[Replicant] How to undo whole-disk-encryption?
Josh Branning
lovell.joshyyy at gmail.com
Wed Mar 6 18:37:43 UTC 2019
- It's good you've made a backup of the encrypted /data partition.
- Whatever you do, you will have to rewrite the /data partition in some
way to do this, regardless of whether it's in-place rewriting or not.
- You have installed a version of android that does not expect
encryption to be turned on.
- You are not writing to the recovery partition afaik.
- If you wanted to, you could backup the stock unencypted /data
partition also using adb
- To be safe, you could check using fdisk or file what type of
filesystem this is
- You could decrypt your filesystem.
- You could then check whether the stock unencrypted filesystem and your
now-unencrypted filesystem type matches.
- You could then attempt to restore your unencrypted filesystem
- If it messes up, you may be able to restore from the recovery using
the backup of the stock /data partition
- If it has messed up, or the filesystem isn't supported (differs?), you
could then try mounting both filesystems, stock and unencrypted on a pc,
and merging some of the files.
- You could then rinse and repeat using the modified/merged stock until
it works.
This all assumes you do in-fact have a copy of the encrypted filesystem,
ie. you took the backup before you flashed, or didn't overwrite the data
partition when you flashed, and did in-fact get a good backup.
Bare in mind it all contains risk, not sure how big ... nothing in life
is risk free & you know fosho I'm not liable :)
Josh
On 05/03/19 20:50, A. F. Cano wrote:
>
> While strictly not a Replicant issue, I can't think of a more
> knowledgeable group of people than this list for this issue.
>
> Actually, has anyone installed the latest Replicant on a Samsung
> Galaxy S T-959 (Vibrant)? There! Now it's a little more
> Replicant-related.
>
> Background:
>
> Years ago I installed Cyanogenmod 10.1 (Android 4.2.2) on a Samsung
> Galaxy S T-959 Vibrant.
> Then I tried to make it more secure based on the instructions here:
>
> https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy
>
> The command to encrypt the whole disk in place is:
>
> vdc cryptfs enablecrypto inplace NewMoreSecurePassword
>
> The current issue:
>
> I have recently encountered compatibility problems between DavDroid (1.9-ose)
> and the radicale server. The problem is apparently due to some incompatibility
> of old event format ("can't compare offset-naive and offset-aware datetimes")
> so I start investigating and there is a newer version of DAVDroid, now called
> DAVx, but it fails to install. It requires Android 4.4. So I go looking and
> find that the latest Cyanogenmod for this device is 11 (Android 4.4.4).
> Bingo! I thought. Then I try to do a backup from recovery mode
> (CWM-based-recovery v6.0.3.7) and encounter "Can't mount /data!". Further
> research shows that this is due to the whole disk encryption I find:
>
> https://jomo.tv/android/remove-android-device-encryption
>
> but it's quite involved. At the end it says:
>
> Technically, there would be a more efficient way to achieve this
> (i.e. without storing and restoring the partition) by doing the
> reverse of Android’s inplace encryption: It would read each sector
> of the block device, decrypt it, and write it back, but cryptfs
> doesn’t implement it.
>
> I was hoping for just such a command.
>
> That page uses TWRP, which is not available for the Galaxy S (the oldest
> supported model is the Galaxy S2), so I can't use it as is.
>
> I have extracted the /data directory/fs (in /dev/block/dm-2 per df)
>
> $ adb pull /dev/block/dm-2 userdata.img
>
> After extraction, file says:
>
> $ file userdata.img
> userdata.img: Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
>
> So it looks like I managed to extract the unencrypted partition. I did this
> with the phone running (not in recovery mode) so that might be the reason for
> needing journal recovery: the FS was mounted and was probably modified during
> the operation.
>
> So far everything I've done has been safe. Since this is my primary phone I
> can't risk screwing it up or worse: brick it. Has anyone done a complete
> backup from recovery (with ClockWorkMod)? Is it a complete backup? Would the
> restore clobber parts of the upgraded OS and cause problems? But I'm getting
> ahead of myself.
>
> As far as the un-encryption goes. The above page's approach is to back up the
> /data partition and from recovery re-flash it. Can this be done from
> ClockWorkMod?
>
> These are the steps for using TWRP, after the original partition has been
> saved:
>
> select Wipe → Format Data
> This step is required because it lets the OS know the data partition
> is no longer encrypted
> Reboot to bootloader: adb reboot bootloader
> Write the image back to /data: fastboot flash userdata userdata.img
> Reboot: fastboot reboot
>
> Has anyone attempted this with ClockWorkMod?
>
> Is there an alternative safe way to undo the whole-disk encryption?
>
> I eagerly await any replies or hints. I would like to backup the state of my
> phone before the upgrade, which means first undoing the encryption, then doing
> a complete backup, then doing the upgrade and then a complete restore.
> Projects always get bigger than originally thought.
>
> Finally, has anyone installed the latest Replicant on a Galaxy S T-959? I'd
> much rather go that route if possible, but at least it seems that Cyanogenmod
> 11 supports this old phone.
>
> Thanks for any info!
>
> _______________________________________________
> Replicant mailing list
> Replicant at osuosl.org
> https://lists.osuosl.org/mailman/listinfo/replicant
>
More information about the Replicant
mailing list