Decrypt dumped userdata partition from a Oneplus 5 using device and PIN
So a few years back my old Oneplus 5's touch input started failing. At one point it became completely unusable and after rebooting I was unable to enter my PIN to unlock the phone. I wanted to extract the data and researched the issue for some time. However it didn't work out at the time.
The unit was not rooted and running OxygenOS with Android 9.0.x. Before resetting the phone using "MSMTool" (Qualcomm EDL mode), I made a dump of all detected partitions (74 files in total), including userdata.bin, which likely contains my data (photos etc.). Back then I came to the conclusion that it contains an ext4 file system encrypted using Android's File-Based Encryption. After the factory reset the unit worked (however, the touch issues persist). Recently I became interested in extracting the files once again. I figured I might get lucky and someone here might have a solution.
So the question is: using an entire disk dump, the original device (in a working state, but after factory reset) and knowing the unlock PIN, is there a way to decrypt / extract the files in userdata.bin?
No, it has to be decrypted by the phone itself. You'd have to restore the data back onto the phone, and swap the screen for one with working touch, or fix the phone, so you can enter your passcode. The factory reset could be a problem though, as it could change something in the trustzone and essentially no longer accept your correct passcode after restoring the original userdata partition.
Maybe you could use a mouse and OTG adapter to enter the passcode, but as far as I remember, most OnePlus devices have OTG blocked by default and you have to enable it in settings, and it only stays active for a while. Not sure if the OnePlus 5 behaved like that as well, but very likely.
Thank you for your reply! As I said, let's assume the phone is in a working state, i.e. touch is usable (from what I recall it becomes usable for some time after resetting via EDL).
Back then I tried simply setting up the same passcode and flashing the backed up userdata.bin but as expected this did not work. I even tried manually flashing all 74 partitions from backup, but I could have easily messed that up 🙂
What I would really like to know is where/how android FBE decryption keys are stored in my case. If it is in some of those partitions I have, or somewhere else in the phones hardware (and in the latter case whether they were lost during factory reset).
Just in case, here are the names of the backed up partitions:
For older FBE devices, apart from the master key hidden in the TrustZone, the keyblobs used to decrypt more and more data are stored on the userdata partition itself. It's decrypted in stages, and there should be 3 keys if you had a passcode set.
Restoring just the userdata should be enough for the phone to boot with previous data.
You mentioned that you set a passcode after a factory reset. I didn't try it on any Qualcomm phone, but with MTK devices this often changes something (within the TrustZone, I suppose) that makes the old data not decrypt anymore.
I had a Huawei device that I knew the passcode for. I wiped it, set the same passcode, then restored the previous userdata. The phone booted correctly to the lockscreen with the previous data, but did not accept the correct passcode anymore, hence it could not decrypt the userdata correctly anymore.
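The staged key hierarchy described in the reply above (a hardware-bound secret in the TrustZone, a PIN-derived key, and wrapped keyblobs that live on userdata) can be modelled in a few lines. The following is an added example written for this thread, not code from Android, OnePlus, or any poster; it is a simplified toy model, not Android's real FBE algorithm, and every name in it (TrustZoneModel, provision_userdata, unlock, the HMAC-based key wrap) is an assumption made for illustration. It shows why a userdata dump plus the correct PIN is not enough once the hardware-bound secret has been replaced by a factory reset.

```python
"""Toy model of a staged, hardware-bound FBE key hierarchy (constructed example).

Stages modelled:
  1. a hardware root secret that never leaves the (simulated) TrustZone
  2. a PIN-derived key (scrypt over PIN + per-device salt stored on userdata)
  3. a wrapped master key stored as a keyblob on userdata
The wrap is HMAC-SHA256 counter mode + HMAC tag, chosen only because it is
stdlib-only; real devices use AES-based wrapping inside hardware.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    # Deterministic keystream: HMAC(kek, nonce || counter), concatenated.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, key: bytes) -> bytes:
    # Encrypt-then-MAC: blob = nonce || (key XOR keystream) || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a wrong KEK (wrong PIN or new hardware secret) fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("keyblob authentication failed: cannot decrypt")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class TrustZoneModel:
    """Simulated secure world: holds a root secret that a factory reset replaces."""

    def __init__(self) -> None:
        self._root = secrets.token_bytes(32)

    def bind(self, material: bytes) -> bytes:
        # Hardware-bound derivation: the result depends on the root secret.
        return hmac.new(self._root, material, hashlib.sha256).digest()

    def factory_reset(self) -> None:
        # The old root secret is discarded; old keyblobs become undecryptable.
        self._root = secrets.token_bytes(32)


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    # Slow KDF over the PIN; the salt is stored on the userdata partition.
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def provision_userdata(tz: TrustZoneModel, pin: str):
    """Return (keyblob stored on userdata, the plaintext master key)."""
    salt = os.urandom(16)
    master = secrets.token_bytes(32)          # key that protects file contents
    kek = tz.bind(derive_pin_key(pin, salt))  # PIN key bound to hardware secret
    return {"salt": salt, "wrapped_master": wrap_key(kek, master)}, master


def unlock(tz: TrustZoneModel, pin: str, userdata: dict) -> Optional[bytes]:
    """Recover the master key from the on-disk keyblob, or None if it fails."""
    kek = tz.bind(derive_pin_key(pin, userdata["salt"]))
    try:
        return unwrap_key(kek, userdata["wrapped_master"])
    except ValueError:
        return None


def demo() -> dict:
    """Walk through the scenarios discussed in the thread."""
    tz = TrustZoneModel()
    userdata, master = provision_userdata(tz, "1234")       # original setup
    results = {
        "same_device_correct_pin": unlock(tz, "1234", userdata) == master,
        "same_device_wrong_pin": unlock(tz, "0000", userdata) is not None,
    }
    tz.factory_reset()                                       # root secret replaced
    # Same phone, same dump restored, same PIN: the keyblob no longer unwraps.
    results["after_factory_reset_correct_pin"] = unlock(tz, "1234", userdata) is not None
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'decrypts' if ok else 'cannot decrypt'}")
```

The point of the model is the `tz.bind` stage: the on-disk keyblob is only decryptable with a key derived from both the PIN and a secret that stays in hardware, so a dump restored to a device whose hardware secret has changed fails authentication exactly as the Huawei experiment above did, even with the correct PIN.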
As @arcaine2 said, if you reflash the userdata partition again after fixing the phone firmware you might get lucky and get your data back (it must be the same mobile, because the other keys needed to decrypt the userdata files are stored in hardware elements). Otherwise it's not possible yet to decrypt the userdata.bin.