FED-Patcher for the Robin (ForceEncrypt Disable Patcher)

Recognized Developer


This tool was created for the Nexus 9 by @gladiac to get rid of the ForceEncrypt flag in a generic way (meaning it should work no matter what ROM you are on). It does that by patching the currently installed boot.img.

This is a better implementation than having to manually patch every boot.img, especially once custom AOSP ROMs come along, because CyanogenMod will have force encrypt enabled just like the Nexus devices. It also makes it easy to patch OTA boot.img files by yourself.

The Android CDD (Compatibility Definition Document) suggests that all devices SHOULD enable full disk-encryption (FDE) by default. Even though I support every step towards more security I have to criticize this approach. FDE comes at a price. Encryption takes time because some component has to de- and encrypt the stuff on the disk at some point and in the case of the Nexus 9 (aka flounder) it's the CPU's task. Even though the Nexus 9's CPU has 2 pretty fast cores you can still easily feel the difference between FDE in the on- or off-state. The I/O is faster and boot-times take only half as long. (I did not do any measurements.)
There is an old discussion about this topic in CyanogenMod's Gerrit. Although it's a fun read, it is pretty clear that this exchange of views is not going anywhere near a useful outcome.
Because performance is important to me and my tablet does not need the extra security, I created the FED-Patcher (ForceEncrypt Disable Patcher).

How does it work?
FED-Patcher is a simple flashable ZIP that is supposed to be run in a recovery that has busybox integrated (like TWRP). This is what it does:

  1. Checks if your device is compatible
  2. Dumps the currently installed boot.img.
  3. Unpacks the dump of your currently installed boot.img. The unpacking process is done via a self-compiled, statically linked version of unmkbootimg.
  4. It patches the filesystem tables which include the force-encrypt flags. This process will change "forceencrypt" to "encryptable".
  5. Then it patches the filesystem tables to not use dm-verity. This is done by removing the "verify" mount-parameter.
  6. Creates a new boot.img. The unpacking process is done via a self-compiled, statically linked version of mkbootimg.
  7. Flashes the modified boot.img

What do I need to make this work?

  1. A supported device (Your Robin)
  2. An unlocked bootloader
  3. An already installed ROM with the forceencrypt flag (like stock or CyanogenMod)
  4. A recovery that includes busybox (TWRP)

How do I use it?

  1. Make a thorough, conservative backup of your data if there is any on your device.
  2. Go into your recovery (TWRP)
  3. Flash fed_patcher_robin.zip
  4. If your device is already encrypted (you booted your ROM at least once) you need to do a full wipe to get rid of the encryption. This full wipe will clear all your data on your data-partition (where your apps as well as their settings are stored) as well as on your internal storage so please, do a backup before. If you don't do a backup and want to restore your data... well... call Obama.

How do I know if it worked?
Go into your "Settings"-App. In "Security", if it offers you to encrypt your device it is unencrypted. If it says something like "Device is encrypted" it indeed is encrypted.

IMPORTANT: If you update your ROM you have to run FED-Patcher again because ROM-updates also update the boot-partition, which effectively removes my patch. So, if you are on the first OTA for example and you used the patch and do an update to a newer nightly, you have to run FED-Patcher again. If you don't do so, Android will encrypt your device at the first boot.

Is it dangerous?
Well, I implemented tons of checks that prevent pretty much anything bad from happening. But, of course, we're dealing with the boot-partition here. Even though I tested FED-Patcher quite a lot there is still room for crap hitting the fan.


* @gladiac did all of the work for this; I just edited a few things for it to work on the Robin. Link to his original thread
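
The fstab change described in steps 4 and 5 of the post above, seen from the audit side: the following is an added example, not part of the original post or of FED-Patcher, that reads the fs_mgr flags column of an Android fstab and reports whether encryption is forced and whether dm-verity is requested. The function names, the sample device paths and the policy in `check_fstab` (/data force-encrypted, /system verified) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit fs_mgr flags in an Android fstab (5-column format).

# audit_fstab FILE -> one line per entry: "<mount_point> <encryption> <verity>"
audit_fstab() {
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        NF >= 5 {                               # blank or short lines are ignored
            enc = "none"; verity = "off"
            n = split($5, flags, ",")           # fs_mgr flags are comma-separated
            for (i = 1; i <= n; i++) {
                if (flags[i] ~ /^forceencrypt=/)      enc = "forced"
                else if (flags[i] ~ /^encryptable=/)  enc = "optional"
                else if (flags[i] == "verify" || flags[i] ~ /^verify=/) verity = "on"
            }
            print $2, enc, verity
        }
    ' "$1"
}

# check_fstab FILE -> exit status 1 if the assumed policy is not met:
# /data must be force-encrypted and /system must be mounted with dm-verity.
check_fstab() {
    audit_fstab "$1" | awk '
        $1 == "/data"   && $2 != "forced" { print "FINDING: /data encryption is " $2; bad = 1 }
        $1 == "/system" && $3 != "on"     { print "FINDING: /system dm-verity is off"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample tables (device paths are placeholders, not from a real image).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab.stock" <<'EOF'
# <src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
/dev/block/by-name/system   /system ext4 ro,barrier=1 wait,verify
/dev/block/by-name/userdata /data   ext4 noatime,nosuid,nodev wait,check,forceencrypt=/dev/block/by-name/metadata
EOF
cat > "$SAMPLE_DIR/fstab.patched" <<'EOF'
/dev/block/by-name/system   /system ext4 ro,barrier=1 wait
/dev/block/by-name/userdata /data   ext4 noatime,nosuid,nodev wait,check,encryptable=/dev/block/by-name/metadata
EOF

for f in "$SAMPLE_DIR/fstab.stock" "$SAMPLE_DIR/fstab.patched"; do
    echo "== $f"
    audit_fstab "$f"
    check_fstab "$f" || echo "enforcement weakened in $f"
done
```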

Rebel on the Rise

Re: FED-Patcher for the Robin (ForceEncrypt Disable Patcher)

Nice work @deadman96385! Very helpful to many Robins who want a decrypted phone!

Join the force! ->https://programs.nextbit.com/

Dancing cat approves!
Rebel 3.0

Re: FED-Patcher for the Robin (ForceEncrypt Disable Patcher)

Question. Would I have to perform this before or after every OTA update? Or just once before performing any update?

I'm currently on Robin stock, un-encrypted, unlocked boot and rooted with Xposed. Waiting for the April OTA update before I start the un-rooting/uninstall Xposed process and I'd like to not lose my user partition.