Decrypt dumped userdata partition from a OnePlus 5 using device and PIN

amk43
(@amk43)
New Member

So a few years back my old OnePlus 5's touch input started failing. At one point it became completely unusable and after rebooting I was unable to enter my PIN to unlock the phone. I wanted to extract the data and researched the issue for some time. However, it didn't work out at the time.

The unit was not rooted and running OxygenOS with Android 9.0.x. Before resetting the phone using "MSMTool" (Qualcomm EDL mode), I made a dump of all detected partitions (74 files in total), including userdata.bin which likely contains my data (photos etc). Back then I came to the conclusion that it contains an ext4 file system encrypted using Android's File-Based Encryption. After factory reset the unit worked (however the touch issues persist). Recently I became interested in extracting the files once again. I figured I might get lucky and someone here might have a solution.

So the question is: using an entire disk dump, the original device (in a working state, but after factory reset) and knowing the unlock PIN, is there a way to decrypt / extract the files in userdata.bin?

Topic starter Posted : 24/05/2022 12:13 am
arcaine2
(@arcaine2)
Active Member

No, it has to be decrypted by the phone itself. You'd have to restore the data back onto the phone, and swap the screen for one with working touch, or fix the phone, so you can enter your passcode. The factory reset could be a problem though, as it could change something in the TrustZone and essentially no longer accept your correct passcode after restoring the original userdata partition.

Maybe you could use a mouse and OTG adapter to enter the passcode, but as far as I remember, most OnePlus devices have OTG blocked by default and you have to enable it in settings only to stay active for a while. Not sure if OnePlus 5 behaved like that as well, but very likely.

Posted : 28/05/2022 1:00 pm
amk43
(@amk43)
New Member

@arcaine2 

Thank you for your reply! As I said, let's assume the phone is in a working state, i.e. touch is usable (from what I recall it becomes usable for some time after resetting via EDL).

Back then I tried simply setting up the same passcode and flashing the backed up userdata.bin but as expected this did not work. I even tried manually flashing all 74 partitions from backup, but I could have easily messed that up 🙂

What I would really like to know is where/how Android FBE decryption keys are stored in my case. If it is in some of those partitions I have, or somewhere else in the phone's hardware (and in the latter case whether they were lost during factory reset).

Just in case, here are the names of the backed up partitions:

4g9n4.bin
4j1ed.bin
4t0n8.bin
8v1ee.bin
BTFM.bin
NON-HLOS.bin
abl.elf
adspso.bin
apdp.mbn
boot.img
boot_aging.img
cache.img
cdt.bin
cmnlib.mbn
cmnlib64.mbn
config.bin
ddr.bin
devcfg.mbn
devinfo.bin
dip.bin
dpo.bin
dynamic_nvbk.bin
frp.bin
fsc.bin
fsg.bin
gpt_backup0.bin
gpt_backup1.bin
gpt_backup2.bin
gpt_backup3.bin
gpt_backup4.bin
gpt_backup5.bin
gpt_main0.bin
gpt_main1.bin
gpt_main2.bin
gpt_main3.bin
gpt_main4.bin
gpt_main5.bin
hyp.mbn
keymaster.mbn
keystore.bin
limits.bin
logdump.bin
logfs_ufs_8mb.bin
logo.bin
md5.img
mdtp.img
mdtpsecapp.mbn
minidump.bin
misc.bin
modemst1.bin
modemst2.bin
msadp.bin
param.bin
persist.img
pmic.elf
recovery.img
reserve.bin
reserve1.bin
reserve2.bin
reserve3.bin
rpm.mbn
sec.dat
splash.bin
ssd.bin
static_nvbk.bin
sti.bin
storsec.mbn
system.img
toolsfv.bin
tz.mbn
userdata.bin
userdata.bin.raw
vendor.img
xbl.elf

Topic starter Posted : 28/05/2022 3:57 pm
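
Added example, not part of any post in this thread: a read-only triage of a userdata dump that checks whether the file is an Android sparse image or a raw volume, whether a plaintext ext4 superblock is present, and whether the ext4 encryption feature flag that File-Based Encryption sets is on. The function names and the constructed sample superblock are assumptions made for illustration; the offsets are the standard ext4 superblock fields.

```python
import struct
import sys

SPARSE_MAGIC = 0xED26FF3A    # Android sparse image: u32 LE at file offset 0
SB_OFFSET = 1024             # ext4 primary superblock offset in a raw volume
EXT4_MAGIC = 0xEF53          # s_magic, u16 LE at superblock offset 0x38
INCOMPAT_64BIT = 0x80        # s_blocks_count_hi (0x150) is valid
INCOMPAT_ENCRYPT = 0x10000   # per-file encryption in use (Android FBE sets this)


def triage_userdata(head: bytes) -> dict:
    """Classify a dump from its first 2048 bytes; never touches key material."""
    if len(head) < SB_OFFSET + 1024:
        return {"format": "truncated"}
    if struct.unpack_from("<I", head, 0)[0] == SPARSE_MAGIC:
        # Sparse images must be expanded to raw (e.g. with simg2img) first.
        return {"format": "android-sparse"}
    sb = head[SB_OFFSET:SB_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT4_MAGIC:
        # No plaintext superblock: whole-partition encryption or another filesystem.
        return {"format": "raw", "ext4": False}
    incompat = struct.unpack_from("<I", sb, 0x60)[0]
    blocks = struct.unpack_from("<I", sb, 0x04)[0]
    if incompat & INCOMPAT_64BIT:
        blocks |= struct.unpack_from("<I", sb, 0x150)[0] << 32
    block_size = 1024 << struct.unpack_from("<I", sb, 0x18)[0]
    return {
        "format": "raw",
        "ext4": True,
        "encrypt_flag": bool(incompat & INCOMPAT_ENCRYPT),
        "fs_bytes": blocks * block_size,  # compare with the dump's size on disk
    }


def constructed_sample(encrypt: bool) -> bytes:
    """Constructed test input: a minimal fake superblock, not a real dump."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, 1000)   # s_blocks_count_lo
    struct.pack_into("<I", sb, 0x18, 2)      # s_log_block_size -> 4096-byte blocks
    struct.pack_into("<H", sb, 0x38, EXT4_MAGIC)
    struct.pack_into("<I", sb, 0x60, 0x2C2 | (INCOMPAT_ENCRYPT if encrypt else 0))
    return bytes(1024) + bytes(sb)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage_userdata(f.read(2048)))
    else:
        print(triage_userdata(constructed_sample(True)))
```

A dump file smaller than `fs_bytes` was truncated during acquisition; the encryption flag only confirms that per-file encryption is in use and says nothing about whether the keys are still recoverable.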
arcaine2
(@arcaine2)
Active Member

For older FBE devices, apart from the masterkey hidden in the TrustZone, the keyblobs used to decrypt more and more data are stored on the userdata partition itself. It's decrypted in stages, and there should be 3 keys if you had a passcode set.

Restoring just the userdata should be enough for the phone to boot with previous data.

You mentioned that you set a passcode after a factory reset. I didn't try it on any Qualcomm phone, but with MTK devices this often changes something (within the TrustZone, I suppose) that makes the old data no longer decrypt.

I had a Huawei device that I knew the passcode for. I wiped it, set the same passcode, then restored previous userdata. Phone booted correctly to lockscreen with previous data, but did not accept the correct passcode anymore, hence could not decrypt the userdata correctly anymore.

Posted : 06/06/2022 8:17 pm
Di Do
(@didodzx)
New Member

Hi, 

As @arcaine2 said, if you reflash the userdata partition again after fixing the phone firmware you might get lucky and get your data back (it must be the same mobile, because the other keys to decrypt the userdata files are stored in hardware elements). Otherwise, it's not possible yet to decrypt the userdata.bin.

Posted : 15/06/2022 12:25 am