diff --git a/crypto/vold_decrypt/Android.mk b/crypto/vold_decrypt/Android.mk
index e371c24..ddfad03 100644
--- a/crypto/vold_decrypt/Android.mk
+++ b/crypto/vold_decrypt/Android.mk
@@ -16,7 +16,6 @@
 
 ifeq ($(TW_INCLUDE_CRYPTO), true)
     ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),)
-    ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),false)
 
 
         # Parse TW_CRYPTO_USE_SYSTEM_VOLD
@@ -54,6 +53,17 @@
                     cp -f "$(LOCAL_PATH)/$(item)" "$(TARGET_ROOT_OUT)"/; \
                 fi; \
             )
+
+        ifeq ($(shell test $(PLATFORM_SDK_VERSION) -lt 26; echo $$?),0)
+            # Truncate service_name to max 16 characters
+            LOCAL_POST_INSTALL_CMD += \
+                $(foreach item, $(rc_files), \
+                    if [ -f "$(TARGET_ROOT_OUT)/$(item)" ]; then \
+                        sed -i 's/\([ \t]*service[ \t]*\)\(.\{16\}\).*\([ \t].*\)/\1\2\3/' "$(TARGET_ROOT_OUT)/$(item)"; \
+                    fi; \
+                )
+        endif
+
         include $(BUILD_PREBUILT)
 
 
@@ -66,7 +76,14 @@
         endif
 
         ifneq ($(services),)
-            LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_SERVICES='"$(services)"'
+            ifeq ($(shell test $(PLATFORM_SDK_VERSION) -lt 26; echo $$?),0)
+                # Truncate service_name to max 12 characters due to the 4 character prefix
+                truncated_services := $(foreach item,$(services),$(shell echo -n "$(item)" | sed 's/\(.\{12\}\).*/\1/'))
+                LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_SERVICES='"$(truncated_services)"'
+                LOCAL_CFLAGS += -D_USING_SHORT_SERVICE_NAMES
+            else
+                LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_SERVICES='"$(services)"'
+            endif
         endif
 
         ifeq ($(TW_CRYPTO_SYSTEM_VOLD_DEBUG),true)
@@ -74,14 +91,9 @@
             LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_DEBUG
         endif
 
-        ifeq ($(TW_CRYPTO_SYSTEM_VOLD_DISABLE_TIMEOUT),true)
-            LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_DISABLE_TIMEOUT
-        endif
-
         LOCAL_SRC_FILES = vold_decrypt.cpp
         LOCAL_SHARED_LIBRARIES := libcutils
         include $(BUILD_STATIC_LIBRARY)
 
     endif
-    endif
 endif
diff --git a/crypto/vold_decrypt/init.recovery.vold_decrypt.hwservicemanager.rc b/crypto/vold_decrypt/init.recovery.vold_decrypt.hwservicemanager.rc
new file mode 100755
index 0000000..ab8b4ac
--- /dev/null
+++ b/crypto/vold_decrypt/init.recovery.vold_decrypt.hwservicemanager.rc
@@ -0,0 +1,18 @@
+# Service names must be less than 16 characters in android-7.1 and
+# below. The makefile will truncate service names if needed in any
+# init.recovery.vold_decryp.*.rc file found in the vold_decrypt
+# directory.
+# It cannot however do this for any .rc file(s) that may be
+# overridden by the device tree files!
+
+# The seclabels are not needed when built in Android 8.0 tree
+# in 7.1 however the below do not exist, so run them under vold
+service sys_hwservicemanager /system/bin/hwservicemanager
+    user root
+    group root
+    setenv PATH /system/bin
+    setenv LD_LIBRARY_PATH /system/lib64:/system/lib
+    onrestart setprop hwservicemanager.ready false
+    disabled
+    oneshot
+    seclabel u:r:vold:s0
diff --git a/crypto/vold_decrypt/init.recovery.vold_decrypt.keymaster-3-0.rc b/crypto/vold_decrypt/init.recovery.vold_decrypt.keymaster-3-0.rc
new file mode 100755
index 0000000..e9f0b02
--- /dev/null
+++ b/crypto/vold_decrypt/init.recovery.vold_decrypt.keymaster-3-0.rc
@@ -0,0 +1,17 @@
+# Service names must be less than 16 characters in android-7.1 and
+# below. The makefile will truncate service names if needed in any
+# init.recovery.vold_decryp.*.rc file found in the vold_decrypt
+# directory.
+# It cannot however do this for any .rc file(s) that may be
+# overridden by the device tree files!
+
+# The seclabels are not needed when built in Android 8.0 tree
+# in 7.1 however the below do not exist, so run them under vold
+service ven_keymaster-3-0 /vendor/bin/hw/android.hardware.keymaster@3.0-service
+    user root
+    group root
+    setenv PATH /vendor/bin:/system/bin
+    setenv LD_LIBRARY_PATH /vendor/lib64:/system/lib64:/vendor/lib:/system/lib
+    disabled
+    oneshot
+    seclabel u:r:vold:s0
diff --git a/crypto/vold_decrypt/init.recovery.vold_decrypt.qseecomd.rc b/crypto/vold_decrypt/init.recovery.vold_decrypt.qseecomd.rc
index 06bdebc..0866608 100755
--- a/crypto/vold_decrypt/init.recovery.vold_decrypt.qseecomd.rc
+++ b/crypto/vold_decrypt/init.recovery.vold_decrypt.qseecomd.rc
@@ -5,6 +5,10 @@
     chmod 0664 /dev/ion
     chown system system /dev/ion
 
+
+# Oreo has qseecomd in /vendor/bin so add the additional
+# service. Only an existing binary will be started, never both.
+
 service sys_qseecomd /system/bin/qseecomd
     user root
     group root
@@ -12,3 +16,11 @@
     setenv LD_LIBRARY_PATH /system/lib64:/system/lib
     disabled
     oneshot
+
+service ven_qseecomd /vendor/bin/qseecomd
+    user root
+    group root
+    setenv PATH /vendor/bin:/system/bin
+    setenv LD_LIBRARY_PATH /vendor/lib64:/system/lib64:/vendor/lib:/system/lib
+    disabled
+    oneshot
diff --git a/crypto/vold_decrypt/vold_decrypt.cpp b/crypto/vold_decrypt/vold_decrypt.cpp
index d535a25..f6e6e34 100644
--- a/crypto/vold_decrypt/vold_decrypt.cpp
+++ b/crypto/vold_decrypt/vold_decrypt.cpp
@@ -16,28 +16,32 @@
     along with TWRP.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
+#include <fcntl.h>
+#include <sys/mount.h>
 #include <sys/time.h>
+#include <dirent.h>
+#include <fnmatch.h>
 
-#ifdef TW_CRYPTO_SYSTEM_VOLD_DEBUG
 #include <signal.h>
 #include <sys/types.h>
 #include <sys/wait.h>
-#endif
 
+#include <fstream>
 #include <string>
 #include <vector>
 #include <sstream>
 
-#include "../../twcommon.h"
+#ifdef _USING_SHORT_SERVICE_NAMES
+#include <map>
+#endif
+
 #include "../../partitions.hpp"
 #include "../../twrp-functions.hpp"
-#include "../../gui/gui.hpp"
 
 using namespace std;
 
@@ -45,6 +49,10 @@
 	#include <cutils/properties.h>
 }
 
+#include "vold_decrypt.h"
+
+namespace {
+
 /* Timeouts as defined by ServiceManager */
 
 /* The maximum amount of time to wait for a service to start or stop,
@@ -55,51 +63,90 @@
 #define  SLEEP_MIN_USEC      200000  /* 200 msec */
 
 
-#define LOGDECRYPT(...) do { printf(__VA_ARGS__); if (fp_kmsg) { fprintf(fp_kmsg, "[VOLD_DECRYPT]" __VA_ARGS__); fflush(fp_kmsg); } } while (0)
-#define LOGDECRYPT_KMSG(...) do { if (fp_kmsg) { fprintf(fp_kmsg, "[VOLD_DECRYPT]" __VA_ARGS__); fflush(fp_kmsg); } } while (0)
+/* vold response codes defined in ResponseCode.h */
+// 200 series - Requested action has been successfully completed
+#define COMMAND_OKAY           200
+#define PASSWORD_TYPE_RESULT   213
 
-#ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
-typedef struct {
-	string service_name;
-	string twrp_svc_name;
-	bool is_running;
-	bool resume;
-} AdditionalService;
-#endif
+
+#define LOGINFO(...)  do { printf(__VA_ARGS__); if (fp_kmsg) { fprintf(fp_kmsg, "[VOLD_DECRYPT]I:" __VA_ARGS__); fflush(fp_kmsg); } } while (0)
+#define LOGKMSG(...)  do { if (fp_kmsg) { fprintf(fp_kmsg, "[VOLD_DECRYPT]K:" __VA_ARGS__); fflush(fp_kmsg); } } while (0)
+#define LOGERROR(...) do { printf(__VA_ARGS__); if (fp_kmsg) { fprintf(fp_kmsg, "[VOLD_DECRYPT]E:" __VA_ARGS__); fflush(fp_kmsg); } } while (0)
 
 FILE *fp_kmsg = NULL;
-bool has_timeout = false;
 
+
+/* Debugging Functions */
 #ifdef TW_CRYPTO_SYSTEM_VOLD_DEBUG
-bool has_strace = false;
 
-pid_t strace_init(void) {
-	if (!has_strace)
-		return -1;
+#ifndef VD_STRACE_BIN
+#define VD_STRACE_BIN "/sbin/strace"
+#endif
+
+bool has_strace = false;
+pid_t pid_strace = 0;
+
+void Strace_init_Start(void) {
+	has_strace = TWFunc::Path_Exists(VD_STRACE_BIN);
+	if (!has_strace) {
+		LOGINFO("strace binary (%s) not found, disabling strace in vold_decrypt!\n", VD_STRACE_BIN);
+		return;
+	}
 
 	pid_t pid;
 	switch(pid = fork())
 	{
 		case -1:
-			LOGDECRYPT_KMSG("forking strace_init failed: %d!\n", errno);
-			return -1;
+			LOGKMSG("forking strace_init failed: %d (%s)!\n", errno, strerror(errno));
+			return;
 		case 0: // child
-			execl("/sbin/strace", "strace", "-q", "-tt", "-ff", "-v", "-y", "-s", "1000", "-o", "/tmp/strace_init.log", "-p", "1" , NULL);
-			LOGDECRYPT_KMSG("strace_init fork failed: %d!\n", errno);
+			execl(VD_STRACE_BIN, "strace", "-q", "-tt", "-ff", "-v", "-y", "-s", "1000", "-o", "/tmp/strace_init.log", "-p", "1" , NULL);
+			LOGKMSG("strace_init fork failed: %d (%s)!\n", errno, strerror(errno));
 			exit(-1);
 		default:
-			LOGDECRYPT_KMSG("Starting strace_init (pid=%d)\n", pid);
-			return pid;
+			LOGKMSG("Starting strace_init (pid=%d)\n", pid);
+			pid_strace = pid;
+			return;
 	}
 }
-#endif
+
+void Strace_init_Stop(void) {
+	if (pid_strace > 0) {
+		LOGKMSG("Stopping strace_init (pid=%d)\n", pid_strace);
+		int timeout;
+		int status;
+		pid_t retpid = waitpid(pid_strace, &status, WNOHANG);
+
+		kill(pid_strace, SIGTERM);
+		for (timeout = 5; retpid == 0 && timeout; --timeout) {
+			sleep(1);
+			retpid = waitpid(pid_strace, &status, WNOHANG);
+		}
+		if (retpid)
+			LOGKMSG("strace_init terminated successfully\n");
+		else {
+			// SIGTERM didn't work, kill it instead
+			kill(pid_strace, SIGKILL);
+			for (timeout = 5; retpid == 0 && timeout; --timeout) {
+				sleep(1);
+				retpid = waitpid(pid_strace, &status, WNOHANG);
+			}
+			if (retpid)
+				LOGKMSG("strace_init killed successfully\n");
+			else
+				LOGKMSG("strace_init took too long to kill, may be a zombie process\n");
+		}
+	}
+}
+#endif // TW_CRYPTO_SYSTEM_VOLD_DEBUG
+
 
 /* Convert a binary key of specified length into an ascii hex string equivalent,
  * without the leading 0x and with null termination
  *
  * Original code from cryptfs.c
  */
-string convert_key_to_hex_ascii(string master_key) {
+string convert_key_to_hex_ascii(const string& master_key) {
 	size_t i;
 	unsigned char nibble;
 	string master_key_ascii = "";
@@ -117,7 +164,46 @@
 	return master_key_ascii;
 }
 
-string wait_for_property(string property_name, int utimeout = SLEEP_MAX_USEC, string expected_value = "not_empty") {
+/* Helper Functions */
+#define PATH_EXISTS(path)  (access(path, F_OK) >= 0)
+
+int vrename(const string& oldname, const string& newname, bool verbose = false) {
+	const char *old_name = oldname.c_str();
+	const char *new_name = newname.c_str();
+
+	if (!PATH_EXISTS(old_name))
+		return 0;
+
+	if (rename(old_name, new_name) < 0) {
+		LOGERROR("Moving %s to %s failed: %d (%s)\n", old_name, new_name, errno, strerror(errno));
+		return -1;
+	} else if (verbose)
+		LOGINFO("Renamed %s to %s\n", old_name, new_name);
+	else
+		LOGKMSG("Renamed %s to %s\n", old_name, new_name);
+	return 0;
+}
+
+int vsymlink(const string& oldname, const string& newname, bool verbose = false) {
+	const char *old_name = oldname.c_str();
+	const char *new_name = newname.c_str();
+
+	if (!PATH_EXISTS(old_name))
+		return 0;
+
+	if (symlink(old_name, new_name) < 0) {
+		LOGERROR("Symlink %s -> %s failed: %d (%s)\n", new_name, old_name, errno, strerror(errno));
+		return -1;
+	} else if (verbose)
+		LOGINFO("Symlinked %s -> %s\n", new_name, old_name);
+	else
+		LOGKMSG("Symlinked %s -> %s\n", new_name, old_name);
+	return 0;
+}
+
+
+/* Properties and Services Functions */
+string Wait_For_Property(const string& property_name, int utimeout = SLEEP_MAX_USEC, const string& expected_value = "not_empty") {
 	char prop_value[PROPERTY_VALUE_MAX];
 
 	if (expected_value == "not_empty") {
@@ -125,7 +211,7 @@
 			property_get(property_name.c_str(), prop_value, "error");
 			if (strcmp(prop_value, "error") != 0)
 				break;
-			LOGDECRYPT_KMSG("waiting for %s to get set\n", property_name.c_str());
+			LOGKMSG("waiting for %s to get set\n", property_name.c_str());
 			utimeout -= SLEEP_MIN_USEC;
 			usleep(SLEEP_MIN_USEC);;
 		}
@@ -135,7 +221,7 @@
 			property_get(property_name.c_str(), prop_value, "error");
 			if (strcmp(prop_value, expected_value.c_str()) == 0)
 				break;
-			LOGDECRYPT_KMSG("waiting for %s to change from '%s' to '%s'\n", property_name.c_str(), prop_value, expected_value.c_str());
+			LOGKMSG("waiting for %s to change from '%s' to '%s'\n", property_name.c_str(), prop_value, expected_value.c_str());
 			utimeout -= SLEEP_MIN_USEC;
 			usleep(SLEEP_MIN_USEC);;
 		}
@@ -145,62 +231,531 @@
 	return prop_value;
 }
 
-bool Service_Exists(string initrc_svc) {
+string Get_Service_State(const string& initrc_svc) {
 	char prop_value[PROPERTY_VALUE_MAX];
 	string init_svc = "init.svc." + initrc_svc;
 	property_get(init_svc.c_str(), prop_value, "error");
-	return (strcmp(prop_value, "error") != 0);
+	return prop_value;
 }
 
-bool Is_Service_Running(string initrc_svc) {
-	char prop_value[PROPERTY_VALUE_MAX];
-	string init_svc = "init.svc." + initrc_svc;
-	property_get(init_svc.c_str(), prop_value, "error");
-	return (strcmp(prop_value, "running") == 0);
+bool Service_Exists(const string& initrc_svc) {
+	return (Get_Service_State(initrc_svc) != "error");
 }
 
-bool Is_Service_Stopped(string initrc_svc) {
-	char prop_value[PROPERTY_VALUE_MAX];
-	string init_svc = "init.svc." + initrc_svc;
-	property_get(init_svc.c_str(), prop_value, "error");
-	return (strcmp(prop_value, "stopped") == 0);
+bool Is_Service_Running(const string& initrc_svc) {
+	return (Get_Service_State(initrc_svc) == "running");
 }
 
-bool Start_Service(string initrc_svc, int utimeout = SLEEP_MAX_USEC) {
+bool Is_Service_Stopped(const string& initrc_svc) {
+	return (Get_Service_State(initrc_svc) == "stopped");
+}
+
+bool Start_Service(const string& initrc_svc, int utimeout = SLEEP_MAX_USEC) {
 	string res = "error";
 	string init_svc = "init.svc." + initrc_svc;
 
 	property_set("ctl.start", initrc_svc.c_str());
 
-	res = wait_for_property(init_svc, utimeout, "running");
+	res = Wait_For_Property(init_svc, utimeout, "running");
 
-	LOGDECRYPT("Start service %s: %s.\n", initrc_svc.c_str(), res.c_str());
+	LOGINFO("Start service %s: %s.\n", initrc_svc.c_str(), res.c_str());
 
 	return (res == "running");
 }
 
-bool Stop_Service(string initrc_svc, int utimeout = SLEEP_MAX_USEC) {
+bool Stop_Service(const string& initrc_svc, int utimeout = SLEEP_MAX_USEC) {
 	string res = "error";
 
 	if (Service_Exists(initrc_svc)) {
 		string init_svc = "init.svc." + initrc_svc;
 		property_set("ctl.stop", initrc_svc.c_str());
-		res = wait_for_property(init_svc, utimeout, "stopped");
-		LOGDECRYPT("Stop service %s: %s.\n", initrc_svc.c_str(), res.c_str());
+		res = Wait_For_Property(init_svc, utimeout, "stopped");
+		LOGINFO("Stop service %s: %s.\n", initrc_svc.c_str(), res.c_str());
 	}
 
 	return (res == "stopped");
 }
 
-void output_dmesg_to_recoverylog(void) {
-	TWFunc::Exec_Cmd(
-		"echo \"---- DMESG LOG FOLLOWS ----\";"
-		"dmesg | grep 'DECRYPT\\|vold\\|qseecom\\|QSEECOM\\|keymaste\\|keystore\\|cmnlib';"
-		"echo \"---- DMESG LOG ENDS ----\""
-	);
+
+/* Vendor, Firmware and fstab symlink Functions */
+bool is_Vendor_Mounted(void) {
+	static int is_mounted = -1;
+	if (is_mounted < 0)
+		is_mounted = PartitionManager.Is_Mounted_By_Path("/vendor") ? 1 : 0;
+	return is_mounted;
 }
 
-void set_needed_props(void) {
+bool is_Firmware_Mounted(void) {
+	static int is_mounted = -1;
+	if (is_mounted < 0)
+		is_mounted = PartitionManager.Is_Mounted_By_Path("/firmware") ? 1 : 0;
+	return is_mounted;
+}
+
+bool will_VendorBin_Be_Symlinked(void) {
+	return (!is_Vendor_Mounted() && TWFunc::Path_Exists("/system/vendor"));
+}
+
+bool Symlink_Vendor_Folder(void) {
+	bool is_vendor_symlinked = false;
+
+	if (is_Vendor_Mounted()) {
+		LOGINFO("vendor partition mounted, skipping /vendor substitution\n");
+	}
+	else if (TWFunc::Path_Exists("/system/vendor")) {
+		LOGINFO("Symlinking vendor folder...\n");
+		if (!TWFunc::Path_Exists("/vendor") || vrename("/vendor", "/vendor-orig") == 0) {
+			TWFunc::Recursive_Mkdir("/vendor/firmware/keymaster");
+			vsymlink("/system/vendor/lib64", "/vendor/lib64");
+			vsymlink("/system/vendor/lib", "/vendor/lib");
+			vsymlink("/system/vendor/bin", "/vendor/bin");
+			is_vendor_symlinked = true;
+			property_set("vold_decrypt.symlinked_vendor", "1");
+		}
+	}
+	return is_vendor_symlinked;
+}
+
+void Restore_Vendor_Folder(void) {
+	property_set("vold_decrypt.symlinked_vendor", "0");
+	TWFunc::removeDir("/vendor", false);
+	vrename("/vendor-orig", "/vendor");
+}
+
+bool Symlink_Firmware_Folder(void) {
+	bool is_firmware_symlinked = false;
+
+	if (is_Firmware_Mounted()) {
+		LOGINFO("firmware partition mounted, skipping /firmware substitution\n");
+	}
+	else {
+		LOGINFO("Symlinking firmware folder...\n");
+		if (!TWFunc::Path_Exists("/firmware") || vrename("/firmware", "/firmware-orig") == 0) {
+			TWFunc::Recursive_Mkdir("/firmware/image");
+			is_firmware_symlinked = true;
+			property_set("vold_decrypt.symlinked_firmware", "1");
+		}
+	}
+	return is_firmware_symlinked;
+}
+
+void Restore_Firmware_Folder(void) {
+	property_set("vold_decrypt.symlinked_firmware", "0");
+	TWFunc::removeDir("/firmware", false);
+	vrename("/firmware-orig", "/firmware");
+}
+
+int Find_Firmware_Files(const string& Path, vector<string> *FileList) {
+	int ret;
+	DIR* d;
+	struct dirent* de;
+	string FileName;
+
+	d = opendir(Path.c_str());
+	if (d == NULL) {
+		closedir(d);
+		return -1;
+	}
+	while ((de = readdir(d)) != NULL) {
+		if (de->d_type == DT_DIR) {
+			if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
+				continue;
+			FileName = Path + "/" + de->d_name;
+			ret = Find_Firmware_Files(FileName, FileList);
+			if (ret < 0)
+				return -1;
+		} else if (de->d_type == DT_REG) {
+			if (fnmatch("keymaste*.*", de->d_name, 0) == 0 || fnmatch("cmnlib.*", de->d_name, 0) == 0) {
+				FileName = Path + "/" + de->d_name;
+				FileList->push_back(FileName);
+			}
+		}
+	}
+	closedir(d);
+	return 0;
+}
+
+void Symlink_Firmware_Files(bool is_vendor_symlinked, bool is_firmware_symlinked) {
+	if (!is_vendor_symlinked && !is_firmware_symlinked)
+		return;
+
+	LOGINFO("Symlinking firmware files...\n");
+
+	vector<string> FirmwareFiles;
+	Find_Firmware_Files("/system", &FirmwareFiles);
+
+	for (size_t i = 0; i < FirmwareFiles.size(); ++i) {
+		string base_name = TWFunc::Get_Filename(FirmwareFiles[i]);
+
+		if (is_firmware_symlinked)
+			vsymlink(FirmwareFiles[i], "/firmware/image/" + base_name);
+
+		if (is_vendor_symlinked) {
+			vsymlink(FirmwareFiles[i], "/vendor/firmware/" + base_name);
+			vsymlink(FirmwareFiles[i], "/vendor/firmware/keymaster/" + base_name);
+		}
+	}
+	LOGINFO("%d file(s) symlinked.\n", (int)FirmwareFiles.size());
+}
+
+// Android 8.0 fs_mgr checks for "/sbin/recovery", in which case it will
+// use /etc/recovery.fstab -> symlink it temporarily. Reference:
+// https://android.googlesource.com/platform/system/core/+/android-8.0.0_r17/fs_mgr/fs_mgr_fstab.cpp#693
+bool Symlink_Recovery_Fstab(void) {
+	bool is_fstab_symlinked = false;
+
+	if (vrename("/etc/recovery.fstab", "/etc/recovery-fstab-orig") == 0) {
+		is_fstab_symlinked = true;
+
+		// now attempt to symlink to /fstab.{ro.hardware}, but even if that
+		// fails, keep TWRP's fstab hidden since it cannot be parsed by fs_mgr
+		char prop_value[PROPERTY_VALUE_MAX];
+		property_get("ro.hardware", prop_value, "error");
+		if (strcmp(prop_value, "error")) {
+			string fstab_device = "/fstab."; fstab_device += prop_value;
+			vsymlink(fstab_device, "/etc/recovery.fstab");
+		}
+	}
+	return is_fstab_symlinked;
+}
+
+void Restore_Recovery_Fstab(void) {
+	unlink("/etc/recovery.fstab");
+	vrename("/etc/recovery-fstab-orig", "/etc/recovery.fstab");
+}
+
+
+/* Additional Services Functions */
+#ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
+typedef struct {
+	string Service_Name;
+	string Service_Path;
+	string Service_Binary;
+
+	string VOLD_Service_Name;
+	string TWRP_Service_Name;
+	bool is_running;
+	bool resume;
+	bool exists;
+} AdditionalService;
+
+typedef struct {
+	string Service_Name;
+	string Service_Path;
+	string Service_Binary;
+} RC_Service;
+
+// expand_props() courtesy of platform_system_core_init_util.cpp
+bool expand_props(const std::string& src, std::string* dst) {
+	const char* src_ptr = src.c_str();
+
+	if (!dst) {
+		return false;
+	}
+
+	/* - variables can either be $x.y or ${x.y}, in case they are only part
+	 *   of the string.
+	 * - will accept $$ as a literal $.
+	 * - no nested property expansion, i.e. ${foo.${bar}} is not supported,
+	 *   bad things will happen
+	 * - ${x.y:-default} will return default value if property empty.
+	 */
+	while (*src_ptr) {
+		const char* c;
+
+		c = strchr(src_ptr, '$');
+		if (!c) {
+			dst->append(src_ptr);
+			return true;
+		}
+
+		dst->append(src_ptr, c);
+		c++;
+
+		if (*c == '$') {
+			dst->push_back(*(c++));
+			src_ptr = c;
+			continue;
+		} else if (*c == '\0') {
+			return true;
+		}
+
+		std::string prop_name;
+		std::string def_val;
+		if (*c == '{') {
+			c++;
+			const char* end = strchr(c, '}');
+			if (!end) {
+				// failed to find closing brace, abort.
+				return false;
+			}
+			prop_name = std::string(c, end);
+			c = end + 1;
+			size_t def = prop_name.find(":-");
+			if (def < prop_name.size()) {
+				def_val = prop_name.substr(def + 2);
+				prop_name = prop_name.substr(0, def);
+			}
+		} else {
+			prop_name = c;
+			c += prop_name.size();
+		}
+
+		if (prop_name.empty()) {
+			return false;
+		}
+
+		char prop_value[PROPERTY_VALUE_MAX];
+		property_get(prop_name.c_str(), prop_value, "");
+		std::string prop_val = prop_value;
+		if (prop_val.empty()) {
+			if (def_val.empty()) {
+				return false;
+			}
+			prop_val = def_val;
+		}
+
+		dst->append(prop_val);
+		src_ptr = c;
+	}
+
+	return true;
+}
+
+string GetArgument(const string& line, size_t argument_number, bool expand_properties) {
+	size_t beg;
+	size_t end;
+	string argument;
+
+	beg = line.find_first_not_of(" \t\r");
+	if (beg == string::npos)
+		return "";
+
+	for (size_t i = 0; i < argument_number; ++i) {
+		end = line.find_first_of(" \t\r", beg);
+		if (end == string::npos)
+			return "";
+
+		beg = line.find_first_not_of(" \t\r", end);
+		if (beg == string::npos)
+			return "";
+	}
+
+	end = line.find_first_of(" \t\r", beg);
+	if (end == string::npos)
+		argument = line.substr(beg);
+	else
+		argument = line.substr(beg, end - beg); // exclude trailing whitespace
+
+	if (expand_properties) {
+		string expanded_property_argument;
+		if (expand_props(argument, &expanded_property_argument))
+			return expanded_property_argument;
+		else
+			return "";
+	} else {
+		return argument;
+	}
+}
+
+// Very simplified .rc parser to get services
+void Parse_RC_File(const string& rc_file, vector<RC_Service>& RC_Services) {
+	ifstream file;
+
+	file.open(rc_file.c_str(), ios::in);
+	if (!file.is_open())
+		return;
+
+	size_t beg;                 // left trim
+	size_t end;                 // right trim
+	bool continuation = false;  // backslash continuation
+	string line;                // line
+	string real_line;           // trimmed line with backslash continuation removal
+	vector<string> imports;     // file names of imports (we don't want to recursively do while the file is open)
+
+	while (getline(file, line)) {
+		beg = line.find_first_not_of(" \t\r");
+		end = line.find_last_not_of(" \t\r");
+		if (end == string::npos)
+			end = line.length();
+
+		if (beg == string::npos) {
+			if (continuation)
+				continuation = false;
+			else
+				continue;
+		} else if (line[end] == '\\') {
+			continuation = true;
+			real_line += line.substr(beg, end - beg); // excluding backslash
+			continue;
+		} else if (continuation) {
+			continuation = false;
+			real_line += line.substr(beg, end - beg + 1);
+		} else {
+			real_line = line.substr(beg, end - beg + 1);
+		}
+
+		if (GetArgument(real_line, 0, false) == "import") {
+			// handle: import <file>
+			string file_name = GetArgument(real_line, 1, true);
+			if (file_name.empty()) {
+				// INVALID IMPORT
+			} else
+				imports.push_back(file_name);
+		} else if (GetArgument(real_line, 0, false) == "service") {
+			// handle: service <name> <path>
+			RC_Service svc;
+
+			svc.Service_Name = GetArgument(real_line, 1, false);
+			svc.Service_Path = GetArgument(real_line, 2, true);
+
+			if (svc.Service_Name.empty() || svc.Service_Path.empty()) {
+				// INVALID SERVICE ENTRY
+			} else {
+				beg = svc.Service_Path.find_last_of("/");
+				if (beg == string::npos)
+					svc.Service_Binary = svc.Service_Path;
+				else
+					svc.Service_Binary = svc.Service_Path.substr(beg + 1);
+
+/*
+#ifdef _USING_SHORT_SERVICE_NAMES
+				if (svc.Service_Name.length() > 16) {
+					LOGERROR("WARNING: Ignoring service %s (-> %s)\n"
+					         "         defined in %s is greater than 16 characters and will\n"
+					         "         not be able to be run by init on android-7.1 or below!\n",
+					         svc.Service_Name.c_str(), svc.Service_Path.c_str(), rc_file.c_str()
+					        );
+				}
+				else
+#endif
+*/
+				RC_Services.push_back(svc);
+			}
+		}
+		real_line.clear();
+	}
+	file.close();
+
+	for (size_t i = 0; i < imports.size(); ++i) {
+		Parse_RC_File(imports[i], RC_Services);
+	}
+}
+
+vector<AdditionalService> Get_List_Of_Additional_Services(void) {
+	vector<AdditionalService> services;
+
+	// Additional Services needed by vold_decrypt (eg qseecomd, hwservicemanager, etc)
+	vector<string> service_names = TWFunc::Split_String(TW_CRYPTO_SYSTEM_VOLD_SERVICES, " ");
+	for (size_t i = 0; i < service_names.size(); ++i) {
+		AdditionalService svc;
+		svc.Service_Name = service_names[i];
+		svc.exists = false;
+		services.push_back(svc);
+
+#ifdef _USING_SHORT_SERVICE_NAMES
+		// Fallback code for >16 character service names which
+		// allows for multiple definitions in custom .rc files
+		if (service_names[i].length() > 12) {
+			svc.Service_Name = service_names[i].substr(0, 12); // 16-4(prefix)=12
+			svc.exists = false;
+			services.push_back(svc);
+		}
+#endif
+	}
+
+	// Read list of all services defined in all .rc files
+	vector<RC_Service> RC_Services;
+	Parse_RC_File("/init.rc", RC_Services);
+
+
+	// Cross reference Additional Services against the .rc Services and establish
+	// availability of the binaries, otherwise disable it to avoid unnecessary
+	// delays and log spam.
+	// Also check for duplicate entries between TWRP and vold_decrypt so we can
+	// stop and restart any conflicting services.
+	for (size_t i = 0; i < RC_Services.size(); ++i) {
+		string prefix = RC_Services[i].Service_Name.substr(0, 4);
+
+#ifdef _USING_SHORT_SERVICE_NAMES
+		map<string,size_t> rc_indeces;
+#endif
+
+		if (prefix != "sys_" && prefix != "ven_") {
+#ifdef _USING_SHORT_SERVICE_NAMES
+			if (RC_Services[i].Service_Name.length() > 12) {
+				// save this entry for potential binary name match
+				rc_indeces.insert(pair<string,size_t>(RC_Services[i].Service_Binary, i));
+			}
+#endif
+			continue;
+		}
+
+		for (size_t j = 0; j < services.size(); ++j) {
+			string path = RC_Services[i].Service_Path;
+			if (prefix == "ven_" && will_VendorBin_Be_Symlinked()) {
+				path = "/system" + path; // vendor is going to get symlinked to /system/vendor
+			}
+
+			if (RC_Services[i].Service_Name == prefix + services[j].Service_Name) {
+				if (!services[j].VOLD_Service_Name.empty() && TWFunc::Path_Exists(path)) {
+					// Duplicate match, log but use previous definition
+					LOGERROR("Service %s: VOLD_Service_Name already defined as %s\n", RC_Services[i].Service_Name.c_str(), services[j].VOLD_Service_Name.c_str());
+				}
+				else if (TWFunc::Path_Exists(path)) {
+					services[j].exists = true;
+					services[j].VOLD_Service_Name = RC_Services[i].Service_Name; // prefix + service_name
+					services[j].Service_Path = RC_Services[i].Service_Path;
+					services[j].Service_Binary = RC_Services[i].Service_Binary;
+
+					if (Service_Exists(services[j].Service_Name))
+						services[j].TWRP_Service_Name = services[j].Service_Name;
+					else if (Service_Exists("sbin" + services[j].Service_Name))
+						services[j].TWRP_Service_Name = "sbin" + services[j].Service_Name;
+					else
+						services[j].TWRP_Service_Name.clear();
+
+#ifdef _USING_SHORT_SERVICE_NAMES
+					if (services[j].TWRP_Service_Name.empty()) {
+						// Try matching Service_Binary (due to 16 character service_name limit in 7.1 and below)
+						map<string,size_t>::iterator it = rc_indeces.find(services[j].Service_Binary);
+						if (it != rc_indeces.end()) {
+							services[j].TWRP_Service_Name = RC_Services[it->second].Service_Name;
+						}
+					}
+#endif
+				}
+				break;
+			}
+		}
+	}
+
+	LOGINFO("List of additional services for vold_decrypt:\n");
+	for (size_t i = 0; i < services.size(); ++i) {
+		if (services[i].exists) {
+			if (services[i].TWRP_Service_Name.empty()) {
+				LOGINFO("    %s: Enabled as %s -> %s\n",
+				        services[i].Service_Name.c_str(),
+				        services[i].VOLD_Service_Name.c_str(), services[i].Service_Path.c_str()
+				       );
+			} else {
+				LOGINFO("    %s: Enabled as %s -> %s (temporarily replacing TWRP's %s service)\n",
+				        services[i].Service_Name.c_str(),
+				        services[i].VOLD_Service_Name.c_str(), services[i].Service_Path.c_str(),
+				        services[i].TWRP_Service_Name.c_str()
+				       );
+			}
+		}
+		else
+			LOGINFO("    %s: Disabled due to lack of matching binary\n", services[i].Service_Name.c_str());
+	}
+	return services;
+}
+#endif
+
+
+/* Misc Functions */
+void Set_Needed_Properties(void) {
 	// vold won't start without ro.storage_structure on Kitkat
 	string sdkverstr = TWFunc::System_Property_Get("ro.build.version.sdk");
 	int sdkver = 20;
@@ -214,241 +769,247 @@
 	}
 }
 
-string vdc_cryptfs_cmd(string log_name) {
-	string cmd = "LD_LIBRARY_PATH=/system/lib64:/system/lib /system/bin/vdc cryptfs";
 
-#ifndef TW_CRYPTO_SYSTEM_VOLD_DEBUG
-	(void)log_name; // do nothing, but get rid of compiler warning in non debug builds
-#else
-	if (has_timeout && has_strace)
-		cmd = "/sbin/strace -q -tt -ff -v -y -s 1000 -o /tmp/strace_vdc_" + log_name + " /sbin/timeout -t 30 -s KILL env " + cmd;
-	else if (has_strace)
-		cmd = "/sbin/strace -q -tt -ff -v -y -s 1000 -o /tmp/strace_vdc_" + log_name + " -E " + cmd;
-	else
+/* vdc Functions */
+typedef struct {
+	string Output;     // Entire line excluding \n
+	int ResponseCode;  // ResponseCode.h (int)
+	int Sequence;      // Sequence (int)
+	int Message;       // Message (string) but we're only interested in int
+} vdc_ReturnValues;
+
+int Exec_vdc_cryptfs(const string& command, const string& argument, vdc_ReturnValues* vdcResult) {
+	pid_t pid;
+	int status;
+	int pipe_fd[2];
+	vdcResult->Output.clear();
+
+	if (pipe(pipe_fd)) {
+		LOGERROR("exec_vdc_cryptfs: pipe() error!\n");
+		return -1;
+	}
+
+	const char *cmd[] = { "/system/bin/vdc", "cryptfs" };
+	const char *env[] = { "LD_LIBRARY_PATH=/system/lib64:/system/lib", NULL };
+
+#ifdef TW_CRYPTO_SYSTEM_VOLD_DEBUG
+	string log_name = "/tmp/strace_vdc_" + command;
 #endif
-	if (has_timeout)
-		cmd = "/sbin/timeout -t 30 -s KILL env " + cmd;
 
-	return cmd;
+	switch(pid = fork())
+	{
+		case -1:
+			LOGERROR("exec_vdc_cryptfs: fork failed: %d (%s)!\n", errno, strerror(errno));
+			return -1;
+
+		case 0: // child
+			fflush(stdout); fflush(stderr);
+			close(pipe_fd[0]);
+			dup2(pipe_fd[1], STDOUT_FILENO);
+			dup2(pipe_fd[1], STDERR_FILENO);
+			close(pipe_fd[1]);
+
+#ifdef TW_CRYPTO_SYSTEM_VOLD_DEBUG
+			if (has_strace) {
+				if (argument.empty())
+					execl(VD_STRACE_BIN, "strace", "-q", "-tt", "-ff", "-v", "-y", "-s", "1000", "-o", log_name.c_str(),
+						"-E", env[0], cmd[0], cmd[1], command.c_str(), NULL);
+				else
+					execl(VD_STRACE_BIN, "strace", "-q", "-tt", "-ff", "-v", "-y", "-s", "1000", "-o", log_name.c_str(),
+						  "-E", env[0], cmd[0], cmd[1], command.c_str(), argument.c_str(), NULL);
+			} else
+#endif
+			if (argument.empty())
+				execle(cmd[0], cmd[0], cmd[1], command.c_str(), NULL, env);
+			else
+				execle(cmd[0], cmd[0], cmd[1], command.c_str(), argument.c_str(), NULL, env);
+			_exit(127);
+			break;
+
+		default:
+		{
+			int timeout = 30*100;
+			vdcResult->Output.clear();
+			close(pipe_fd[1]);
+
+			// Non-blocking read loop with timeout
+			int flags = fcntl(pipe_fd[0], F_GETFL, 0);
+			fcntl(pipe_fd[0], F_SETFL, flags | O_NONBLOCK);
+
+			char buffer[128];
+			ssize_t count;
+			pid_t retpid = waitpid(pid, &status, WNOHANG);
+			while (true) {
+				count = read(pipe_fd[0], buffer, sizeof(buffer));
+				if (count == -1) {
+					if (errno == EINTR)
+						continue;
+					else if (errno != EAGAIN)
+						LOGERROR("exec_vdc_cryptfs: read() error %d (%s)\n!", errno, strerror(errno));
+				} else if (count > 0) {
+					vdcResult->Output.append(buffer, count);
+				}
+
+				retpid = waitpid(pid, &status, WNOHANG);
+				if (retpid == 0 && --timeout)
+					usleep(10000);
+				else
+					break;
+			};
+			close(pipe_fd[0]);
+			if (vdcResult->Output.length() > 0 && vdcResult->Output[vdcResult->Output.length() - 1] == '\n')
+				vdcResult->Output.erase(vdcResult->Output.length() - 1);
+			vdcResult->ResponseCode = vdcResult->Sequence = vdcResult->Message = -1;
+			sscanf(vdcResult->Output.c_str(), "%d %d %d", &vdcResult->ResponseCode, &vdcResult->Sequence, &vdcResult->Message);
+
+			// Error handling
+			if (retpid == 0 && timeout == 0) {
+				LOGERROR("exec_vdc_cryptfs: took too long, killing process\n");
+				kill(pid, SIGKILL);
+				for (timeout = 5; retpid == 0 && timeout; --timeout) {
+					sleep(1);
+					retpid = waitpid(pid, &status, WNOHANG);
+				}
+				if (retpid)
+					LOGINFO("exec_vdc_cryptfs: process killed successfully\n");
+				else
+					LOGERROR("exec_vdc_cryptfs: process took too long to kill, may be a zombie process\n");
+				return VD_ERR_VOLD_OPERATION_TIMEDOUT;
+			} else if (retpid > 0) {
+				if (WIFSIGNALED(status)) {
+					LOGERROR("exec_vdc_cryptfs: process ended with signal: %d\n", WTERMSIG(status)); // Seg fault or some other non-graceful termination
+					return -1;
+				}
+			} else if (retpid < 0) { // no PID returned
+				if (errno == ECHILD)
+					LOGINFO("exec_vdc_cryptfs: no child process exist\n");
+				else {
+					LOGERROR("exec_vdc_cryptfs: Unexpected error %d (%s)\n", errno, strerror(errno));
+					return -1;
+				}
+			}
+			return 0;
+		}
+	}
 }
 
-int run_vdc(string Password) {
-	int res = -1;
+int Run_vdc(const string& Password) {
+	int res;
 	struct timeval t1, t2;
-	string vdc_res;
-	int vdc_r1, vdc_r2, vdc_r3;
+	vdc_ReturnValues vdcResult;
 
-	LOGDECRYPT("About to run vdc...\n");
+	LOGINFO("About to run vdc...\n");
 
 	// Wait for vold connection
 	gettimeofday(&t1, NULL);
 	t2 = t1;
 	while ((t2.tv_sec - t1.tv_sec) < 5) {
-		vdc_res.clear();
 		// cryptfs getpwtype returns: R1=213(PasswordTypeResult)   R2=?   R3="password", "pattern", "pin", "default"
-		res = TWFunc::Exec_Cmd(vdc_cryptfs_cmd("connect") + " getpwtype", vdc_res);
-		std::replace(vdc_res.begin(), vdc_res.end(), '\n', ' '); // remove newline(s)
-		vdc_r1 = vdc_r2 = vdc_r3 = -1;
-		sscanf(vdc_res.c_str(), "%d", &vdc_r1);
-		if (vdc_r1 == 213) {
-			char str_res[sizeof(int) + 1];
-			snprintf(str_res, sizeof(str_res), "%d", res);
-			vdc_res += "ret=";
-			vdc_res += str_res;
+		res = Exec_vdc_cryptfs("getpwtype", "", &vdcResult);
+		if (vdcResult.ResponseCode == PASSWORD_TYPE_RESULT) {
+			char str_res[4 + sizeof(int) + 1];
+			snprintf(str_res, sizeof(str_res), "ret=%d", res);
+			vdcResult.Output += str_res;
 			res = 0;
 			break;
 		}
-		LOGDECRYPT("Retrying connection to vold\n");
+		LOGINFO("Retrying connection to vold (Reason: %s)\n", vdcResult.Output.c_str());
 		usleep(SLEEP_MIN_USEC); // vdc usually usleep(10000), but that causes too many unnecessary attempts
 		gettimeofday(&t2, NULL);
 	}
 
-	if (res != 0)
-		return res;
+	if (res == 0 && (t2.tv_sec - t1.tv_sec) < 5)
+		LOGINFO("Connected to vold (%s)\n", vdcResult.Output.c_str());
+	else if (res == VD_ERR_VOLD_OPERATION_TIMEDOUT)
+		return VD_ERR_VOLD_OPERATION_TIMEDOUT; // should never happen for getpwtype
+	else if (res)
+		return VD_ERR_FORK_EXECL_ERROR;
+	else if (vdcResult.ResponseCode != -1)
+		return VD_ERR_VOLD_UNEXPECTED_RESPONSE;
+	else
+		return VD_ERR_VDC_FAILED_TO_CONNECT;
 
-	LOGDECRYPT("Connected to vold (%s)\n", vdc_res.c_str());
 
 	// Input password from GUI, or default password
-	vdc_res.clear();
-	res = TWFunc::Exec_Cmd(vdc_cryptfs_cmd("passwd") + " checkpw '" + Password + "'", vdc_res);
-	std::replace(vdc_res.begin(), vdc_res.end(), '\n', ' '); // remove newline(s)
-	LOGDECRYPT("vdc cryptfs result (passwd): %s (ret=%d)\n", vdc_res.c_str(), res);
-	vdc_r1 = vdc_r2 = vdc_r3 = -1;
-	sscanf(vdc_res.c_str(), "%d %d %d", &vdc_r1, &vdc_r2, &vdc_r3);
+	res = Exec_vdc_cryptfs("checkpw", Password, &vdcResult);
+	if (res == VD_ERR_VOLD_OPERATION_TIMEDOUT)
+		return VD_ERR_VOLD_OPERATION_TIMEDOUT;
+	else if (res)
+		return VD_ERR_FORK_EXECL_ERROR;
 
-	if (vdc_r3 != 0) {
+	LOGINFO("vdc cryptfs result (passwd): %s (ret=%d)\n", vdcResult.Output.c_str(), res);
+	/*
+	if (res == 0 && vdcResult.ResponseCode != COMMAND_OKAY)
+		return VD_ERR_VOLD_UNEXPECTED_RESPONSE;
+	*/
+
+	if (vdcResult.Message != 0) {
 		// try falling back to Lollipop hex passwords
 		string hexPassword = convert_key_to_hex_ascii(Password);
-		vdc_res.clear();
-		res = TWFunc::Exec_Cmd(vdc_cryptfs_cmd("hex_pw") + " checkpw '" + hexPassword + "'", vdc_res);
-		std::replace(vdc_res.begin(), vdc_res.end(), '\n', ' '); // remove newline(s)
-		LOGDECRYPT("vdc cryptfs result (hex_pw): %s (ret=%d)\n", vdc_res.c_str(), res);
-		vdc_r1 = vdc_r2 = vdc_r3 = -1;
-		sscanf(vdc_res.c_str(), "%d %d %d", &vdc_r1, &vdc_r2, &vdc_r3);
+		res = Exec_vdc_cryptfs("checkpw", hexPassword, &vdcResult);
+		if (res == VD_ERR_VOLD_OPERATION_TIMEDOUT)
+			return VD_ERR_VOLD_OPERATION_TIMEDOUT;
+		else if (res)
+			return VD_ERR_FORK_EXECL_ERROR;
+
+		LOGINFO("vdc cryptfs result (hex_pw): %s (ret=%d)\n", vdcResult.Output.c_str(), res);
+		/*
+		if (res == 0 && vdcResult.ResponseCode != COMMAND_OKAY)
+			return VD_ERR_VOLD_UNEXPECTED_RESPONSE;
+		*/
 	}
 
 	// vdc's return value is dependant upon source origin, it will either
-	// return 0 or vdc_r1, so disregard and focus on decryption instead
-	if (vdc_r3 == 0) {
+	// return 0 or ResponseCode, so disregard and focus on decryption instead
+	if (vdcResult.Message == 0) {
 		// Decryption successful wait for crypto blk dev
-		wait_for_property("ro.crypto.fs_crypto_blkdev");
-		res = 0;
+		Wait_For_Property("ro.crypto.fs_crypto_blkdev");
+		res = VD_SUCCESS;
+	} else if (vdcResult.ResponseCode != COMMAND_OKAY) {
+		res = VD_ERR_VOLD_UNEXPECTED_RESPONSE;
 	} else {
-		res = -1;
+		res = VD_ERR_DECRYPTION_FAILED;
 	}
 
 	return res;
 }
 
-bool Symlink_Vendor_Folder(void) {
-	bool is_vendor_symlinked = false;
-
-	if (PartitionManager.Is_Mounted_By_Path("/vendor")) {
-		LOGDECRYPT("vendor partition mounted, skipping /vendor substitution\n");
-	}
-	else if (TWFunc::Path_Exists("/system/vendor")) {
-		LOGDECRYPT("Symlinking vendor folder...\n");
-		if (TWFunc::Path_Exists("/vendor") && rename("/vendor", "/vendor-orig") != 0) {
-			LOGDECRYPT("Failed to rename original /vendor folder: %s\n", strerror(errno));
-		} else {
-			TWFunc::Recursive_Mkdir("/vendor/firmware/keymaster");
-			LOGDECRYPT_KMSG("Symlinking /system/vendor/lib64 to /vendor/lib64 (res=%d)\n",
-				symlink("/system/vendor/lib64", "/vendor/lib64")
-			);
-			LOGDECRYPT_KMSG("Symlinking /system/vendor/lib to /vendor/lib (res=%d)\n",
-				symlink("/system/vendor/lib", "/vendor/lib")
-			);
-			is_vendor_symlinked = true;
-			property_set("vold_decrypt.symlinked_vendor", "1");
-		}
-	}
-	return is_vendor_symlinked;
-}
-
-void Restore_Vendor_Folder(void) {
-	property_set("vold_decrypt.symlinked_vendor", "0");
-	TWFunc::removeDir("/vendor", false);
-	rename("/vendor-orig", "/vendor");
-}
-
-bool Symlink_Firmware_Folder(void) {
-	bool is_firmware_symlinked = false;
-
-	if (PartitionManager.Is_Mounted_By_Path("/firmware")) {
-		LOGDECRYPT("firmware partition mounted, skipping /firmware substitution\n");
-	} else {
-		LOGDECRYPT("Symlinking firmware folder...\n");
-		if (TWFunc::Path_Exists("/firmware") && rename("/firmware", "/firmware-orig") != 0) {
-			LOGDECRYPT("Failed to rename original /firmware folder: %s\n", strerror(errno));
-		} else {
-			TWFunc::Recursive_Mkdir("/firmware/image");
-			is_firmware_symlinked = true;
-			property_set("vold_decrypt.symlinked_firmware", "1");
-		}
-	}
-	return is_firmware_symlinked;
-}
-
-void Restore_Firmware_Folder(void) {
-	property_set("vold_decrypt.symlinked_firmware", "0");
-	TWFunc::removeDir("/firmware", false);
-	rename("/firmware-orig", "/firmware");
-}
-
-void Symlink_Firmware_Files(bool is_vendor_symlinked, bool is_firmware_symlinked) {
-	if (!is_vendor_symlinked && !is_firmware_symlinked)
-		return;
-
-	LOGDECRYPT("Symlinking firmware files...\n");
-	string result_of_find;
-	TWFunc::Exec_Cmd("find /system -name keymaste*.* -type f -o -name cmnlib.* -type f 2>/dev/null", result_of_find);
-
-	stringstream ss(result_of_find);
-	string line;
-	int count = 0;
-
-	while(getline(ss, line)) {
-		const char *fwfile = line.c_str();
-		string base_name = TWFunc::Get_Filename(line);
-		count++;
-
-		if (is_firmware_symlinked) {
-			LOGDECRYPT_KMSG("Symlinking %s to /firmware/image/ (res=%d)\n", fwfile,
-				symlink(fwfile, ("/firmware/image/" + base_name).c_str())
-			);
-		}
-
-		if (is_vendor_symlinked) {
-			LOGDECRYPT_KMSG("Symlinking %s to /vendor/firmware/ (res=%d)\n", fwfile,
-				symlink(fwfile, ("/vendor/firmware/" + base_name).c_str())
-			);
-
-			LOGDECRYPT_KMSG("Symlinking %s to /vendor/firmware/keymaster/ (res=%d)\n", fwfile,
-				symlink(fwfile, ("/vendor/firmware/keymaster/" + base_name).c_str())
-			);
-		}
-	}
-	LOGDECRYPT("%d file(s) symlinked.\n", count);
-}
-
-#ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
-vector<AdditionalService> Get_List_Of_Additional_Services (void) {
-	vector<AdditionalService> services;
-
-	vector<string> service_names = TWFunc::Split_String(TW_CRYPTO_SYSTEM_VOLD_SERVICES, " ");
-
-	for (size_t i = 0; i < service_names.size(); ++i) {
-		AdditionalService svc;
-		svc.service_name = service_names[i];
-		services.push_back(svc);
-	}
-
-	return services;
-}
-#endif
-
-int vold_decrypt(string Password)
-{
+int Vold_Decrypt_Core(const string& Password) {
 	int res;
-	bool output_dmesg_to_log = false;
 	bool is_vendor_symlinked = false;
 	bool is_firmware_symlinked = false;
+	bool is_fstab_symlinked = false;
 	bool is_vold_running = false;
 
 	if (Password.empty()) {
-		LOGDECRYPT("vold_decrypt: password is empty!\n");
-		return -1;
+		LOGINFO("vold_decrypt: password is empty!\n");
+		return VD_ERR_PASSWORD_EMPTY;
 	}
 
 	// Mount system and check for vold and vdc
 	if (!PartitionManager.Mount_By_Path("/system", true)) {
-		return -1;
+		return VD_ERR_UNABLE_TO_MOUNT_SYSTEM;
 	} else if (!TWFunc::Path_Exists("/system/bin/vold")) {
-		LOGDECRYPT("ERROR: /system/bin/vold not found, aborting.\n");
-		gui_msg(Msg(msg::kError, "decrypt_data_vold_os_missing=Missing files needed for vold decrypt: {1}")("/system/bin/vold"));
-		return -1;
+		LOGINFO("ERROR: /system/bin/vold not found, aborting.\n");
+		return VD_ERR_MISSING_VOLD;
 	} else if (!TWFunc::Path_Exists("/system/bin/vdc")) {
-		LOGDECRYPT("ERROR: /system/bin/vdc not found, aborting.\n");
-		gui_msg(Msg(msg::kError, "decrypt_data_vold_os_missing=Missing files needed for vold decrypt: {1}")("/system/bin/vdc"));
-		return -1;
+		LOGINFO("ERROR: /system/bin/vdc not found, aborting.\n");
+		return VD_ERR_MISSING_VDC;
 	}
 
 	fp_kmsg = fopen("/dev/kmsg", "a");
 
-	LOGDECRYPT("TW_CRYPTO_USE_SYSTEM_VOLD := true\n");
-	LOGDECRYPT("Attempting to use system's vold for decryption...\n");
+	LOGINFO("TW_CRYPTO_USE_SYSTEM_VOLD := true\n");
 
-#ifndef TW_CRYPTO_SYSTEM_VOLD_DISABLE_TIMEOUT
-	has_timeout = TWFunc::Path_Exists("/sbin/timeout");
-	if (!has_timeout)
-		LOGDECRYPT("timeout binary not found, disabling timeout in vold_decrypt!\n");
-#endif
+	// just cache the result to avoid unneeded duplicates in recovery.log
+	LOGINFO("Checking existence of vendor and firmware partitions...\n");
+	is_Vendor_Mounted();
+	is_Firmware_Mounted();
+
+	LOGINFO("Attempting to use system's vold for decryption...\n");
 
 #ifdef TW_CRYPTO_SYSTEM_VOLD_DEBUG
-	has_strace = TWFunc::Path_Exists("/sbin/strace");
-	if (!has_strace)
-		LOGDECRYPT("strace binary not found, disabling strace in vold_decrypt!\n");
-	pid_t pid_strace = strace_init();
+	Strace_init_Start();
 #endif
 
 #ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
@@ -456,74 +1017,61 @@
 
 	// Check if TWRP is running any of the services
 	for (size_t i = 0; i < Services.size(); ++i) {
-		if (Service_Exists(Services[i].service_name))
-			Services[i].twrp_svc_name = Services[i].service_name;
-		else if (Service_Exists("sbin" + Services[i].service_name))
-			Services[i].twrp_svc_name = "sbin" + Services[i].service_name;
-		else
-			Services[i].twrp_svc_name.clear();
-
-		if (!Services[i].twrp_svc_name.empty() && !Is_Service_Stopped(Services[i].twrp_svc_name)) {
+		if (!Services[i].TWRP_Service_Name.empty() && !Is_Service_Stopped(Services[i].TWRP_Service_Name)) {
 			Services[i].resume = true;
-			Stop_Service(Services[i].twrp_svc_name);
+			Stop_Service(Services[i].TWRP_Service_Name);
 		} else
 			Services[i].resume = false;
-
-		// vold_decrypt system services have to be named sys_{service} in the .rc files
-		Services[i].service_name = "sys_" + Services[i].service_name;
 	}
 #endif
 
-	LOGDECRYPT("Setting up folders and permissions...\n");
+	LOGINFO("Setting up folders and permissions...\n");
+	is_fstab_symlinked = Symlink_Recovery_Fstab();
 	is_vendor_symlinked = Symlink_Vendor_Folder();
 	is_firmware_symlinked = Symlink_Firmware_Folder();
 	Symlink_Firmware_Files(is_vendor_symlinked, is_firmware_symlinked);
 
-	set_needed_props();
+	Set_Needed_Properties();
 
 	// Start services needed for vold decrypt
-	LOGDECRYPT("Starting services...\n");
+	LOGINFO("Starting services...\n");
 #ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
 	for (size_t i = 0; i < Services.size(); ++i) {
-		Services[i].is_running = Start_Service(Services[i].service_name);
+		if (Services[i].exists)
+			Services[i].is_running = Start_Service(Services[i].VOLD_Service_Name);
 	}
 #endif
 	is_vold_running = Start_Service("sys_vold");
 
 	if (is_vold_running) {
-
 #ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
 		for (size_t i = 0; i < Services.size(); ++i) {
-			if (!Is_Service_Running(Services[i].service_name) && Services[i].resume) {
+			if (Services[i].exists && !Is_Service_Running(Services[i].VOLD_Service_Name) && Services[i].resume) {
 				// if system_service has died restart the twrp_service
-				LOGDECRYPT("%s is not running, resuming %s!\n", Services[i].service_name.c_str(), Services[i].twrp_svc_name.c_str());
-				Start_Service(Services[i].twrp_svc_name);
+				LOGINFO("%s is not running, resuming %s!\n", Services[i].VOLD_Service_Name.c_str(), Services[i].TWRP_Service_Name.c_str());
+				Start_Service(Services[i].TWRP_Service_Name);
 			}
 		}
 #endif
-
-		res = run_vdc(Password);
+		res = Run_vdc(Password);
 
 		if (res != 0) {
-			// Decryption was unsuccessful
-			LOGDECRYPT("Decryption failed\n");
-			output_dmesg_to_log = true;
+			LOGINFO("Decryption failed\n");
 		}
 	} else {
-		LOGDECRYPT("Failed to start vold\n");
-		TWFunc::Exec_Cmd("echo \"$(getprop | grep init.svc)\" >> /dev/kmsg");
-		output_dmesg_to_log = true;
+		LOGINFO("Failed to start vold\n");
+		res = VD_ERR_VOLD_FAILED_TO_START;
 	}
 
 	// Stop services needed for vold decrypt so /system can be unmounted
-	LOGDECRYPT("Stopping services...\n");
+	LOGINFO("Stopping services...\n");
 	Stop_Service("sys_vold");
 #ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
 	for (size_t i = 0; i < Services.size(); ++i) {
-		if (!Is_Service_Running(Services[i].service_name) && Services[i].resume)
-			Stop_Service(Services[i].twrp_svc_name);
-		else
-			Stop_Service(Services[i].service_name);
+		if (!Is_Service_Running(Services[i].VOLD_Service_Name) && Services[i].resume)
+			Stop_Service(Services[i].TWRP_Service_Name);
+		else if (Services[i].exists)
+			Stop_Service(Services[i].VOLD_Service_Name);
 	}
 #endif
 
@@ -531,52 +1079,28 @@
 		Restore_Firmware_Folder();
 	if (is_vendor_symlinked)
 		Restore_Vendor_Folder();
+	if (is_fstab_symlinked)
+		Restore_Recovery_Fstab();
 
 	if (!PartitionManager.UnMount_By_Path("/system", true)) {
 		// PartitionManager failed to unmount /system, this should not happen,
 		// but in case it does, do a lazy unmount
-		LOGDECRYPT("WARNING: system could not be unmounted normally!\n");
-		TWFunc::Exec_Cmd("umount -l /system");
+		LOGINFO("WARNING: system could not be unmounted normally!\n");
+		umount2("/system", MNT_DETACH);
 	}
 
-	LOGDECRYPT("Finished.\n");
+	LOGINFO("Finished.\n");
 
 #ifdef TW_CRYPTO_SYSTEM_VOLD_SERVICES
 	// Restart previously running services
 	for (size_t i = 0; i < Services.size(); ++i) {
 		if (Services[i].resume)
-			Start_Service(Services[i].twrp_svc_name);
+			Start_Service(Services[i].TWRP_Service_Name);
 	}
 #endif
 
 #ifdef TW_CRYPTO_SYSTEM_VOLD_DEBUG
-	if (pid_strace > 0) {
-		LOGDECRYPT_KMSG("Stopping strace_init (pid=%d)\n", pid_strace);
-		int timeout;
-		int status;
-		pid_t retpid = waitpid(pid_strace, &status, WNOHANG);
-
-		kill(pid_strace, SIGTERM);
-		for (timeout = 5; retpid == 0 && timeout; --timeout) {
-			sleep(1);
-			retpid = waitpid(pid_strace, &status, WNOHANG);
-		}
-		if (retpid)
-			LOGDECRYPT_KMSG("strace_init terminated successfully\n");
-		else {
-			// SIGTERM didn't work, kill it instead
-			kill(pid_strace, SIGKILL);
-			for (timeout = 5; retpid == 0 && timeout; --timeout) {
-				sleep(1);
-				retpid = waitpid(pid_strace, &status, WNOHANG);
-			}
-			if (retpid)
-				LOGDECRYPT_KMSG("strace_init killed successfully\n");
-			else
-				LOGDECRYPT_KMSG("strace_init took too long to kill, may be a zombie process\n");
-		}
-	}
-	output_dmesg_to_log = true;
+	Strace_init_Stop();
 #endif
 
 	// Finish up and exit
@@ -585,14 +1109,18 @@
 		fclose(fp_kmsg);
 	}
 
-	if (output_dmesg_to_log)
-		output_dmesg_to_recoverylog();
-
-	// Finally check if crypto device is up
-	if (wait_for_property("ro.crypto.fs_crypto_blkdev", 0) != "error")
-		res = 0;
-	else
-		res = -1;
-
 	return res;
 }
+
+} // namespace
+
+/*
+ * Common vold Response Codes / Errors:
+ * 406 (OpFailedStorageNotFound) -> Problem reading or parsing fstab
+ *
+ */
+
+/* Main function separated from core in case we want to return error info */
+int vold_decrypt(const string& Password) {
+	return Vold_Decrypt_Core(Password);
+}
diff --git a/crypto/vold_decrypt/vold_decrypt.h b/crypto/vold_decrypt/vold_decrypt.h
index 70db404..ba7a747 100644
--- a/crypto/vold_decrypt/vold_decrypt.h
+++ b/crypto/vold_decrypt/vold_decrypt.h
@@ -21,6 +21,22 @@
 
 #include <string>
 
-int vold_decrypt(std::string Password);
+// -_-
+enum {
+	VD_SUCCESS                      = 0,
+	VD_ERR_DECRYPTION_FAILED        = -1,
+	VD_ERR_UNABLE_TO_MOUNT_SYSTEM   = -2,
+	VD_ERR_MISSING_VOLD             = -3,
+	VD_ERR_MISSING_VDC              = -4,
+	VD_ERR_VDC_FAILED_TO_CONNECT    = -5,
+	VD_ERR_VOLD_FAILED_TO_START     = -6,
+	VD_ERR_VOLD_UNEXPECTED_RESPONSE = -7,
+	VD_ERR_VOLD_OPERATION_TIMEDOUT  = -8,
+	VD_ERR_FORK_EXECL_ERROR         = -9,
+	VD_ERR_PASSWORD_EMPTY           = -10,
+};
+
+
+int vold_decrypt(const std::string& Password);
 
 #endif // _VOLD_DECRYPT_H
diff --git a/partitionmanager.cpp b/partitionmanager.cpp
index 54ce691..7adcc9f 100644
--- a/partitionmanager.cpp
+++ b/partitionmanager.cpp
@@ -1658,6 +1658,16 @@
 #ifdef TW_CRYPTO_USE_SYSTEM_VOLD
 	if (pwret != 0) {
 		pwret = vold_decrypt(Password);
+		switch (pwret) {
+			case VD_SUCCESS:
+				break;
+			case VD_ERR_MISSING_VDC:
+				gui_msg(Msg(msg::kError, "decrypt_data_vold_os_missing=Missing files needed for vold decrypt: {1}")("/system/bin/vdc"));
+				break;
+			case VD_ERR_MISSING_VOLD:
+				gui_msg(Msg(msg::kError, "decrypt_data_vold_os_missing=Missing files needed for vold decrypt: {1}")("/system/bin/vold"));
+				break;
+		}
 	}
 #endif // TW_CRYPTO_USE_SYSTEM_VOLD