TeamWin / Team-Win-Recovery-Project

Core recovery files for the Team Win Recovery Project (T.W.R.P) - this is not up to date, please see https://github.com/TeamWin/android_bootable_recovery/
http://twrp.me

TWRP backup doesn't work with Google "work profiles" #1256

Open angadsingh opened 6 years ago

angadsingh commented 6 years ago

Device: OP6 Google "Work profile" created for work account (https://support.google.com/work/android/answer/6191949?hl=en) TWRP/Nandroid backup from recovery throws the following error:

I:Error adding file '/data/system_ce/10' to '/data/media/0/TWRP/BACKUPS/c73c84e3/2018-06-14--06-19-03/data.ext4.win'
Error creating backup.
I:ERROR tarList for thread ID 0
Error creating backup.
createTarFork() process ended with ERROR: 255
Backup Failed. Cleaning Backup Folder.

It seems that (similar to multi-user account or parallel apps), work profiles create a new user on the device, and /data/system_ce/10 might be an artifact of my work profile (not sure). The other folder is /data/system_ce/0.

Going by XDA, TWRP doesn't support multi-user profiles. Does it not support work profiles either?

T-vK commented 3 years ago

Just follow the function calls in reverse. Where is the function retrieveKey called? Where is the function that calls retrieveKey called? Where is the function that calls the function that calls retrieveKey called? Etc... If you know what a function definition and a function call looks like and how to use the search bar on Github, this should be pretty trivial even if you're not a C++ expert.

retrieveKey is used in the function read_and_fixate_user_ce_key. read_and_fixate_user_ce_key is used in the function read_and_install_user_ce_key. read_and_install_user_ce_key is used in the function e4crypt_unlock_user_key. e4crypt_unlock_user_key is used in the function e4crypt_init_user0. e4crypt_init_user0 is used in the function Decrypt_DE. .....

Finally you end up with this, which should give you a decent overview:

TWRP_DECRYPTION

vukisz commented 3 years ago

Hi having quite similar error, but for system user:

error looking up proper e4crypt policy for '//data/system_de/0/' - 1DE0
tar_extract_file(): failed to extract //data/system_de/0/ !!!
I:Unable to extract tar archive '/data/media/TWRP/BACKUPS/OldData/data.ext4.win012'

More context on this xda post.

noahajac commented 3 years ago

Is this after a wipe/format of data? Do all users on the backup already exist on the device?

vukisz commented 3 years ago

Tried wipe at first. Then did a full data format. Still same issue. I am not quite sure how to check users from backup and create them in destination.

noahajac commented 3 years ago

Do you not know the user profiles you had on the original device? If you did a format you will need to boot again and recreate the users. If you only had one user (0) then just booting should be sufficient.

vukisz commented 3 years ago

I am still using the old device. I have not created any additional user profiles explicitly. Maybe I created a guest account, but then deleted it. How can I check the existing user profiles on the original device? And how could those be recreated in TWRP? Using Advanced -> Terminal?

noahajac commented 3 years ago

Post a recovery.log of both the restore on the new device and of just booting TWRP and mounting /data on the old device.

vukisz commented 3 years ago

Sure. https://drive.google.com/file/d/1CZTV5sFlTBN8-dZ3AMb6Amw8jytfpQHl/view?usp=drivesdk Can you access it?

noahajac commented 3 years ago

Did you boot system at all on the new device before attempting to restore?

vukisz commented 3 years ago

Nope, just did the format, restarted TWRP, copied the backup using the TWRP file manager and hit restore. Should I have tried booting after the data format? :-)

noahajac commented 3 years ago

Boot first to create user 0.

vukisz commented 3 years ago

Data format + restart ends in a bootloop. Is it as expected?

noahajac commented 3 years ago

Actual format (the button literally says "Format Data") or a factory reset?

vukisz commented 3 years ago

TWRP -> Wipe -> Format Data -> then a full-screen text:

Wipe
Format Data
Format Data will wipe all of your apps, backups, pictures, videos, media, and removes encryption on internal storage.
This cannot be undone.
Type yes to continue. Press back to cancel.

Typing yes and confirming

And this ends in:

Updating partition details...
done
Full SELinux support is present.
MTP Enabled
Formatting Data using mke2fs...
Done.
You may need to reboot recovery to be able to use / Formatting metadata using mke2fs...
data again.
Done.
Updating partition details...
...done

noahajac commented 3 years ago

Then no that is not expected. Is it actually bootlooping or just taking time to boot?

vukisz commented 3 years ago

Bootlooping:

  1. Warning, that bootloader is unlocked window
  2. Oneplus icon window
  3. Vibrate restart and go back to 1.

Maybe I'll try flashing boot, vendor and system again

vukisz commented 3 years ago

Finally resolved. Flashed all the factory images from the OTA archive provided by the manufacturer. Then restoring System/Vendor/Boot and formatting data did not end in a bootloop. After that, restoring data went well. And finally, after a cache wipe, the new phone was successfully running the old phone's backup. Thanks for helping @noahajac ;-)

nordurljosahvida commented 3 years ago

Hi all, just to be sure I'm good: backing up now with "warning: not all users decrypted" after "failed to decrypt user 10" [using a work profile with a few apps in it, generated with the app "Shelter" from F-Droid]. The backup is now proceeding after skipping the warning.

A. Is there a way to also decrypt user 10? B. If not [and really it doesn't matter], will restore succeed without user 10 after a complete wipe / formatting of the device?

Thanks!

EmanuelLoos commented 3 years ago

Is there a way to also decrypt user 10?

Only after you (or someone else) read through the AOSP (Android Open Source Project) source code and implement a way to decrypt user 10 in TWRP. The AOSP source code is publicly available, so theoretically it would be possible if you know Java and C++ well enough and have the time. If you decide to do that, please make your source code available and open a pull request so it works for others as well.

nordurljosahvida commented 3 years ago

Not a dev here, so unfortunately I won't be able to contribute.

About question B, has anyone tried with the latest TWRP?

Thanks

Iey4iej3 commented 3 years ago

Hi all, just to be sure I'm good: backing up now with "warning: not all users decrypted" after "failed to decrypt user 10" [using a work profile with a few apps in it, generated with the app "Shelter" from F-Droid]. The backup is now proceeding after skipping the warning.

A. Is there a way to also decrypt user 10? B. If not [and really it doesn't matter], will restore succeed without user 10 after a complete wipe / formatting of the device?

Thanks!

There is a solution: look back at https://github.com/TeamWin/Team-Win-Recovery-Project/issues/1256#issuecomment-684834828

EmanuelLoos commented 3 years ago

There is a solution: look back at #1256 (comment)

Oh, right, I forgot about this since when I had the issue I couldn't enable "Use one lock" as my phone always got stuck at the boot animation.

nordurljosahvida commented 3 years ago

I found this ticket after having this problem myself. The question below triggered something I wanted to try:

Do you have a separate password for user 10? If so, did you attempt to decrypt using Advanced -> Decrypt Users?

That got me thinking. I went into Accounts and found an option 'Use one lock'. I unchecked that and set the same PIN code for the work profile. That enabled TWRP to unlock both profiles with the same PIN. Somehow, in Android 10, 'Use one lock' with the code set once (main) is different from setting the same code twice.

With 'Use one lock', I guess Android 10 thinks of a lock for the work profile and sets (and unlocks) it via internal code instead of setting the same code. Advanced -> Decrypt Users doesn't work with 'Use one lock', but it is not even needed when you manually set the same code on both the main and the work profile. (It is probably needed when you set two different codes.)

Device: Samsung Tab S5e TWRP: 3.4.0-0 from https://build.twrp.me/twrp-3.4.0-0-gts4lvwifi.img (@luk1337 built) Image: Lineage 17.1 Firmware: T720XXU1BTF7_CL18864194_QB32199498_REV00.zip

Very useful info and discovery, however it's the exact opposite for me. I had one lock enabled already, disabled it, set the exact same password for user 10, and TWRP automatically decrypts both successfully in sequence.

OnePlus 7 Pro on Resurrection Remix 10, work profile managed by shelter

Iey4iej3 commented 3 years ago

Very useful info and discovery, however it's the exact opposite for me. I had one lock enabled already, disabled it, set the exact same password for user 10, and TWRP automatically decrypts both successfully in sequence.

The real point is that, if you enable "Use one lock", the low-level encryption keys for the two users are different. That is to say, we suspect that Android uses one key to compute that of the other, so in this case you could not simply input the same key to decrypt both. That is why we need to read the Android code to understand what is really happening.

yshui commented 2 years ago

Having the same problem and unfortunately I wiped data and forgot to backup my work profile beforehand.

I did some digging:

https://github.com/aosp-mirror/platform_frameworks_base/blob/c5d02da0f6553a00da6b0d833b67d3bbe87341e0/services/core/java/com/android/server/locksettings/LockSettingsService.java#L392-L397

Looks like the managed profile is using a randomly generated key, which is presumably stored somewhere?

Edit: https://github.com/aosp-mirror/platform_frameworks_base/blob/c5d02da0f6553a00da6b0d833b67d3bbe87341e0/services/core/java/com/android/server/locksettings/LockSettingsStorage.java#L449-L450

Seems to be in /data/system/.... Guess since I wiped it my data is definitely gone then. RIP.

yonderbread commented 2 years ago

So what exactly would be my decryption password for users 10 and 11 if my main user 0 uses a pattern to unlock?

biboon commented 2 years ago

Hello! Was there any progression on this? I just had a bad update and I'm desperately trying to backup/access my Work profile (Shelter).

Seems to be in /data/system/.... Guess since I wiped it my data is definitely gone then. RIP.

I dug down to a file gatekeeper.profile.key which may be helpful but it's a binary file. Is there a way to manually mount the partition through ADB using this key file? Like TWRP would do?

Edit: formatting

Atemu commented 2 years ago

IME, if your work pattern is the same as your user pattern, it decrypts both.

biboon commented 2 years ago

Well unfortunately it seems like it does not in my case. I can decrypt user 0 with my pin code, but decrypting user 11 fails. I have a somewhat "particular" work profile though as it was actually set up by the app Shelter.

Atemu commented 2 years ago

@biboon mine was also set up by shelter.

What I missed is that I ticked the "Use one lock" setting under security.

Craftplacer commented 10 months ago

I'll share the knowledge I've gained here:

@yshui's answer is correct, Android does generate a password when "unifying" the work profile with the main user. It also generates a secret key which it uses to encrypt the password. The encrypted password is being saved to /data/system/users/{work profile user id}/gatekeeper.profile.key afaik. Android dumps the secret key into the KeyStore with alias profile_key_name_decrypt_{work profile user id}.

While I was successful in finding the blob associated with the key inside /data/misc/keystore/persistent.sqlite, I have also noticed that it had a pKMblob header with a trailing zero, indicating that it was hardware generated.

So I'm not sure how to proceed from here; if I happen to get custom code to interface with my device, I might be able to extract the key.
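To make the difference discussed in this thread concrete (Iey4iej3's remark that "Use one lock" gives the two users different low-level keys, and Craftplacer's description of a generated profile password wrapped by a keystore key and stored as gatekeeper.profile.key), here is an added Python model of the two setups. It is not TWRP or AOSP code: the PBKDF2 derivation, the HMAC-based XOR wrapping and the in-memory `KeyStore` are stand-ins for Gatekeeper, KeyMaster and the real hardware-backed keystore, and the user id 10, the file path and the alias `profile_key_name_decrypt_10` are taken from the thread. It shows why a recovery that only has a typed PIN can unlock the profile when the same PIN was set separately, but not when the profile credential is a random value that only the booted system can unwrap, and why that value is unrecoverable once /data/system is formatted.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

OWNER_UID = 0
PROFILE_UID = 10                                   # work profile user id from the thread's logs
PROFILE_ALIAS = f"profile_key_name_decrypt_{PROFILE_UID}"   # keystore alias named in the thread


def derive_ce_key(credential: bytes, uid: int, salt: bytes) -> bytes:
    # Stand-in for the credential-to-CE-key derivation: the result depends only on the
    # typed credential and a per-user salt, so anything that knows the credential can
    # recompute it.  (Toy model: real Android goes through Gatekeeper/KeyMaster.)
    return hashlib.pbkdf2_hmac("sha256", credential, salt + bytes([uid]), 20_000)


class KeyStore:
    """Model of the keystore: wrapping keys are usable only while the full system is
    booted (booted=True); a recovery environment has no access to them."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.booted = False

    def generate(self, alias: str) -> None:
        self._keys[alias] = secrets.token_bytes(32)

    def _keystream(self, alias: str, n: int) -> bytes:
        # Toy stream cipher (HMAC in counter mode) standing in for AES inside the keystore.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._keys[alias], ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def wrap(self, alias: str, secret: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(secret, self._keystream(alias, len(secret))))

    def unwrap(self, alias: str, blob: bytes) -> bytes:
        if not self.booted:
            raise PermissionError("keystore key not available outside the booted system")
        return self.wrap(alias, blob)      # XOR with the same keystream is its own inverse


class Device:
    def __init__(self) -> None:
        self.keystore = KeyStore()
        self.salts = {uid: secrets.token_bytes(16) for uid in (OWNER_UID, PROFILE_UID)}
        self.ce_keys: dict[int, bytes] = {}         # keys the per-user CE storage is protected with
        self.profile_key_file: bytes | None = None  # models /data/system/users/10/gatekeeper.profile.key

    def set_credential(self, uid: int, pin: bytes) -> None:
        # Owner PIN, or a work-profile PIN set separately (the "same PIN twice" case).
        self.ce_keys[uid] = derive_ce_key(pin, uid, self.salts[uid])
        if uid == PROFILE_UID:
            self.profile_key_file = None

    def enable_use_one_lock(self) -> None:
        # "Use one lock": the profile gets a randomly generated credential; the system
        # keeps it wrapped under a keystore key rather than deriving it from the owner PIN.
        profile_pw = secrets.token_bytes(16)
        self.ce_keys[PROFILE_UID] = derive_ce_key(profile_pw, PROFILE_UID, self.salts[PROFILE_UID])
        self.keystore.generate(PROFILE_ALIAS)
        self.profile_key_file = self.keystore.wrap(PROFILE_ALIAS, profile_pw)

    def recovery_unlock(self, uid: int, pin: bytes) -> bool:
        # What a recovery can do: derive from whatever the user types and compare.
        return hmac.compare_digest(derive_ce_key(pin, uid, self.salts[uid]), self.ce_keys[uid])

    def system_unlock_profile(self) -> bool:
        # What the booted system does on owner unlock: unwrap the stored random credential.
        if self.profile_key_file is None:
            return False
        try:
            pw = self.keystore.unwrap(PROFILE_ALIAS, self.profile_key_file)
        except PermissionError:
            return False
        expected = derive_ce_key(pw, PROFILE_UID, self.salts[PROFILE_UID])
        return hmac.compare_digest(expected, self.ce_keys[PROFILE_UID])


def demo(pin: bytes = b"1234") -> dict[str, bool]:
    dev = Device()
    dev.set_credential(OWNER_UID, pin)
    dev.set_credential(PROFILE_UID, pin)             # separate lock, same PIN typed twice
    results = {
        "owner_pin_in_recovery": dev.recovery_unlock(OWNER_UID, pin),
        "same_pin_twice_in_recovery": dev.recovery_unlock(PROFILE_UID, pin),
    }
    dev.enable_use_one_lock()                        # switch the profile to the unified lock
    results["one_lock_pin_in_recovery"] = dev.recovery_unlock(PROFILE_UID, pin)
    results["one_lock_system_unbooted"] = dev.system_unlock_profile()
    dev.keystore.booted = True
    results["one_lock_system_booted"] = dev.system_unlock_profile()
    dev.profile_key_file = None                      # "Format Data" wiped /data/system
    results["one_lock_after_format"] = dev.system_unlock_profile()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'unlocked' if ok else 'FAILED'}")
```

The two results that matter for this thread are `same_pin_twice_in_recovery` (True: the profile key is derivable from the typed PIN) and `one_lock_pin_in_recovery` (False: the profile key derives from a value the PIN never touches). Once the wrapped credential file is gone, nothing, booted or not, can rebuild the profile key in this model, which matches the "Format Data" outcome reported above.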