
The Problem and Mystery

My ZTE Axon 7 [Android 7] inexplicably wiped its emulated storage area /storage/emulated/0 while retaining all installed applications, albeit with settings wiped clean. There was also a 256GB sd-card mounted as an add-on, system space. I think it was configured as F2FS and encrypted. I've stopped using it and bought a new phone. I want to image the phone's internal memory and the sd-card, and recover what I can that wasn't backed up. I don't know the best approach, but know there are some hurdles, which I'm unsure how to approach.

  1. What is the best way to image phone memory? Recovery mode and ADB?

    • The F2FS and internal memory may have been re-partitioned and/or reformatted
    • Getting the image would allow me to scan for text, strings, and file signatures
  2. Where is the encryption key normally kept? Is it backed up anywhere?

    • The original file systems are likely encrypted, and would need a key
    • I know the phone would store this somewhere, but unsure how to retrieve it.
    • Key may have been overwritten or reset, since I didn't immediately realize something happened, plus don't fully comprehend what did.
  3. Is there any way to view the contents of a GDrive backup? Any chance it contains key?

    • There is some backup data on Google Drive, but haven't viewed yet
    • This backup may also have been overwritten, since I see no versioning info
    • Backup data is not very large. Maybe a few megabytes.
  4. How did this happen? Does my story below add up?

    • I'm hoping there's an alternative cause and fix to this

How it happened

Not sure since I was using Android Auto for navigation and music, and the phone was normal. At some point the phone became "weird" with the wrong launcher, which I ascribed to accidentally pressing a wrong button and activating another launcher (I had several installed), and I switched to my wife's phone. Later I realized every app was "weird" and then checked the FS and realized everything, photos, docs, were missing even at the file system level.

Maybe I pushed a system upgrade prompt, or confirmed some other crazy phone action. I was driving and don't know.

TonyH
  • I am afraid you can do nothing to recover the phone because you did not unlock the bootloader. It may be caused by f2fs itself (it is buggy) https://forum.xda-developers.com/axon-7/development/recovery-official-twrp-zte-axon-7-t3515715 – alecxs Aug 13 '19 at 16:00
  • https://forum.xda-developers.com/general/rooting-roms/how-to-backup-qualcomm-phone-root-t3570178 – alecxs Aug 13 '19 at 16:06
  • I'm pretty sure I can unlock the bootloader now, but not sure if it will help – TonyH Aug 13 '19 at 16:18
  • Don't do it now, it is too late. Find an exploit for booting twrp without unlocking bootloader. Maybe there is some way with Qualcomm HS-USB QDLoader 9008 Driver and QPST – alecxs Aug 13 '19 at 16:18
  • @alecxs, since my Axon is now an extra phone, after giving up on this data, should I root it anyhow? Root and sell, or just sell? Thanks – TonyH Aug 13 '19 at 16:19
  • Yes, but I thought you just said "you can do nothing to recover phone because you did not unlock the bootloader. it may caused by f2fs itself". Is there a chance to image the data and try to recover something? - Sorry, just saw your updated comment. Will try the Qualcomm driver – TonyH Aug 13 '19 at 16:23
  • Try the second link to get a dump of your phone with HDDRawCopy. Then we will see if the key is recoverable from /data/misc/vold; this would help to decrypt the sdcard. There is an exploit to get the Keymasters Key blob (which may help to recover data from the phone dump) but this requires highly expert skills https://www.theregister.co.uk/2016/07/01/turns_out_breaking_android_fulldisk_encryption_is_easy_with_the_right_code – alecxs Aug 13 '19 at 16:34

0 Answers
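On the question's idea of scanning an image for file signatures: the following is an added example, not code from the original poster or the commenters. It does a first-pass triage of a raw dump by locating known magic bytes and measuring per-block entropy, which separates surviving plaintext structures from regions that are still encrypted. The signature set, the 4096-byte block size, the 7.5 bits/byte threshold and the constructed sample image are assumptions.

```python
import hashlib
import math
from collections import Counter

# Magic bytes to search for. F2FS stores 0xF2F52010 little-endian at
# byte 1024 of the partition, so a hit at X suggests a partition at X - 1024.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "sqlite": b"SQLite format 3\x00",
    "f2fs_superblock": (0xF2F52010).to_bytes(4, "little"),
}

def entropy(block):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def find_signatures(data):
    """Return sorted (offset, name) pairs for every magic value found."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def classify_blocks(data, block_size=4096, threshold=7.5):
    """Count blocks that are empty, high-entropy (encrypted or compressed), or structured."""
    counts = Counter()
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        if not any(block):
            counts["empty"] += 1
        elif entropy(block) >= threshold:
            counts["high_entropy"] += 1
        else:
            counts["structured"] += 1
    return counts

def sample_image():
    """Constructed 16 KiB test image: superblock, JPEG-like block, noise, zeros."""
    sb = bytes(1024) + SIGNATURES["f2fs_superblock"] + bytes(4096 - 1028)
    jpeg = (b"\xff\xd8\xff\xe0" + b"JFIF constructed sample " * 200)[:4096]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return sb + jpeg + noise + bytes(4096)
```

For a real dump, pass an `mmap` of the image file instead of a bytes object so the whole image is not loaded into memory. An image that is almost entirely `high_entropy` with no signature hits is still encrypted, and carving it will not recover files without the key.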