Related
Hi everyone,
I need to Format a SD Card (programatically ), and I havn't got the foggiest on where to start, I mean, do I need to build the whole structure on the card myself, or is there some API level I can go to to do the job.
Can anyone help me out here?
I just completed that from my linux box
I did this from my linux box to get set up for linux on the HTC apache and was listing all the gory details.
Code:
fdisk /dev/sdb //after verifiing itis correct device
p //print out partition table
d //delete existing partition if not 32M fat 16
n //new partition
p //primary
1 //number
<cr> //Accept default of first cylinder
+32M //make it 32M in size
t 6 //change it to fat16 type
n //create another partition
p //chose primary, even though it is callet ext3
2 //number it 2
<cr> //accept default
<cr> //to use rest of stick
t //set it's type
2 //select second partition
83 //type is linux (ext2 or ext3)
w // write table or you get to do it again
Unplug it and count to 5, plug it back in and cd /dev and "ls -al |grep sd"
it will probably be in a differnt location.
mkdosfs /dev/sdc1 //format the FAT16 partition In gentoo, this was in dosfstools'
mkfs.ext3 /dev/sdc2 //format the linux partition
//create a pair of mount points and mount them
cd /mnt
mkdir MiniSDDos
mkdir MiniSDLinux
mount /dev/sdc1 /mnt/MiniSDDos
mount /dev/sdc2 /mnt/MiniSDLinux
transfer rd,zimiage,default.txt and gnuharet-200603042123.exe to dos partition
Hello HTC Shift users,
I found how to visible recovery partition.
Warning;
I will no response for your data lost with this method.
Requirement;
1. ICC (IDE HDD Capacity Changer)
http://homepage3.nifty.com/k-takata/mysoft/icc.html
It's writen only Japanese.
Download icc007a.lzh and unpack ICC.EXE from archive.
2. TestDisk for DOS (Undelete partition)
http://www.cgsecurity.org/wiki/TestDisk_Download
Download testdisk-6.9.dos.zip and unpack TESTDISK.EXE and CWSDPMI.EXE from archive.
3. USB-FDD and One blank FD
How to;
1. Make MS-DOS startup disk
Connect USB-FDD to SHIFT and insert blank FD.
Format FD with checked "Create an MS-DOS startup disk" option.
Copy ICC.EXE, TESTDISK and CWSDPMI.EXE to startup disk.
2. Boot from startup disk
Restart SHIFT.
Press Fn+F10 on boot screen.
Select Boot from USB-FDD.
Wait command prompt "A:\>".
3. Change HDD size
Enter command as "ICC -i" for show HDD size ( keep this value for restore ).
> ModelNumber: "TOSHIBA MK4009GAL "
> Maximum Capacity (28bit LBA): 78126048 (38147MB)
> Current Capacity (28bit LBA): 71826615 (35071MB)
> Current Capacity (48bit LBA): 71826615 (35071MB)
Enter command as "ICC" and input new capacity as "max".
Restart SHIFT and boot from startup disk again.
4. Mount hidden partition
Enter command as "TESTDISK" for search and mount hidden partition.
> Results
> * HPFS - NTFS 0 1 1 4470 254 63 71826552 [HTCShift]
> NTFS, 36 GB / 34 GiB
> P FAT32 LBA 4471 0 1 4863 254 63 6313545 [NO NAME]
> FAT32, 3232 MB / 3082 MiB
Restart SHIFT.
After this procedure, you can show hidden partition as Local Disk(D.
Attention;
Recovery boot (Fn+F3) will be disable after visible hidden partition !
If you want to enable recovery boot, use "ICC" and enter "71826615LBA".
riki0081 from Japan.
riki0081 said:
...
3. Change HDD size
Enter command as "ICC -i" for show HDD size ( keep this value for restore ).
> ModelNumber: "TOSHIBA MK4009GAL "
> Maximum Capacity (28bit LBA): 78126048 (38147MB)
> Current Capacity (28bit LBA): 71826615 (35071MB)
> Current Capacity (48bit LBA): 71826615 (35071MB)
Enter command as "ICC" and input new capacity as "max".
Restart SHIFT and boot from startup disk again.
...
Click to expand...
Click to collapse
Hello Riki0081,
I've exactly the same numbers as yours but I'm getting a "Can't set max address" when I'm validating the 78126048 input.
Any suggestions?
(booting on Bootable USB dongle, with Win98 DOS system files, no config.sys/autoexec.bat)
Yann
YannR said:
Hello Riki0081,
I've exactly the same numbers as yours but I'm getting a "Can't set max address" when I'm validating the 78126048 input.
Any suggestions?
(booting on Bootable USB dongle, with Win98 DOS system files, no config.sys/autoexec.bat)
Yann
Click to expand...
Click to collapse
Hello Yann,
I show two answer for clear problems.
1) Enter "max". It's not number.
2) Enter "78126048LBA". The "LBA" is very important.
And if you enter number with ICC.EXE, you have to reboot.
You can change this number only one time without reboot.
best regards,
riki0081
riki0081 said:
Hello Yann,
I show two answer for clear problems.
1) Enter "max". It's not number.
2) Enter "78126048LBA". The "LBA" is very important.
And if you enter number with ICC.EXE, you have to reboot.
You can change this number only one time without reboot.
best regards,
riki0081
Click to expand...
Click to collapse
Hello Riki,
While you were kindly replying to me, I kept trying hard... I didn't saw your reply until I reach my goal.
By the way, I tried "78126048LBA" without success. I didn't try to input "max" but I guess entering equivalent number was ok. But still failing and getting the above error message...
So, I tried to launch ICC.EXE with the "-b" option (BigDisk mode) and I've got the change effective!
Switching Off and On the Shift and booting installed Vista. Going to "Disk Management" tool, "Extend Volume" up to the max... I've now +3GB space available to Vista! (to readers : make sure you have a Disk image to be used as Recovery tool)
Thank you for the tip and your help!
Yann
I maybe thick...
I have followed the directions to make the hidden partition. I can change the size of the HDD using ICC.exe but I get stuck on how to use TESTDISK to mount the hidden partition so that when Vista boots is see's the hidden partition as another drive. please help this novice.
CowboyJoe said:
I have followed the directions to make the hidden partition. I can change the size of the HDD using ICC.exe but I get stuck on how to use TESTDISK to mount the hidden partition so that when Vista boots is see's the hidden partition as another drive. please help this novice.
Click to expand...
Click to collapse
Hello CowboyJoe,
I feel sorry for delay response because I'm travelling without USB-FDD.
I try TESTDISK again and I found no problems. When you will get stuck ?
Run TESTDISK
[ Create ][ Append ][ No Log ] <- select No Log
Disk 80 - 40 GB / 37 GiB
[Proceed ][ Quit ] -< select Proceed
[Intel ] select here
[EFI GPT]
[Mac ]
[None ]
[Sun ]
[XBox ]
[Return ]
[ Analyse ] select here
[ Advanced ]
[ Geometry ]
[ Options ]
[ MBR Code ]
[ Delete ]
[ Quit ]
1 * HPFS - NTFS 0 1 1 4470 254 63 71826552 [HTCX9500]
[Quick Search] [ Backup ] <- select Quick Search
Should TestDisk search for partition created under vista ? [Y/N] <- Press N
Disk 80 - 40 GB / 37 GiB - CHS 4863 255 63
Partition Start End Size in sectors
* HPFS - NTFS 0 1 1 4470 254 63 71826552 [HTCX9500]
P FAT32 LBA 4471 0 1 4863 254 63 6313545 [NO NAME]
Enter: to continue
[ Quit ] [Deeper Search] [ Write ] <- select Write
riki0081
What to do with all the files off the hidden Partition
Thanks. I did the deeper search and found the 3gig partition. I selected it and did a "P" to list files. I then copied all the files and directories to the USB stick. The biggie is XVISTA.WIM which is approx. 2gig in size. Now how would I execute or launch the file to do an install on to a fresh HDD. I know that with the fresh HD I will not be able to do this like before using FN+F3. But thats ok. But at least I have a copy of the Initial Install of Vista Business for the Shift as it comes from the OEM.
CowboyJoe said:
Thanks. I did the deeper search and found the 3gig partition. I selected it and did a "P" to list files. I then copied all the files and directories to the USB stick. The biggie is XVISTA.WIM which is approx. 2gig in size. Now how would I execute or launch the file to do an install on to a fresh HDD. I know that with the fresh HD I will not be able to do this like before using FN+F3. But thats ok. But at least I have a copy of the Initial Install of Vista Business for the Shift as it comes from the OEM.
Click to expand...
Click to collapse
Hello CowboyJoe,
Do you want to copy files from hidden recovery partition to USB stick ?
Show this thread.
http://forum.xda-developers.com/showthread.php?t=393070
riki0081
Yes. That is what I am doing. After I backup and restore the hidden partition to a USB, how do I do the second part which is to restore MBR to track 0?
CowboyJoe said:
Yes. That is what I am doing. After I backup and restore the hidden partition to a USB, how do I do the second part which is to restore MBR to track 0?
Click to expand...
Click to collapse
Hello CowboyJoe,
I'm using Acronis True Image Home. When you restore from backup to USB drive,
you can select one option from two.
1) FAT32
2) MBR and Track 0
I attach screen capture of Acronis.
I feel sorry that I'm using Japanese version ( not English ).
You can not select both options at same time.
I recommend, restore FAT32 at 1st, restore MBR and track 0at 2nd.
riki0081
Thanks, I got it to work. I was able to reimage the HDD and get rid of the 3gig in hidden partition to provide more space.
Hi Riki0081...
I've problem..
With testdisk i've paste the two partition at the same, but my primary partition are ok..
Because now when i quick search the partition with testdisk i've one partition HPFS - NTFS with 71826552 and second partition HPFS - NTFS with 78126048...
In testdisk there's a tool i can restore mbr with backup... You have backup, or how i can solve this problem??? thanks!!!
killer_t said:
In testdisk there's a tool i can restore mbr with backup... You have backup, or how i can solve this problem??? thanks!!!
Click to expand...
Click to collapse
Hello killer_t,
I attach archived two files.
One is BACKUP.LOG for restore, another one is TESTDISK.LOG for information.
Would you restore yourself ?
best regards,
riki0081 from Japan
riki0081 said:
Hello killer_t,
I attach archived two files.
One is BACKUP.LOG for restore, another one is TESTDISK.LOG for information.
Would you restore yourself ?
best regards,
riki0081 from Japan
Click to expand...
Click to collapse
Thank you, yes i whant to restore my-self..
hi all
I need your help. I think that I have done all the procedure and I have stack to step 3. Change HDD size, when I must put the max capacity.
I have try all this :
"78126048LBA" (is the same as I sow with ICC -i)
"78126048 LBA"
"78126048"
"MAX"
every time whith reboot but nothing.....?
curent Capacity is 69304410 (33840MB) and my shift is the 9501 model
I can not change the maximum capasity and ofcource I can't see the RP.
(Sory for my bad english)
Please HELP
Hellllp deleted my Windows Vista & Recovery on HTC Shift
Help CowieBoy, can you do me a favor? I accidentally write on the Modified HD, now I lost the Windows Vista & Recovery File, can you please Upload all the Recovery File on Megaupload I now its a bit inconvenient but hope you can give it a try? Pls pls I really need your help & I would really appreciate it.
The biggie is XVISTA.WIM which is approx. 2gig in size. Now how would I execute or launch the file to do an install on to a fresh HDD. I know that with the fresh HD I will not be able to do this like before using FN+F3. But thats ok. But at least I have a copy of the Initial Install of Vista Business for the Shift as it comes from the OEM.
Hello,
Can you help me to solve my problem with my shift (I can't restore my Vista with Fn+F3, because il doesn't find anything...).
So I tried (hard) to make visible my recovery partition (I did it from a usb key bootable).
What I did is following the previous steps, and when I hit "write", there was a problem (no more Vista at bootup). But I recover from it and now, this is what I found doing the same steps :
ICC -i
>same things than before, same characteristics
ICC -b
>78126048LBA
and it says "Capacity is changed. Reboot".
TestDisk
I did everything 'till :
> * HPFS-NTFS 0 1 1 4861 254 63 78107967
This is different from what I'm supposed to have, because there is one missing...
After a "Deeper search" : I have 5 lines instead of 2 in your example...
> HPFS-NTFS 0 1 1 4861 254 63 78107967
> HPFS-NTFS 0 32 33 4470 254 63 71824567 [Systeme]
> HPFS-NTFS 0 32 33 4470 254 63 71824567 [Systeme]
> FAT32 LBA 4471 0 1 4863 30 62 6299432 [no name]
> FAT32 LBA 4471 0 1 4863 30 62 6299432 [no name]
What is my problem, because, of course, I can't see the hidden partition...
Thank you.
Soween said:
Hello,
Can you help me to solve my problem with my shift (I can't restore my Vista with Fn+F3, because il doesn't find anything...).
So I tried (hard) to make visible my recovery partition (I did it from a usb key bootable).
What I did is following the previous steps, and when I hit "write", there was a problem (no more Vista at bootup). But I recover from it and now, this is what I found doing the same steps :
ICC -i
>same things than before, same characteristics
ICC -b
>78126048LBA
and it says "Capacity is changed. Reboot".
TestDisk
I did everything 'till :
> * HPFS-NTFS 0 1 1 4861 254 63 78107967
This is different from what I'm supposed to have, because there is one missing...
After a "Deeper search" :
> HPFS-NTFS 0 1 1 4861 254 63 78107967
> HPFS-NTFS 0 32 33 4470 254 63 71824567 [Systeme]
What is my problem, because, of course, I can't see the hidden partition...
Thank you.
Click to expand...
Click to collapse
You have wrong to digit ICC -b
Your recovery partition now are destroyed...
If you want put all file in hidden partition and recompile it with bartpe do this:
Run TESTDISK
[ Create ][ Append ][ No Log ] <- select No Log
Disk 80 - 40 GB / 37 GiB
[Proceed ][ Quit ] -< select Proceed
[Intel ] select here
[EFI GPT]
[Mac ]
[None ]
[Sun ]
[XBox ]
[Return ]
[ Analyse ] select here
[ Advanced ]
[ Geometry ]
[ Options ]
[ MBR Code ]
[ Delete ]
[ Quit ]
1 * HPFS - NTFS 0 1 1 4470 254 63 71826552 [HTCX9500]
[Quick Search] [ Backup ] <- select Quick Search
Should TestDisk search for partition created under vista ? [Y/N] <- Press N
Disk 80 - 40 GB / 37 GiB - CHS 4863 255 63
Partition Start End Size in sectors
* HPFS - NTFS 0 1 1 4470 254 63 71826552 [HTCX9500]
P FAT32 LBA 4471 0 1 4863 254 63 6313545 [NO NAME]
[ Quit ] [Deeper Search] [ Write ] <- select Deeper Search
run totally deepersearch, and you have to find the fat32 [NO NAME] partition, and if you don't find the hpfs [HTCX9500] partition you have to create one..
Select [HTCX9500] primary bootable, and [NO NAME] primary
Write partition table and reboot.
Now you can see the HPA partition, but you can't use that in future with FN+F3!!
Sorry, I was typing the final "deepersearch" thing when you answered, it changes a little what you are saying, sorry...
Soween said:
Sorry, I was typing the final "deepersearch" thing when you answered, it changes a little what you are saying, sorry...
Click to expand...
Click to collapse
Typing deeper search, but you have to wait ALL searching time (100%)
hy cracks
I have a car radio with windows ce - manufacturer lg.
I would like to customize the firmware upgrade (change images....).
somebody has an idea how I can unpack the upgrade.LGU file and pack again later?
can´t find tools for this
thank you for your help
voila !
nordic09 said:
hy cracks
I have a car radio with windows ce - manufacturer lg.
I would like to customize the firmware upgrade (change images....).
somebody has an idea how I can unpack the upgrade.LGU file and pack again later?
can´t find tools for this
thank you for your help
Click to expand...
Click to collapse
here you go - download attachment
it's a tool to convert lgu files to directory and vice versa
to be used in command line this way:
lgu2dir <path to lgu file> <path to folder where where the contents will be unpacked>
ex: lgu2dir upgrade.lgu root
lost_things said:
here you go - download attachment
it's a tool to convert lgu files to directory and vice versa
to be used in command line this way:
lgu2dir <path to lgu file> <path to folder where where the contents will be unpacked>
ex: lgu2dir upgrade.lgu root
Click to expand...
Click to collapse
thank you - you are my hero
the tool works great
you know a way to convert the files back to a lgu-file too?
nordic09 said:
thank you - you are my hero
the tool works great
you know a way to convert the files back to a lgu-file too?
Click to expand...
Click to collapse
yes, see the attachment
Usage: dir2lgu <content name> <in folder> <out lgu file>
thank you again lost_things
lost_things said:
yes, see the attachment
Usage: dir2lgu <content name> <in folder> <out lgu file>
Click to expand...
Click to collapse
Unfortunately dir2lgu does not work on windows xp.
Can you make a version that also works on my old operating system.
Thank you.
need working windows version this one is not win32 valid application or i miss something
thanks
changing only one file within the LGU without extracting anything is possible?
Hello guys, first thanks for the help with the file compression and decompression of the LGU, but I have a problem when compressing the file again made a change in one of the firmware files and recompile the file is not accepted as update my device I believe it has something to do dir2lgu different from the original build program which makes it invalid on the device, so I wonder if there is any header possibilidede the only LGU that change a file without extract, because I need to unlock a device and only need need to change an exe within the LGU, is this possible? who developed these programs that kind of compression they use? I'm 3 months in search of a solution and nothing would be grateful for an answer that will help many people.
need a new lgu2dir for a newer version of .lgu files
Hello guys,
seems like lg made a new version of the car radio with windows ce, and the new .lgu files can not be opened by the old tools.
Thanks.
Same here, new version of lgu, cannot be opened, file signature (or magic number if u prefer) is now ULC2.
And the archive in the lgu container is no more RAR but a Zip tipe, as usual seen inside the file with the hex editor, i tried to cut out the archive but archive won't work i suspect that's somenthing like a byte shift or other kind of "protection".
I have spotted that at address from block 18 to 1B is stored that crc in reverse way.
But i'm not found the way to recover the internal archive.
@lost_things Did you have a new version? (If u are still around here, seems that these posts are the only 2 that you are ever made )
Thank you in advice.
@viberfm
Are you working with new medianav evolution firmware too?
New lgu tools available
Warm thanks ! You made a really great job djeman !!
Works perfectly both for 'old' and 'new' files. Be careful to position appropriate 'content-name' and 'label' when recompressing, your car application may need it to work appropriately.
Hi,
@djeman the new dir2lgu.exe, don't get any options, if you try to pass -l o -u, don't care it create always an lgu0 type, and -n and -p don't work at all, i hope u can fix it.
Thank you for you work anyway
sala_test said:
Hi,
@djeman the new dir2lgu.exe, don't get any options, if you try to pass -l o -u, don't care it create always an lgu0 type, and -n and -p don't work at all, i hope u can fix it.
Thank you for you work anyway
Click to expand...
Click to collapse
+1 same here.
Sorry but all works fine
I'm trying right now in win 7 and win 10, with -u option it crate a lgu0 file, with -n something, it show me the help like I have put something wrong, lgu2dir instead works fine.
@djeman
Tested now:
-u ulc2 format not work as you can see here
Code:
E:\testxda>dir2lgu.exe -u test test.lgu
creating C:\Temp\TFRC451.tmp
file test.txt crc 0
file C:\Temp\TFRC451.tmp crc 8bb6d8f8
E:\testxda>dir
Il volume nell'unità E è Volume
Numero di serie del volume: 7807-6F2B
Directory di E:\testxda
19/05/2016 16:37 <DIR> .
19/05/2016 16:37 <DIR> ..
19/05/2016 16:36 123.392 dir2lgu.exe
19/05/2016 16:36 96.256 lgu2dir.exe
19/05/2016 16:36 <DIR> test
19/05/2016 16:37 1.152 test.lgu
E:\testxda>type test.lgu
LGU0 Ç °ÏÂï 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■- u ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ d▀4DÐ%■ñ╠$‗<í×êÑÆRFyµ+UÊÜØrj½‗┬_8█wÌPG5c%\▄os0╦Ë·ZÉeÍ░:Llü└ │¤=W Rar!»è╝Ý╝ìyRíù┴2NáÑ[¹z`L"µ█"NzDO┐ª┤ï\÷iå^¹Ï2e
and with -n don't do nothing like you can see here:
Code:
E:\testxda>dir2lgu.exe -n comment test test.lgu
Usage: dir2lgu [options] <content name> <in folder> <out lgu file>
-n <name> name label (" " by default)
-l lgu0 format (default)
-u ulc2 format
-p <m1|m2> preset medianav 1 or 2
Arf ... I forget to protect the execution when one argument is missing ^^
Usage: dir2lgu [options] <content name> <in folder> <out lgu file>
-n <name> name label (" " by default)
-l lgu0 format (default)
-u ulc2 format
-p <m1|m2> preset medianav 1 or 2
Click to expand...
Click to collapse
In "dir2lgu.exe -u test test.lgu":
[options] = -u
<content name> = test
<in folder> = test.lgu
<out lgu file> =
And for "dir2lgu.exe -n comment test test.lgu" you have make the same mistake, one argument is missing
djeman said:
Arf ... I forget to protect the execution when one argument is missing ^^
In "dir2lgu.exe -u test test.lgu":
[options] = -u
<content name> = test
<in folder> = test.lgu
<out lgu file> =
And for "dir2lgu.exe -n comment test test.lgu" you have make the same mistake, one argument is missing
Click to expand...
Click to collapse
Oh crap, I have confused the -n option with the <content name>, so to put the content name name i use -n :silly: Ok i made a big mistake, but i'm happy that i'm not the only one, seems that @sala_test had done the same mistake
Ok, so, to avoid other mistakes, what is the -n option "label"? And what is the difference to use -l and -u instead of -p m1 or m2?
Anyway i'm a dumbass , thank you for your work
'dir2lgu -p m1 <content name> <in folder> <out lgu file>' is equal to 'dir2lgu -l -n "*MEDIA-NAV*" <content name> <in folder> <out lgu file>'.
'dir2lgu -p m2 <content name> <in folder> <out lgu file>' is equal to 'dir2lgu -u -n "*MEDIA-NAV2*" <content name> <in folder> <out lgu file>'.
Do not use -p option with an another, it's just for rapid preset.
"content name" is the name of the content of your update, the name shows on the device in the update dialog.
"name label" ... it's a device label, this label is used by the update software, it's a protection to not flash a bad update. All devices do not use it.
Ok @djeman thanks for explaination, thank you
Inviato dal mio Asus Zenfone 2
The Clarity Ensemble phone is an Android-based captioning land-line phone. The newest model has an 8" touchscreen. Older model has 7" touchscreen. It comes with an app that runs at startup and keeps you from gaining access to the Android home screen or any other Android apps or settings. While booting up you momentarily see the time and can pull down to touch on Settings and bring up the regular Android settings but very soon as the boot process continues the splash screen and later the ThorB app will take over the screen.
In order to telnet to the device, you first need to start telnetd running on the Ensemble. This can be done by configuring your computer to appear to the Ensemble to be the update server. I directly connected the phone to a laptop Ethernet port. On the laptop, I installed a DHCP server, a DNS server, and a web server. I am running Windows and I used "DHCP Server for Windows" version 2.5.1, ApateDNS, and WWebserver with PHP 5.4.45. I set the laptop to a static IP of 8.8.4.4 since Wireshark revealed that the Ensemble was using that as the DNS server. I set ApateDNS server to return 8.8.4.4 as the IP address for all queries.
In my htdocs folder, I created a directory called thorbfota and inside that a directory called purple_prod. Inside purple_prod I created three files, download_file.php, query_site.php, and query_versions.php.
Code:
<?php
//download_file.php
ignore_user_abort(true);
set_time_limit(0);
//Replace with actual path to your files
$path = "C:/Users/User/Documents/ClarityEnsembleFiles/";
$dl_file = preg_replace("([^\w\s\d\-_~,;:\[\]\(\).]|[\.]{2,})", '', $_GET['filename']);
$dl_file = filter_var($dl_file, FILTER_SANITIZE_URL);
$fullPath = $path.$dl_file;
if ($fd = fopen ($fullPath, "r")) {
$fsize = filesize($fullPath);
$path_parts = pathinfo($fullPath);
$ext = strtolower($path_parts["extension"]);
switch ($ext) {
case "pdf":
header("Content-type: application/pdf");
header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
break;
case "bin":
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
break;
case "zip":
header("Content-type: application/zip");
header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
break;
case "apk":
header("Content-type: application/vnd.android.package-archive");
header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
break;
//Add more headers for other content types here
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"".$path_parts["basename"]."\"");
break;
}
header("Content-length: $fsize");
header("Cache-control: private");
while(!feof($fd)) {
$buffer = fread($fd, 2048);
echo $buffer;
}
}
fclose ($fd);
exit;
Code:
<?php
//query_site.php
//This forum would not allow me to post links since this is my first post.
//Feel free to move the "h" below right up against the "ttp..."
echo "h" . "ttp://clarityengineering.us/thorbfota/purple_prod/";
?>
Code:
<?php
//query_versions.php
//Replace with actual path to your files
$path = "C:/Users/User/Documents/ClarityEnsembleFiles/";
//Replace file versions with your current version numbers
//To cause phone to update a file, use a number larger that the current version
$file = "ThorB.apk";
$file_ver = "2.63";
$fullPath = $path.$file;
echo $file . "=" . $file_ver . "," . strtoupper(md5_file($fullPath)) . "|\r";
$file = "thorb-ota.zip";
$file_ver = "20150305.182516";
$fullPath = $path.$file;
echo $file . "=" . $file_ver . "," . strtoupper(md5_file($fullPath)) . "|\r";
$file = "dcx.bin";
$file_ver = "b033";
$fullPath = $path.$file;
echo $file . "=" . $file_ver . "," . strtoupper(md5_file($fullPath)) . "|\r";
$file = "eep.bin";
$file_ver = "be25";
$fullPath = $path.$file;
echo $file . "=" . $file_ver . "," . strtoupper(md5_file($fullPath)) . "|\n";
echo "survey=0,0|";
?>
I found that eep.bin was actually just a shell script that is downloaded to the device and run as root. I put my update files in "C:\Users\User\Documents\ClarityEnsembleFiles" but you can put them anywhere you like, just make sure to update the php files above to reflect their location. So far I have only used eep.bin but to keep my php script happy I also created placeholder files, dcx.bin, thorb-ota.zip, and ThorB.apk and placed them with eep.bin in my ClarityEnsembleFiles folder. Below is my eep.bin that starts telnet and simulates pressing the Home button. Just touch "Home Sample" when the "Complete action using" window pops up on the Ensemble. The semicolon at the end of the line avoids having the carriage return kill the command. Alternatively, you could run dos2unix on the eep.bin file and not need the semicolon at the line end.
Code:
#eep.bin
telnetd -l /system/bin/sh;am start -a android.intent.action.MAIN -c android.intent.category.HOME;
Every time you change the eep.bin file and want to run it on the phone make sure to close the Software upgrade screen and touch "Check now" button and then "Upgrade" button.
To install apps on the phone, first download the apk file to the phone with wget and then run "pm install -r YourApp.apk".
I have not found a physical Home, Back or Menu button on the phone so one of the first things you may want to install is a software solution for those. I installed "To Home" and it didn't work when configured with the root option for "Floating Buttons". It works fine when configured with the non-root option for "Floating Buttons". I have not tried any of the several other soft button apps available.
There is a 14 pin connector on the underside of the phone that presumably is used in the factory to connect to a dock for programming. I have not investigated the function of any of the pins but I suspect USB is there as well as possibly serial port(s) and maybe JTAG.
Before connecting the phone to the internet, you probably will want to either disable/uninstall the ThorB.apk app or create a firewall on the phone or on your router to keep it from being able to automatically update and from being able to report back to it's maker.
Besides being available for purchase, the phone is also available from ClearCaptions at no charge if you provide them with a 3rd party certification of being hard of hearing.
As far as using the phone, "Federal law prohibits anyone but registered users with hearing loss from using this device with the captions on." So if your hearing it fine, make sure to turn captions off or don't turn them on.
Telnet is great but I wanted a more secure connection to the phone so I set up an Android cross-compiler and compiled the latest version of dropbear (dropbear-2016.73). I don't have a 64-bit computer so in order to use the latest version of the Android toolchain, I had to boot into Windows and install Cygwin.
Thanks to serasihay for patches to an earlier version of dropbear. I adapted them to work with the latest version of dropbear. The patch can be found by searching dropbear-2016.73-android-20160427.patch on pastebin. Most of the warnings generated during compile were from pre-patched dropbear code and can be viewed on pastebin by searching for "Compile warnings for compiling dropbear-2016.73.android"
After setting up the toolchain, dropbear can be compiled with the following commands:
Code:
tar jxf dropbear-2016.73.tar.bz2
cd dropbear-2016.73
patch -p1 < /path/to/patch/dropbear-2016.73-android-20160426.patch
./configure --build=x86-windows --host=arm-linux-androideabi --disable-zlib --disable-largefile --disable-loginfunc --disable-shadow --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx --disable-pututline --disable-pututxline --disable-lastlog
make MULTI=1 SCPPROGRESS=1 PROGRAMS="dropbear dropbearkey scp dbclient"
arm-linux-androideabi-strip.exe dropbearmulti
This generates a single binary file, dropbearmulti which you will want to copy to the phone to /system/xbin/dropbearmulti. Next, you will want to create symbolic links like this:
Code:
cd /system/xbin
ln -s dropbearmulti dbclient
ln -s dropbearmulti dropbear
ln -s dropbearmulti dropbearkey
ln -s dropbearmulti scp
I should probably redo the patch to enable the -R option to create the host keys but for now you can do it with:
Code:
mkdir /etc/dropbear
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
To start dropbear every time the phone boots, I put my startup command in /system/etc/install-recovery.sh since it is called by init.rc. I would have put it straight in init.rc but init.rc is recreated from boot.img every boot and I didn't feel like getting into changing boot.img yet. Just make sure to make install-recovery.sh executable. The following line is what I use to start dropbear:
Code:
dropbear -A -N root -R /data/.ssh/authorized_keys -U 0 -G 0
Next you will need to copy your public key(s) into /data/.ssh/authorized_keys. You should now be able to ssh to your Clarity Ensemble phone. You can also use scp to copy files to and from the phone. If you use Putty pscp to transfer files, make sure to use the -scp option to force SCP protocol. If not, you will get the error "/usr/libexec/sftp-server: not found" since pscp tries to use sftp which is not installed on the phone.
So can you post a video or pics of what the device screen looks like now? can you actually use the device as a tablet?
It's surprising that a bunch of people are interested in this article. But I have to say that some processes I mentioned in this article just happened to work. I don't necessarily understand why they work, which also means they probably cannot be generalized to any devices. Google is making security patches to every Android releases, which break some procedures in this article, including the vdc command. For anyone who wants to recover data from an encrypted device, I'm afraid you might have to do your own research such as reading the AOSP source code, because I havn't been following the changes in AOSP since this article was written, and sorry I cannot provide useful information. Finally I hope this article is helpful in some way and good luck.
-----------------------------------------------------------------------------------------------------------
About a year ago I encountered such a problem: https://forum.xda-developers.com/mate-9/help/mate-9-how-to-decrypt-fbe-encrypted-t3735545
To summarize, I flashed a newer ROM with the file encryption enabled, while I already had my phone decrypted (userdata was not encrypted). I forced rebooted my phone when it was booting and encrypting my files. As a consequence, I couldn't unlock my phone or access the encrypted files.
This guide is about how to retrieve these encrypted files.
Requirements:
Device: Huawei Mate 9 MHA-AL00
ROM: EMUI 5.0.1 B233
(This guide might also work on other Huawei devices or other EMUI 5.)
Please make sure that your device is "decrypted" (i.e. boot without "fileencryptioninline" option), rooted, has busybox installed and avaliable for using.
A complete userdata partition image that you need to decrypt. Usually you can make this image in TWRP using dd command.
(In this guide, you are supposed to dump the encrypted userdata partition and flash another usable system)
A terminal APP (like juicessh) to execute commands. Alternatively, you can use adb shell.
Backup your current data, just in case.
A linux system (I'm using ubuntu 1804 as example).
(hopefully) you are familiar with some linux commands.
Notes:
If you encounter such situation (I described at the beginning), you can probably try to fix the system first (for example, make a backup and delete /data/system/gatekeeper.password.key and /data/system/gatekeeper.pattern.key to disable lock screen password).
Encryption option:
There is a mount option called "fileencryptioninline" in fstab.hi3660 in rootfs of origin kernel, which could be recognized by init so that it can control whether to perform a file based encryption (FBE). Removing this option (or changing to "encryptable"?) can disable FBE (before userdata partition is encrypted).
How does FBE encrypt files:
Google has developed fscrypt in linux kernel to implement FBE. To use fscrypt, a key with description "fscrypt:xxxxx" should be added to kernel, where "xxxxx" is a 8 byte value in HEX format. This value is unique and used to identify encryption policy. f2fs can retrieve this key. If we want to encrypt some files, we use ioctl to set an encryption policy (which is the 8 byte value) to an empty directory. The files copied to it will be encrypted by the cooresponding key. If we access an encrypted file, f2fs will get its encryption policy and find the key that matches this policy. This key will be used to decrypt the file. Multiple keys and policies are allowed.
In order to protect the fscrypt keys (I described above), FBE uses keymaster to encrypt and store them to userdata partition. A set of encrypted keys usually consists these files: "encrypted_key" "keymaster_key_blob" "secdiscardable" "stretching" "version". Keymaster is able to use them and communicate with a hardware based Trusty TEE to obtain the real key for fscrypt. The decryption is related to hardware so only the device which creates these keys are able to decrypt them.
FBE has at least 3 sets of keys. (assumed that you are user 0):
global device key (global DE): stores in /data/unencrypted/key.
Policy: all directories in /data other than "lost+found", "system_ce", "system_de", "misc_ce", "misc_de", "media", "data", "user", "user_de".
device key (DE): stores in /data/misc/vold/user_keys/de/0.
Policy: usually the directories ended with "_de".
candidate key (CE): stores in /data/misc/vold/user_keys/cd/0/current.
Policy: usually the directories ended with "_ce" and /data/data, /data/media/0.
Please note that CE and DE keys should have already been encrypted by Global DE key
vold (looks like volume daemon)
vold is the volume manager of android (and it runs as a daemon). It can be controlled by vdc (volume daemon control?). In the source code of vold there is a command listener which defines the avaliable commands of vdc. vold controls the key management of FBE.
Steps:
Create a keyring called "e4crypt".
Unfortunately, android does not have a tool to manipulate linux key-management facility. To add this keyring, I'm using "add_key" system call.
A sample program and sample operations:
Code:
#include <stdio.h>
#include <unistd.h>
#include <linux/keyctl.h>
#include <sys/syscall.h>
int main() {
int ret = syscall(__NR_add_key, "keyring", "e4crypt", NULL, 0, KEY_SPEC_USER_SESSION_KEYRING);
if (ret != -1) {
printf("Successfully created keyring \"e4crypt\"\n");
}
else {
perror("add_key");
}
return 0;
}
Compile this code and run it on your phone. You can use android NDK to compile it. (Actually I think any arm/arm64 toolchain for linux will work). I don't want to download a very large NDK so I'm using gcc-aarch64-linux-gnu.
On ubuntu 1804:
(Use "sudo apt install gcc-aarch64-linux-gnu" to install this toolchain)
Code:
[email protected]:~/add_keyring$ cat add_keyring.c
#include <stdio.h>
#include <linux/keyctl.h>
#include <sys/syscall.h>
int main() {
int ret = syscall(__NR_add_key, "keyring", "e4crypt", NULL, 0, KEY_SPEC_USER_SESSION_KEYRING);
if (ret != -1) {
printf("Successfully created keyring \"e4crypt\"\n");
}
else {
perror("add_key");
}
return 0;
}
[email protected]:~/add_keyring$ aarch64-linux-gnu-gcc -static add_keyring.c -o add_keyring
[email protected]:~/add_keyring$ ls
add_keyring add_keyring.c
On your phone (adb shell):
Assume that we've already placed the "add_keyring" executable binary in /data/add_keyring
Code:
HWMHA:/ $ su
HWMHA:/ # cd /data
HWMHA:/data # ls -l add_keyring
-rw-r--r-- 1 root root 546888 2018-12-29 23:31 add_keyring
HWMHA:/data # chmod +x add_keyring
HWMHA:/ # cat /proc/keys
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 1
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
HWMHA:/data # ./add_keyring
Successfully created keyring "e4crypt"
HWMHA:/data # cat /proc/keys
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: empty
HWMHA:/data #
This step is completed if you see a keyring called "e4crypt".
Mount the partition image to your device.
You can copy the image file to a USB storage device and use otg so that you can access the partition image on your phone (but it seems to be unstable). In this guide I'll mount a samba share which contains that image on my phone.
My operation logs:
On ubuntu:
I've created a samba share called "image" which points to the directory containing that partition. The partition image file is called "sdd46". The IP address of this computer is 192.168.1.120
On your phone:
Prepare the partition image (sdd46):
Code:
HWMHA:/ $
HWMHA:/ $ su
HWMHA:/ # mkdir /computer
mkdir: '/computer': Read-only file system
HWMHA:/ # busybox mount -o remount,rw /
HWMHA:/ # mkdir /computer
HWMHA:/ # busybox mount -t cifs -o nolock,username=nobody '\\192.168.1.120\image' /computer
HWMHA:/ # ls /computer
sdd46
Mount this image (the "force_no_inline_enc" option is required):
Code:
HWMHA:/ # mkdir /decrypt_data
HWMHA:/ # busybox mount -t f2fs -o ro,force_no_inline_enc /computer/sdd46 /decrypt_data
Check if your image is successfully mounted:
Code:
HWMHA:/ # ls /decrypt_data/
adb camera fusion_daemon_rpipe inv_ipld_wpipe mediadrm ramdump system update
anr cota fusion_daemon_wpipe ioloader misc resource-cache system_ce user
apkpush cust gps ivp misc_ce samba system_de user_de
app cust_ver.bin hcs keyie misc_de sec_storage_data t vsftpd
app-asec custom.bin hisi_logs libnfc-nxp.conf nfc security takess vsftpd.conf
app-ephemeral dalvik-cache hw_init light nvram share takess.sh
app-lib daniuc.dex hwzd_logs local offlinelogs skin themes
app-private data img log ota ss timetest
app_acc drm inotify lost+found pppd_via su.img tmp
backup encrypted_flag inputie lp product.bin suhide.img tombstones
bootchart fpie inv_ipld_rpipe media property supersu unencrypted
HWMHA:/ # cd /decrypt_data/
HWMHA:/decrypt_data # cd misc
misc/ misc_ce/ misc_de/
HWMHA:/decrypt_data # cd misc
HWMHA:/decrypt_data/misc # ls vold
yVsKT2+BrPIOKcQdVYyetC
You can see an encrypted directory in /decrypt_data/misc/vold, which stores the CE and DE keys. If you can't find this directory, it might not be encrypted and should located in /decrypt_data/unencrypted/data/misc/vold.
Install Global DE key:
You need to copy global DE key to /data/unencrypted and execute:
Code:
vdc --wait cryptfs enablefilecrypto
My operation logs:
Copy Global DE key to /data/unencrypted:
Code:
HWMHA:/ $ su
HWMHA:/ # cd /data
HWMHA:/data # mkdir unencrypted
HWMHA:/data # cd unencrypted
HWMHA:/data/unencrypted # ls
HWMHA:/data/unencrypted # cp -nr /decrypt_data/unencrypted/key ./
HWMHA:/data/unencrypted # ls
key
HWMHA:/data/unencrypted # ls key
encrypted_key keymaster_key_blob secdiscardable stretching version
encrypted_key.backup keymaster_key_blob.backup secdiscardable.backup stretching.backup version.backup
then, install this key:
Code:
HWMHA:/data/unencrypted # cat /proc/keys
032c30ec I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: empty
HWMHA:/data/unencrypted # vdc --wait cryptfs enablefilecrypto
200 3966 1
HWMHA:/data/unencrypted #
HWMHA:/data/unencrypted # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 1
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
You can see a new key "fscrypt:773e9f60adca3172" is added to kernel.
Check if you can access CE and DE keys and copy them to /data/misc/vold
My operation logs:
Check if you can access CE and DE keys:
Code:
HWMHA:/data/unencrypted # cd /decrypt_data/misc
HWMHA:/decrypt_data/misc # ls vold
user_keys
Copy CE and DE keys to the right location:
Code:
HWMHA:/decrypt_data/misc # cd /data/misc/vold
HWMHA:/data/misc/vold # ls
bench
HWMHA:/data/misc/vold # cp -nr /decrypt_data/misc/vold/user_keys .
HWMHA:/data/misc/vold # ls
bench user_keys
HWMHA:/data/misc/vold # cd user_keys
HWMHA:/data/misc/vold/user_keys # ls
ce de
HWMHA:/data/misc/vold/user_keys # cd de/0/
HWMHA:/data/misc/vold/user_keys/de/0 # cat version
1HWMHA:/data/misc/vold/user_keys/de/0 #
HWMHA:/data/misc/vold/user_keys/de/0 #
Install DE key
Just set ro.crypto.type to "file" and execute this command:
Code:
vdc --wait cryptfs init_user0
My operation logs:
Before installing DE key you will see some ecrypted files protected by it.
Code:
HWMHA:/decrypt_data/user_de/0 # ls
++gBT,VFvFeD,vgVoSVpUqeDNoC Wno64AdMq3Wde+F8LqWYvWiAFaFIiU810wX84B
+ExRFZKrTrX5PAZWjgzJKV26in24FxSt Ws+aoxf5sborLpV0EZLhvA
+Lyki0vu0dbWrX5PvAq3g932ONE WyHV8MQblZaCmdNpO6WPQSN1TgQoGxzw3mn4vB
+T95aXkKGnakajMwgSxcblTh0+8Vp3RI X0WDXQ5BsVDV6u45CJ9etzjba9JkWeQG
..............
Check the keys in kernel:
Code:
HWMHA:/decrypt_data # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 1
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
You'll need to set a property before installing the key.
Code:
HWMHA:/decrypt_data # getprop ro.crypto.type
HWMHA:/decrypt_data # setprop ro.crypto.type file
HWMHA:/decrypt_data # getprop ro.crypto.type
file
HWMHA:/decrypt_data # vdc --wait cryptfs init_user0
200 10711 Command succeeded
HWMHA:/decrypt_data # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 2
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
3c670371 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:521acd13c187513c: 72
HWMHA:/decrypt_data #
Check whether you can access the files protected by DE key.
Code:
HWMHA:/decrypt_data #
HWMHA:/decrypt_data # cd user_de/0
HWMHA:/decrypt_data/user_de/0 # ls
abcmeasurecorp.com.measureit com.huawei.bluetooth
androdns.android.leetdreams.ch.androdns com.huawei.ca
android com.huawei.camera
androidhwext com.huawei.compass
..............
Install CE key.
Just execute this command:
Code:
vdc --wait cryptfs unlock_user_key 0 0 "" ""
The last two arguments are empty strings.
My operation logs:
Before installing CE key you'll find some encrypted files protected by it.
Code:
HWMHA:/decrypt_data # cd media/0
HWMHA:/decrypt_data/media/0 # ls
0M8msgkIuhwegkVYqu2zvC OK0B0zzWFSQ5pDHwSlAIvA aNrURou98klfwIaGnFAdPA rHzJIvFcgtIcIz,WOjZrRD w59yxPZvec,eu9HMMdDpuB
7VDq++zOwS5xaV35TuZbmB WSWzdKdAYAC2Vc1jOs6tqA jz,xyRZMpSLq2ghtL158yA rokqUTbYC7eMhGrghh0CSB
8rMqWow5AXxsZqHqbZyN9C XyLh+kAVQ5ZWXlWrc7wc5D pjgHBo3uPcxDi13euKN4PB tZkWYvxkrEufTMZ47f89cD
Install the key:
Code:
HWMHA:/decrypt_data/user_de/0 #
HWMHA:/decrypt_data/user_de/0 # vdc --wait cryptfs unlock_user_key 0 0 "" ""
200 11848 Command succeeded
HWMHA:/decrypt_data/user_de/0 #
HWMHA:/decrypt_data/user_de/0 #
HWMHA:/decrypt_data/user_de/0 # cat /proc/keys
032c30ec I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid_ses.0: 2
0d64f2db I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1db74fa6 I--Q--- 1 perm 3f010000 0 0 keyring e4crypt: 3
258344d4 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:773e9f60adca3172: 72
30baee27 I--Q--- 1 perm 3d010000 0 0 logon fscrypt:e1294ea7636feee7: 72
3c670371 I--Q--- 407 perm 3d010000 0 0 logon fscrypt:521acd13c187513c: 72
You can see a new key "fscrypt:521acd13c187513c" is added to kernel.
Check whether you can access the files protected by CE key.
Code:
HWMHA:/decrypt_data # cd media/0
HWMHA:/decrypt_data/media/0 # ls
Alarms Android DCIM Download Movies Music Notifications Pictures Podcasts Ringtones backups baidu huawei
Nou you should be able to access the encrypted files.
Clean up:
After you have backuped up the files you wish to retrieve, please delete the keys you copied to /data and reboot your phone. Don't change any security settings (like lock screen password) before rebooting.
Unmount partitions:
Code:
busybox umount /decrypt_data
busybox umount /computer
References and useful links:
Offical FBE doc:
https://source.android.com/security/encryption/file-based
Some FBE source code analysis:
https://blog.csdn.net/myfriend0/article/details/77094890 (Chinese)
https://github.com/novelinux/android/wiki/Android-FBE (Chinese)
http://hooltech.com/android-p-fbe.html (Chinese)
Hardware-backed Keystore:
https://source.android.com/security/keystore/index.html
Trusty TEE:
https://source.android.com/security/trusty/index.html
Something about Huawei's Trustzone:
https://github.com/OpenKirin/Documentation/blob/master/04-Trustzone.md
fscrypt:
https://www.kernel.org/doc/html/v4.15/filesystems/fscrypt.html
Make sure you always backup your data before performing any flashing/upgrading, especially when you are using a non-official ROM. I have spent a lot of time reading posts and analyzing source code. Luckily I succeeded. This was a lesson telling me the importance of backup.
Hi!
First of all, this is a truly amazing guide. The work done is incredible.
I am in a similar situation, although the details are different: my phone is a Oneplus 5, and it got bricked on Android Pie (stock OOS 9). I have an image of the userdata partition (all other partitions as well actually), it is FBE encoded, I used a PIN which I know. Some questions that you might be able to help with:
1) My userdata was encrypted on a stock ROM, bootloader locked (no root). Your guide obviously requires rooting. Can that even work? Would the phone have access to the necessary TEE functionality?
2) The first significant difference I run into is that vold is missing in the locations you suggested. All the directory names in /misc are encrypted. Any ideas?
3) Also, I do not see support for the "force_no_inline_enc" in busybox (or on Ubuntu). Could not find any documentation either. Could you explain what it does? Or provide some reference? The image mounts successfully without it in my case.
Thanks for this incredible guide. However my case is somehow different, I'm wondering whether you could give me some suggestion, thanks!
My phone got bricked after flashing a new ROM, thus I erased the /system and /data, expect my internal storage. After that, I can't decrypt my internal storage any more. The command 'twrp decrypt XXXXX' does not work, too.
So here I know my pin but can't decrypt, follow your guide, I can see /data/unencrypted folder, but /data/misc is not there, what can I do? Thanks.
Besides, running vdc always gives 'Segmentation fault', which I have no idea.
amk43 said:
Hi!
First of all, this is a truly amazing guide. The work done is incredible.
I am in a similar situation, although the details are different: my phone is a Oneplus 5, and it got bricked on Android Pie (stock OOS 9). I have an image of the userdata partition (all other partitions as well actually), it is FBE encoded, I used a PIN which I know. Some questions that you might be able to help with:
1) My userdata was encrypted on a stock ROM, bootloader locked (no root). Your guide obviously requires rooting. Can that even work? Would the phone have access to the necessary TEE functionality?
2) The first significant difference I run into is that vold is missing in the locations you suggested. All the directory names in /misc are encrypted. Any ideas?
3) Also, I do not see support for the "force_no_inline_enc" in busybox (or on Ubuntu). Could not find any documentation either. Could you explain what it does? Or provide some reference? The image mounts successfully without it in my case.
Click to expand...
Click to collapse
Hi @amk43,
1. I'm not sure whether this method will work, because the implementations of TEE are different. But I've known that some version of TWRP for Snapdragon 835 devices supports decrypting data partition (i.e. it allows users to enter password/pattern inside TWRP and then users can access the encrypted files). Based on this, I think the decryption is possible. I would suggest you to have a try using my steps or try to work with such kind of TWRP (https://forum.xda-developers.com/oneplus-5/development/recovery-twrp-3-2-3-pie-encryption-t3837342)
2. Have you installed "global device key" before seeing the encrypted directory names in /misc ? The encryption policy might be applied to the entire /misc so it looks different to my example. Another possible reason is, Android 9.0 has introduced Metadata encryption, which makes things more complicated. (https://source.android.com/security/encryption/metadata) I'm afraid the mechanism might have changed, since it would store the encryption key in another partition called "metadata". Check whether this partition exists first. If your device has enabled Metadata encryption, additional steps will be required.
3. I double checked the AOSP source code and didn't find this option. I think this option is introduced by HUAWEI and not available in other OS. Actually this option is inside this file: (https://github.com/Ante0/MHA-NG_EMUI5.0_opensource/blob/master/kernel/fs/f2fs/super.c) line 126.
So you probably don't need to use "force_no_inline_enc".
Finally, good luck with your files.
lkytal said:
Thanks for this incredible guide. However my case is somehow different, I'm wondering whether you could give me some suggestion, thanks!
My phone got bricked after flashing a new ROM, thus I erased the /system and /data, expect my internal storage. After that, I can't decrypt my internal storage any more. The command 'twrp decrypt XXXXX' does not work, too.
So here I know my pin but can't decrypt, follow your guide, I can see /data/unencrypted folder, but /data/misc is not there, what can I do? Thanks.
Besides, running vdc always gives 'Segmentation fault', which I have no idea.
Click to expand...
Click to collapse
Hi, @lkytal,
If you can't find /data/misc , it means you've lost your "CE key", which is used to decrypt internal storage (/data/media/0). Unfortunately, I think there is no way to get it back, unless you can recover deleted files, which is difficult and almost impossible.
I also have no idea why vdc crashed with 'Segmentation fault'.
hi,my system hadn't vdc,can i used compiled vdc ?
cofface said:
hi,my system hadn't vdc,can i used compiled vdc ?
Click to expand...
Click to collapse
Hi, I think it's a bit weird that your system does not have vdc, since vdc is a basic component of android. Basically vdc only communicates with a running vold process through a socket (some vdc commands will be directly sent to vold). The way of communication might vary in different versions/implementations (refer to its source code). I'm not sure whether it is going to work if you compile vdc from source code. You might have to deal with strange issues when compiling or running it.
Amazing Guide.mine same as your question,i have full root access now.but it is android 9,i cant find Global DE key /data/unencrypted/key ,any idea?
bl4ckluna said:
Amazing Guide.mine same as your question,i have full root access now.but it is android 9,i cant find Global DE key /data/unencrypted/key ,any idea?
Click to expand...
Click to collapse
Hi, bl4ckluna
I suspect the location of keys has changed. I have a quick check of the vold source code of Android 9.0, it seems to change a lot. I can no longer find "unencrypted keys". Instead, a "systemwide_volume_key" (which locates in /data/msic/vold/volume_keys) presents. Besides, Android 9 has introduced metadata encryption, which makes it much more complex. I have no idea how the encryption works before reading all the vold source code. You can probably check the source code here:
https://android.googlesource.com/platform/system/vold/+/refs/tags/android-9.0.0_r45/Ext4Crypt.cpp
https://android.googlesource.com/platform/system/vold/+/refs/tags/android-9.0.0_r45/KeyStorage.cpp
https://android.googlesource.com/platform/system/vold/+/refs/tags/android-9.0.0_r45
Wow. Nice. Excellent information. I was searching in google and didn't find any useful info.
amazing!Where can I contact you? I want to share some interesting things with you! Please contact me as soon as possible! Best wishes!
Have you considered making an automated tool for this? It would help many people.
Does somebody update this script also for Android 10 ?
Hi, and thank you for the effort put into this. Despite software having changed since then I'm wondering if you could provide any kind of insight with my problem.
I'm on a Galaxy s10e (exynos) with LineageOS+MicroG (Android 12), which I broke while trying to install a magisk module. The device is in a bootloop ever since. I've tried many things which didn't work, o now I'm just trying to recover the data which is encrypted. That's how I landed here. I can access the device via adb while it's booting, and that's how I've been interacting with it. Following your guide I dumped the /data partition on an external SDCard, mounted it in the device and looked around. The thing is, everything is decrypted besided /data/media/0. So I'm stuck at stage 3 of the process.
When I try to run `vdc --wait cryptfs unlock_user_key 0 0 "" ""`, it fails with
Code:
ProcessState D 12-27 12:31:36 32158 32158 Binder ioctl to enable oneway spam detection failed: Invalid argument
vdc V 12-27 12:31:36 32158 32158 vdc.cpp:66] Waited 0ms for vold
vdc E 12-27 12:31:36 32158 32158 vdc.cpp:216] Raw commands are no longer supported
From my understanding, manually decrypting doesn't work anymore. The data is all there, and from my understanding so are all the keys. It should be able to be recovered, right?
I'm stuck and don't know what else to try. Has anyone got any insight?
Ștefan Radu said:
Hi, and thank you for the effort put into this. Despite software having changed since then I'm wondering if you could provide any kind of insight with my problem.
I'm on a Galaxy s10e (exynos) with LineageOS+MicroG (Android 12), which I broke while trying to install a magisk module. The device is in a bootloop ever since. I've tried many things which didn't work, o now I'm just trying to recover the data which is encrypted. That's how I landed here. I can access the device via adb while it's booting, and that's how I've been interacting with it. Following your guide I dumped the /data partition on an external SDCard, mounted it in the device and looked around. The thing is, everything is decrypted besided /data/media/0. So I'm stuck at stage 3 of the process.
When I try to run `vdc --wait cryptfs unlock_user_key 0 0 "" ""`, it fails with
Code:
ProcessState D 12-27 12:31:36 32158 32158 Binder ioctl to enable oneway spam detection failed: Invalid argument
vdc V 12-27 12:31:36 32158 32158 vdc.cpp:66] Waited 0ms for vold
vdc E 12-27 12:31:36 32158 32158 vdc.cpp:216] Raw commands are no longer supported
From my understanding, manually decrypting doesn't work anymore. The data is all there, and from my understanding so are all the keys. It should be able to be recovered, right?
I'm stuck and don't know what else to try. Has anyone got any insight?
Click to expand...
Click to collapse
Hi Ștefan,Sorry I also have no idea for this. Many vdc commands were deprecated since a few Android versions ago. I was tracking the source code of lock screen and end up found vdc, which did work in Andorid 7. But Google seemed to make many changes and I'm not sure how it works now. (please also read the top of this article which I just updated)
If your device got a bootloop because of a magisk module, you can also try the following things:
1. try adb shell during the bootloop and quickly remove the module that causes the issue (usually under /data/adb/*)
2. try a TWRP which supports data decryption through a lock screen passwrod and remove the module. Or you can guess which encrypted folder is for the module/magisk and remove it. (You can remove files even if they are encrypted)
3. unpack and (un)patch the kernel (initrd) so that magisk stops working or not loading modules.
Thanks for taking the effort to write this down! I am trying to open a userdata backup from my bootlooping OnePlus 8 Pro.
Following your steps, I get this error
Code:
255|OnePlus8Pro:/ # busybox mount -t f2fs -o ro,force_no_inline_enc /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img /data/computer
mount: can't setup loop device: No such file or directory
Though both the file (the image) and the directory (/data/computer) exist. Any idea why this basic task does not work?
By the way, on the phone these settings are used to mount the userdata partition:
Code:
/dev/block/bootdevice/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt latemount,wait,resize,check,formattable,fileencryption=ice,wrappedkey,quota,reservedsize=128M,sysfs_path=/sys/devices/platform/soc/1d84000.ufshc,checkpoint=fs
HaTeNL said:
Thanks for taking the effort to write this down! I am trying to open a userdata backup from my bootlooping OnePlus 8 Pro.
Following your steps, I get this error
255|OnePlus8Pro:/ # busybox mount -t f2fs -o ro,force_no_inline_enc /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img /data/computer
mount: can't setup loop device: No such file or directory
Though both the file (the image) and the directory (/data/computer) exist. Any idea why this basic task does not work?
By the way, on the phone these settings are used to mount the userdata partition:
/dev/block/bootdevice/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt latemount,wait,resize,check,formattable,fileencryption=ice,wrappedkey,quota,reservedsize=128M,sysfs_path=/sys/devices/platform/soc/1d84000.ufshc,checkpoint=fs
Click to expand...
Click to collapse
Hi,
Looks like the loop device wasn't set up correctly. In order to mount an image file, a loop device has to be set up to simulate a block device for the file. Can you try setting up it manually, for example,
Bash:
losetup -f --show /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img
and see what device is printed out, then try to mount the device.
use another busybox or toybox losetup with -s flag. also for mounting f2fs ro you should add disable_roll_forward to mount flags (noload for ext4) required for mounting dirty file systems.
Thanks both! I see I already have toybox installed, and I also tested toybox-ext (for Magisk), but unfortunately I get errors again.
I tried
Code:
losetup -f --show /storage/406E82FF6E82ED4A/userdata_after_crash_for_testing.img
with output "/dev/block/loop31"
So now I do the following and get an error again.
Code:
toybox-ext mount -t f2fs -o ro,force_no_inline_enc,disable_roll_forward /dev/block/loop31 /data/testdata
mount: '/dev/block/loop31'->'/data/testdata': Invalid argument
With dmesg I see
Code:
[ 7572.232295] (2)[24714:toybox-ext][20230212_19:42:16.465650]@2 F2FS-fs (loop31): Magic Mismatch, valid(0xf2f52010) - read(0x6970be9f)
[ 7572.232312] (2)[24714:toybox-ext][20230212_19:42:16.465670]@2 F2FS-fs (loop31): Can't find valid F2FS filesystem in 2th superblock
Maybe because the f2fs filesystem is encrypted? Do I need other mount options?
To be clear, what I used to backup the userdata was dd
file system is corrupt. try fsck but get a copy first.
your device uses metadata encryption, this guide is not for you. any further discussion please in new thread, it's off-topic here.