7

On a first-generation Pixel that is running Pie, in locksettings.db there is a field named sp-handle that contains a 64-bit value. sp is an abbreviation for "synthetic password". Under /data/system_de/0/spblob there are three files:

  • 0000000000000000.handle
  • XXXXXXXXXXXXXXXX.pwd
  • XXXXXXXXXXXXXXXX.secdis
  • XXXXXXXXXXXXXXXX.spblob

XXXXXXXXXXXXXXXX is the lowercase hexadecimal representation of the aforementioned 64-bit value. (I actually have several sets of pwd/secdis/spblob (some missing the spblob or the secdis file—I cannot remember which) presumably due to my attempts to get TWRP to decrypt my Pixel.) There are also files under /data/misc/keystore/user_0 named 1000_USRSKEY_synthetic_password_XXXXXXXXXXXXXXXX and .1000_chr_USRSKEY_synthetic_password_XXXXXXXXXXXXXXXX.

These "synthetic passwords" are mentioned and used in TWRP and SyntheticPasswordManager.java. They are used in decryption, but I can't tell how they are used in it or if they are also used in password authentication. Are they used to decrypt /data/misc/vold/user_keys/ce/0/current/encrypted_key (which I'm told is used in file-based encryption)? What are the purpose of the .pwd, .secdis, and .spblob files? Are the files gatekeeper.*.key used in deriving synthetic passwords?

Update

This paper from Qualcomm goes into greater detail on "synthetic passwords" than the source code, but it doesn't answer the more important questions like:

  • What is the purpose of and what is inside of XXXXXXXXXXXXXXXX.spblob?
  • What is the purpose of and what is inside of XXXXXXXXXXXXXXXX.pwd? What is the purpose of and what is inside of XXXXXXXXXXXXXXXX.secdis?
  • Is the authentication token used in decrypting the CE key?
alecxs
  • 4,034
  • 3
  • 16
  • 34
Melab
  • 785
  • 4
  • 13
  • 23
  • @Robert It is, but it isn't clear enough on whether auth tokens are used in decrypting anything. – Melab Sep 30 '19 at 03:14

1 Answers1

5

First, you need to understand, two gatekeeper enrollment processes are involved in synthetic passwords.

Here is the process:

  1. Generate a synthetic password, it's just a random number
  2. Use a real password to enroll a fake ID and get SID (secure_id)
  3. Use keystore to generate an AES key, bound it to SID, and use it to encrypt a synthetic password
  4. Use a synthetic password to enroll the real user ID.

So you will see, in order to unlock a real user, you need to know a synthetic password. However it's encrypted by the keystore, so you need the real password to unlock the keystore first.

To understand it, you need to first understand how the gatekeeper works (e.g. What is secure_id? How does it work?). That's another topic.

  • 00000000000.handle: return value of gatekeeper first enroll by synthetic password derived password.
  • handle.pwd: second gatekeeper enroll by real password with a fake user ID (e.g. user_id + 10000).
  • handle.secdis: Actually a random number. Used to encrypt the synthetic password.
  • handle.spblob: encrypted synthetic password
  • /data/misc/keystore/user_0/XXX: keystore key. Used for encrypting synthetic passwords.
Andrew T.
  • 15,988
  • 10
  • 74
  • 123
demonguy
  • 161
  • 4
  • 1
    Where can I learn more about this? Android source documentation on FBE lacks lot of technical explanation. – defalt Mar 01 '21 at 15:25
  • 1
    Well, i learned it totally from reading source code and dynamic debug framework process. It did took a long time :) – demonguy Mar 04 '21 at 12:05