By twrpuser


2018-09-10 19:55:57 8 Comments

I am trying to recover the data from a default/factory encrypted Samsung Galaxy S7 Edge stuck in a bootloop (i.e.: restarting endlessly when booting the system). It is using the stock rom. Only the recovery (twrp) and download mode are working. I need to either fix the bootloop or decrypt at least the data partition in twrp (I know the lock pattern). Note: I know that the bootloop might be fixed by a factory reset, but that would result in data loss.

General info:

Model: SM-G935F
Codename: hero2lte
Android version: Stock 7.1.x (almost sure)
TWRP: 3.2.3-0

Install

I followed the adb guide and the install guide (only up to and including the twrp install; LineageOS was not installed).

After installing adb and heimdall on the pc, this is what was done on the phone:

  • Enter download mode
  • heimdall flash --RECOVERY twrp-3.2.3-0-hero2lte.img
  • Reboot into recovery

It kept saying it could not mount /system nor /data, but it never asked (and still doesn't) for the encryption password or anything. When trying to do a nandroid backup, Internal storage showed as 0 MB and it errored out.

Booting into the system worked without any issues.

Then, I tried installing (LineageOS') su, to be able to backup things properly using something like oandbackup or TitaniumBackup:

  • Boot into recovery
  • adb push addonsu-15.1-arm64-signed.zip
  • Install -> addonsu-15.1-arm64-signed.zip

I thought one of the following was going to happen:

  1. The write would work, and su would be available
  2. The write would work, and the stock rom would ignore it
  3. The write would fail, nothing would happen

It showed some errors about the partitions again (up to this point, I thought only the data partition was encrypted, not the system one).

I tried Reboot -> System, and what happened was:

  1. The device was (and still is) stuck in a bootloop

So I tried using LineageOS' su-removal:

  • Boot into recovery
  • adb push addonsu-remove-15.1-arm64-signed.zip
  • Install -> addonsu-remove-15.1-arm64-signed.zip

Yet, nothing seems to have changed. TWRP onscreen log:

Could not mount /data and unable to find crypto footer.
Failed to mount '/data' (Invalid argument)
Updating partition details...
Failed to mount /data (Invaild argument)
...done
Unable to mount storage
Failed to mount /data (Invaild argument)
Full SELinux support is present.
Unable to mount /data/media/TWRP/.twrps
MTP Enabled

Looking at /cache/recovery/log, it does not show /system as empty:

/system | /dev/block/sda14 | Size: 4132MB Used: 3987MB Free: 145MB Backup Size: 3987MB
   Flags: Can_Be_Mounted Can_Be_Wiped Can_Be_Backed_Up Wipe_Available_in_GUI IsPresent Mount_Read_Only
   Primary_Block_Device: /dev/block/sda14
   Display_Name: System
   Storage_Name: System
   Backup_Path: /system
   Backup_Name: system
   Backup_Display_Name: System
   Storage_Path: /system
   Current_File_System: ext4
   Fstab_File_System: ext4
   Backup_Method: files

/data | /dev/block/sda18 | Size: 0MB Used: 0MB Free: 0MB Backup Size: 0MB
   Flags: Can_Be_Mounted Can_Be_Wiped Can_Be_Backed_Up Wipe_During_Factory_Reset Wipe_Available_in_GUI IsPresent Can_Be_Encrypted Has_Data_Media Can_Encrypt_Backup Use_Userdata_Encryption Is_Storage Is_Settings_Storage
   Symlink_Path: /data/media
   Symlink_Mount_Point: /sdcard
   Primary_Block_Device: /dev/block/sda18
   Length: -20480
   Display_Name: Data
   Storage_Name: Internal Storage
   Backup_Path: /data
   Backup_Name: data
   Backup_Display_Name: Data
   Storage_Path: /data/media
   Current_File_System: ext4
   Fstab_File_System: ext4
   Backup_Method: files
   MTP_Storage_ID: 65537

But it shows nothing when trying to access it:

~ # ls -lah /system
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
drwxr-xr-x    2 root     root          40 Jan  1  1970 .
drwxrwxrwt   24 root     root         840 Sep 10 02:15 ..

Also in /cache/recovery/log:

I:Done processing fstab files
I:Setting up '/data' as data/media emulated storage.
I:Created '/sdcard' folder.
I:Can't probe device /dev/block/sda18
I:Unable to mount '/data'
I:Actual block device: '/dev/block/sda18', current file system: 'ext4'
I:Can't probe device /dev/block/sda18
I:Unable to mount '/data'
I:Actual block device: '/dev/block/sda18', current file system: 'ext4'
get_crypt_ftr_info crypto key location: 'footer'
Bad magic for real block device /dev/block/sda18
Could not mount /data and unable to find crypto footer.
I:Setting up '/data' as data/media emulated storage.
I:Can't probe device /dev/block/sda18
I:Unable to mount '/data'
# ...

Questions:

  • If it could not even mount the partition, how did it become soft bricked?

  • Does "Install" write anything anywhere else (excluding log entries, etc)?

  • Can it actually overwrite/damage the partition (or the block device directly) even when it cannot mount it?

  • Is there a way to debug the bootloop?

  • How could the bootloop be fixed?

Decrypt

So I tried decrypting the data partition to see if I could at least access it from twrp, using these steps.

This is the pattern:

[_   1   6]
[2   7   5]
[3   4   _]

Which means the code twrp uses (from 1 to 9) should be this: 2478635. So I tried:

~ # twrp decrypt 2478635
Attempting to decrypt data partition via command line.
Failed to decrypt data.

I also tried using the "native" code (from 0 to 8), to no avail:

~ # twrp decrypt 1367524
Attempting to decrypt data partition via command line.
Failed to decrypt data.

Looking at the partitions:

~ # ls -l /dev/block/platform/155a0000.ufs/by-name/
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 BOOT -> /dev/block/sda5
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 BOTA0 -> /dev/block/sda1
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 BOTA1 -> /dev/block/sda2
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 CACHE -> /dev/block/sda15
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 CPEFS -> /dev/block/sdd1
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 CP_DEBUG -> /dev/block/sda17
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 DNT -> /dev/block/sda10
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 EFS -> /dev/block/sda3
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 HIDDEN -> /dev/block/sda16
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 OTA -> /dev/block/sda7
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 PARAM -> /dev/block/sda4
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 PERSDATA -> /dev/block/sda13
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 PERSISTENT -> /dev/block/sda11
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 RADIO -> /dev/block/sda8
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 RECOVERY -> /dev/block/sda6
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 STEADY -> /dev/block/sda12
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 SYSTEM -> /dev/block/sda14
lrwxrwxrwx    1 root     root            15 Sep 10 02:15 TOMBSTONES -> /dev/block/sda9
lrwxrwxrwx    1 root     root            16 Sep 10 02:15 USERDATA -> /dev/block/sda18

This shows that sda14 is the system partition and that sda18 is the data partition. So I managed to pull /dev/block/sda14 and /dev/block/sda18:

adb pull /dev/block/sda14 sda14.img
# ...

adb pull /dev/block/sda18 sda18.img
/dev/block/sda18: 1 file pulled. 3.7 MB/s (26843545600 bytes in 6961.803s)

I verified that the SHA-1 hashes of the block device and the .img match, but I'm at a loss about how to decrypt them on the pc.

Question:

How could I decrypt them on Android/Linux/Windows?


Note: If this is too specific for this site, please comment where the appropriate forum would be. I know of the phone-specific xda, but that seems to be too generic. Any help is appreciated.
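
An added example, not part of the original post: a check that can be run on the PC against a pulled image such as sda18.img to see what TWRP's "Bad magic" and "unable to find crypto footer" messages are testing. It assumes the AOSP full-disk-encryption footer layout (the leading fields of struct crypt_mnt_ftr in cryptfs.h) and that any footer lies within the last 20480 bytes, the region the log reports as "Length: -20480". Whether the stock firmware on this device writes that footer is not established by the post, and the sample image is constructed.

```python
import io
import struct

CRYPT_MNT_MAGIC = 0xD0B5B1C4      # footer magic from AOSP cryptfs.h
FOOTER_FMT = "<IHHIIIIQI64s"      # leading fields of struct crypt_mnt_ftr
EXT4_MAGIC_OFFSET = 1024 + 56     # s_magic in the primary ext4 superblock
TAIL = 20480                      # assumption: from "Length: -20480" in the log


def inspect_image(f):
    """Report whether a partition image looks like plain ext4 and whether
    its tail holds an AOSP full-disk-encryption footer."""
    size = f.seek(0, io.SEEK_END)
    f.seek(EXT4_MAGIC_OFFSET)
    plain_ext4 = f.read(2) == b"\x53\xef"

    start = max(0, size - TAIL)
    f.seek(start)
    tail = f.read()
    pos = tail.find(struct.pack("<I", CRYPT_MNT_MAGIC))
    footer = None
    if pos != -1 and len(tail) - pos >= struct.calcsize(FOOTER_FMT):
        (_, major, minor, _ftr_size, _flags, keysize, _crypt_type,
         fs_size, failed, name) = struct.unpack_from(FOOTER_FMT, tail, pos)
        footer = {
            "offset": start + pos,
            "version": (major, minor),
            "keysize": keysize,
            "fs_size_sectors": fs_size,
            "failed_decrypt_count": failed,
            "cipher": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        }
    return {"size": size, "plain_ext4": plain_ext4, "footer": footer}


def constructed_image(with_footer):
    """Constructed 64 KiB sample image; all field values are made up."""
    img = bytearray(b"\xa5" * 65536)
    if with_footer:
        ftr = struct.pack(FOOTER_FMT, CRYPT_MNT_MAGIC, 1, 3, 2320, 0, 16, 2,
                          96, 0, b"aes-cbc-essiv:sha256")
        img[-16384:-16384 + len(ftr)] = ftr
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else constructed_image(True)
    print(inspect_image(src))
```

A result with `plain_ext4` false and `footer` None matches what the recovery log reports for /dev/block/sda18: no readable ext4 superblock and no footer magic in the reserved tail.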
