Hello, I am desperately trying to run a shell script from my Java app.
I tried to use Runtime.exec (http://developer.android.com/reference/java/lang/Runtime.html#exec%28java.lang.String%29) to run it, and it works except that nothing really happens and the script is not executed.
My command was "/system/bin/sh /data/local/test.sh", of course properly chmodded. I tried running the test.sh directly, and even tried opening an SH instance and pushing commands to the console via the output buffer - nothing works.
When I try to run SU, for example, using any of these methods, I get prompted for superuser access, so it does work, it just doesn't work like I want.
Does anybody have any idea what's wrong? Or an alternative way to run a script post-boot? (init.d executes too early in the startup process for my needs.)
Are you capturing the error stream, or just the output stream?
This is everything I tried:
Code:
String[] str = { "/system/bin/sh", "/data/local/test.sh" };
Process p = Runtime.getRuntime().exec(str);
p.waitFor();
Code:
Process p2 = Runtime.getRuntime().exec("/system/bin/sh /data/local/test.sh");
p2.waitFor();
Code:
Runtime runtime = Runtime.getRuntime();
Process p = runtime.exec("/system/bin/sh");
OutputStream os = p.getOutputStream();
String str = "/data/local/test.sh";
byte[] cmds = str.getBytes();
os.write(cmds);
os.flush();
os.close();
Calling just "/system/bin/sh" or "su" works - it actually waits indefinitely in each approach, but once I try to execute a script it won't budge. I also attempted to run other parametrized commands like "setprop persist.sys.use_dithering 0" and they also failed. I'll try to intercept the error stream, good point.
nik3r said:
This is everything I tried:
Code:
String[] str = { "/system/bin/sh", "/data/local/test.sh" };
Process p = Runtime.getRuntime().exec(str);
p.waitFor();
You need the "-c" option to execute a script:
Sorry I missed that in your first post.
Code:
String[] str = { "/system/bin/sh", "-c", "/data/local/test.sh" };
Process p = Runtime.getRuntime().exec(str);
p.waitFor();
nope, this is what I have
Code:
String[] str = { "/system/bin/sh", "-c", "/data/local/test.sh" };
Process p = Runtime.getRuntime().exec(str);
p.waitFor();
still no effect, the /data/local/test.sh is 0777 and only contains
Code:
echo "success" > /data/local/testresult.txt
The same command works from ADB even without the -c switch but with the exec command nothing happens.
finally progress
Update: according to the error output the file gets executed, BUT it doesn't have permission to write in /data/local/; the same problem occurs if I try to write to this dir with the Java API.
My script needs to write there, so I have only one question - is there a permission that would allow me to execute a script with access rights to the /data partition without root?
I want to modify the userdata partition after the first boot of the ROM, but I can't ask the user for root. I want to execute my tweaks and reboot the device before even the Android login wizard appears, so asking for root, which has a prompt with a timeout, is not an option.
I know of an alternative way to do it, but it's even more hacky than this and I would like to avoid someone vomiting over my code.
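The replies above ask whether the error stream is being captured, and the poster's breakthrough comes only once it is. As an added illustration, not code from this thread, here is a small Python 3 script that runs a shell script the way the poster's test.sh works and returns the exit status together with both output streams. It assumes /bin/sh and a temporary directory in place of /system/bin/sh and /data/local; the script body is constructed for the example.

```python
import os
import subprocess
import tempfile

# Same one-liner the thread's test.sh contains, but the output directory is
# taken from $1 so the example can exercise both a writable and a missing
# location (constructed for this example, not the poster's file).
SCRIPT_BODY = '#!/bin/sh\necho "success" > "$1/testresult.txt"\n'


def run_script(script_path, *args, timeout=10):
    """Run a shell script under /bin/sh and return (returncode, stdout, stderr).

    Both output streams are captured and the exit status is returned. Code
    that only reaps the child (p.waitFor() in the Java above) throws away
    exactly the information that explains a silent failure.
    """
    proc = subprocess.run(["/bin/sh", script_path, *args],
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def try_write(target_dir):
    """Run the constructed script against target_dir and summarise what happened."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "test.sh")
        with open(script, "w") as fh:
            fh.write(SCRIPT_BODY)
        os.chmod(script, 0o755)
        rc, _out, err = run_script(script, target_dir)
    result_file = os.path.join(target_dir, "testresult.txt")
    return {"returncode": rc, "stderr": err.strip(),
            "written": os.path.isfile(result_file)}


def demo():
    """A writable directory succeeds; a missing directory fails and says why."""
    with tempfile.TemporaryDirectory() as ok_dir:
        good = try_write(ok_dir)
    missing = os.path.join(tempfile.gettempdir(), "does-not-exist-example-dir")
    bad = try_write(missing)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("writable dir:", good)
    print("missing dir :", bad)
```

The second case is the situation the thread ends up in: the script runs, the redirect fails, and only the non-zero exit status and the shell's stderr line reveal it.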
Does it need to be /data/local? /data/local/tmp is world-writable on most devices.
In the end it needs to be /data/data/ actually, I want to mess with default settings of apps, system settings database for example... does that mean I need root or game over? Is there no permission for app to get access to the userdata partition?
As far as I know, the Dalvik system was set up that way on purpose to prevent errant apps from causing any problems elsewhere, and to maintain decent security (look how out of control Windows has become), so to answer your question, Yes, I believe you will need root.
nik3r said:
In the end it needs to be /data/data/ actually, I want to mess with default settings of apps, system settings database for example... does that mean I need root or game over? Is there no permission for app to get access to the userdata partition?
No, you can't write to /data/data without root (as that would be a major security risk).
Ok thanks guys I will try my dirty workaround
I'm running stock Android 4.4 on a Nexus 4. I'm trying to learn how the encryption works... Last night I had to reboot my phone and had forgotten my password. After something like 30 failed password attempts the phone was automatically factory reset without notifying me. Can't find anything about this in the source!
But what I'm really looking for is a way to extract the footer. If I understand correctly it should be the last 16 KB of the undecrypted userdata partition, which should be /dev/block/mmcblk0p23.
I've tried to extract the last 16 KB in this way:
Code:
$ blockdev --getsz /dev/block/mmcblk0p23
27596800
$ adb shell dd if=/dev/block/mmcblk0p23 of=my_footer count=32 bs=512 skip=27596768
$ adb pull my_footer
The problem is that no traces of the footer can be found anywhere in this file. Also, if I skip the "count=32" part, shouldn't it stop anyway after 16 KB? It just keeps on writing until I hit ctrl-c or the phone memory is full. The only way I managed to get part of the footer seems to be from the metadata partition with:
Code:
adb shell dd if=/dev/block/mmcblk0p18 of=my_footer
adb pull my_footer
Problem is this won't give me any keys it seems? The "magic" and version and so on is correct but I get 0x000000(...) as Encryption key and Salt when running the python script from this site:
(google for "santoku how-to-brute-force-android-encryption" I can't post links)
So.. where are the keys?
Okay I gotta correct myself now. I finally found the footer! It was in metadata after all. Here are the correct commands for Nexus 4:
Boot into recovery or anywhere you have access to adb. With the phone booted normally I had to "adb remount" and pull the files to /system because / was read-only.
Code:
dd if=/dev/block/mmcblk0p18 of=my_footer bs=512 count=32
dd if=/dev/block/mmcblk0p23 of=my_header bs=512 count=1
then
Code:
adb pull my_footer
adb pull my_header
then I made a script based on the one referred to in the earlier post and it works!
edit: Here it is
Code:
#!/usr/bin/env python
# Based on a script from https://santoku-linux.com/howto/mobile-forensics/how-to-brute-force-android-encryption
#
# Decrypts the master key found in the footer using a supplied password
# Written for Nexus 4 running 4.4.2
#
# How to get header & footer:
# dd if=/dev/block/mmcblk0p18 of=my_footer bs=512 count=32
# dd if=/dev/block/mmcblk0p23 of=my_header bs=512 count=1
#
from os import path
import sys, itertools
import time
from struct import Struct
from M2Crypto import EVP
import hashlib
import scrypt

_PARAMS = Struct("!BBBB")
KEY_LEN_BYTES = 16
IV_LEN_BYTES = 16


def main(args):
    if len(args) < 3:
        print 'Usage: python bruteforce_stdcrypto.py [header file] [footer file]'
        print ''
        print '[] = Mandatory'
    else:
        footerFile = args[2]
        headerFile = args[1]
        assert path.isfile(footerFile), "Footer file '%s' not found." % footerFile
        assert path.isfile(headerFile), "Header file '%s' not found." % headerFile
        fileSize = path.getsize(footerFile)
        assert (fileSize >= 16384), "Input file '%s' must be at least 16384 bytes" % footerFile
        result = bruteforcePIN(headerFile, footerFile)
        if result:
            print 'Correct PIN!: ' + result
        else:
            print 'Wrong PIN. :('


def bruteforcePIN(headerFile, footerFile):
    # retrieve the key and salt from the footer file
    cryptoKey, cryptoSalt = getCryptoData(footerFile)
    # load the header data for testing the password
    headerData = open(headerFile, 'rb').read(32)
    passwdTry = raw_input('Enter password: ')
    print 'Trying: ', passwdTry
    # make the decryption key from the password
    decKey = decryptDecodeKey(cryptoKey, cryptoSalt, passwdTry)
    # try to decrypt the first 32 bytes of the header data (we don't need the iv)
    decData = decryptData(decKey, "", headerData)
    # has the test worked?
    #print decData
    if decData[16:32] == "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0":
        return passwdTry
    return None


def getCryptoData(filename):
    data = open(filename, 'rb').read()
    # structure taken from cryptfs.h in 4.4.2_r1 source.
    s = Struct('<' + 'L H H L L L L L L L 64s L 48s 16s Q Q L B B B B')
    ftrMagic, majorVersion, minorVersion, ftrSize, flags, keySize, spare1, fsSize1, fsSize2, failedDecrypt, cryptoType, spare2, cryptoKey, cryptoSalt, persistoff0, persistoff1, persistsize, kdfType, N_factor, r_factor, p_factor = s.unpack(data[0:192])
    cryptoKey = cryptoKey[0:0 + keySize]
    print 'Footer File :', filename
    print 'Magic :', "0x%0.8X" % ftrMagic
    print 'Major Version :', majorVersion
    print 'Minor Version :', minorVersion
    print 'Footer Size :', ftrSize, "bytes"
    print 'Flags :', "0x%0.8X" % flags
    print 'Key Size :', keySize * 8, "bits"
    print 'FS Size 1 :', fsSize1
    print 'FS Size 2 :', fsSize2
    print 'Failed Decrypts:', failedDecrypt
    print 'Crypto Type :', cryptoType.rstrip("\0")
    print 'Encrypted Key :', "0x" + cryptoKey.encode("hex").upper()
    print 'Salt :', "0x" + cryptoSalt.encode("hex").upper()
    print 'KDF type :', kdfType
    print 'N-factor :', N_factor
    print 'r-factor :', r_factor
    print 'p-factor :', p_factor
    print '----------------'
    return cryptoKey, cryptoSalt


def decryptDecodeKey(cryptoKey, cryptoSalt, password):
    # make the key from the password
    ikey = scrypt.hash(password, cryptoSalt, 1 << 15, 1 << 3, 1 << 1, 32)
    key = ikey[:KEY_LEN_BYTES]
    iv = ikey[KEY_LEN_BYTES:]
    # do the decrypt
    cipher = EVP.Cipher(alg='aes_128_cbc', key=key, iv=iv, op=0)  # 0 is DEC
    cipher.set_padding(padding=0)
    decKey = cipher.update(cryptoKey)
    decKey = decKey + cipher.final()
    return decKey


def decryptData(decKey, essiv, data):
    # try to decrypt the actual data
    cipher = EVP.Cipher(alg='aes_128_cbc', key=decKey, iv=essiv, op=0)  # 0 is DEC
    cipher.set_padding(padding=0)
    decData = cipher.update(data)
    decData = decData + cipher.final()
    return decData


if __name__ == "__main__":
    main(sys.argv)
Hi Guys,
Code:
dd if=/dev/block/mmcblk0p18 of=my_footer bs=512 count=32
I tried with the above code to get the footer, but I didn't find any footer information there. Is it giving the exact last 16k bytes?
I used my userdata partition for the footer.
Help please - where can I get the header? From the bin image. The footer you can search for in the bin image by the string aes-cbc-essiv:sha256, and after that dd bs=1 skip=$((your found bytes-36)) count=16384 if=footer
How to install this:
1. put copymodulecrc into the /data/local/tmp folder and chmod it to 755
(adb shell chmod 755 /data/local/tmp/copymodulecrc)
2. put ntfs-3g and ntfsmount into the folder /system/bin and chmod them to 755
(adb shell chmod 755 /system/bin/ntfs-3g)
(adb shell chmod 755 /system/bin/ntfsmount)
3. put sdcardfs.ko into the folder /system/lib/modules and chmod it to 644
(adb shell chmod 644 /system/lib/modules/sdcardfs.ko)
What is next? Next:
1. In order to get it working, sdcardfs.ko must be patched to match your kernel version, since every kernel module is paired with the kernel by a version string, so if the version string does not match the module's version it will not work! So you must patch the sdcardfs.ko module using the tool called copymodulecrc! Copymodulecrc will extract the version string from any module of your stock ROM's kernel modules and copy it directly into sdcardfs.ko (patch it). First of all you need to look into your /system/lib/modules folder and use any .ko file NAME for reference in the next commands:
Code:
adb shell /data/local/tmp/copymodulecrc /system/lib/modules/PUT_NAME_OF_THE_KO_YOU_FOUND_IN_STOCK_ROM_KERNEL_MODULES /system/lib/modules/sdcardfs.ko
So replace PUT_NAME_OF_THE_KO_YOU_FOUND_IN_STOCK_ROM_KERNEL_MODULES with the name of any module you found in the modules folder! Done.
2. If you completed step 1 without errors you are ready for this step. You need to locate the script called install-recovery.sh (on most devices it is in the folder /system/etc) and add the next line:
Code:
insmod /system/lib/modules/sdcardfs.ko
Done. On every next reboot the sdcardfs kernel module will be automatically included in your kernel.
3. If you get an error in patching sdcardfs.ko, the whole thing will not work! So this step is important! You can verify success with the command: (su -c "insmod /system/lib/modules/sdcardfs.ko"); if you see an error then sdcardfs is not working, if you see nothing then it is working.
Since you completed these 3 things, you are ready to use NTFS volumes on your device! To understand these things:
1. First of all, you can not mount an NTFS volume regularly through the settings menu, since Android does not support NTFS by default! You must mount/umount your NTFS volume manually (you can use, for example, Android Terminal Emulator when you need to mount/umount NTFS). You will not see any details about the NTFS volume in the settings menu since Android does not support NTFS by default; you can see details in most file managers only.
How to mount and unmount:
1. To mount (first connect your USB NTFS volume to your device's USB port):
Code:
su -c "ntfsmount mount"
Done! Your NTFS volume is mounted by this command and you are ready to read/write it using your favorite file manager.
2. To umount (keep in mind: every time before you are going to remove the NTFS volume from your device you must unmount it!):
Code:
su -c "ntfsmount umount"
Done! You are ready to remove the NTFS volume from your USB port.
NTFS on sdcard? Yes, but you need to modify the ntfsmount script a bit! Don't ask me how you can modify it, do it yourself!
Since somebody complained here about the GPL licence: I am not ready to share the sdcardfs source code with you, since it is not GPL licenced; instead it is Apache 2.0 licenced by the Samsung guys @ 2013, and I have no need to share it with you since you wanted to see it by force! I do not like it when somebody forces me into something! Find it, patch it, make a module of it yourself.
ntfs-3g is not compiled by me, it is taken from here -> http://forum.xda-developers.com/showthread.php?t=1724078
The ntfsmount script is created by me.
Copymodulecrc: I do not know where I found it, but here is the source code:
Code:
/* copymodulecrc */
/*
 * Copyright (C) 2014 CUBE
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
#include <stdio.h>
#include <string.h>     /* memcmp, memcpy */
#include <unistd.h>     /* close */
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>

int main(int argc, char **argv) {
    struct stat st;
    off_t filesize;
    int fd;
    char *data, *pos;
    unsigned int i;
    int bFound;
    unsigned long crcval;

    if (argc != 3) {
        printf("usage: copymodulecrc [modulename(src)] [modulename(dst)]\n");
        return -1;
    }

    /* Map the source module read-only and look for the "module_layout"
     * symbol name; the 4 bytes immediately before it are that symbol's CRC. */
    if (stat(argv[1], &st) != 0) {
        fprintf(stderr, "module1 stat failed.\n");
        return -1;
    }
    filesize = st.st_size;
    fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "module1 open failed.\n");
        return -1;
    }
    data = mmap(NULL, filesize, PROT_READ, MAP_SHARED, fd, 0);
    if (data == MAP_FAILED) {
        fprintf(stderr, "module1 mmap failed.\n");
        close(fd);
        return -1;
    }
    pos = data;
    bFound = 0;
    for (i = 0; i < (filesize - 12); ++i) {
        if (memcmp((void *)pos, (void *)"module_layout", 13) == 0) {
            bFound = 1;
            break;
        }
        pos++;
    }
    if (bFound == 0) {
        fprintf(stderr, "module1 crc not found.\n");
        munmap(data, filesize);
        close(fd);
        return -1;
    }
    pos -= 4;
    memcpy((void *)&crcval, (void *)pos, 4);
    munmap(data, filesize);
    close(fd);
    printf("module crc=%08x\n", (unsigned int)crcval);

    /* Map the destination module writable (MAP_SHARED, so the store goes to
     * the file) and overwrite its module_layout CRC with the one just read. */
    if (stat(argv[2], &st) != 0) {
        fprintf(stderr, "module2 stat failed.\n");
        return -1;
    }
    filesize = st.st_size;
    fd = open(argv[2], O_RDWR);
    if (fd < 0) {
        fprintf(stderr, "module2 open failed.\n");
        return -1;
    }
    data = mmap(NULL, filesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (data == MAP_FAILED) {
        fprintf(stderr, "module2 mmap failed.\n");
        close(fd);
        return -1;
    }
    pos = data;
    bFound = 0;
    for (i = 0; i < (filesize - 12); ++i) {
        if (memcmp((void *)pos, (void *)"module_layout", 13) == 0) {
            bFound = 1;
            break;
        }
        pos++;
    }
    if (bFound == 0) {
        fprintf(stderr, "module2 crc not found.\n");
        munmap(data, filesize);
        close(fd);
        return -1;
    }
    pos -= 4;
    memcpy((void *)pos, (void *)&crcval, 4);
    munmap(data, filesize);
    close(fd);
    printf("module crc copied.\n");
    return 0;
}
And finally, the files you need to install are in the attachment, enjoy!
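Added example, not part of munjeni's post or of the copymodulecrc tool: a read-only Python 3 checker for the two things the kernel compares before it accepts a module, the module_layout CRC (the 4 bytes directly before the symbol name, which is what copymodulecrc copies) and the vermagic string from the module's .modinfo. Run it against a known-good stock module and the module you intend to load; it changes nothing and is the check to do before the insmod test in step 3 above. It makes the same "4 bytes before the name" assumption the C tool makes (32-bit modules), and the sample module images are constructed byte strings, not real .ko files.

```python
import struct

MODULE_LAYOUT = b"module_layout"
VERMAGIC_TAG = b"vermagic="


def module_layout_crc(blob):
    """Return the 32-bit CRC stored immediately before the first 'module_layout'
    string in a module image (the value copymodulecrc copies), or None if the
    string is absent or there is no room for a CRC in front of it."""
    idx = blob.find(MODULE_LAYOUT)
    if idx < 4:
        return None
    return struct.unpack_from("<I", blob, idx - 4)[0]


def vermagic(blob):
    """Return the NUL-terminated vermagic string from .modinfo, or None."""
    idx = blob.find(VERMAGIC_TAG)
    if idx < 0:
        return None
    start = idx + len(VERMAGIC_TAG)
    end = blob.find(b"\0", start)
    return blob[start:end if end >= 0 else len(blob)].decode("ascii", "replace")


def check_pairing(reference, candidate):
    """Compare a known-good module from the device with the module to be loaded.

    A module_layout CRC mismatch makes insmod refuse the module on a kernel
    built with CONFIG_MODVERSIONS; a vermagic mismatch is refused regardless,
    and copymodulecrc does not touch vermagic, so both are reported.
    """
    ref_crc, cand_crc = module_layout_crc(reference), module_layout_crc(candidate)
    ref_vm, cand_vm = vermagic(reference), vermagic(candidate)
    return {
        "reference_crc": ref_crc,
        "candidate_crc": cand_crc,
        "crc_match": ref_crc is not None and ref_crc == cand_crc,
        "reference_vermagic": ref_vm,
        "candidate_vermagic": cand_vm,
        "vermagic_match": ref_vm is not None and ref_vm == cand_vm,
    }


def make_fake_module(crc, vermagic_str):
    """Constructed stand-in for a .ko holding only the two strings the checker
    looks for, padded with filler. Real modules are ELF files; this is not one."""
    return (b"\0" * 32 + VERMAGIC_TAG + vermagic_str.encode() + b"\0" + b"\0" * 16
            + struct.pack("<I", crc) + MODULE_LAYOUT + b"\0" + b"\0" * 32)


if __name__ == "__main__":
    stock = make_fake_module(0x78563412, "3.4.0-perf SMP preempt mod_unload ARMv7 ")
    sdcardfs = make_fake_module(0x11111111, "3.4.0-perf SMP preempt mod_unload ARMv7 ")
    for name, value in check_pairing(stock, sdcardfs).items():
        print("%-20s %s" % (name, hex(value) if isinstance(value, int) else value))
```

On a real device the two arguments would be the bytes of a stock module from /system/lib/modules and of sdcardfs.ko, read with open(path, "rb").read().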
Will try late-night. Just asking, will it work on Galaxy S3-GTi9300?
Just need some clarification, when you say NTFS support, do you mean read and write or just read-only?
munjeni said:
Not going to explain in detail; here is my tool which will add NTFS support to your Android, run it and follow the instructions! If you are unable to patch the sdcardfs.ko kernel module (it gives you an error when you do insmod) then the whole thing will not work on your device. Currently tested device is Xperia Z1 Compact on Android version 14.4.A.0.108! The important thing is having sdcardfs installable, the rest is easy.
In order to have the sdcardfs module insmoded on every reboot, you need to add one line into /system/etc/install-recovery.sh :
The rest of the tutorial you can see under the application. Enjoy if you find this useful!
/system/etc/install-recovery.sh :-
- install-recovery.sh file is not available at /system/etc/.
- Is it possible to create the file and then we can insert the line?
Am using AOSP - Carbon ROM on Xperia Z..
Thank you!!
'A Munjeni Work' again!
Thanks a lot! :victory:
Looking forward for what all can I do with it.
Wow this will be amazing, cant wait to try...
anonyo said:
Just need some clarification, when you say NTFS support, do you mean read and write or just read-only?
+1
anonyo said:
Just need some clarification, when you say NTFS support, do you mean read and write or just read-only?
Quote!
Just a heads up..
On Xperia Z2 tablet with 4.4.2, connected to 1tb NTFS drive.
After modding the ko and setting all permissions, rebooting, will only "half-mount" the drive. It sees it, recognizes it, but claims drive is empty (wants to format it).
Status bar displays "Empty USB Storage"
In settings, when selecting Mount USB Storage, it briefly acts like it will mount. for a split second.
Any files I can get that can possibly help?
UPDATE: After running the mount commands via terminal, now it seems to mount it via ES File explorer. Although it sometimes still gives me the message in statusbar.
But seems to be working well.
Seeing as this patches a kernel module will it work on rooted phones with a locked bootloader?
Aborto said:
Seeing as this patches a kernel module will it work on rooted phones with a locked bootloader?
My Z2 Tablet has a locked bootloader. So yes, it should. There's nothing going on that warrants an unlocked bootloader. Just the addition of some files and permission changes, which are normal with a rooted device.
Also note, that in the Settings\Storage, it will not show up as being "mounted". At least not in my case. However, ES File Explorer has no issue with it, and shows as a USB 1052 drive under the "Local" menu. Navigation seems normal within the drive.
I get the "USB Drive Empty or Unsupported" message in the status bar, for a few seconds, but the ES FE displays the drive contents, and the message goes away after it reads drive contents. Note that it may assign a different drive identifier each time you use it.
In testing I have found apps from the market:
StickMount does not work at all on my Stock OS.
Paragon NTFS mount works, but it runs as a system process using memory and probably battery.
This mod seems to work, for the most part, as long as you use ES File Explorer.
OP - you must provide the source for any modified code covered by the GPL that you are distributing - that includes the sdcardfs kernel module, and the ntfs-3g binary. Packing them in an encrypted Windows executable does not help.
spoidar said:
OP - you must provide the source for any modified code covered by the GPL that you are distributing - that includes the sdcardfs kernel module, and the ntfs-3g binary. Packing them in an encrypted Windows executable does not help.
No he doesn't. Only the zimage (kernel) is covered under GPL.
UPDATE: Just to clarify, the matter "Has" been brought to the Developers Committee to address any possible GPL violations. The DC is more informed on GPL.
Moscow Desire said:
No he doesn't. Only the zimage (kernel) is covered under GPL.
What? No. The ntfs-3g project is licensed under the GPL. And so is the sdcardfs driver. You can't generate binaries from GPL code and distribute them without providing the source.
Need help here
After I copy copymodulecrc and sdcardfs.ko to /data/local/tmp and give the permission rwx-r-r to copymodulecrc, how do I run it? Can anybody help me here to patch sdcardfs.ko?
coolrevi said:
After I copy copymodulecrc and sdcardfs.ko to /data/local/tmp and give the permission rwx-r-r to copymodulecrc, how do I run it? Can anybody help me here to patch sdcardfs.ko?
First off, permissions must be set to 755 (rwx-rx-rx) if I'm not mistaken. Root Explorer converts it to the numerical format when you change permissions.
Next, use a terminal program (available from the play store) Make sure you run it as SU. (type SU + Enter, you will get the # sign) Then type in the commands and paths as indicated. (I copied and pasted my paths)
Moscow Desire said:
First off, permissions must be set to 755 (rwx-rx-rx) if I'm not mistaken. Root Explorer converts it to the numerical format when you change permissions.
Next, use a terminal program (available from the play store) Make sure you run it as SU. (type SU + Enter, you will get the # sign) Then type in the commands and paths as indicated. (I copied and pasted my paths)
I got as far as replacing a line in install-recovery.sh, but I am stuck there, as there is no line called ntfs.ko to replace.
Thanks for posting this up, can't wait to get home and test this out.
I am receiving the error in the screenshot.
The device that i am using is Lenovo A3500HV which contains a Jellybean 4.2.2 AOSP ROM (Hardly any modification)
Please Help
Here we go again
The new Android O developer preview is out, and when I try to boot the TWRP image via fastboot, I get a blank screen after the google logo.
I am absolutely not surprised google is keeping the devs busy all the time by changing little bits and pieces just enough to stop our stuff from working...
At least ADB is working, so I could get the log:
Code:
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
Starting TWRP 3.0.2-0-RC1-f7176b37 on Wed Jul 29 06:02:03 1970
(pid 681)
I:Lun file '/sys/class/android_usb/android0/f_mass_storage/lun0/file' does not exist, USB storage mode disabled
TW_INCLUDE_CRYPTO := true
I:Found brightness file at '/sys/class/leds/lcd-backlight/brightness'
I:Got max brightness 255 from '/sys/class/leds/lcd-backlight/max_brightness'
I:TWFunc::Set_Brightness: Setting brightness control to 80
I:LANG: en
I:AB_OTA_UPDATER := true
Starting the UI...
Overlay graphics may work (mdssfb_90000), but not enabled. Use TW_TARGET_USES_QCOM_BSP := true to enable.
setting DRM_FORMAT_RGB565 and GGL_PIXEL_FORMAT_RGB_565
cannot find/open a drm device: No such file or directory
fb0 reports (possibly inaccurate):
vi.bits_per_pixel = 32
vi.red.offset = 0 .length = 8
vi.green.offset = 8 .length = 8
vi.blue.offset = 16 .length = 8
setting GGL_PIXEL_FORMAT_RGBA_8888
double buffered
framebuffer: 0 (1080 x 1920)
Using fbdev graphics.
I:TWFunc::Set_Brightness: Setting brightness control to 80
I:Loading package: splash (/twres/splash.xml)
I:Load XML directly
I:PageManager::LoadFileToBuffer loading filename: '/twres/splash.xml' directly
I:Checking resolution...
I:Loading resources...
I:Loading variables...
I:Loading mouse cursor...
I:Loading pages...
I:Loading page splash
I:Switching packages (splash)
blacklisting hbtp_vm input device
=> Linking mtab
=> Processing recovery.fstab
I:Processing '/boot'
I:Processing '/system'
I:Processing '/system_image'
I:Processing '/vendor'
I:Processing '/vendor_image'
I:Processing '/data'
I:Processing '/misc'
I:Processing '/efs1'
I:Processing '/efs2'
I:Processing '/usb-otg'
I:Unable to mount '/data'
I:Actual block device: '/dev/block/sda35', current file system: 'ext4'
get_crypt_ftr_info crypto key location: 'footer'
Bad magic for real block device /dev/block/sda35
stack corruption detected
And this repeats. I see two things, if I'm right:
1. the ui fails to start because it doesn't find a DRM device
2. it fails to decrypt the data partition and stops there
I am not enough to solve these things, because I have no clue what is wrong. I'm calling all the devs (pointing to you @Dees_Troy) to help us again and try to figure out what needs to be done so we can enjoy full freedom on our devices, for which we spent a fortune.
I am willing to help, and try things to get this done, just let me know what I should try!
Thanks in advance!
I have run into this issue since 7.1 lol, but I can flash dev preview 2 and then, without rebooting, just fastboot boot twrp.img (RC1) and it works.
I have the same issue where booting twrp RC1 just goes into a blank screen. anyone found a fix?
eqbirvin said:
I have run into this issue since 7.1 lol, but I can flash dev preview 2 and then, without rebooting, just fastboot boot twrp.img (RC1) and it works.
hmm... then my guess is that android does something with the encryption.
I flashed DP2, booted (automatic reboot after flash-all) and then tried to fastboot boot twrp.img and got the black screen.
I have already manually flashed TWRP since, and can't boot it either. It gets stuck at the splash screen, just like it first did when it failed to decrypt the data partition (around January). Unfortunately this way there is no ADB, so no way to see what happens...
I'll try to play around with it a bit, but I have no clue about decrypting the data partition. Don't even know where to start...
Ok well we learned with the first release that it was a bootloader issue so why not attempt to flash the bootloader from the first alpha, boot TWRP and see if SU can be installed? I know you can fastboot boot older bootloaders, I'm at work or I would give it a try
ne0ns4l4m4nder said:
Ok well we learned with the first release that it was a bootloader issue so why not attempt to flash the bootloader from the first alpha, boot TWRP and see if SU can be installed? I know you can fastboot boot older bootloaders, I'm at work or I would give it a try
You mean like flash a 7.1 bootloader? Hmm, I may give that a shot.
Okay. I really reached the end of the road, because I can't compile TWRP...
What i found is:
The decryption fails with these lines:
Code:
get_crypt_ftr_info crypto key location: 'footer'
Bad magic for real block device /dev/block/sda35
stack corruption detected
In TWRP source, this Bad magic error message comes from cryptfs.c:
Code:
if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
    printf("Bad magic for real block device %s\n", fname);
    goto errout;
}
CRYPT_MNT_MAGIC is a static value, defined in cryptfs.h:
Code:
#define CRYPT_MNT_MAGIC 0xD0B5B1C4
crypt_ftr->magic comes from reading some data from fname (which has the value: /dev/block/sda35):
Code:
if ( (fd = open(fname, O_RDWR)) < 0) {
    printf("Cannot open footer file %s for get\n", fname);
    return -1;
}

/* Make sure it's 16 Kbytes in length */
fstat(fd, &statbuf);
if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
    printf("footer file %s is not the expected size!\n", fname);
    goto errout;
}

/* Seek to the start of the crypt footer */
if (lseek64(fd, starting_off, SEEK_SET) == -1) {
    printf("Cannot seek to real block device footer\n");
    goto errout;
}

if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
    printf("Cannot read real block device footer\n");
    goto errout;
}
So if we are lucky, we just have to modify the value of CRYPT_MNT_MAGIC. Some changes should be made to print the value of crypt_ftr->magic, and then change that hardcoded CRYPT_MNT_MAGIC value to that. But as I said, I didn't manage to compile TWRP on my own (yet; I've been at it for a few months).
I would appreciate the help of someone who did it already for the pixel.
OR someone who knows what the hell that magic number means.
OR someone who tells me that i'm completely wrong, and the problem is only with my device. Although I did clean flash (wiped the whole phone, with userdata and internal storage).
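Added example in Python 3, not code from this thread, from TWRP or from AOSP: a footer parser that ties together the struct layout from the Nexus 4 script earlier on the page, the dd skip calculation from the footer-extraction post, the "search for aes-cbc-essiv:sha256 and subtract 36" trick, and the CRYPT_MNT_MAGIC comparison that produces TWRP's "Bad magic" message. For a forensic or recovery workflow it tells you, before any password is tried, whether the 16 KB you pulled is a footer at all, which KDF parameters it carries, and how many failed decrypts it has recorded. The sample footer is constructed; reading the N/r/p factors as log2 exponents is how cryptfs.h defines them, which also matches the posted script's hard-coded 1<<15, 1<<3, 1<<1.

```python
import struct

# First 192 bytes of struct crypt_mnt_ftr, little-endian, in the field order
# and with the names the footer script earlier in the thread uses.
_FOOTER = struct.Struct("<L H H L L L L L L L 64s L 48s 16s Q Q L B B B B")
_FIELDS = ("magic", "major_version", "minor_version", "ftr_size", "flags",
           "key_size", "spare1", "fs_size1", "fs_size2", "failed_decrypt",
           "crypto_type", "spare2", "encrypted_key", "salt", "persist_off0",
           "persist_off1", "persist_size", "kdf_type", "N_factor", "r_factor",
           "p_factor")
CRYPT_MNT_MAGIC = 0xD0B5B1C4                                    # from cryptfs.h
CRYPTO_TYPE_OFFSET = struct.calcsize("<L H H L L L L L L L")    # 36 bytes in
FOOTER_BYTES = 16384        # the footer is the last 16 KB of the partition
SECTOR_BYTES = 512          # blockdev --getsz reports 512-byte sectors


class BadFooter(ValueError):
    """Raised for the conditions that make TWRP print 'Bad magic'."""


def footer_skip_sectors(total_sectors):
    """dd skip= (in sectors) for the footer of a partition of total_sectors."""
    footer_sectors = FOOTER_BYTES // SECTOR_BYTES
    if total_sectors < footer_sectors:
        raise ValueError("partition is smaller than one footer")
    return total_sectors - footer_sectors


def parse_crypt_footer(data):
    """Unpack and sanity-check a footer; returns a dict of its fields."""
    if len(data) < _FOOTER.size:
        raise BadFooter("need %d bytes, got %d" % (_FOOTER.size, len(data)))
    f = dict(zip(_FIELDS, _FOOTER.unpack_from(data, 0)))
    if f["magic"] != CRYPT_MNT_MAGIC:
        raise BadFooter("bad magic 0x%08X, expected 0x%08X"
                        % (f["magic"], CRYPT_MNT_MAGIC))
    if not 0 < f["key_size"] <= 48:
        raise BadFooter("key_size %d does not fit the 48-byte key field" % f["key_size"])
    f["crypto_type"] = f["crypto_type"].split(b"\0", 1)[0].decode("ascii", "replace")
    f["encrypted_key"] = f["encrypted_key"][:f["key_size"]]
    # cryptfs.h stores the scrypt cost parameters as log2 exponents
    f["scrypt"] = {"N": 1 << f["N_factor"], "r": 1 << f["r_factor"],
                   "p": 1 << f["p_factor"]}
    return f


def locate_footer(image, crypto_type=b"aes-cbc-essiv:sha256"):
    """Find a footer inside a larger dump via its crypto-type string, which sits
    36 bytes after the magic (the 'skip=$((found-36))' trick from the thread).
    Returns the byte offset of the footer, or None."""
    pos = 0
    while True:
        idx = image.find(crypto_type, pos)
        if idx < 0:
            return None
        start = idx - CRYPTO_TYPE_OFFSET
        if start >= 0 and struct.unpack_from("<L", image, start)[0] == CRYPT_MNT_MAGIC:
            return start
        pos = idx + 1


def build_sample_footer(key_size=16):
    """Constructed footer for the example; the values are not from any device."""
    key = bytes(range(1, key_size + 1)).ljust(48, b"\0")
    salt = b"\xA5" * 16
    return _FOOTER.pack(CRYPT_MNT_MAGIC, 1, 2, FOOTER_BYTES, 0, key_size, 0,
                        0x1A0000, 0, 0, b"aes-cbc-essiv:sha256", 0, key, salt,
                        0, 0, 0, 2, 15, 3, 1)


if __name__ == "__main__":
    print("dd skip for 27596800 sectors:", footer_skip_sectors(27596800))
    dump = b"\0" * 1000 + build_sample_footer() + b"\xFF" * 64
    off = locate_footer(dump)
    info = parse_crypt_footer(dump[off:])
    print("footer at offset", off, "key bits", info["key_size"] * 8,
          "scrypt", info["scrypt"], "failed decrypts", info["failed_decrypt"])
```

For the Nexus 4 numbers in the thread, footer_skip_sectors(27596800) gives the 27596768 the poster used, so the dd command was right; the footer simply was not on that partition but on the metadata one.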
I'm not sure about flashing directly; I was more thinking about fastboot booting it, then fastboot booting TWRP over that and then attempting to flash SuperSU, if that's even possible.
Also wondering what would happen if we flashed the 7.1.2 bootloader to the opposite partition, i.e. (system is slot A) then you would flash the 7.1.2 bootloader to slot B, and then possibly find a way to fastboot boot TWRP to that slot but be able to flash SU to system in slot A. All just speculation of course; I'm going on the workaround that was found to gain root access on the first release of O.
It's surprising that a bunch of people are interested in this article. But I have to say that some processes I mentioned in this article just happened to work. I don't necessarily understand why they work, which also means they probably cannot be generalized to any device. Google is making security patches to every Android release, which break some procedures in this article, including the vdc command. For anyone who wants to recover data from an encrypted device, I'm afraid you might have to do your own research, such as reading the AOSP source code, because I haven't been following the changes in AOSP since this article was written, and sorry I cannot provide useful information. Finally, I hope this article is helpful in some way, and good luck.
-----------------------------------------------------------------------------------------------------------
About a year ago I encountered such a problem: https://forum.xda-developers.com/mate-9/help/mate-9-how-to-decrypt-fbe-encrypted-t3735545
To summarize, I flashed a newer ROM with the file encryption enabled, while I already had my phone decrypted (userdata was not encrypted). I forced rebooted my phone when it was booting and encrypting my files. As a consequence, I couldn't unlock my phone or access the encrypted files.
This guide is about how to retrieve these encrypted files.
Requirements:
Device: Huawei Mate 9 MHA-AL00
ROM: EMUI 5.0.1 B233
(This guide might also work on other Huawei devices or other EMUI 5.)
Please make sure that your device is "decrypted" (i.e. boots without the "fileencryptioninline" option), rooted, and has busybox installed and available for use.
A complete userdata partition image that you need to decrypt. Usually you can make this image in TWRP using dd command.
(In this guide, you are supposed to dump the encrypted userdata partition and flash another usable system)
A terminal APP (like juicessh) to execute commands. Alternatively, you can use adb shell.
Backup your current data, just in case.
A linux system (I'm using ubuntu 1804 as example).
(hopefully) you are familiar with some linux commands.
Notes:
If you encounter the situation I described at the beginning, you can probably try to fix the system first (for example, make a backup and then delete /data/system/gatekeeper.password.key and /data/system/gatekeeper.pattern.key to disable the lock screen password).
Encryption option:
There is a mount option called "fileencryptioninline" in fstab.hi3660 in the rootfs of the original kernel. init recognizes it and uses it to decide whether to perform file-based encryption (FBE). Removing this option (or changing it to "encryptable"?) disables FBE, as long as the userdata partition has not been encrypted yet.
How does FBE encrypt files:
Google has developed fscrypt in the Linux kernel to implement FBE. To use fscrypt, a key with the description "fscrypt:xxxxx" has to be added to the kernel, where "xxxxx" is an 8-byte value in hex. This value is unique and identifies an encryption policy; f2fs retrieves the key by it. If we want to encrypt some files, we use an ioctl to set an encryption policy (which carries the 8-byte value) on an empty directory. Files copied into it will be encrypted with the corresponding key. When we access an encrypted file, f2fs reads its encryption policy and looks up the key that matches the policy; that key is used to decrypt the file. Multiple keys and policies are allowed.
In order to protect the fscrypt keys described above, FBE uses keymaster to encrypt them and stores the result on the userdata partition. A set of encrypted keys usually consists of these files: "encrypted_key", "keymaster_key_blob", "secdiscardable", "stretching" and "version". Keymaster uses them and communicates with the hardware-backed Trusty TEE to obtain the real key for fscrypt. The decryption is tied to the hardware, so only the device that created these keys is able to decrypt them.
FBE has at least 3 sets of keys (assuming you are user 0):
global device key (global DE): stored in /data/unencrypted/key.
Policy: all directories in /data other than "lost+found", "system_ce", "system_de", "misc_ce", "misc_de", "media", "data", "user", "user_de".
device key (DE): stored in /data/misc/vold/user_keys/de/0.
Policy: usually the directories whose names end with "_de".
credential key (CE): stored in /data/misc/vold/user_keys/ce/0/current.
Policy: usually the directories whose names end with "_ce", plus /data/data and /data/media/0.
Please note that the CE and DE keys are themselves encrypted with the global DE key.
vold (looks like volume daemon)
vold is the volume manager of Android (and it runs as a daemon). It can be controlled by vdc (volume daemon control?). In the source code of vold there is a command listener which defines the commands available to vdc. vold controls the key management of FBE.
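As an added illustration (not code from the original post, and nothing the guide asks you to run), here is how the three pieces named above fit together on this device: the 8-byte descriptor after "fscrypt:" is what vold's Ext4Crypt.cpp derives from the raw 64-byte master key (first 8 bytes of SHA-512 applied twice), the "logon" key payload is the kernel's struct fscrypt_key, whose 72-byte size is the number printed at the end of each fscrypt line in /proc/keys later in this guide, and the directory policy is the 12-byte struct handed to the FS_IOC_SET_ENCRYPTION_POLICY ioctl. The raw key used here is a constructed sample; real keys only exist inside the TEE-wrapped blobs.

```python
import hashlib
import struct

# fscrypt v1 constants (kernel UAPI header, linux/fscrypt.h / ext4_crypto.h era names).
FSCRYPT_KEY_DESCRIPTOR_SIZE = 8      # the hex value after "fscrypt:" in /proc/keys
FSCRYPT_MAX_KEY_SIZE = 64            # raw master key: 512 bits for AES-256-XTS
FS_ENCRYPTION_MODE_AES_256_XTS = 1   # file contents
FS_ENCRYPTION_MODE_AES_256_CTS = 4   # file names
FSCRYPT_POLICY_FLAGS_PAD_4 = 0       # filename padding used by vold for CTS names
KEY_PREFIX = "fscrypt:"              # vold adds the logon key under this description prefix


def key_descriptor(raw_key: bytes) -> bytes:
    """Derive the 8-byte master key descriptor the way vold's generateKeyRef() does:
    the first 8 bytes of SHA-512(SHA-512(raw_key)). A different raw key gives a
    different descriptor, which is why each policy set below is tied to one key."""
    if len(raw_key) != FSCRYPT_MAX_KEY_SIZE:
        raise ValueError("fscrypt v1 master key must be 64 bytes")
    first = hashlib.sha512(raw_key).digest()
    second = hashlib.sha512(first).digest()
    return second[:FSCRYPT_KEY_DESCRIPTOR_SIZE]


def keyring_description(raw_key: bytes) -> str:
    """The description shown in /proc/keys, e.g. 'fscrypt:773e9f60adca3172'."""
    return KEY_PREFIX + key_descriptor(raw_key).hex()


def fscrypt_key_payload(raw_key: bytes) -> bytes:
    """Build the 'struct fscrypt_key' payload that add_key(2) receives for a 'logon' key:
        __u32 mode;  __u8 raw[64];  __u32 size;
    vold fills mode with the XTS constant (the kernel takes the real modes from the
    directory policy) and size with the raw key length. Little-endian, as on arm64."""
    raw = raw_key.ljust(FSCRYPT_MAX_KEY_SIZE, b"\0")
    return struct.pack("<I64sI", FS_ENCRYPTION_MODE_AES_256_XTS, raw, len(raw_key))


def fscrypt_policy_v1(descriptor: bytes) -> bytes:
    """Build the 12-byte 'struct fscrypt_policy' (v1) used by FS_IOC_SET_ENCRYPTION_POLICY
    when an empty directory is bound to a master key:
        __u8 version; __u8 contents_encryption_mode; __u8 filenames_encryption_mode;
        __u8 flags;   __u8 master_key_descriptor[8];"""
    if len(descriptor) != FSCRYPT_KEY_DESCRIPTOR_SIZE:
        raise ValueError("descriptor must be 8 bytes")
    return struct.pack("<BBBB8s", 0, FS_ENCRYPTION_MODE_AES_256_XTS,
                       FS_ENCRYPTION_MODE_AES_256_CTS, FSCRYPT_POLICY_FLAGS_PAD_4, descriptor)


# Constructed sample key for the demonstration only; it is not a real device key.
SAMPLE_RAW_KEY = bytes(range(FSCRYPT_MAX_KEY_SIZE))

if __name__ == "__main__":
    desc = key_descriptor(SAMPLE_RAW_KEY)
    print("kernel key description :", keyring_description(SAMPLE_RAW_KEY))
    print("add_key payload length  :", len(fscrypt_key_payload(SAMPLE_RAW_KEY)))
    print("directory policy (hex)  :", fscrypt_policy_v1(desc).hex())
```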
Steps:
Create a keyring called "e4crypt".
Unfortunately, Android does not have a tool to manipulate the Linux key-management facility. To add this keyring, I'm using the "add_key" system call.
A sample program and sample operations:
Code:
#include <stdio.h>
#include <unistd.h>
#include <linux/keyctl.h>
#include <sys/syscall.h>

/* Create an empty keyring named "e4crypt" in the user session keyring.
 * add_key(2) has no libc wrapper on Android, so it is invoked through syscall();
 * for a keyring the payload is empty (NULL, 0). On success the key serial is returned. */
int main(void) {
    long ret = syscall(__NR_add_key, "keyring", "e4crypt", NULL, 0,
                       KEY_SPEC_USER_SESSION_KEYRING);
    if (ret != -1) {
        printf("Successfully created keyring \"e4crypt\"\n");
        return 0;
    }
    perror("add_key");  /* errno tells why, e.g. permission problems when not run as root */
    return 1;
}
Compile this code and run it on your phone. You can use the Android NDK to compile it (actually I think any arm/arm64 Linux toolchain will work). I didn't want to download the very large NDK, so I'm using gcc-aarch64-linux-gnu.
On ubuntu 1804:
(Use "sudo apt install gcc-aarch64-linux-gnu" to install this toolchain)
Code:
[email protected]:~/add_keyring$ cat add_keyring.c
#include <stdio.h>
#include <linux/keyctl.h>
#include <sys/syscall.h>
int main() {
int ret = syscall(__NR_add_key, "keyring", "e4crypt", NULL, 0, KEY_SPEC_USER_SESSION_KEYRING);
if (ret != -1) {
printf("Successfully created keyring \"e4crypt\"\n");
}
else {
perror("add_key");
}
return 0;
}
[email protected]:~/add_keyring$ aarch64-linux-gnu-gcc -static add_keyring.c -o add_keyring
[email protected]:~/add_keyring$ ls
add_keyring add_keyring.c
On your phone (adb shell):
Assume that we've already placed the "add_keyring" executable binary in /data/add_keyring
Code:
HWMHA:/ $ su
HWMHA:/ # cd /data
HWMHA:/data # ls -l add_keyring
-rw-r--r-- 1 root root 546888 2018-12-29 23:31 add_keyring
HWMHA:/data # chmod +x add_keyring
HWMHA:/ # cat /proc/keys
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 1
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
HWMHA:/data # ./add_keyring
Successfully created keyring "e4crypt"
HWMHA:/data # cat /proc/keys
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: empty
HWMHA:/data #
This step is completed if you see a keyring called "e4crypt".
Mount the partition image to your device.
You can copy the image file to a USB storage device and use USB OTG to access the partition image on your phone (but that seems to be unstable). In this guide I'll mount a Samba share containing the image on my phone instead.
My operation logs:
On ubuntu:
I've created a samba share called "image" which points to the directory containing that partition. The partition image file is called "sdd46". The IP address of this computer is 192.168.1.120
On your phone:
Prepare the partition image (sdd46):
Code:
HWMHA:/ $
HWMHA:/ $ su
HWMHA:/ # mkdir /computer
mkdir: '/computer': Read-only file system
HWMHA:/ # busybox mount -o remount,rw /
HWMHA:/ # mkdir /computer
HWMHA:/ # busybox mount -t cifs -o nolock,username=nobody '\\192.168.1.120\image' /computer
HWMHA:/ # ls /computer
sdd46
Mount this image (the "force_no_inline_enc" option is required):
Code:
HWMHA:/ # mkdir /decrypt_data
HWMHA:/ # busybox mount -t f2fs -o ro,force_no_inline_enc /computer/sdd46 /decrypt_data
Check if your image is successfully mounted:
Code:
HWMHA:/ # ls /decrypt_data/
adb camera fusion_daemon_rpipe inv_ipld_wpipe mediadrm ramdump system update
anr cota fusion_daemon_wpipe ioloader misc resource-cache system_ce user
apkpush cust gps ivp misc_ce samba system_de user_de
app cust_ver.bin hcs keyie misc_de sec_storage_data t vsftpd
app-asec custom.bin hisi_logs libnfc-nxp.conf nfc security takess vsftpd.conf
app-ephemeral dalvik-cache hw_init light nvram share takess.sh
app-lib daniuc.dex hwzd_logs local offlinelogs skin themes
app-private data img log ota ss timetest
app_acc drm inotify lost+found pppd_via su.img tmp
backup encrypted_flag inputie lp product.bin suhide.img tombstones
bootchart fpie inv_ipld_rpipe media property supersu unencrypted
HWMHA:/ # cd /decrypt_data/
HWMHA:/decrypt_data # cd misc
misc/ misc_ce/ misc_de/
HWMHA:/decrypt_data # cd misc
HWMHA:/decrypt_data/misc # ls vold
yVsKT2+BrPIOKcQdVYyetC
You can see an encrypted directory in /decrypt_data/misc/vold, which stores the CE and DE keys. If you can't find this directory, it might not be encrypted and should then be located in /decrypt_data/unencrypted/data/misc/vold.
Install Global DE key:
You need to copy the global DE key to /data/unencrypted and execute:
Code:
vdc --wait cryptfs enablefilecrypto
My operation logs:
Copy Global DE key to /data/unencrypted:
Code:
HWMHA:/ $ su
HWMHA:/ # cd /data
HWMHA:/data # mkdir unencrypted
HWMHA:/data # cd unencrypted
HWMHA:/data/unencrypted # ls
HWMHA:/data/unencrypted # cp -nr /decrypt_data/unencrypted/key ./
HWMHA:/data/unencrypted # ls
key
HWMHA:/data/unencrypted # ls key
encrypted_key keymaster_key_blob secdiscardable stretching version
encrypted_key.backup keymaster_key_blob.backup secdiscardable.backup stretching.backup version.backup
Then, install this key:
Code:
HWMHA:/data/unencrypted # cat /proc/keys
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: empty
HWMHA:/data/unencrypted # vdc --wait cryptfs enablefilecrypto
200 3966 1
HWMHA:/data/unencrypted #
HWMHA:/data/unencrypted # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 1
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
You can see that a new key "fscrypt:773e9f60adca3172" has been added to the kernel.
Check that you can access the CE and DE keys and copy them to /data/misc/vold.
My operation logs:
Check if you can access CE and DE keys:
Code:
HWMHA:/data/unencrypted # cd /decrypt_data/misc
HWMHA:/decrypt_data/misc # ls vold
user_keys
Copy CE and DE keys to the right location:
Code:
HWMHA:/decrypt_data/misc # cd /data/misc/vold
HWMHA:/data/misc/vold # ls
bench
HWMHA:/data/misc/vold # cp -nr /decrypt_data/misc/vold/user_keys .
HWMHA:/data/misc/vold # ls
bench user_keys
HWMHA:/data/misc/vold # cd user_keys
HWMHA:/data/misc/vold/user_keys # ls
ce de
HWMHA:/data/misc/vold/user_keys # cd de/0/
HWMHA:/data/misc/vold/user_keys/de/0 # cat version
1HWMHA:/data/misc/vold/user_keys/de/0 #
HWMHA:/data/misc/vold/user_keys/de/0 #
Install DE key
Just set ro.crypto.type to "file" and execute this command:
Code:
vdc --wait cryptfs init_user0
My operation logs:
Before installing the DE key you will see some encrypted files protected by it.
Code:
HWMHA:/decrypt_data/user_de/0 # ls
++gBT,VFvFeD,vgVoSVpUqeDNoC Wno64AdMq3Wde+F8LqWYvWiAFaFIiU810wX84B
+ExRFZKrTrX5PAZWjgzJKV26in24FxSt Ws+aoxf5sborLpV0EZLhvA
+Lyki0vu0dbWrX5PvAq3g932ONE WyHV8MQblZaCmdNpO6WPQSN1TgQoGxzw3mn4vB
+T95aXkKGnakajMwgSxcblTh0+8Vp3RI X0WDXQ5BsVDV6u45CJ9etzjba9JkWeQG
..............
Check the keys in kernel:
Code:
HWMHA:/decrypt_data # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 1
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
You'll need to set a property before installing the key.
Code:
HWMHA:/decrypt_data # getprop ro.crypto.type
HWMHA:/decrypt_data # setprop ro.crypto.type file
HWMHA:/decrypt_data # getprop ro.crypto.type
file
HWMHA:/decrypt_data # vdc --wait cryptfs init_user0
200 10711 Command succeeded
HWMHA:/decrypt_data # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 2
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
3c670371 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:521acd13c187513c: 72
HWMHA:/decrypt_data #
Check whether you can access the files protected by DE key.
Code:
HWMHA:/decrypt_data #
HWMHA:/decrypt_data # cd user_de/0
HWMHA:/decrypt_data/user_de/0 # ls
abcmeasurecorp.com.measureit com.huawei.bluetooth
androdns.android.leetdreams.ch.androdns com.huawei.ca
android com.huawei.camera
androidhwext com.huawei.compass
..............
Install CE key.
Just execute this command:
Code:
vdc --wait cryptfs unlock_user_key 0 0 "" ""
The last two arguments are empty strings.
My operation logs:
Before installing the CE key you'll find some encrypted files protected by it.
Code:
HWMHA:/decrypt_data # cd media/0
HWMHA:/decrypt_data/media/0 # ls
0M8msgkIuhwegkVYqu2zvC OK0B0zzWFSQ5pDHwSlAIvA aNrURou98klfwIaGnFAdPA rHzJIvFcgtIcIz,WOjZrRD w59yxPZvec,eu9HMMdDpuB
7VDq++zOwS5xaV35TuZbmB WSWzdKdAYAC2Vc1jOs6tqA jz,xyRZMpSLq2ghtL158yA rokqUTbYC7eMhGrghh0CSB
8rMqWow5AXxsZqHqbZyN9C XyLh+kAVQ5ZWXlWrc7wc5D pjgHBo3uPcxDi13euKN4PB tZkWYvxkrEufTMZ47f89cD
Install the key:
Code:
HWMHA:/decrypt_data/user_de/0 #
HWMHA:/decrypt_data/user_de/0 # vdc --wait cryptfs unlock_user_key 0 0 "" ""
200 11848 Command succeeded
HWMHA:/decrypt_data/user_de/0 #
HWMHA:/decrypt_data/user_de/0 #
HWMHA:/decrypt_data/user_de/0 # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 3
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
30baee27 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:e1294ea7636feee7: 72
3c670371 I--Q--- 407 perm 3d010000 0 0 logon fscrypt:521acd13c187513c: 72
You can see that a new key "fscrypt:e1294ea7636feee7" has been added to the kernel.
Check whether you can access the files protected by the CE key.
Code:
HWMHA:/decrypt_data # cd media/0
HWMHA:/decrypt_data/media/0 # ls
Alarms Android DCIM Download Movies Music Notifications Pictures Podcasts Ringtones backups baidu huawei
Now you should be able to access the encrypted files.
Clean up:
After you have backed up the files you wish to retrieve, please delete the keys you copied to /data and reboot your phone. Don't change any security settings (like the lock screen password) before rebooting.
Unmount partitions:
Code:
busybox umount /decrypt_data
busybox umount /computer
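The steps above each end with a look at /proc/keys to confirm that the keyring and the expected fscrypt keys are present. As an added example (not part of the original guide), the following Python parses those listings and checks the state the guide expects at a given step; the two snapshots are constructed from the listings shown above (after step 1, and after all three keys are loaded).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# sizeof(struct fscrypt_key) = u32 mode + u8 raw[64] + u32 size: the "72" printed as the
# summary of every fscrypt logon key in the guide's /proc/keys listings.
FSCRYPT_KEY_PAYLOAD_LEN = 72
DESCRIPTOR_RE = re.compile(r"^fscrypt:([0-9a-f]{16})$")

# Constructed sample input, copied from the listings in this guide.
PROC_KEYS_BEFORE = """\
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: empty
"""
PROC_KEYS_AFTER = """\
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 3
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
30baee27 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:e1294ea7636feee7: 72
3c670371 I--Q--- 407 perm 3d010000 0 0 logon fscrypt:521acd13c187513c: 72
"""


@dataclass
class ProcKey:
    serial: str
    flags: str        # I = instantiated, Q = counted against the owner's key quota
    usage: int        # kernel reference count; it grows while files using the key are open
    type: str         # "keyring" or "logon" in these listings
    description: str  # "e4crypt" for the keyring, "fscrypt:<16 hex>" for master keys
    summary: str      # keyring: number of linked keys or "empty"; logon: payload length


def parse_proc_keys(text: str) -> List[ProcKey]:
    """Parse /proc/keys lines: serial flags usage timeout perms uid gid type description: summary."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(None, 8)  # the 9th field keeps "description: summary" intact
        if len(fields) < 9:
            raise ValueError(f"unparseable /proc/keys line: {line!r}")
        serial, flags, usage, _timeout, _perms, _uid, _gid, ktype, rest = fields
        # The description itself contains ':' for fscrypt keys, so split on the last ": ".
        description, sep, summary = rest.rpartition(": ")
        if not sep:
            description, summary = rest.rstrip(":"), ""
        keys.append(ProcKey(serial, flags, int(usage), ktype, description, summary.strip()))
    return keys


def fscrypt_keys(keys: Sequence[ProcKey]) -> Dict[str, ProcKey]:
    """Map each loaded fscrypt v1 master key descriptor to its /proc/keys entry."""
    found = {}
    for k in keys:
        m = DESCRIPTOR_RE.match(k.description)
        if k.type == "logon" and m:
            found[m.group(1)] = k
    return found


def check_fbe_keys(text: str, expected: Sequence[str]) -> List[str]:
    """Return the problems found (an empty list is the state the guide expects at that step):
    the e4crypt keyring exists, every expected descriptor is loaded, each payload is the
    72-byte fscrypt_key, and the keyring's link count matches the number of loaded keys."""
    keys = parse_proc_keys(text)
    problems = []
    rings = [k for k in keys if k.type == "keyring" and k.description == "e4crypt"]
    if not rings:
        problems.append("keyring 'e4crypt' not found (create it first, see step 1)")
    loaded = fscrypt_keys(keys)
    for desc in expected:
        if desc not in loaded:
            problems.append(f"fscrypt key {desc} not loaded")
    for desc, k in loaded.items():
        if k.summary != str(FSCRYPT_KEY_PAYLOAD_LEN):
            problems.append(f"fscrypt key {desc} has payload {k.summary}, expected {FSCRYPT_KEY_PAYLOAD_LEN}")
    if rings:
        linked = 0 if rings[0].summary == "empty" else int(rings[0].summary)
        if linked != len(loaded):
            problems.append(f"keyring e4crypt links {linked} keys but {len(loaded)} fscrypt keys are loaded")
    return problems


if __name__ == "__main__":
    wanted = ["773e9f60adca3172", "521acd13c187513c", "e1294ea7636feee7"]
    for name, snapshot in (("after step 1", PROC_KEYS_BEFORE), ("after CE key", PROC_KEYS_AFTER)):
        print(name + ":", check_fbe_keys(snapshot, wanted) or "OK")
```

On the phone the same check runs against the live file with `check_fbe_keys(open("/proc/keys").read(), wanted)`; the usage count of 407 on the CE key in the last listing shows how many open references the kernel held once /data/media was readable.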
References and useful links:
Official FBE doc:
https://source.android.com/security/encryption/file-based
Some FBE source code analysis:
https://blog.csdn.net/myfriend0/article/details/77094890 (Chinese)
https://github.com/novelinux/android/wiki/Android-FBE (Chinese)
http://hooltech.com/android-p-fbe.html (Chinese)
Hardware-backed Keystore:
https://source.android.com/security/keystore/index.html
Trusty TEE:
https://source.android.com/security/trusty/index.html
Something about Huawei's Trustzone:
https://github.com/OpenKirin/Documentation/blob/master/04-Trustzone.md
fscrypt:
https://www.kernel.org/doc/html/v4.15/filesystems/fscrypt.html
Make sure you always back up your data before performing any flashing/upgrading, especially when you are using a non-official ROM. I have spent a lot of time reading posts and analyzing source code. Luckily I succeeded. This was a lesson telling me the importance of backups.
Hi!
First of all, this is a truly amazing guide. The work done is incredible.
I am in a similar situation, although the details are different: my phone is a Oneplus 5, and it got bricked on Android Pie (stock OOS 9). I have an image of the userdata partition (all other partitions as well actually), it is FBE encoded, I used a PIN which I know. Some questions that you might be able to help with:
1) My userdata was encrypted on a stock ROM, bootloader locked (no root). Your guide obviously requires rooting. Can that even work? Would the phone have access to the necessary TEE functionality?
2) The first significant difference I run into is that vold is missing in the locations you suggested. All the directory names in /misc are encrypted. Any ideas?
3) Also, I do not see support for the "force_no_inline_enc" in busybox (or on Ubuntu). Could not find any documentation either. Could you explain what it does? Or provide some reference? The image mounts successfully without it in my case.
Thanks for this incredible guide. However my case is somehow different, I'm wondering whether you could give me some suggestion, thanks!
My phone got bricked after flashing a new ROM, so I erased /system and /data, except my internal storage. After that, I can't decrypt my internal storage any more. The command 'twrp decrypt XXXXX' does not work either.
So here I know my PIN but can't decrypt. Following your guide, I can see the /data/unencrypted folder, but /data/misc is not there. What can I do? Thanks.
Besides, running vdc always gives 'Segmentation fault', which I have no idea about.
amk43 said:
Hi!
First of all, this is a truly amazing guide. The work done is incredible.
I am in a similar situation, although the details are different: my phone is a Oneplus 5, and it got bricked on Android Pie (stock OOS 9). I have an image of the userdata partition (all other partitions as well actually), it is FBE encoded, I used a PIN which I know. Some questions that you might be able to help with:
1) My userdata was encrypted on a stock ROM, bootloader locked (no root). Your guide obviously requires rooting. Can that even work? Would the phone have access to the necessary TEE functionality?
2) The first significant difference I run into is that vold is missing in the locations you suggested. All the directory names in /misc are encrypted. Any ideas?
3) Also, I do not see support for the "force_no_inline_enc" in busybox (or on Ubuntu). Could not find any documentation either. Could you explain what it does? Or provide some reference? The image mounts successfully without it in my case.
Hi @amk43,
1. I'm not sure whether this method will work, because the implementations of the TEE are different. But I know that some versions of TWRP for Snapdragon 835 devices support decrypting the data partition (i.e. they allow users to enter a password/pattern inside TWRP and then access the encrypted files). Based on this, I think the decryption is possible. I would suggest you have a try using my steps or try to work with such a TWRP (https://forum.xda-developers.com/oneplus-5/development/recovery-twrp-3-2-3-pie-encryption-t3837342)
2. Have you installed the "global device key" before seeing the encrypted directory names in /misc? The encryption policy might be applied to the entire /misc, so it looks different from my example. Another possible reason is that Android 9.0 has introduced Metadata encryption, which makes things more complicated (https://source.android.com/security/encryption/metadata). I'm afraid the mechanism might have changed, since it would store the encryption key in another partition called "metadata". Check whether this partition exists first. If your device has enabled Metadata encryption, additional steps will be required.
3. I double checked the AOSP source code and didn't find this option. I think this option is introduced by HUAWEI and not available in other OS. Actually this option is inside this file: (https://github.com/Ante0/MHA-NG_EMUI5.0_opensource/blob/master/kernel/fs/f2fs/super.c) line 126.
So you probably don't need to use "force_no_inline_enc".
Finally, good luck with your files.
lkytal said:
Thanks for this incredible guide. However my case is somehow different, I'm wondering whether you could give me some suggestion, thanks!
My phone got bricked after flashing a new ROM, so I erased /system and /data, except my internal storage. After that, I can't decrypt my internal storage any more. The command 'twrp decrypt XXXXX' does not work either.
So here I know my PIN but can't decrypt. Following your guide, I can see the /data/unencrypted folder, but /data/misc is not there. What can I do? Thanks.
Besides, running vdc always gives 'Segmentation fault', which I have no idea about.
Hi, @lkytal,
If you can't find /data/misc , it means you've lost your "CE key", which is used to decrypt internal storage (/data/media/0). Unfortunately, I think there is no way to get it back, unless you can recover deleted files, which is difficult and almost impossible.
I also have no idea why vdc crashed with 'Segmentation fault'.
Hi, my system doesn't have vdc. Can I use a vdc I compiled myself?
cofface said:
Hi, my system doesn't have vdc. Can I use a vdc I compiled myself?
Hi, I think it's a bit weird that your system does not have vdc, since vdc is a basic component of android. Basically vdc only communicates with a running vold process through a socket (some vdc commands will be directly sent to vold). The way of communication might vary in different versions/implementations (refer to its source code). I'm not sure whether it is going to work if you compile vdc from source code. You might have to deal with strange issues when compiling or running it.
Amazing guide. Mine is the same as your question; I have full root access now, but it is Android 9 and I can't find the global DE key /data/unencrypted/key. Any idea?
bl4ckluna said:
Amazing guide. Mine is the same as your question; I have full root access now, but it is Android 9 and I can't find the global DE key /data/unencrypted/key. Any idea?
Hi bl4ckluna,
I suspect the location of the keys has changed. I had a quick look at the vold source code of Android 9.0, and it seems to have changed a lot. I can no longer find "unencrypted keys". Instead, a "systemwide_volume_key" (located in /data/misc/vold/volume_keys) is present. Besides, Android 9 has introduced metadata encryption, which makes it much more complex. I have no idea how the encryption works without reading all the vold source code. You can probably check the source code here:
https://android.googlesource.com/platform/system/vold/+/refs/tags/android-9.0.0_r45/Ext4Crypt.cpp
https://android.googlesource.com/platform/system/vold/+/refs/tags/android-9.0.0_r45/KeyStorage.cpp
https://android.googlesource.com/platform/system/vold/+/refs/tags/android-9.0.0_r45
Wow. Nice. Excellent information. I was searching in google and didn't find any useful info.
amazing!Where can I contact you? I want to share some interesting things with you! Please contact me as soon as possible! Best wishes!
Have you considered making an automated tool for this? It would help many people.
Does somebody update this script also for Android 10 ?
Hi, and thank you for the effort put into this. Despite software having changed since then I'm wondering if you could provide any kind of insight with my problem.
I'm on a Galaxy S10e (Exynos) with LineageOS+MicroG (Android 12), which I broke while trying to install a Magisk module. The device has been in a bootloop ever since. I've tried many things which didn't work, so now I'm just trying to recover the data, which is encrypted. That's how I landed here. I can access the device via adb while it's booting, and that's how I've been interacting with it. Following your guide I dumped the /data partition to an external SD card, mounted it on the device and looked around. The thing is, everything is decrypted except /data/media/0. So I'm stuck at stage 3 of the process.
When I try to run `vdc --wait cryptfs unlock_user_key 0 0 "" ""`, it fails with
Code:
ProcessState D 12-27 12:31:36 32158 32158 Binder ioctl to enable oneway spam detection failed: Invalid argument
vdc V 12-27 12:31:36 32158 32158 vdc.cpp:66] Waited 0ms for vold
vdc E 12-27 12:31:36 32158 32158 vdc.cpp:216] Raw commands are no longer supported
From my understanding, manually decrypting doesn't work anymore. The data is all there, and from my understanding so are all the keys. It should be able to be recovered, right?
I'm stuck and don't know what else to try. Has anyone got any insight?
Ștefan Radu said:
Hi, and thank you for the effort put into this. Despite software having changed since then I'm wondering if you could provide any kind of insight with my problem.
I'm on a Galaxy S10e (Exynos) with LineageOS+MicroG (Android 12), which I broke while trying to install a Magisk module. The device has been in a bootloop ever since. I've tried many things which didn't work, so now I'm just trying to recover the data, which is encrypted. That's how I landed here. I can access the device via adb while it's booting, and that's how I've been interacting with it. Following your guide I dumped the /data partition to an external SD card, mounted it on the device and looked around. The thing is, everything is decrypted except /data/media/0. So I'm stuck at stage 3 of the process.
When I try to run `vdc --wait cryptfs unlock_user_key 0 0 "" ""`, it fails with
Code:
ProcessState D 12-27 12:31:36 32158 32158 Binder ioctl to enable oneway spam detection failed: Invalid argument
vdc V 12-27 12:31:36 32158 32158 vdc.cpp:66] Waited 0ms for vold
vdc E 12-27 12:31:36 32158 32158 vdc.cpp:216] Raw commands are no longer supported
From my understanding, manually decrypting doesn't work anymore. The data is all there, and from my understanding so are all the keys. It should be able to be recovered, right?
I'm stuck and don't know what else to try. Has anyone got any insight?
Hi Ștefan, sorry, I also have no idea about this. Many vdc commands were deprecated a few Android versions ago. I was tracking the source code of the lock screen and ended up finding vdc, which did work in Android 7. But Google seems to have made many changes and I'm not sure how it works now. (Please also read the top of this article, which I just updated.)
If your device got a bootloop because of a magisk module, you can also try the following things:
1. try adb shell during the bootloop and quickly remove the module that causes the issue (usually under /data/adb/*)
2. try a TWRP which supports data decryption through a lock screen password and remove the module. Or you can guess which encrypted folder is for the module/magisk and remove it. (You can remove files even if they are encrypted)
3. unpack and (un)patch the kernel (initrd) so that magisk stops working or not loading modules.
Thanks for taking the effort to write this down! I am trying to open a userdata backup from my bootlooping OnePlus 8 Pro.
Following your steps, I get this error
Code:
255|OnePlus8Pro:/ # busybox mount -t f2fs -o ro,force_no_inline_enc /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img /data/computer
mount: can't setup loop device: No such file or directory
Though both the file (the image) and the directory (/data/computer) exist. Any idea why this basic task does not work?
By the way, on the phone these settings are used to mount the userdata partition:
Code:
/dev/block/bootdevice/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt latemount,wait,resize,check,formattable,fileencryption=ice,wrappedkey,quota,reservedsize=128M,sysfs_path=/sys/devices/platform/soc/1d84000.ufshc,checkpoint=fs
HaTeNL said:
Thanks for taking the effort to write this down! I am trying to open a userdata backup from my bootlooping OnePlus 8 Pro.
Following your steps, I get this error
255|OnePlus8Pro:/ # busybox mount -t f2fs -o ro,force_no_inline_enc /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img /data/computer
mount: can't setup loop device: No such file or directory
Though both the file (the image) and the directory (/data/computer) exist. Any idea why this basic task does not work?
By the way, on the phone these settings are used to mount the userdata partition:
/dev/block/bootdevice/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt latemount,wait,resize,check,formattable,fileencryption=ice,wrappedkey,quota,reservedsize=128M,sysfs_path=/sys/devices/platform/soc/1d84000.ufshc,checkpoint=fs
Hi,
Looks like the loop device wasn't set up correctly. In order to mount an image file, a loop device has to be set up to present the file as a block device. Can you try setting it up manually, for example,
Bash:
losetup -f --show /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img
and see what device is printed out, then try to mount the device.
Use another busybox or toybox losetup with the -s flag. Also, for mounting f2fs read-only you should add disable_roll_forward to the mount flags (noload for ext4); this is required for mounting dirty file systems.
Thanks both! I see I already have toybox installed, and I also tested toybox-ext (for Magisk), but unfortunately I get errors again.
I tried
Code:
losetup -f --show /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img
with output "/dev/block/loop31"
So now I do the following and get an error again.
Code:
toybox-ext mount -t f2fs -o ro,force_no_inline_enc,disable_roll_forward /dev/block/loop31 /data/testdata
mount: '/dev/block/loop31'->'/data/testdata': Invalid argument
With dmesg I see
Code:
[ 7572.232295] (2)[24714:toybox-ext][20230212_19:42:16.465650]@2 F2FS-fs (loop31): Magic Mismatch, valid(0xf2f52010) - read(0x6970be9f)
[ 7572.232312] (2)[24714:toybox-ext][20230212_19:42:16.465670]@2 F2FS-fs (loop31): Can't find valid F2FS filesystem in 2th superblock
Maybe because the f2fs filesystem is encrypted? Do I need other mount options?
To be clear, what I used to back up the userdata was dd.
The file system is corrupt. Try fsck, but get a copy first.
Your device uses metadata encryption; this guide is not for you. Any further discussion please in a new thread, it's off-topic here.