[Replicant] How to undo whole-disk-encryption?

Josh Branning lovell.joshyyy at gmail.com
Wed Mar 6 18:37:43 UTC 2019


- It's good you've made a backup of the encrypted /data partition.
- Whatever you do, you will have to rewrite the /data partition in some 
way to do this, regardless of whether it's in-place rewriting or not.
- You have installed a version of android that does not expect 
encryption to be turned on.
- You are not writing to the recovery partition afaik.
- If you wanted to, you could backup the stock unencypted /data 
partition also using adb
- To be safe, you could check using fdisk or file what type of 
filesystem this is
- You could decrypt your filesystem.
- You could then check whether the stock unencrypted filesystem and your 
now-unencrypted filesystem type matches.
- You could then attempt to restore your unencrypted filesystem
- If it messes up, you may be able to restore from the recovery using 
the backup of the stock /data partition
- If it has messed up, or the filesystem isn't supported (differs?), you 
could then try mounting both filesystems, stock and unencrypted on a pc, 
and merging some of the files.
- You could then rinse and repeat using the modified/merged stock until 
it works.

This all assumes you do in-fact have a copy of the encrypted filesystem, 
ie. you took the backup before you flashed, or didn't overwrite the data 
partition when you flashed, and did in-fact get a good backup.

Bare in mind it all contains risk, not sure how big ... nothing in life 
is risk free & you know fosho I'm not liable :)

Josh

On 05/03/19 20:50, A. F. Cano wrote:
> 
> While strictly not a Replicant issue, I can't think of a more
> knowledgeable group of people than this list for this issue.
> 
> Actually, has anyone installed the latest Replicant on a Samsung
> Galaxy S T-959 (Vibrant)?  There! Now it's a little more
> Replicant-related.
> 
> Background:
> 
> Years ago I installed Cyanogenmod 10.1 (Android 4.2.2) on a Samsung
> Galaxy S T-959 Vibrant.
> Then I tried to make it more secure based on the instructions here:
> 
> https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy
> 
> The command to encrypt the whole disk in place is:
> 
> vdc cryptfs enablecrypto inplace NewMoreSecurePassword
> 
> The current issue:
> 
> I have recently encountered compatibility problems between DavDroid (1.9-ose)
> and the radicale server.  The problem is apparently due to some incompatibility
> of old event format ("can't compare offset-naive and offset-aware datetimes")
> so I start investigating and there is a newer version of DAVDroid, now called
> DAVx, but it fails to install.  It requires Android 4.4.  So I go looking and
> find that the latest Cyanogenmod for this device is 11 (Android 4.4.4).
> Bingo! I thought.  Then I try to do a backup from recovery mode
> (CWM-based-recovery v6.0.3.7) and encounter "Can't mount /data!".  Further
> research shows that this is due to the whole disk encryption  I find:
> 
> https://jomo.tv/android/remove-android-device-encryption
> 
> but it's quite involved.  At the end it says:
> 
>    Technically, there would be a more efficient way to achieve this
>    (i.e. without storing and restoring the partition) by doing the
>    reverse of Android’s inplace encryption: It would read each sector
>    of the block device, decrypt it, and write it back, but cryptfs
>    doesn’t implement it.
> 
> I was hoping for just such a command.
> 
> That page uses TWRP, which is not available for the Galaxy S (the oldest
> supported model is the Galaxy S2), so I can't use it as is.
> 
> I have extracted the /data directory/fs (in /dev/block/dm-2 per df)
> 
> $ adb pull /dev/block/dm-2 userdata.img
> 
> After extraction, file says:
> 
> $ file userdata.img
> userdata.img: Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
> 
> So it looks like I managed to extract the unencrypted partition.  I did this
> with the phone running (not in recovery mode) so that might be the reason for
> needing journal recovery: the FS was mounted and was probably modified during
> the operation.
> 
> So far everything I've done has been safe.  Since this is my primary phone I
> can't risk screwing it up or worse: brick it.  Has anyone done a complete
> backup from recovery (with ClockWorkMod)? Is it a complete backup?  Would the
> restore clobber parts of the upgraded OS and cause problems? But I'm getting
> ahead of myself.
> 
> As far as the un-encryption goes.  The above page's approach is to back up the
> /data partition and from recovery re-flash it.  Can this be done from
> ClockWorkMod?
> 
> These are the steps for using TWRP, after the original partition has been
> saved:
> 
>   select Wipe → Format Data
>     This step is required because it lets the OS know the data partition
>     is no longer encrypted
>   Reboot to bootloader: adb reboot bootloader
>   Write the image back to /data: fastboot flash userdata userdata.img
>   Reboot: fastboot reboot
> 
> Has anyone attempted this with ClockWorkMod?
> 
> Is there an alternative safe way to undo the whole-disk encryption?
> 
> I eagerly await any replies or hints.  I would like to backup the state of my
> phone before the upgrade, which means first undoing the encryption, then doing
> a complete backup, then doing the upgrade and then a complete restore.
> Projects always get bigger than originally thought.
> 
> Finally, has anyone installed the latest Replicant on a Galaxy S T-959?  I'd
> much rather go that route if possible, but at least it seems that Cyanogenmod
> 11 supports this old phone.
> 
> Thanks for any info!
> 
> _______________________________________________
> Replicant mailing list
> Replicant at osuosl.org
> https://lists.osuosl.org/mailman/listinfo/replicant
> 



More information about the Replicant mailing list