[Replicant] How to undo whole-disk-encryption?
A. F. Cano
afc at shibaya.lonestar.org
Tue Mar 5 20:50:33 UTC 2019
While strictly not a Replicant issue, I can't think of a more
knowledgeable group of people than this list for this issue.
Actually, has anyone installed the latest Replicant on a Samsung
Galaxy S T-959 (Vibrant)? There! Now it's a little more
Replicant-related.
Background:
Years ago I installed Cyanogenmod 10.1 (Android 4.2.2) on a Samsung
Galaxy S T-959 Vibrant.
Then I tried to make it more secure based on the instructions here:
https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy
The command to encrypt the whole disk in place is:
vdc cryptfs enablecrypto inplace NewMoreSecurePassword
The current issue:
I have recently encountered compatibility problems between DavDroid (1.9-ose)
and the radicale server. The problem is apparently due to some incompatibility
of old event format ("can't compare offset-naive and offset-aware datetimes")
so I start investigating and there is a newer version of DAVDroid, now called
DAVx, but it fails to install. It requires Android 4.4. So I go looking and
find that the latest Cyanogenmod for this device is 11 (Android 4.4.4).
Bingo! I thought. Then I try to do a backup from recovery mode
(CWM-based-recovery v6.0.3.7) and encounter "Can't mount /data!". Further
research shows that this is due to the whole disk encryption I find:
https://jomo.tv/android/remove-android-device-encryption
but it's quite involved. At the end it says:
Technically, there would be a more efficient way to achieve this
(i.e. without storing and restoring the partition) by doing the
reverse of Android’s inplace encryption: It would read each sector
of the block device, decrypt it, and write it back, but cryptfs
doesn’t implement it.
I was hoping for just such a command.
That page uses TWRP, which is not available for the Galaxy S (the oldest
supported model is the Galaxy S2), so I can't use it as is.
I have extracted the /data directory/fs (in /dev/block/dm-2 per df)
$ adb pull /dev/block/dm-2 userdata.img
After extraction, file says:
$ file userdata.img
userdata.img: Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
So it looks like I managed to extract the unencrypted partition. I did this
with the phone running (not in recovery mode) so that might be the reason for
needing journal recovery: the FS was mounted and was probably modified during
the operation.
So far everything I've done has been safe. Since this is my primary phone I
can't risk screwing it up or worse: brick it. Has anyone done a complete
backup from recovery (with ClockWorkMod)? Is it a complete backup? Would the
restore clobber parts of the upgraded OS and cause problems? But I'm getting
ahead of myself.
As far as the un-encryption goes. The above page's approach is to back up the
/data partition and from recovery re-flash it. Can this be done from
ClockWorkMod?
These are the steps for using TWRP, after the original partition has been
saved:
select Wipe → Format Data
This step is required because it lets the OS know the data partition
is no longer encrypted
Reboot to bootloader: adb reboot bootloader
Write the image back to /data: fastboot flash userdata userdata.img
Reboot: fastboot reboot
Has anyone attempted this with ClockWorkMod?
Is there an alternative safe way to undo the whole-disk encryption?
I eagerly await any replies or hints. I would like to backup the state of my
phone before the upgrade, which means first undoing the encryption, then doing
a complete backup, then doing the upgrade and then a complete restore.
Projects always get bigger than originally thought.
Finally, has anyone installed the latest Replicant on a Galaxy S T-959? I'd
much rather go that route if possible, but at least it seems that Cyanogenmod
11 supports this old phone.
Thanks for any info!
More information about the Replicant
mailing list