
Forgot encryption password on Android, have limited tries (or data is wiped), can I make a backup to "trick" the phone into giving me more tries?  

androidret3
(@androidret3)
New Member

Hi there!

TL;DR: Forgot my Android encryption password, only have 10 tries left before data wipe, how can I backup my phone to get 10 more tries if I don't manage to find the password within 10 tries?

For context:
*ROM: Lineage 14 official build
*Custom recovery: TWRP
*Bootloader: Unlocked
*The phone is not rooted.
*No SD card port.

*The phone is encrypted with a password (not a PIN)
*I don't remember the exact encryption password, so I can't get past the password prompt after booting. But I am sure I can find it if I keep trying. It might take me more than 10 tries to enter all variations though.
*I can't access or mount /data from TWRP (nor can I get past the password prompt after booting) without the password.
*After entering the wrong password multiple times, the password prompt says I only have 10 tries left before the data gets wiped, and I must avoid this at all costs. (Since Android 6 or 7, there is a limited number of tries before the phone gets wiped)

My question is: How can I make a backup of the phone in its current state, so that even if I don't manage to enter the right password after booting the phone 10 times, I can restore the phone in its current state and still have 10 more tries (and eventually repeat this if I still don't manage to find the password after 20 tries)?

I have found some tutorials that show how to backup /dev/block/mmcblk0, but they require root (I can't install anything in my phone since it's encrypted...). And I am not even sure if it will work to restore the phone in its "10 tries left".

I also don't have access to /data partition from TWRP without entering the password (it shows "0MB") so I can't backup the /data partition from TWRP.

 

Thanks

Topic starter Posted : 06/12/2020 7:38 am
arcaine2
(@arcaine2)
Active Member
Posted by: @androidret3

I have found some tutorials that show how to backup /dev/block/mmcblk0, but they require root (I can't install anything in my phone since it's encrypted...). And I am not even sure if it will work to restore the phone in its "10 tries left".

I also don't have access to /data partition from TWRP without entering the password (it shows "0MB") so I can't backup the /data partition from TWRP.

You are root when you boot into TWRP. This itself is enough to be able to make a direct backup of whole eMMC by simply using "adb pull /dev/block/mmcblk0 some_output_file.bin". You don't need to enter passcode to be able to do that, and you can restore it same way (adb push) if it wipes, although much better way would be to backup and then restore only required partitions (userdata and metadata) rather than the whole mmcblk0.

Posted : 06/12/2020 12:58 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Is this a joke to test people willing to answer ?! 🙂

Posted : 14/12/2020 8:57 pm
androidret3
(@androidret3)
New Member
Posted by: @arcaine2
Posted by: @androidret3

I have found some tutorials that show how to backup /dev/block/mmcblk0, but they require root (I can't install anything in my phone since it's encrypted...). And I am not even sure if it will work to restore the phone in its "10 tries left".

I also don't have access to /data partition from TWRP without entering the password (it shows "0MB") so I can't backup the /data partition from TWRP.

You are root when you boot into TWRP. This itself is enough to be able to make a direct backup of whole eMMC by simply using "adb pull /dev/block/mmcblk0 some_output_file.bin". You don't need to enter passcode to be able to do that, and you can restore it same way (adb push) if it wipes, although much better way would be to backup and then restore only required partitions (userdata and metadata) rather than the whole mmcblk0.

Thank you so much for your answer!

I thought that TWRP only implies that the bootloader is unlocked, but not that the phone is rooted.

In this case, do I get root access only as long as the phone is in Recovery/TWRP mode? (When I still remembered the password and could use the phone normally, I didn't have root access under "normal" mode, even if TWRP is installed on the phone).

"although much better way would be to backup and then restore only required partitions (userdata and metadata) rather than the whole mmcblk0.":

If the "data" partition literally shows as empty when I boot from TWRP then use the file manager (I guess because I didn't enter the decryption password after booting in TWRP), would I still be able to "adb pull" the encrypted data partition (despite "data" showing as "empty" in TWRP)?

@passcodeunlock
It's not a joke. I am sorry if my question seems noobish, but I did some research before asking here and obviously, my knowledge isn't perfect despite spending a lot of time looking for an answer.

I have read that the decryption process on newer devices depends on a unique decryption key that is stored in hardware, but I don't fully understand what it means. Does it mean that even if I somehow manage to do a "perfect" backup (not corrupted), there could be issues with decryption even if I do manage to find the right password later on? For what it's worth, the Lineage OS version on the phone is Lineage 14 (based on Android 7.0).

 

 

Topic starter Posted : 20/12/2020 8:55 pm
arcaine2
(@arcaine2)
Active Member
Posted by: @androidret3

I thought that TWRP only implies that the bootloader is unlocked, but not that the phone is rooted.

In this case, do I get root access only as long as the phone is in Recovery/TWRP mode? (When I still remembered the password and could use the phone normally, I didn't have root access under "normal" mode, even if TWRP is installed on the phone).

TWRP doesn't imply that the phone is rooted. You have root access while booted into TWRP. This doesn't mean that you'll also have root access once you boot back into Android. While TWRP will help you install Magisk, some modern phones will require wiping the device anyway because of dm-verity for example.

If the "data" partition literally shows as empty when I boot from TWRP then use the file manager (I guess because I didn't enter the decryption password after booting in TWRP), would I still be able to "adb pull" the encrypted data partition (despite "data" showing as "empty" in TWRP)?

/data is just a directory. Check result of "mount" command to view what's mounted. If TWRP asked you for encryption passcode, and you didn't provide it, /data won't be mounted correctly, hence empty. Even if you provide a valid encryption passcode, this doesn't guarantee that TWRP will be able to decrypt it correctly. You didn't mention what device is it, but most of the time TWRP will be able to decrypt userdata only if you wiped the phone while TWRP was already installed, like with custom firmware. Since now you mentioned that the phone is running LineageOS, this may actually work.

 

Yes, you will be able to do "adb pull" on block device (/dev/block/mmcblk0p_SOMETHING_) and you will get encrypted partition image.

 

I have read that the decryption process on newer devices depends on a unique decryption key that is stored in hardware, but I don't fully understand what it means. Does it mean that even if I somehow manage to do a "perfect" backup (not corrupted), there could be issues with decryption even if I do manage to find the right password later on? For what it's worth, the Lineage OS version on the phone is Lineage 14 (based on Android 7.0).

This means that you can't decrypt this data outside the device since you can't extract part of the encryption key. You can't just dump it, try to mount in Linux installed on PC, provide a correct passcode and hope it'll boot.

 

What you should be able to do is to backup it to PC (along with metadata partition), try those 10 codes and if phone wipes, restore both userdata and metadata back to the phone. TWRP also has a command line interface to provide a decryption passcode. There is at least one script on GitHub that uses this method to bruteforce the passcode. Can't say if your phone won't wipe while doing that, but you can try it, after you make appropriate backups (again, both userdata and metadata, and whole storage chip - mmcblk0 or whatever this phone uses, just in case you missed something).

 

Posted : 22/12/2020 10:07 pm
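
As an added example (not written by any poster in this thread), here is a small Python helper for the backup step described in the post above. It resolves the userdata and metadata block devices from a by-name listing, checks from `mount` output whether /data is mounted, and verifies a pulled image against the SHA-256 computed on the device. The by-name path, the partition numbers and the availability of `sha256sum` in recovery are assumptions, and the sample outputs are constructed.

```python
import hashlib

# Constructed sample of `adb shell ls -l /dev/block/bootdevice/by-name`
# (assumed path; partition names and numbers differ per device).
BY_NAME_LISTING = """\
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 boot -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 metadata -> /dev/block/mmcblk0p30
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 userdata -> /dev/block/mmcblk0p49
"""

# Constructed sample of `adb shell mount` in recovery with /data still locked.
MOUNT_OUTPUT = """\
rootfs on / type rootfs (rw,seclabel)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,mode=755)
/dev/block/mmcblk0p48 on /cache type ext4 (rw,seclabel,relatime)
"""

def partition_map(listing):
    """Map partition name -> block device from an `ls -l .../by-name` listing."""
    mapping = {}
    for line in listing.splitlines():
        if " -> " in line:
            left, target = line.rsplit(" -> ", 1)
            mapping[left.split()[-1]] = target.strip()
    return mapping

def mounted_at(mount_output, mountpoint):
    """Return the device mounted at mountpoint, or None if nothing is mounted."""
    for line in mount_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "on" and parts[2] == mountpoint:
            return parts[0]
    return None

def pull_commands(listing, names=("userdata", "metadata")):
    """Build one `adb pull` command per named partition found in the listing."""
    pmap = partition_map(listing)
    return [f"adb pull {pmap[n]} {n}.img" for n in names if n in pmap]

def image_matches(image_path, device_sha256_line):
    """Compare a pulled image with the `sha256sum <blockdev>` line from the device."""
    expected = device_sha256_line.split()[0].lower()
    digest = hashlib.sha256()
    with open(image_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected
```

Run the hash comparison for every image before relying on it as a restore point; a truncated or interrupted pull will not match.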
passcodeunlock
(@passcodeunlock)
Senior Member

Are you sure you didn't wipe your data when installing TWRP or unlocking the bootloader ?!

Posted : 01/01/2021 8:42 pm
arcaine2
(@arcaine2)
Active Member

@passcodeunlock If I understood him correctly, he already had LineageOS installed, so he had to have an unlocked bootloader and TWRP flashed before.

Posted : 04/01/2021 9:58 pm