Related
This is a basic gui I wrote to unlock my encrypted partitions during boot.
I'm running my /data and /sdcard partitions encrypted, and the "luksunlock" binary is launched from init.rc to read the password and unlock the encrypted partitions.
I have included my somewhat modified init.rc for those interested.
For more information about LUKS on Android see this blogpost, written by shawn (Seems I'm not allowed to have urls in the post, but Google for 'android luks' , first hit)
This works good on Wildfire, altough it should work fine on other phones as well. Just remember that you need to set up your partitions as in the luksunlock.c (or change the defines).
Dont forget to backup before you start playing around!
Good luck!
Thanks! i'll give a try!
Hi,
I tried to use your cryptsetup binary from your blog, but I have some issues that you'll sure have an answer:
I run ./cryptsetup luksFormat -c aes-plain /dev/block/loop2 and after i put the luks password it says 'Command failed', no logs, no other output, even using the -v flag...
Any clue?
Thanks in advance!
PS: the module dm-crypt is necessary for cryptsetup? could be this the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod
tusabe said:
Hi,
I tried to use your cryptsetup binary from your blog, but I have some issues that you'll sure have an answer:
I run ./cryptsetup luksFormat -c aes-plain /dev/block/loop2 and after i put the luks password it says 'Command failed', no logs, no other output, even using the -v flag...
Any clue?
Thanks in advance!
PS: the module dm-crypt is necessary for cryptsetup? could be this the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod
Click to expand...
Click to collapse
CM6.1 for wildfire uses a 2.6.32 kernel (see HCDR.jacob's post about his custom kernel for more info)
tusabe said:
PS: the module dm-crypt is necessary for cryptsetup? could be this the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod
Click to expand...
Click to collapse
Yeah you really need dm-crypt support, either compiled into the kernel or as a module. You also need the AES ciphers support.
sigkill1337 said:
Yeah you really need dm-crypt support, either compiled into the kernel or as a module. You also need the AES ciphers support.
Click to expand...
Click to collapse
Hi! Yeah, that's what I was afraid of.... ok, but the problem is that i'm running CM6.1 with 2.6.35.9 which has no dm-crypt module neither compiled in kernel... where can i find some kernel with this modules included? Is for an HTC Desire (@Sympnotic )
Thanks in advance!
Great work and thanks for sharing @Sigkill. Working on building it here for my NexusOne with CM6.1.
BTW, I’m the lead on a project working on general secure Android distro – we’ve ported Tor, have an OTR IM app, and have supported other projects along those lines. Would love to talk more about supporting anyone working on this specific capability.
wow! awesome work!!! Very exciting news. Gonna give this a go on my MyTouch Slide
NathanFreitas said:
Great work and thanks for sharing @Sigkill. Working on building it here for my NexusOne with CM6.1.
BTW, I’m the lead on a project working on general secure Android distro – we’ve ported Tor, have an OTR IM app, and have supported other projects along those lines. Would love to talk more about supporting anyone working on this specific capability.
Click to expand...
Click to collapse
Seems really nice. I like the secure phone concept.
New Makefile and wiki info up
_hc from the @guardianproject has a new build process up for Crypsetup/LUKS which includes a Makefile compatible with Android NDK r5.
We have new instructions up on our wiki, as well.
I cannot post links under this account, but you can find the info on github if you search "LUKS" or just under our guardianproject account.
How did you create the encrypted partitions? Could you give some pointers for that. I am familiar with using dmcrypt/cryptsetup on desktop linux, I guess this works similar. What are the relevant device names? Did you run into any problems?
Calavera1 said:
How did you create the encrypted partitions? Could you give some pointers for that. I am familiar with using dmcrypt/cryptsetup on desktop linux, I guess this works similar. What are the relevant device names? Did you run into any problems?
Click to expand...
Click to collapse
Hi, sorry for the late answer,
/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 [email protected] /encrypted-data nosuid nodev
The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted
I created the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.
The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.
I did run in to one problem recently, my phone hung during boot, about 4 months after I started encrypting my phone.
Had to copy my data.encrypted file to my computer, mount it as a loopback device and do a fsck, and then copy it back to my phone.
I suspect this has to do with the filesystem not being umounted properly. (I have had this on my to do list for a while hehe)
Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy
I also want to fix it so my "/dev/block/mmcblk0p2" partition gets presented to my computer when i attach my usb cable (as it should do), so i can unlock it in ubuntu and copy images and files. Right now i have to take my memorycard out and put it into the computer.
I hope this post makes sense, it was written in haste =) Good luck!
sigkill1337 said:
Hi, sorry for the late answer,
/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 [email protected] /encrypted-data nosuid nodev
The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted
I created the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.
The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.
I did run in to one problem recently, my phone hung during boot, about 4 months after I started encrypting my phone.
Had to copy my data.encrypted file to my computer, mount it as a loopback device and do a fsck, and then copy it back to my phone.
I suspect this has to do with the filesystem not being umounted properly. (I have had this on my to do list for a while hehe)
Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy
I also want to fix it so my "/dev/block/mmcblk0p2" partition gets presented to my computer when i attach my usb cable (as it should do), so i can unlock it in ubuntu and copy images and files. Right now i have to take my memorycard out and put it into the computer.
I hope this post makes sense, it was written in haste =) Good luck!
Click to expand...
Click to collapse
I figured most of that out without your post and tried it on my desire (I created the luks partitions with adb on the phone though, worked anyway ). Then I couldn't figure out where my regular init.rc is stored (I could only find the one used by Clockwork Recovery), and then I figured I already spent enough time, tried a reboot (which of course didn't work). Then I couldn't even get into recovery (probably because its init.rc tries to mount /data which doesn't work? I didn't investigate any further). Flashed my backup with fastboot and was stuck again with my un-encrypted pre-experiment state
Oddly enough, it was no problem to unlock my encrypted SD-card from my computer (running ubuntu) while in recovery (clockword has an option to present the sd card to a computer connected via usb). Maybe the booted system handles this differently than recovery though? I didn't get a chance to try, as I couldn't boot after my encryption attempt.
I will try again after my algorithm and data structure exam this friday and report back
Is anybody using the UI on another device than the Wildfire? Does it work?
How much is the performance drain when using an encrypted /data partition?
Amazing work!
Did anyone manage to make sigkill1337's luksunlock build from source ?
I would like to change the path of the data/sdcard partitions to match my device but I tried many ways using the NDK and I can't get it to compile properly.
Is there any way to do this ?
I have been trying for days, I am getting literaly insane !
@sigkill1337 : could you give me some pointers ? I would appreciate a lot.
mount manpage said:
The bind mounts.
Since Linux 2.4.0 it is possible to remount part of the file hierarchy somewhere else. The call is
mount --bind olddir newdir
or shortoption
mount -B olddir newdir
or fstab entry is:
/olddir /newdir none bind
After this call the same contents is accessible in two places. One can also remount a single file (on a single file).
This call attaches only (part of) a single filesystem, not possible submounts. The entire file hierarchy including submounts is attached a second place using
mount --rbind olddir newdir
or shortoption
mount -R olddir newdir
Note that the filesystem mount options will remain the same as those on the original mount point, and cannot be changed by passing the -o option along with --bind/--rbind. The mount options can be changed by a separate remount command, for example:
mount --bind olddir newdir
mount -o remount,ro newdir
Click to expand...
Click to collapse
If nothing helps, you should always be able to bindmount it
I'd rather get sigkill1337's UI to compile...
Lots of nice security tweaks and settings could be done with a pre-boot GUI
Anyway, concerning encryption, I'll use the bind option for now, thanks for the tip.
But if anyone here could give me some pointers about compiling this stuff it would be great.
I managed to compile it by integrating luksunlock in Android source externals and main.mk but when I push it to my phone and modify init.rc to call it, it just does not work...
Other modifications are working (mount, mkdir, etc.) but the GUI won't show up
Sorry for the late reply.. But you could try running it from a shell when the phone is booted, just to verify that the binary starts (thats how I tested it without having to reboot my phone all the time)
My environment for building the source was setup using one of the tutorials online, nothing out of the ordinary
Im still running this on my phone, for almost 8 months now, I havent noticed that much in performance problems, the Wildfire was slow before i started using luks.
When i get a new phone (maybe SE Arc) i will be easier to see if performance is affected
There is an Issue for getting CM support for encrypted filesystems during boot:
Issue 2736: support encrypted filesystem from boot
If you want to get that feature, just "star" it, so it may get more attention.
I have a complete setup for the Nexus 7, part of a product we are working on, that I need to easily clone on "virgin" tablets for production. The app requires a rooted OS.
I want to write an installation script using fastboot to unlock the bootloader, erase partitions, then flash them with .img files for each partition (kernel, system, cache, etc.).
How do I extract .img files from my "master" tablet? I have an understanding from some where that these are simple byte-for-byte dumps of the partition -- is this true? As such can I create a .img file by simple doing 'cat blkfile >file.img' where "blkfile" is the appropriate block device for the partition in question?
Or do I need to use 'dd'? Or something else?
I have searched and searched, and can't find an anwer. I've found other answers using some tools to create these files from a build on a PC, but nothing about creating them from an existing tablet.
Thanks in advance!
Use the dd command. You can use it both to dump and write a partition. It's how I install recovery programs like TWRP
Sent from my Nexus 7
You can use dd for the boot partition and recovery partition - they are raw binary blobs. (Don't use dd on other Android devices, esp. those that have MTD flash devices, though - it only works most of the time there)
If you want to use the same fastboot-based scenario that Google uses for factory image sets, then for the system & userdata image files you will need to find out about "sparse ext4 filesystem images"
If you took a raw block-device based dump of any of your tablet ext4 partitions, you could actually take those image files and mount them on any other linux machine (using a loopback mount procedure).
But you will find that if you attempt to do that with the Google factory ".img" files (for system & userdata partitions), they will not mount. It's not a simple matter of a offset superblock, either.
Since these are the formats that the stock recovery expects, I suppose you ought to use those formats if you want to do the "all at once all partitions" fastboot flashing if you plan on using the stock recovery.
Note that there is absolutely nothing that prevents you from unpacking whatever you want from whatever archive format you want - so long as the recovery's busybox supports the archive format correctly - you could use cpio or pax or tar archives for that matter. (The stock recovery's "toolbox" has very little functionality, so this comment applies to custom recoveries, which typically have more robust functionality in their busybox) You will be writing your own scripts to do those things though, typically either in one of two ways:
1.A mount target filesystem partition
1.B do a deep recursive remove at that mountpoint ( rm -rf * )
1.C unpack your archive into same mount point ( tar xf archive.tar, etc)
1.D unmount the mount point
OR
2.A unmount target partition and zero it out (dd if=/dev/zero, flash_erase, etc)
2.B recreate filesystem in partition (mke2fs -t ext4 etc)
2.C mount target filesystem
2.D unpack your archive into the same mount point (tar xf archive, pax, cpio, unyaffs2, etc)
2.E unmount that mountpoint
Even though this post is for the Samsung Galaxy S II, the same thing applies to the factory Nexus 7 images from Google:
http://forum.xda-developers.com/showthread.php?t=1081239
As that thread mentions, the simg2img and mkuserimg.sh programs are part of the Android project.
Here's a Nexus 7 thread where the contributor built the tools for both x86 linux and arm linux
Finally, I should note that because /system is typically mounted read-only, imaging /system from the live OS is no big deal. Trying to do the same thing with /data is an extremely dopey idea, however. Accurate backups are rarely made from live read-write filesystems.
cheers
Thank you so much for all the great information! I hit thanks for both of you.
The link to the nexus 7 thread is what I need... This is for my company, and I need a simple cloning solution that can be performed by a non-technical assembly person. The fastboot install procedure is about as simple as it gets.
Thanks again!
Not revolutionary (especially since zips work on stock recovery), maybe not even new on other variations, but still I thought worth bring up as at least it's new for for this variant in JB:
Now in JB for korean GSII we finally have a hidden partition(for better or worse) and it can be used to get root. I have no idea if this can apply at all to other variants of the gs2
On the SK ROM this partition contains nothing but apps (apks) which are all readable (I think they must be to work, but anyway they are). Most are probably arguably bloatware anyway, but it looks like some might be desirable or even fairly fundamental, I'm not sure yet.
It also turns out that it is possible to execute setuid-root files from this partition but of course it's not writable without flashing it.
So it's easy to copy all the files off the so called "hidden" partition through adb without root access... add an su binary, repack with make_ext4fs and tar and reflash with odin. Then you can adb in, run /preload/su to get root, and then copy/install su/supersu into the more normal place to make it more readily available to apps.
Of course the only thing preventing this method with the /system partition was that a few files in /system were not readable without root access and copying all the file permissions, links etc correctly could be a minor pain using only toolbox or whatever. For the hidden partition, for now at least, the directory layout is very simple and all readable.
If hemidall actually worked right in linux on this device for me I could do this with one linux script.
I have not tested a straight through trial of this because I got root already, but I've tested all steps.
In the past I got stock root without flashing unsigned kernels by hijacking the ROM through KIES (freeze it right after it's decrypted), unpacking the factoryfs, adding su/supersu, repacking and flashing. This allows some other customizations anyway so is at least sort of useful, not sure this hidden partition method has any added value. Maybe it will be a useful idea at point in time though.
Hi,
After checking my Nexus, I have noticed that my system partition is quite small:
Filesystem Size Used Available Use% Mounted on
tmpfs 548.8M 52.0K 548.8M 0% /dev
tmpfs 548.8M 648.0K 548.2M 0% /tmp
/dev/block/mmcblk0p7 519.7M 8.7M 510.9M 2% /cache
/dev/block/mmcblk0p9 13.1G 441.0M 12.7G 3% /data
/dev/block/mmcblk0p9 13.1G 441.0M 12.7G 3% /sdcard
/dev/block/mmcblk0p8 787.4M 13.4M 774.0M 2% /system
Click to expand...
Click to collapse
This have two effects, as far as I know:
I can't install any Gapps greather than pico.
My apps seem to be installed in the system partition. Therefore, once it is full, the whole system gets broken.
I can't barely have apps without Trebuchet crashing in LineageOS or the app optimization failure in the stock ROM.
I have tried to increase the system partition manually by using parted and increasing the number of sectors:
System before: 1253376s to 2891775s
System after: 1253376s to 5963775s
But TWRP seems to detect the system partition always as 700MB, no matter the repartition that I have made.
I am wondering if you have ever been able to increase the system partition or if there is any room with a bigger one.
Thanks!
CodingFree said:
Hi,
After checking my Nexus, I have noticed that my system partition is quite small:
This have two effects, as far as I know:
I can't install any Gapps greather than pico.
My apps seem to be installed in the system partition. Therefore, once it is full, the whole system gets broken.
I can't barely have apps without Trebuchet crashing in LineageOS or the app optimization failure in the stock ROM.
I have tried to increase the system partition manually by using parted and increasing the number of sectors:
System before: 1253376s to 2891775s
System after: 1253376s to 5963775s
But TWRP seems to detect the system partition always as 700MB, no matter the repartition that I have made.
I am wondering if you have ever been able to increase the system partition or if there is any room with a bigger one.
Thanks!
Click to expand...
Click to collapse
You have to customize TWRP too as it is programmed for manta that has 700MB.
mr.natural said:
You have to customize TWRP too as it is programmed for manta that has 700MB.
Click to expand...
Click to collapse
Thanks, would you know if there is any specific procedure to customize it?
CodingFree said:
Thanks, would you know if there is any specific procedure to customize it?
Click to expand...
Click to collapse
You can start here: https://forum.xda-developers.com/showthread.php?t=1943625
Cannot boot recovery partition failed
Hi everyone,
I have an issue,
Yesterday I tried to install LineageOS 16 and GappsPico
Since my Manta Nexus 10 only have space for 700M, I couldnt install any type of Gapps.
So I do a partition changed.
After deleting and recreating partition, I mistakenly reboot the linux kernel. So it means my Nexus doesnt have any TWRP or anything
Right now, if I pressed power + volume up - hoping to get the recovery option - which I dont get, I only got start.
Is theres a way to fix this? or its just doom for me?
really appreciate it
Cannot boot recovery partition failed
Hi everyone,
I have an issue,
Yesterday I tried to install LineageOS 16 and GappsPico
Since my Manta Nexus 10 only have space for 700M, I couldnt install any type of Gapps.
So I do a partition changed.
After deleting and recreating partition, I mistakenly reboot the linux kernel. So it means my Nexus doesnt have any TWRP or anything
Right now, if I pressed power + volume up - hoping to get the recovery option - which I dont get, I only got start.
Is theres a way to fix this? or its just doom for me?
really appreciate it
@tongqabiz This may help you: https://forum.xda-developers.com/showpost.php?p=77992510&postcount=3
Yes it's possible. YMMV.
I was able to grab some space from the userdata partition using this guide: https://forum.xda-developers.com/nexus-4/general/guide-increase-nexus-4s-partition-space-t3800264
This guide is for Nexus 4s, but was taken from other guides built for other Nexus devices, so I took a chance with my Nexus 10 manta. The guide explains how to take the space from the cache partition which also works, but i repeated the process to set the cache back to its default size, and take the space from the userdata partition instead. Now I'm able to flash LineageOS 16 and open-gapps pico. I have some display issues with icons disappearing, and I don't seem to be ale to set any wallpaper, but I've not seen anything else causing any problem (yet). I've rooted it using addonsu (specifically for LineageOS I think?) https://mirrorbits.lineageos.org/su/20190709/addonsu-16.0-arm-signed.zip, and installed remote desktop and busybox in order to run kali.
I had to repeat some steps in the guide where i got some odd error messages about device busy and stuff e.g. when running mke2fs on newly created partitions. Naturally, don't expect to keep any data on your device if you follow this guide, and also expect to brick your device if you're careless with entering the commands.
CodingFree said:
Hi,
After checking my Nexus, I have noticed that my system partition is quite small:
This have two effects, as far as I know:
I can't install any Gapps greather than pico.
My apps seem to be installed in the system partition. Therefore, once it is full, the whole system gets broken.
I can't barely have apps without Trebuchet crashing in LineageOS or the app optimization failure in the stock ROM.
I have tried to increase the system partition manually by using parted and increasing the number of sectors:
System before: 1253376s to 2891775s
System after: 1253376s to 5963775s
But TWRP seems to detect the system partition always as 700MB, no matter the repartition that I have made.
I am wondering if you have ever been able to increase the system partition or if there is any room with a bigger one.
Thanks!
Click to expand...
Click to collapse
Hi,
I thought there was a TWRP Special image written for SELinux (TWRP-3.1.1-0-manta.img MD5: 4290afd6b1697d7f7b0d958131010676) written specifically for N10 to address this issue.
It is not the one from the TWRP site tough. Not sure where i got it from either. Check for the above checksum once you find it. I guess can't post any URL's or upload anything atm.
Cheers :fingers-crossed:
Hello,
unfortunately, my Google Keep app had just decided to wipe its db file up. (/data/data/com.google.android.keep/databases/keep.db)
It is not (and never was) synchronized to Google.
When it happened I just copied (dd'ed over adb) /dev/block/sda13.
From mount command output, I could recognized /dev/block/sda13 as /data backing block device.
Then I did some searches in the output image file and noticed it actually encrypted per file.
I learned from it OP uses FBE (file-based-encryption). I wanted to try and run some ext4 recovery tools (autopsy, undelete ...).
FBE encrypts also filenames so I can't use the generated image as is.
I checked what caused FBE on /data partition and it's the encryption setting. I read it uses the fingerprint/pattern/password to decrypt the encrypted /data.
I didn't power-off the phone since then to avoid any more losses.
My questions:
1. Given /dev/block/sda13 as an image file, how can one decrypt it and use forensics/restoration tools on it?
2. Another option - how to acquire the unencrypted /dev/block/sda13 from the running device?
3. Maybe there is some backup partition for files in /data?
4. Can I run the mentioned tools straight on some unencrypted device file? (Assuming cross-compilation to android)
5. Any caches/other places I can search for residues? (I tried dumping CursorWindow ashmem the Keep app used but the app has restarted since then)
6. OP compiled the kernel without DEVMEM. Maybe there is other option to acquire the whole RAM to try to scan for residues?
More side-notes:
- I tried other files in the Keep app directory to try to recover some residues, pictures where saved outside the db file so I was able to restore them (but what is important are the notes stored in the db itself(
- I was able to notice keep.db was replaced with an empty sqlite3 db file (for some strange reason ...). My guess was it didn't overridden the original db file so if I had the ext4 /data partition, I will be able to scan it with the tools mentioned above.
References:
* https://forum.xda-developers.com/t/...-encrypt-data-partition-on-oneplus-5.3642144/
* https://www.cs1.tf.fau.de/research/system-security-group/one-key-to-rule/
If some details are missing, please let me know!
https://www.cs1.tf.fau.de/research/system-security-group/one-key-to-rule/ is really interesting.
The problem now is how to get a full memory dump without /proc/mem and signed kernel modules.
Any help? I'm out of ideas but it seems like a solvable problem.