Monday, October 30, 2017

rooting - How to fix bootloop or decrypt /data in TWRP?


I am trying to recover the data from a default/factory encrypted Samsung Galaxy S7 Edge stuck in a bootloop (i.e., restarting endlessly when booting the system). It is using the stock ROM. Only the recovery (TWRP) and download mode are working. I need to either fix the bootloop or decrypt at least the data partition in TWRP (I know the lock pattern). Note: I know that the bootloop might be fixed by a factory reset, but that would result in data loss.


General info:


Model: SM-G935F
Codename: hero2lte

Android version: Stock 7.1.x (almost sure)
TWRP: 3.2.3-0

Install


I followed the adb guide and the install guide (only up to and including the twrp install; LineageOS was not installed).


After installing adb and heimdall on the pc, this is what was done on the phone:



  • Enter download mode

  • heimdall flash --RECOVERY twrp-3.2.3-0-hero2lte.img

  • Reboot into recovery



It kept saying it could not mount /system nor /data, but it never asked (and still doesn't) for the encryption password or anything. When trying to do a nandroid backup, Internal storage showed as 0 MB and it errored out.


Booting into the system worked without any issues.


Then, I tried installing (LineageOS') su, to be able to backup things properly using something like oandbackup or TitaniumBackup:



  • Boot into recovery

  • adb push addonsu-15.1-arm64-signed.zip

  • Install -> addonsu-15.1-arm64-signed.zip


I thought one of the following was going to happen:




  1. The write would work, and su would be available

  2. The write would work, and the stock rom would ignore it

  3. The write would fail, nothing would happen


It showed some errors about the partitions again (up to this point, I thought only the data partition was encrypted, not the system one).


I tried Reboot -> System, and what happened was:



  1. The device was (and still is) stuck in a bootloop



So I tried using LineageOS' su-removal:



  • Boot into recovery

  • adb push addonsu-remove-15.1-arm64-signed.zip

  • Install -> addonsu-remove-15.1-arm64-signed.zip


Yet, nothing seems to have changed. TWRP onscreen log:


Could not mount /data and unable to find crypto footer.
Failed to mount '/data' (Invalid argument)
Updating partition details...

Failed to mount /data (Invaild argument)
...done
Unable to mount storage
Failed to mount /data (Invaild argument)
Full SELinux support is present.
Unable to mount /data/media/TWRP/.twrps
MTP Enabled

Looking at /cache/recovery/log, it does not show /system as empty:


/system | /dev/block/sda14 | Size: 4132MB Used: 3987MB Free: 145MB Backup Size: 3987MB
Flags: Can_Be_Mounted Can_Be_Wiped Can_Be_Backed_Up Wipe_Available_in_GUI IsPresent Mount_Read_Only
Primary_Block_Device: /dev/block/sda14
Display_Name: System
Storage_Name: System
Backup_Path: /system
Backup_Name: system
Backup_Display_Name: System
Storage_Path: /system
Current_File_System: ext4
Fstab_File_System: ext4
Backup_Method: files

/data | /dev/block/sda18 | Size: 0MB Used: 0MB Free: 0MB Backup Size: 0MB
Flags: Can_Be_Mounted Can_Be_Wiped Can_Be_Backed_Up Wipe_During_Factory_Reset Wipe_Available_in_GUI IsPresent Can_Be_Encrypted Has_Data_Media Can_Encrypt_Backup Use_Userdata_Encryption Is_Storage Is_Settings_Storage
Symlink_Path: /data/media
Symlink_Mount_Point: /sdcard
Primary_Block_Device: /dev/block/sda18
Length: -20480
Display_Name: Data
Storage_Name: Internal Storage
Backup_Path: /data
Backup_Name: data
Backup_Display_Name: Data
Storage_Path: /data/media
Current_File_System: ext4
Fstab_File_System: ext4
Backup_Method: files
MTP_Storage_ID: 65537

But it shows nothing when trying to access it:



~ # ls -lah /system
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
drwxr-xr-x 2 root root 40 Jan 1 1970 .
drwxrwxrwt 24 root root 840 Sep 10 02:15 ..

Also in /cache/recovery/log:


I:Done processing fstab files
I:Setting up '/data' as data/media emulated storage.
I:Created '/sdcard' folder.
I:Can't probe device /dev/block/sda18
I:Unable to mount '/data'
I:Actual block device: '/dev/block/sda18', current file system: 'ext4'
I:Can't probe device /dev/block/sda18
I:Unable to mount '/data'
I:Actual block device: '/dev/block/sda18', current file system: 'ext4'
get_crypt_ftr_info crypto key location: 'footer'
Bad magic for real block device /dev/block/sda18
Could not mount /data and unable to find crypto footer.

I:Setting up '/data' as data/media emulated storage.
I:Can't probe device /dev/block/sda18
I:Unable to mount '/data'
# ...

Questions:




  • If it could not even mount the partition, how did it become soft bricked?

  • Does "Install" write anything anywhere else (excluding log entries, etc)?

  • Can it actually overwrite/damage the partition (or the block device directly) even when it cannot mount it?

  • Is there a way to debug the bootloop?

  • How could the bootloop be fixed?




Decrypt


So I tried decrypting the data partition to see if I could at least access it from TWRP, using these steps.


This is the pattern:


[_ 1 6]
[2 7 5]
[3 4 _]


Which means the code twrp uses (from 1 to 9) should be this: 2478635. So I tried:


~ # twrp decrypt 2478635
Attempting to decrypt data partition via command line.
Failed to decrypt data.

I also tried using the "native" code (from 0 to 8), to no avail:


~ # twrp decrypt 1367524
Attempting to decrypt data partition via command line.
Failed to decrypt data.


Looking at the partitions:


~ # ls -l /dev/block/platform/155a0000.ufs/by-name/
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
lrwxrwxrwx 1 root root 15 Sep 10 02:15 BOOT -> /dev/block/sda5
lrwxrwxrwx 1 root root 15 Sep 10 02:15 BOTA0 -> /dev/block/sda1
lrwxrwxrwx 1 root root 15 Sep 10 02:15 BOTA1 -> /dev/block/sda2
lrwxrwxrwx 1 root root 16 Sep 10 02:15 CACHE -> /dev/block/sda15
lrwxrwxrwx 1 root root 15 Sep 10 02:15 CPEFS -> /dev/block/sdd1
lrwxrwxrwx 1 root root 16 Sep 10 02:15 CP_DEBUG -> /dev/block/sda17
lrwxrwxrwx 1 root root 16 Sep 10 02:15 DNT -> /dev/block/sda10
lrwxrwxrwx 1 root root 15 Sep 10 02:15 EFS -> /dev/block/sda3
lrwxrwxrwx 1 root root 16 Sep 10 02:15 HIDDEN -> /dev/block/sda16
lrwxrwxrwx 1 root root 15 Sep 10 02:15 OTA -> /dev/block/sda7
lrwxrwxrwx 1 root root 15 Sep 10 02:15 PARAM -> /dev/block/sda4
lrwxrwxrwx 1 root root 16 Sep 10 02:15 PERSDATA -> /dev/block/sda13
lrwxrwxrwx 1 root root 16 Sep 10 02:15 PERSISTENT -> /dev/block/sda11
lrwxrwxrwx 1 root root 15 Sep 10 02:15 RADIO -> /dev/block/sda8
lrwxrwxrwx 1 root root 15 Sep 10 02:15 RECOVERY -> /dev/block/sda6
lrwxrwxrwx 1 root root 16 Sep 10 02:15 STEADY -> /dev/block/sda12
lrwxrwxrwx 1 root root 16 Sep 10 02:15 SYSTEM -> /dev/block/sda14
lrwxrwxrwx 1 root root 15 Sep 10 02:15 TOMBSTONES -> /dev/block/sda9
lrwxrwxrwx 1 root root 16 Sep 10 02:15 USERDATA -> /dev/block/sda18

Shows that sda14 is the system partition and that sda18 is the data partition. So I managed to pull /dev/block/sda14 and /dev/block/sda18:


adb pull /dev/block/sda14 sda14.img
# ...
adb pull /dev/block/sda18 sda18.img
/dev/block/sda18: 1 file pulled. 3.7 MB/s (26843545600 bytes in 6961.803s)

I verified that the SHA-1 hashes of the block device and the .img match, but I'm at a loss about how to decrypt them on the pc.


Question:


How could I decrypt them on Android/Linux/Windows?




Note: If this is too specific for this site, please comment where the appropriate forum would be. I know of the phone-specific xda, but that seems to be too generic. Any help is appreciated.
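
The "Bad magic" and "unable to find crypto footer" log lines above come from a check that can be repeated on the PC against the pulled sda18.img. The following is an added example, not part of the original post and not TWRP's code; it assumes the AOSP full-disk-encryption layout (footer magic 0xD0B5B1C4 in the last 16 KiB) and standard ext4 superblock offsets, and the entropy threshold and verdict strings are choices made for this sketch. A stock Samsung image may keep its encryption metadata elsewhere, in which case the footer check simply reports nothing.

```python
import io
import math
import struct
from collections import Counter

CRYPT_MNT_MAGIC = 0xD0B5B1C4   # magic of AOSP's struct crypt_mnt_ftr (assumed layout)
CRYPT_FOOTER_OFFSET = 0x4000   # AOSP keeps the footer in the last 16 KiB
EXT4_MAGIC_POS = 1024 + 56     # s_magic inside the ext4 superblock
EXT4_MAGIC = 0xEF53


def entropy(chunk):
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def triage(img, size):
    """Inspect a seekable binary stream holding a raw userdata image."""
    img.seek(EXT4_MAGIC_POS)
    raw = img.read(2)
    has_ext4 = len(raw) == 2 and struct.unpack("<H", raw)[0] == EXT4_MAGIC

    footer = None
    if size >= CRYPT_FOOTER_OFFSET:
        img.seek(size - CRYPT_FOOTER_OFFSET)
        hdr = img.read(8)
        if len(hdr) == 8:
            magic, major, minor = struct.unpack("<IHH", hdr)
            if magic == CRYPT_MNT_MAGIC:
                footer = (major, minor)

    img.seek(0)
    bits = entropy(img.read(4096))
    if has_ext4:
        verdict = "plain ext4"
    elif footer is not None:
        verdict = "AOSP FDE footer present"
    elif bits > 7.5:                      # heuristic threshold chosen for this sketch
        verdict = "ciphertext-like, no AOSP footer"
    else:
        verdict = "blank or damaged"
    return {"ext4": has_ext4, "footer": footer,
            "entropy": round(bits, 2), "verdict": verdict}


def triage_file(path):
    """Run the checks on an image file such as sda18.img (read-only)."""
    with open(path, "rb") as f:
        return triage(f, f.seek(0, io.SEEK_END))
```

Running `triage_file("sda18.img")` on a copy of the image separates three cases the logs cannot: a readable ext4 filesystem, ciphertext with or without an AOSP footer, and a start of partition that is blank or overwritten.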



