reboot to download mode and flash TWRP.
- Reboot to TWRP
- Flash the TIMA prop and verity zips.
- Reboot into to Android (password should work now)
- Let it finish the upgrade.
- Reboot to TWRP and flash your root solution.
These are the basic processes which worked for me.

CurtisMJ said:
Regarding stock rooted encryption there are some notes, in addition to the requirements in my post above(stock kernel etc):
- Samsung's encryption never handles post setup encryption that well. At least from my experience. You need to be encrypted from the get-go. This implies re-wiping data the moment you're finished flashing the custom ROM as TIMA won't encrypt unless the partition is blank(which it won't be with the leftover magisk config file).
- The TIMA prop must be changed before first boot. Data encrypted with prop in either state is incompatible with data encrypted during the other state. State "1" bootloops on rooting. State "0" allows it.
So for stock the step-by-step would be:
- Flash full stock and use CSC(NOT HOME_CSC), let it reboot to the initial setup screen. This is important to apply the CSC settings from the firmware package, which if not done will result in an unusable secure keyboard and cause various other issues.
- Flash TWRP
- Flash the TIMA prop zip in the post above
- Flash a verity disable zip which DOESN'T disable Force Encryption. For convenience I have attached a modified version which doesn't.
- Format /data
- Reboot into setup and run through the wizard.
- Reboot back to TWRP and flash a root solution like Magisk. Don't worry about force encryption now as the data partition should be encrypted already by this stage. Magisk should revert to the /cache workaround.
These are the basic processes which worked for me.
Click to expand...
Click to collapse
when first reboot into TWRP wich option should get? "keep read only" or "allow modifications"?
if I select "allow mods" when I try to flash TIMA.prop file I get an error about mount\data
is it necesary to format data before?
thanks

xbizkuit said:
when first reboot into TWRP wich option should get? "keep read only" or "allow modifications"?
if I select "allow mods" when I try to flash TIMA.prop file I get an error about mount\data
is it necesary to format data before?
thanks
Click to expand...
Click to collapse
Actually the TIMA prop zip doesnt even need data. Not sure why I made it try to mount, but any error about mounting can probably be ignored. It modifies /system so you should swipe to allow.

CurtisMJ said:
Actually the TIMA prop zip doesnt even need data. Not sure why I made it try to mount, but any error about mounting can probably be ignored. It modifies /system so you should swipe to allow.
Click to expand...
Click to collapse
First of all, thanks for your reply and for your small guide
What I did was flash lastest full stock official rom from sammobile with odin and let it reboot to the initial setup screen
Reboot to download mode and then I flashed TWRP also with odin and reboot manually to recovery
When first time entered into recovery just selected "allow modifications"
After I flashed the TIMA prop zip and verity disable zip modified version
In both cases, I received error messages about mount/data on the screen but the installation seems to be complete
Finally format/data, reboot and complete the wizard and the installation
The last step, reboot again into recovery and flash magisk v14
At the end of this procedure, all seems ok, magisk is running, safetynet test is OK, superuser is OK and root apps with no problem
Also a couple of mods flashed with recovery (zero camera mod and sound mod by zubi) gave me error messages about format/data but both of them were done
So, the question is how can I check now if my phone encryption is OK and working ??
The only thing seems not work is the OTA firmware updates, it doesnt work, error message about modified phone
I tried to hide root with magisk for the apps in relation with the ota updates but no work for me
Is there any solution for that??
Thanks for all and very appreciated for your help
And sorry for my english hehe

xbizkuit said:
First of all, thanks for your reply and for your small guide
What I did was flash lastest full stock official rom from sammobile with odin and let it reboot to the initial setup screen
Reboot to download mode and then I flashed TWRP also with odin and reboot manually to recovery
When first time entered into recovery just selected "allow modifications"
After I flashed the TIMA prop zip and verity disable zip modified version
In both cases, I received error messages about mount/data on the screen but the installation seems to be complete
Finally format/data, reboot and complete the wizard and the installation
The last step, reboot again into recovery and flash magisk v14
At the end of this procedure, all seems ok, magisk is running, safetynet test is OK, superuser is OK and root apps with no problem
Also a couple of mods flashed with recovery (zero camera mod and sound mod by zubi) gave me error messages about format/data but both of them were done
So, the question is how can I check now if my phone encryption is OK and working ??
The only thing seems not work is the OTA firmware updates, it doesnt work, error message about modified phone
I tried to hide root with magisk for the apps in relation with the ota updates but no work for me
Is there any solution for that??
Thanks for all and very appreciated for your help
And sorry for my english hehe
Click to expand...
Click to collapse
If the recovery is giving errors about /data mount then the phone is encrypted. TWRP simply cannot work with Samsung encryption at all at the moment. Also: If there is no "Encrypt" option for the internal storage in the Security section of the settings app, then the device is encrypted(There may still be one for the external SD). There's no way I know of to fool OTA into working, I've always just fully flashed the latest firmware. Samsung firmware is really easy to get so I've never really looked into using OTAs to update. They'd probably fail horribly anyway due to the modified system in which case the OTA tool is probably correct to block the update. (Newer Android standard requires updates to be done via raw block writes so dm-verity remains intact. Could lead to corruption if done wrong...)

CurtisMJ said:
If the recovery is giving errors about /data mount then the phone is encrypted. TWRP simply cannot work with Samsung encryption at all at the moment. Also: If there is no "Encrypt" option for the internal storage in the Security section of the settings app, then the device is encrypted(There may still be one for the external SD). There's no way I know of to fool OTA into working, I've always just fully flashed the latest firmware. Samsung firmware is really easy to get so I've never really looked into using OTAs to update. They'd probably fail horribly anyway due to the modified system in which case the OTA tool is probably correct to block the update. (Newer Android standard requires updates to be done via raw block writes so dm-verity remains intact. Could lead to corruption if done wrong...)
Click to expand...
Click to collapse
OK so it seems my phone is finally encrypted and rooted!!!
anyway, I forgot about OTAs and I´ll continue installing updates manually,
so can I flash the full firmware with HOME_CSC without losing the data?
Only reflash TWRP after the update and flash the TIMA prop zip ???
Thank you very much for your help!!!

Thank you CurtisMJ! It finally works!

xbizkuit said:
OK so it seems my phone is finally encrypted and rooted!!!
anyway, I forgot about OTAs and I´ll continue installing updates manually,
so can I flash the full firmware with HOME_CSC without losing the data?
Only reflash TWRP after the update and flash the TIMA prop zip ???
Thank you very much for your help!!!
Click to expand...
Click to collapse
Whoops. Didn't see those were questions. Yes, full flash with HOME_CSC will keep data intact. The TIMA prop will need to be in state "0" to decrypt, so yes again, reflash TWRP and the TIMA and verity zips and you should be good. Just make sure to have "Auto Reboot" checked in Odin. It will do some stuff in stock recovery first (including a screen with "Erasing..." Don't worry! It's just cleaning up the working files in /cache ).

CurtisMJ said:
Whoops. Didn't see those were questions. Yes, full flash with HOME_CSC will keep data intact. The TIMA prop will need to be in state "0" to decrypt, so yes again, reflash TWRP and the TIMA and verity zips and you should be good. Just make sure to have "Auto Reboot" checked in Odin. It will do some stuff in stock recovery first (including a screen with "Erasing..." Don't worry! It's just cleaning up the working files in /cache ).
Click to expand...
Click to collapse
Thanks again mate!!!!!!

WyRM
Hello Guys
Do you think it would work also on Note8 ?
Im stuck on step when i flash 2 files via TWRP, it shows erros with cant mount Data because it is already encrypted somehow, it wouldnt be issue as you said as it does to system.
But when i finish the installation of the Firmware and came back to TWRP for flashing Root solution it is encrypted and cantbe flashed.
Any idea?

WyRmiE said:
Hello Guys
Do you think it would work also on Note8 ?
Im stuck on step when i flash 2 files via TWRP, it shows erros with cant mount Data because it is already encrypted somehow, it wouldnt be issue as you said as it does to system.
But when i finish the installation of the Firmware and came back to TWRP for flashing Root solution it is encrypted and cantbe flashed.
Any idea?
Click to expand...
Click to collapse
That sounds about right actually. The data is supposed to be already encrypted by the time you flash root. TWRP on the S7 and it appears any recent Samsung device cannot decrypt the stock ROMs encryption. The root solution should revert to using the cache workaround. Both Magisk and SuperSU support this setup. Just flash and ignore the /data mount errors.

[WORKING] Decrypt Oneplus 6

WORKING DECRYPT
Instructions:
First be on OOS any version, clean install, no custom kernels/mods. (I recommend flashing the fastboot-flashable version, with the flash-all-partitions.bat option but it's just me. Thanks @mauronofrio) otherwise TWRP is fine.
- Unzip, put the files to somewhere on your phone (/sdcard for ex.) - skip this step if you plan to do it manually.
- Flash desired TWRP, Reboot Recovery
- Format /data
- Flash Magisk (It works with 16.7), Reboot Recovery
- After reboot recovery, mount everything
- Advanced>File Manager, go to /vendor/etc, delete both fstab.qcom, and fstab_nodata.qcom (or copy and edit the files your self, remove "avb". anything with "forceencrypt" change to "encrytpable")
- Now copy/move the changed files back
- Reboot and enjoy
fstab files to move in twrp (put them in /sdcard and move them to vendor/etc)
https://forum.xda-developers.com/attachment.php?attachmentid=4554705&d=1532168314
Alternative way
xXx said:
[MENTION=3433052]=
Today I enhanced my version to support the Android Oreo and Pie Rom base on the OP6. This replaces the manual work to replace the fstab files with the patched files. I tested it with latest OOS 5.1.11 as well as with Android P Hydrogen Beta and worked all fine. Feel free to put that to your OP.
xXx-No-Verity-Treble_v4.zip
https://www.androidfilehost.com/?fid=1322778262903984840
Flash oos
Flash twrp
Reboot recovery
Format data
Flash Magisk 16.7
Flash xXx No verity
Reboot System
Click to expand...
Click to collapse
Keep Decrypt between OS updates
-Flash FULL ZIP in TWRP
-Without booting the OS: Flash TWRP Recovery, reboot recovery, flash Magisk, reboot recovery, and then did the /vendor/etc stuff, then reboot system.
OOS boots & keeps the decryption state, with no issues - SUCCESS
credits @_MartyMan_ for testing my theory and proving it works, also for making the proces easier by uploading edited fstab files.

virtyx said:
So ive come up with a guide to test if decryption works on the OP6 - youll need to do the following (i would try but i am travelling at the moment with no access to a pc to backup and restore)
you'll need to flash magisk 16.4 (so it disables verity)
then go to /vendor/etc/ there are two fstab files
edit both files with the following:
change "forceencrypt=ice" to "encryptable"
change "forceencrypt=footer" to "encryptable"
also remove all instances of "avb" in both fstab files
it should save without an error, if it doesnt then verity is still enabled and you didnt flash magisk properly.
reboot twrp format data (obviously have backups)
boot to OS and check if force encrypt is disabled (settings > security scroll down to where it days encrypt phone, it should say encryptable)
if that didn't work try again with flashing magisk 16.4 after the format
please report back your findings.
Click to expand...
Click to collapse
Why do you need to disable encryption

joemossjr said:
Why do you need to disable encryption
Click to expand...
Click to collapse
multi-boot, i also dont believe i need encryption forced on my phone - it should be an option.
also it may have performance increase (MAY),

virtyx said:
multi-boot, i also dont believe i need encryption forced on my phone - it should be an option.
also it may have performance increase (MAY),
Click to expand...
Click to collapse
Probably won't see a performance increase as there's hardware support for the encryption and the sd845 combined make it a super small difference

NateDev said:
Probably won't see a performance increase as there's hardware support for the encryption and the sd845 combined make it a super small difference
Click to expand...
Click to collapse
only way to to know is to try
plus I don't lile things enforced, I like to be given the option to enable encryption.

Will try that as soon as, thanks for this, cheers.

vtec303 said:
Will try that as soon as, thanks for this, cheers.
Click to expand...
Click to collapse
please let me know how it goes.

Thank you! Will try this today :good:

_MartyMan_ said:
Thank you! Will try this today :good:
Click to expand...
Click to collapse
how did it go
vtec303 said:
Will try that as soon as, thanks for this, cheers.
Click to expand...
Click to collapse
how did you go?

EDIT: Uploaded decrypting fstab files but with nodiscard & barrier=0 for better performance.
Instructions:
First be on OOS 5.1.9, clean install, no custom kernels/mods. (I recommend flashing the fastboot-flashable version, with the flash-all-partitions.bat option but it's just me. Thanks @mauronofrio)
- Make a backup of stock fstab files (fstab.qcom, and fstab_nodata.qcom) in case something goes wrong.
- Download desired fstab .zip
- Unzip, put the files to somewhere on your phone (/sdcard for ex.)
- Flash desired TWRP, Reboot Recovery
- Flash Magisk (It works with 16.7), Reboot Recovery
- After reboot recovery, mount everything
- Advanced>File Manager, go to /vendor/etc, delete both fstab.qcom, and fstab_nodata.qcom
- Now copy/move the changed files back, and chmod 644 for both.
- Reboot Bootloader, fastboot format userdata (It'll WIPE EVERYTHING, make backups)
- Reboot and enjoy (One pop-up will be there every boot but it's nothing serious. You get the same if you install some custom kernels.)
Thank you @virtyx for the instructions/ideas

_MartyMan_ said:
It's not working guys
EDIT: It works, i just misspelled "encrypted" in one of the files lol.
Download the ready-for-decryption files from the attachment.
Instructions:
First be on OOS 5.1.9, clean install, no custom kernels/mods. (I recommend flashing the fastboot-flashable version, with the flash-all-partitions.bat option but it's just me. Thanks @mauronofrio)
- Unzip, put the files to somewhere on your phone (/sdcard for ex.)
- Flash desired TWRP, Reboot Recovery
- Flash Magisk (It works with 16.7), Reboot Recovery
- After reboot recovery, mount everything
- Advanced>File Manager, go to /vendor/etc, delete both fstab.qcom, and fstab_nodata.qcom
- Now copy/move the changed files back, and chmod 644 for both.
- Reboot Bootloader, fastboot format userdata (It'll WIPE EVERYTHING, make backups)
- Reboot and enjoy
Thank you @virtyx for the instructions/ideas
Click to expand...
Click to collapse
FINALLY
we can also edit fstab for performance discard to nodiscard barrier=1 to barrier=0 (this increases performance)
ALSO
I think you must flash magisk after kernel every time as I think kernels somehow re-enable verity
can you test please @_MartyMan_
I. e after decrypted reboot twrp and flash blue_spark for example and boot to OS and see if your still decrypt because after flashing kernel AFTER magisk I can't seem to edit /vendor

virtyx said:
FINALLY
we can also edit fstab for performance discard to nodiscard barrier=1 to barrier=0 (this increases performance)
Click to expand...
Click to collapse
Oh, let me see I'll update the instructions with to choose barrier=0 and nodiscard fstab files :good:
---------- Post added at 12:06 PM ---------- Previous post was at 12:03 PM ----------
virtyx said:
FINALLY
we can also edit fstab for performance discard to nodiscard barrier=1 to barrier=0 (this increases performance)
ALSO
I think you must flash magisk after kernel every time as I think kernels somehow re-enable verity
can you test please @_MartyMan_
I. e after decrypted reboot twrp and flash blue_spark for example and boot to OS and see if your still decrypt because after flashing kernel AFTER magisk I can't seem to edit /vendor
Click to expand...
Click to collapse
On it. Will report back
EDIT: Barrier=0 and nodiscard boots, no issues so far. Updated my instructions :good:
---------- Post added at 12:28 PM ---------- Previous post was at 12:06 PM ----------
Okay, custom kernels are working with decryption. Re-flash Magisk right after flashing custom kernels. (Tested with Smurf Kernel 1.4.7) :good:

Hi @all,
I didn't have any time to test the no encryption/no verify option in my OnePlus 6 but I modified the @snowwolf725 file from this thread.
If anyone would like to test, please leave some feedback. Remember this is not my work, I just edited. All credits ( if it work ) should go to @snowwolf725.
It just flashes the current slot and you must mount vendor partition in TWRP.
Best regards,

_MartyMan_ said:
Oh, let me see I'll update the instructions with to choose barrier=0 and nodiscard fstab files :good:
---------- Post added at 12:06 PM ---------- Previous post was at 12:03 PM ----------
On it. Will report back
EDIT: Barrier=0 and nodiscard boots, no issues so far. Updated my instructions :good:
---------- Post added at 12:28 PM ---------- Previous post was at 12:06 PM ----------
Okay, custom kernels are working with decryption. Re-flash Magisk right after flashing custom kernels. (Tested with Smurf Kernel 1.4.7) :good:
Click to expand...
Click to collapse
what If you don't flash magisk after kernel?

no.one.writeme said:
Hi @all,
I didn't have any time to test the no encryption/no verify option in my OnePlus 6 but I modified the @snowwolf725 file from this thread.
If anyone would like to test, please leave some feedback. Remember this is not my work, I just edited. All credits ( if it work ) should go to @snowwolf725.
It just flashes the current slot and you must mount vendor partition in TWRP.
Best regards,
Click to expand...
Click to collapse
doubt this works but can someone try it?
the only way I know to disable verity is magisk
if this works, great another step we don't need to do.

@OP, _MartyMan_, snowwolf725
Thank you for sharing.
I followed _MartyMan_'s "step by step" and everything worked.
I also installed custom kernel(cleanslate) and all is good and root is achieved
as well. The only thing as mentioned before is the "verity" error message after each boot.
For me everything is snappy, smooth and fast.

updated OP with clear instructions @_MartyMan_ if you get the chance can you try my steps in the 'test' section in OP? trying to keep decrypt between OS updates.

TEST 1: Keep decrypted between OOS updates:
I was on decrypted OOS 5.1.9 with Magisk, Magisk mods, bluspark recovery, and Smurf custom kernel. Did a wipe of everything -the internal storage.
Flashed the fastboot-flashable OOS 5.1.9
Without booting the OS: Flashed blu spark recovery, reboot recovery, flashed Magisk, reboot recovery, and then did the /vendor/etc stuff, then reboot system.
OOS boots & keeps the decryption state, with no issues - SUCCESS :good: (Vendor popup remains)
Also, FYI xXx NoLimits 2.6 is working with decryption.
TEST 2: Keep decrypted with custom kernels - No Magisk flashed.
Flashed custom kernel (SmurfKernel 1.4.7) without flashing Magisk after.
Bad news: The OS does not boot (tried 3 times), Magisk needed - FAILURE
Good news: After flashing Magisk the OS boots up again (decrypted) with no issues. So you need to flash Magisk after, or the OS won't boot whatever you do
TEST 3: Staying decrypted with the file by @snowwolf725, edited for OP6 by @no.one.writeme
(This could save us time, as the /vendor/etc stuff is not needed.)
I was on decrypted OOS 5.1.9 with Magisk, bluspark recovery,and Smurf custom kernel. Did a wipe of everything -the internal storage.
Flashed the fastboot-flashable OOS 5.1.9
Without booting the OS: Flashed bluspark recovery, reboot recovery, flashed Magisk, reboot recovery, and then flashed the "no_verity_op6_v1.zip", reboot system
OOS bootlooping for 3 minutes, then reboots to recovery, bootlogo freezes... FAILURE
So the /vendor/etc stuff is needed :/
Anyway, thank you everybody :good:

@_MartyMan_
Would you care to test this. It is supposed to be a Universal method for decrypting.
Best regards.

no.one.writeme said:
@_MartyMan_
Would you care to test this. It is supposed to be a Universal method for decrypting.
Best regards.
Click to expand...
Click to collapse
It works, just as in the thread's OP ez decryption

Tutorial : Decrypt And Flash Any ROM [ Working on Android 10 ][No data loss]

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
FLASHING INSTRUCTION :
Warning : Always Backup Your Internal Storage For safer side
Points to be Noted :
1 : Dirty Flashing sometime works. But might have hidden bugs.
2 : Remove the pattern and also fingerprints before flashing the rom.
3 : Always you have to flash twrp zip file after flashing rom. Else you will loose twrp.
If you are on some other twrp versions, Kindly download Compatible TWRP recovery IMG file from download Section and Flash it in recovery.
TWRP installer zip by mauronofrio - Supports Android 10
This works Fine. I recommend all to use this recovery.
To Decrypt Your Device : [ For First Time ]
Step 1: Place the Full ROM zip file in internal Storage.
Step 2: Now Reboot the phone to TWRP Recovery.
Step 3: Wipe Dalvik cache ,Data , System and Cache.
Step 4: Now select Full ROM zip file and swipe to flash it and then flash the twrp zip file again
Step 5: Format DATA and reboot to recovery.
Step 6: Now in recovery flash magisk 20.4
Step 7: Now Flash the No-verity file - Pie Supported here and Android 10 Supported from here[Important]
Step 8: Reboot the phone.
Step 9: Voila !! Now your device is successfully decrypted and
Now To Flash OOS updates in Your Decrypted Device : - Works For Android 10 Based OOS
Step 1: Place the Full OOS ROM zip file in internal Storage.
Step 2: Now Reboot the phone to TWRP Recovery.
Step 3: Wipe Dalvik cache ,Data , System and Cache.
Step 4: Now Flash OOS Zip and twrp zip file and reboot to recovery.
Step 5: Now in recovery flash magisk 20.4 only
Step 6: Now Flash the No-verity file - Pie Supported here and Android 10 Supported from here[Important]
Step 7: Reboot the phone. Now both TWRP and Magisk will be there and still your device is decrypted too with android 10
To Flash CustoM ROMs in Your Decrypted Device :
Step 1: Place the Full Custom ROM zip file and required base version Rom zip file ( I.e., OOS BETA OR OOS STABLE) in internal Storage.
Step 2: Now Reboot the phone to TWRP Recovery.
Step 3: Wipe Dalvik cache ,Data , System and Cache.
Step 4: Now Flash OOS Zip and twrp and reboot to recovery and Flash oos zip and twrp again and reboot to recovery. Now select Full Custom ROM zip file and swipe to flash.
Step 5: Flash the twrp zip file again and reboot to recovery.
Step 6: Now in recovery flash magisk 20.4
Step 7: Now Flash the No-verity file - Pie Supported here and Android 10 Supported from here[Important]
Step 8: Reboot the phone.
Credits : @topjohnwu, @virtyx and others .
@mauronofrio for his TWRP.

Download Section :
Recovery:
Official TWRP ||
Blu_Spark TWRP || Unofficial TWRP by joemossjr || TWRP installer zip by mauronofrio - Supports Android 10
For Root :
Magisk
To Decrypt :
No Verity Mod for OP6 ​

HatRiGt said:
Download Section :
Recovery:
Official TWRP ||
Blu_Spark TWRP || Unofficial TWRP by joemossjr
For Root :
Magisk
To Decrypt :
No Verity Mod for OP6 ​
Click to expand...
Click to collapse
Please excuse the dumb questions, I am new to these parts (Device Delivery for Tomorrow), but other then Treble and if TWRP isnt decrypting, why else would you want to decrypt your Device? And finally, the No-Verity MOD is the last part of the instructions, so my question is does the device automatically encrypt when all said and done?

Unlocked.Devices said:
Please excuse the dumb questions, I am new to these parts (Device Delivery for Tomorrow), but other then Treble and if TWRP isnt decrypting, why else would you want to decrypt your Device? And finally, the No-Verity MOD is the last part of the instructions, so my question is does the device automatically encrypt when all said and done?
Click to expand...
Click to collapse
keeping your device decrypt will make you to switch between any roms easily. You dont need to wipe internal storage thereafter.
Flashing Untouched OOS ROM will make your device to get force encrypt, so to avoid that you need to flash no verity mod .

I'm running oos 1.5.11 rooted with magisk 17.1 and twrp 3.2.3-0. can I flash this zip now without starting everything over? Sorry if this has already been asked.
---------- Post added at 08:29 PM ---------- Previous post was at 08:28 PM ----------
Oops....5.1.11

mixlex said:
I'm running oos 1.5.11 rooted with magisk 17.1 and twrp 3.2.3-0. can I flash this zip now without starting everything over? Sorry if this has already been asked.
---------- Post added at 08:29 PM ---------- Previous post was at 08:28 PM ----------
Oops....5.1.11
Click to expand...
Click to collapse
If your device is encrypted, first take backup of your internal storage and follow the steps in op

mixlex said:
I'm running oos 1.5.11 rooted with magisk 17.1 and twrp 3.2.3-0. can I flash this zip now without starting everything over? Sorry if this has already been asked.
---------- Post added at 08:29 PM ---------- Previous post was at 08:28 PM ----------
Oops....5.1.11
Click to expand...
Click to collapse
Sadly no. Data format is required to decrypt phone

m8, I don't get step 4 of decrypting device.
I select Full ROM and at the same time we Format Data?
Thanks for the guide!:good:

refedit said:
m8, I don't get step 4 of decrypting device.
I select Full ROM and at the same time we Format Data?
Thanks for the guide!:good:
Click to expand...
Click to collapse
First flash the rom and then format the data.

HatRiGt said:
First flash the rom and then format the data.
Click to expand...
Click to collapse
After formatting data I'm having issues mounting, I tried fastbooting twrp to get mounted to get files over(any chance this would mess anything up?).
Should the no verity mod always be flashed last and does it require a reflash after say flashing a kernel?

snigor said:
After formatting data I'm having issues mounting, I tried fastbooting twrp to get mounted to get files over(any chance this would mess anything up?).
Should the no verity mod always be flashed last and does it require a reflash after say flashing a kernel?
Click to expand...
Click to collapse
1) Actually never use that twrp that has support for MTP. Always use normal twrp.
If you have got any mounting issue, just flash the fastboot rom and then again boot to twrp and then follow the steps in OP carefully.
2) Yes no verity should be always flashed in the last before you boot into the system .
even if you flash kernel / magisk, then you have to flash no verity.

Now ROMs in your decrypted device Flash
After instruction flashed restart always takes place again and again into the recovery
Is there a reason for that

saleappeal said:
Now ROMs in your decrypted device Flash
After instruction flashed restart always takes place again and again into the recovery
Is there a reason for that
Click to expand...
Click to collapse
could you explain it clearly about what you have done ?

give credit where credit is due
https://forum.xda-developers.com/oneplus-6/how-to/test-decryption-t3818775

virtyx said:
give credit where credit is due
https://forum.xda-developers.com/oneplus-6/how-to/test-decryption-t3818775
Click to expand...
Click to collapse
Done bro.

HatRiGt said:
1) Actually never use that twrp that has support for MTP. Always use normal twrp.
If you have got any mounting issue, just flash the fastboot rom and then again boot to twrp and then follow the steps in OP carefully.
2) Yes no verity should be always flashed in the last before you boot into the system .
even if you flash kernel / magisk, then you have to flash no verity.
Click to expand...
Click to collapse
I'm using blu_spark twrp(was recommended both in OP and for flashing pie OB1) and MTP worked fine. Up until formatting, that is.. it does say you might need to restart to use file system(I'm guessing either for mounting or decrypting filesystem after format?). It'll just show the device with no space total or used, and then times out if i try to create a folder or copy something over.. is the trick here to put the needed files on a partition that's not touched when formatting, if that's a thing?
I feel like I'm missing something, but I think my issue was just flashing kernel last.. I'm gonna look into the manual method at some point to get a better idea of what's what! Thanks a lot!:good:

I mean after formatting you end up with no twrp zip to flash and you cant transfer files in twrp…..
Or at least I couldn't at first. I was stuck with no os and an empty internal storage. My newer computer couldn't transfer files.
However after hooking it up to my old computer I was able to transfer files in twrp using blu spark twrp. I put the liquid remix rom, twrp, magisk, gapps and the no verity zip in internal.
flashed rom, flashed twrp, rebooted recovery, flashed gapps, magisk, then flashed no verity and rebooted system.
Pretty sure the only reason I was able to transfer those file is because liquid remix has adb debugging and mtp checked by default in developer settings.
And i'm still decrypted so all is good.

SelfElevated2 said:
I mean after formatting you end up with no twrp zip to flash and you cant transfer files in twrp…..
Or at least I couldn't at first. I was stuck with no os and an empty internal storage. My newer computer couldn't transfer files.
However after hooking it up to my old computer I was able to transfer files in twrp using blu spark twrp. I put the liquid remix rom, twrp, magisk, gapps and the no verity zip in internal.
flashed rom, flashed twrp, rebooted recovery, flashed gapps, magisk, then flashed no verity and rebooted system.
Pretty sure the only reason I was able to transfer those file is because liquid remix has adb debugging and mtp checked by default in developer settings.
And i'm still decrypted so all is good.
Click to expand...
Click to collapse
Actually u can also flash twrp file before formating data. Or format data and boot to recovery using Fastboot method.

In order overcome this file transfer problem after format data I used a USB flash drive and viola, problem solved, hope this helps. cheers.

HatRiGt said:
Actually u can also flash twrp file before formating data. Or format data and boot to recovery using Fastboot method.
Click to expand...
Click to collapse
Yeah but stock rom has USB debugging off by default. So someone that flashes stock wouldn't be able to use fast boot or file transfer. They would have to use the UNbrick tool. You may want to to change the order in instructions so less knowledgeable people don't run into problems.
Even if you flash TWRP before formatting, you still lose the no verity you put in internal storage. A fresh install of stock rom won't let you use fast boot commands as USB debugging is off by default
vtec303 said:
In order overcome this file transfer problem after format data I used a USB flash drive and viola, problem solved, hope this helps. cheers.
Click to expand...
Click to collapse
Yeah I just ordered one on eBay yesterday. I figured that would be a huge help as long as TWRP let's you access the other storage.
Sent from my OnePlus6 using XDA Labs

Step by step guide "Flashing OTA beta/stable update using OrangeFox Recovery Project"

Step by step guide "Flashing OTA beta/stable update using OrangeFox Recovery Project"
Code:
/*
* Your warranty is now void.
*
* We're not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at us for messing up your device, we will laugh at you.
*/
Credits to @ronks888
@madsponge26
Details about OrangeFox Recovery Project, contributors, FAQ. The thread can be located here https://forum.xda-developers.com/po...cial-orangefox-recovery-project-beta-t3853233
DOWNLOADS
OrangeFox TWRP https://drive.google.com/open?id=1IZrV1VmWkqJOZccxbylbGw_0W4FwInFH
Force Encryption Disabler https://drive.google.com/file/d/1InT96d0tZ0eIIUNRDNuzKlaEKD02yLLM
Magisk v18 https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
MIUI ROM https://forum.xda-developers.com/poco-f1/how-to/xiaomi-poco-f1-unlock-bootloader-custom-t3839405
Step by step Guide flashing OTA update using OrangeFox Recovery Project​
But before proceeding, make sure you did all of the steps here https://forum.xda-developers.com/poco-f1/how-to/xiaomi-poco-f1-unlock-bootloader-custom-t3839405
1. Preparation for the OTA update
-BACKUP YOUR IMPORTANT DATA FIRST
-Download the latest release of OrangeFox Recovery (found above)
-Download your MIUI Full ROM (See above)
1.1 Flash the OrangeFoxRecovery.zip using your current custom recovery
-Reboot to OrangeFox Recovery
1.2 Go to the settings and enable these MIUI OTA settings
-Support MIUI Incremental OTA
-Include system in OTA survival
-Incremental OTA signature verification
-Aggressive stock recovery deactivation
-Disable DM-Verity
-Disable Forced Encryption (Some devices bypass this option, there will be a step on how to fully disable forced encryption later.
1.3 Go to the WIPE menu and tick wipe data, cache and dalvik
1.4 Flash your full MIUI ROM (stable/beta). After the ROM is flashed, OrangeFox will start the "OTA_BAK" process, which will backup your system and boot partitions into the /sdcard/Fox/OTA directory. You must NOT delete any of the files in the /sdcard/Fox/OTA directory. If you do, then incremental OTA updates will most definitely fail.
1.5 Reboot your phone and start to use your phone normally
1.6 When MIUI notifies you that there is an update, download the update, using the MIUI updater app and allow it to reboot automatically to OrangeFox
-If an error shows that the data partition is still encrypted, then time for step 2
-If the ota update succeeded, then Congrats just wait around 5-10 minutes to boot. Ignore the next step
2. Transfer folders Fox and rom_downloads from internal storage to sdcard (Please don't get confused by this, it is explanatory.)
-If you done downloading the OTA, transfer rom_downloads from internal storage to sdcard
-Transfer Fox from internal storage to sdcard, DO NOT SKIP THIS OR YOU'LL BRICK YOUR DEVICE
-Make sure the Force Encryption Disabler and Magisk is in the sdcard. We gonna need it.
2.1 Reboot to OrangeFox
2.2 Wipe Data ONLY, Don't forget to transfer the Fox from internal storage to sdcard or you'll lose the ota survival
2.3 Flash Force Encryption Disabler
2.4 Reboot recovery
-If no pop-up was shown to decrypt data, then Encryption is disabled.
2.5 Reboot the device
2.6 Transfer folders Fox and rom_downloads from sdcard to internal storage
2.7 Go to MIUI updater app then press reboot to flash ota update Don't forget to transfer the Fox from sdcard to internal storage or you'll risk your device to brick because ota_bak never existed during ota update
-Make sure you have 15% battery life or connect it to a plug
2.8 Say your prayers that it worked
2.9 If the ota update succeeded, without bootloop or errors was shown during the flash. Then you are good.
-Takes time to boot after the ota update? Just wait around 10 minutes, in this process, the data partition gets force encrypted again and needed to be disabled again via custom recovery. After boot, you can proceed again to disable force encryption via OrangeFox.
-New ota update? Just repeat the step 1.6
Questions? Feel free to message or reply this thread.

Great job.… :good:
Try modifying /system partition (like removing a bloted system app or editing build.prop) after step 1.5 then update OTA through rest of the process if it get flashed or not.... Let me know, it'll be great help for me!!
Sent from my POCOPHONE F1 using XDA Labs

nilg0lap said:
Great job.… :good:
Try modifying /system partition (like removing a bloted system app or editing build.prop) after step 1.5 then update OTA through rest of the process if it get flashed or not.... Let me know, it'll be great help for me!!
Sent from my POCOPHONE F1 using XDA Labs
Click to expand...
Click to collapse
Alright, will try it for the next test.

nilg0lap said:
Great job.… :good:
Try modifying /system partition (like removing a bloted system app or editing build.prop) after step 1.5 then update OTA through rest of the process if it get flashed or not.... Let me know, it'll be great help for me!!
Sent from my POCOPHONE F1 using XDA Labs
Click to expand...
Click to collapse
Ohhh yeah... About that...
Even though you modified something in the system partition (like flashed a custom kernel, have Magisk/SuperSU installed), it will get removed because of the OTA update and will be replaced by stock kernel, and a non-rooted system. But about removing bloated system app, I will try that next time.
You could try it, before proceeding to step 1.6, you can back-up your system apps using Titanium back-up or other apps available on the play store. Or just BACKUP everything via OrangeFox. If anything gets wrong or something, at least you have a backup to restore with.

Everything you flash on the system (custom kernel, Magisk/SuperSu, performance mod, tweaks, will be wiped.
Just flash it again and everything would be fine.

Sir, is this still working on latest developer rom (9.4.26) ?
Do you prefer R9.0 over R9.0.1 ? Had read that latter has bugs.
Or safest method as of now is from this post via official twrp ? --> https://forum.xda-developers.com/showpost.php?p=79461706&postcount=186
Please help sir as I really want to be on stock miui w/ magisk & OTA support.
Thanks in advance kabayan!

19iceman32 said:
Sir, is this still working on latest developer rom (9.4.26) ?
Do you prefer R9.0 over R9.0.1 ? Had read that latter has bugs.
Or safest method as of now is from this post via official twrp ? --> https://forum.xda-developers.com/showpost.php?p=79461706&postcount=186
Please help sir as I really want to be on stock miui w/ magisk & OTA support.
Thanks in advance kabayan!
Click to expand...
Click to collapse
Backup first. Then try the Twrp with working decryption

Fail to permanent install and access TWRP due to encryption

Recently I just downgraded my Mi Mix 2s to MIUI V9.6.4.0.ODGMIFD via Miflash and planning to stay on this (global) rom. However, after flashing the latest twrp from the official link (v3.1.1-1) it did not ask for the lockscreen password upon entering the interface and my files just showed up with random filenames.
After some reading, I suppose my device is encrypted and twrp did not let me to decrypt it (without asking for lockscreen password). The random filenames still happens even I remove the lockscreen password before flashing twrp meaning the device is still encrypted. Before I could do anything else (flashing zip files, making backups, etc) I must format data to remove the encryption, but twrp will disappear after I booted into system and did the initial phone configuration. Tried different versions (from 3.2.3-0 to 3.3.1-1) but to no avail. The only way I can retain twrp after booting into system is to flash Magisk zip right after formatting data, but if I enter twrp again the filenames are still in random characters as before and I couldn't do anything in it.
So my question is how can I properly install twrp into my device without having the encryption issues? Could it be the rom that caused the problem or did I missed out any steps that fails to disable the encryption? Thanks for your attention.

WannaFly3721 said:
Recently I just downgraded my Mi Mix 2s to MIUI V9.6.4.0.ODGMIFD via Miflash and planning to stay on this (global) rom. However, after flashing the latest twrp from the official link (v3.1.1-1) it did not ask for the lockscreen password upon entering the interface and my files just showed up with random filenames.
After some reading, I suppose my device is encrypted and twrp did not let me to decrypt it (without asking for lockscreen password). The random filenames still happens even I remove the lockscreen password before flashing twrp meaning the device is still encrypted. Before I could do anything else (flashing zip files, making backups, etc) I must format data to remove the encryption, but twrp will disappear after I booted into system and did the initial phone configuration. Tried different versions (from 3.2.3-0 to 3.3.1-1) but to no avail. The only way I can retain twrp after booting into system is to flash Magisk zip right after formatting data, but if I enter twrp again the filenames are still in random characters as before and I couldn't do anything in it.
So my question is how can I properly install twrp into my device without having the encryption issues? Could it be the rom that caused the problem or did I missed out any steps that fails to disable the encryption? Thanks for your attention.
Click to expand...
Click to collapse
Guess I've found a workaround for this by installing the OrangeFox recovery project (ofrp). For those who stuck at the same issue as mine this is what I did:
1. Flash twrp img through adb fastboot.
2. Format data to remove encryption.
3. Paste ofrp zip file into the device and flash it via twrp, which boots the phone into ofrp interface.
4. Paste the recovery zip file into the device and flash it via ofrp. Under setting - MIUI OTA it should show 'enabled' (for android 9 and above might need to uncheck disable dm-verity first according to ofrp page, but my rom is at android 8 so I left it checked as default before flashing).
5. Reboot to system and complete the initial configuration.
6. Reboot to recovery again and ofrp should remain installed. From there I was then able to perform a backup.
Btw, under phone settings it says my device is still encrypted although I can access to ofrp without having the encryption issue as in twrp (random filenames, cannot transfer files or create backups, etc). Anyhow I now have a working custom recovery on the stock rom, cheers.