Forums
Main Category
General (Technical,...
Where is the encyrp...
 
Notifications
Clear all

Where is the encyrption key?

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by arcaine2 5 years ago
4 Posts
4 Users
0 Reactions
1,819 Views
RSS
 nsumer
(@nsumer)
Eminent Member
Joined: 6 years ago
Posts: 20
Topic starter 20/07/2020 2:43 pm  

I have a mobile phone image, it is physical forensics image.

User data partition is encryted but UFED PA is able to decrypt and decode as ExtX as this partition. I wonder where UFED PA gets the encyrption key from the image. I am asking because of my curiosity.

Regards


   
Quote
AmNe5iA
 AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
24/07/2020 9:12 am  

https://source.android.com/security/encryption/full-disk

of note in the above link:

You can find the default password defined in the Android Open Source Project cryptfs.cpp file.

(Hint: look at line 276.)

Starting an encrypted device with default encryption
This is what happens when you boot up an encrypted device with no password. Because Android 5.0 devices are encrypted on first boot, there should be no set password and therefore this is the default encryption state.

Detect encrypted /data with no password
Detect that the Android device is encrypted because /data cannot be mounted and one of the flags encryptable or forceencrypt is set.

vold sets vold.decrypt to trigger_default_encryption, which starts the defaultcrypto service. trigger_default_encryption checks the encryption type to see if /data is encrypted with or without a password.

Decrypt /data
Creates the dm-crypt device over the block device so the device is ready for use.

Mount /data
vold then mounts the decrypted real /data partition and then prepares the new partition. It sets the property vold.post_fs_data_done to 0 and then sets vold.decrypt to trigger_post_fs_data. This causes init.rc to run its post-fs-data commands. They will create any necessary directories or links and then set vold.post_fs_data_done to 1.

Once vold sees the 1 in that property, it sets the property vold.decrypt to: trigger_restart_framework. This causes init.rc to start services in class main again and also start services in class late_start for the first time since boot.

Start framework
Now the framework boots all its services using the decrypted /data, and the system is ready for use.


   
ReplyQuote
 diskveri
(@diskveri)
New Member
Joined: 5 years ago
Posts: 1
12/08/2020 10:46 am  

@amne5ia

hi,, friend samsung j730f android 9 I have read the encrypted chip user area section, how can I decrypt it

 
 
 
This post was modified 5 years ago by Dolores

   
ReplyQuote
 arcaine2
(@arcaine2)
Estimable Member
Joined: 9 years ago
Posts: 239
14/08/2020 8:49 pm  

@diskveri you can't. Since this is device with FDE, unless secure startup is enabled it decrypts itself during bootup. The way it works in UFED and others, is that they use some exploits that allow them get unrestricted (let's say root) access ignoring FRP/OEM Lock, and use this "flaw" (or feature) of FDE to create decrypted image. It's important that the phone is working and able to fully boot into Android. Otherwise, this method won't work.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: