2

I downgraded an Android 10 custom rom while I had encryption enabled (rom). Basically I dirty flashed a previous minor version of the rom via TWRP (with just a simple "wipe cache/dalvik").

After the reboot my pin was not recognized by Android (and TWRP), so I could not access any data.

After a few tentatives I typed "default_password" as pin, when asked during the boot, and there was an important change:

  1. After the subsequent reboot I typed my original pin, and now Android always shows: "The password you entered is correct, but unfortunately your data is corrupt". This happens every time at the system boot, and it won't let me type any pin.
  2. TWRP accepts the original pin, but it's "unable to mount storage". If I type "default_password", or anything else, it's not valid.
  3. In TWRP the system partition's contents are now visible: before they were not showing at all. But the data partition is not accessible (error decrypting…).

I have done a lot of studying to get the phone working without formatting, but I could not solve the issue. I don't think the data is actually corrupted.

I read that there is a Android security mechanism called "version binding": "Version binding binds keys to operating system and patch level version", … "any reversion of the device to a previous release causes the keys to be unusable". This could explain what happened, but I have many doubts.

Knowing this, I flashed the original version of the rom (the one I had before this issue), but nothing changed.

I took a look at logcats and recovery.log and I noticed the following message: "Error starting keymaster signature transaction: -21". Here is a extracted part from a recovery log, after I enter the pin in TWRP:

I:Is encrypted, do decrypt page first
I:Switching packages (TWRP)
I:Set page: 'decrypt'
I:Set page: 'trydecrypt'
I:operation_start: 'Decrypt'
D:crypt_ftr->fs_size = 52453304
I:starting verify_hw_fde_passwd
I:Using scrypt with keymaster for cryptfs KDF
I:TWRP keymaster max API: 1
I:Signing safely-padded objectkeymaster module name is Keymaster QTI HAL
keymaster version is 256
Found keymaster1 module, using keymaster1 API.
Error starting keymaster signature transaction: -21
E:Keymaster signing failedE:scrypt failedI:Extra parameters for dm_crypt: fde_enabled ice
I:target_type = req-cryptI:real_blk_name = /dev/block/sda14, extra_params = fde_enabled iceE:test mount returned 0
I:Found no matching fstab entry for uevent device '/devices/virtual/block/dm-0' - add
I:Found no matching fstab entry for uevent device '/devices/virtual/block/dm-0' - change
Data successfully decrypted, new block device: '/dev/block/dm-0'
I:Can't probe device /dev/block/dm-0
I:Unable to mount '/data'
I:Actual block device: '/dev/block/dm-0', current file system: 'ext4'
Updating partition details...
I:Can't probe device /dev/block/dm-0
I:Unable to mount '/data'
I:Actual block device: '/dev/block/dm-0', current file system: 'ext4'
I:Unable to mount '/usb_otg'
I:Actual block device: '', current file system: 'vfat'
...done

Could you please point me to the right direction? I am trying to understand what could have gone wrong, and find some possible solution.

How is the pin still accepted as correct, but not able to decrypt the data? I think that there is something that prevents it from working.

I can recompile the rom with my own modifications if needed, and post other logs. Thanks for any help.

Additional logs.

the partition is still encrypted

hexdump -C -n1088 /dev/block/dm-0

00000000  06 27 35 9d 5e 75 e0 ff  e0 53 2d 23 f4 99 d3 9d  |.'5.^u...S-#....|
*
00000400  8c cb fb 69 ad 08 1f 75  03 b1 4c 51 54 84 c6 b2  |...i...u..LQT...|
00000410  f4 f2 c9 75 b8 72 e5 f4  68 76 81 16 a8 cd 33 c8  |...u.r..hv....3.|
00000420  e4 64 c4 70 5f 56 55 72  24 3c 44 dc 5e f0 4d 9b  |.d.p_VUr$<D.^.M.|
00000430  05 ca 91 e3 52 b2 09 2b  b0 0c 8b 32 13 2c c2 3d  |....R..+...2.,.=|

compared to a ext4 image (magic 53 ef at offset 0x438)

00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400  e0 33 18 00 f3 bb 60 00  00 80 00 00 6c a0 2a 00  |.3....`.....l.*.|
00000410  9c 16 17 00 00 00 00 00  02 00 00 00 02 00 00 00  |................|
00000420  00 80 00 00 00 80 00 00  f0 1f 00 00 bd 76 59 5d  |.............vY]|
00000430  bd 76 59 5d d1 00 0a 00  53 ef 01 00 02 00 00 00  |.vY]....S.......|
alecxs
  • 4,034
  • 3
  • 16
  • 34
JackSlater
  • 21
  • 4
  • just restore the TWRP backup from previous state and encryption is working again – alecxs Nov 07 '20 at 17:07
  • The TWRP log indicates that it is trying to decrypt a Full Disk Encrypted data partition, which would be unusual for an Android 10 device. When you booted (as everything was working) your phone when does the does the password prompt appear, as the very first action before the phone has fully booted up or later when the background and the lock screen are already loaded? If it is the latter the device uses File Based Encryption and therefore the decryption fails. – Robert Nov 07 '20 at 18:22
  • 1
    @Robert I think this rom uses FDE because the phone (Mi5) is not Android 10 native. "adb shell getprop ro.crypto.type" returns "block" – JackSlater Nov 08 '20 at 09:32
  • @alecxs I don't have that backup. Anyway I already flashed the original rom via "Adb sideload" but nothing changed. – JackSlater Nov 08 '20 at 09:36
  • i think it's a duplicate of https://android.stackexchange.com/q/224440 but the message "Data successfully decrypted" is misleading and your issue is different from mine, answer is invalid. after reading your linked google stuff i guess your keys are already marked as invalid and there is for some reason still anything inside qseecom stuff that a) tells twrp the keys are correct b) but on the other hand garbles decryption because of the invalid-flag (all just guesswork) – alecxs Nov 08 '20 at 21:28
  • @alecxs Thanks, I was also thinking that the key was marked as invalid after the downgrade. But by looking at the error codes (keystore error codes), I think it would use a different one instead of -21 (KM_ERROR_INVALID_INPUT_LENGTH). I am adding the hexdump log in the first post. – JackSlater Nov 09 '20 at 10:51
  • inspect the crypto footer with python script you can't decrypt but maybe you will find some flag you can reset to 0 (although i don't believe it's that easy). install python and run this script: 'python.exe bruteforce_stdcrypto.py [header file] [footer file]' – alecxs Nov 15 '20 at 13:44
  • @NikolayElenkov recently we figured out how to reset failed decrypt counter in fde crypto footer. We invite you to join our conversation regarding other flags https://forum.xda-developers.com/showthread.php?t=4168821 – alecxs Dec 22 '20 at 12:28

0 Answers0