[Replicant] How to undo whole-disk-encryption?

A. F. Cano afc at shibaya.lonestar.org
Tue Mar 5 20:50:33 UTC 2019


While strictly not a Replicant issue, I can't think of a more
knowledgeable group of people than this list for this issue.

Actually, has anyone installed the latest Replicant on a Samsung
Galaxy S T-959 (Vibrant)?  There! Now it's a little more
Replicant-related.

Background:

Years ago I installed Cyanogenmod 10.1 (Android 4.2.2) on a Samsung
Galaxy S T-959 Vibrant.
Then I tried to make it more secure based on the instructions here:

https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy

The command to encrypt the whole disk in place is:

vdc cryptfs enablecrypto inplace NewMoreSecurePassword

The current issue:

I have recently encountered compatibility problems between DavDroid (1.9-ose)
and the radicale server.  The problem is apparently due to some incompatibility
of old event format ("can't compare offset-naive and offset-aware datetimes")
so I start investigating and there is a newer version of DAVDroid, now called
DAVx, but it fails to install.  It requires Android 4.4.  So I go looking and
find that the latest Cyanogenmod for this device is 11 (Android 4.4.4).
Bingo! I thought.  Then I try to do a backup from recovery mode
(CWM-based-recovery v6.0.3.7) and encounter "Can't mount /data!".  Further
research shows that this is due to the whole disk encryption  I find:

https://jomo.tv/android/remove-android-device-encryption

but it's quite involved.  At the end it says:

  Technically, there would be a more efficient way to achieve this
  (i.e. without storing and restoring the partition) by doing the
  reverse of Android’s inplace encryption: It would read each sector
  of the block device, decrypt it, and write it back, but cryptfs
  doesn’t implement it.

I was hoping for just such a command.

That page uses TWRP, which is not available for the Galaxy S (the oldest
supported model is the Galaxy S2), so I can't use it as is.

I have extracted the /data directory/fs (in /dev/block/dm-2 per df)

$ adb pull /dev/block/dm-2 userdata.img

After extraction, file says:

$ file userdata.img
userdata.img: Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)

So it looks like I managed to extract the unencrypted partition.  I did this
with the phone running (not in recovery mode) so that might be the reason for
needing journal recovery: the FS was mounted and was probably modified during
the operation.

So far everything I've done has been safe.  Since this is my primary phone I
can't risk screwing it up or worse: brick it.  Has anyone done a complete
backup from recovery (with ClockWorkMod)? Is it a complete backup?  Would the
restore clobber parts of the upgraded OS and cause problems? But I'm getting
ahead of myself.

As far as the un-encryption goes.  The above page's approach is to back up the
/data partition and from recovery re-flash it.  Can this be done from
ClockWorkMod?

These are the steps for using TWRP, after the original partition has been
saved:

 select Wipe → Format Data
   This step is required because it lets the OS know the data partition
   is no longer encrypted
 Reboot to bootloader: adb reboot bootloader
 Write the image back to /data: fastboot flash userdata userdata.img
 Reboot: fastboot reboot

Has anyone attempted this with ClockWorkMod?

Is there an alternative safe way to undo the whole-disk encryption?

I eagerly await any replies or hints.  I would like to backup the state of my
phone before the upgrade, which means first undoing the encryption, then doing
a complete backup, then doing the upgrade and then a complete restore.
Projects always get bigger than originally thought.

Finally, has anyone installed the latest Replicant on a Galaxy S T-959?  I'd
much rather go that route if possible, but at least it seems that Cyanogenmod
11 supports this old phone.

Thanks for any info!



More information about the Replicant mailing list