[ks01lte] TWRP 3.0.2-0 still doesn't decrypt /data

[Diapolo]

I setup a PIN based encryption on my Samsung Galaxy S4 LTE Advanced i9506 (ks01lte) via CM12/CM13 nightly and I'm unable to decrypt /data via TWRP 2.8.7.0. It just tells me "Password Failed, Please Try Again" after entering the correct PIN.

• encryption IS hardware-based (shown in Android - Security)
• mount | grep "dm-"
• CONFIG_HW_DISK_ENCRYPTION is not present in log
• has_hw_crypto is 0

has_hw_crypto is 0
crypt_ftr->fs_size = 24571839
Using scrypt with keymaster for cryptfs KDF
could not find any keystore module
Failed to init keymaster
Signing failed
kdf failedfailure decrypting master keyFailed to decrypt master key
crypt_ftr->fs_size = 24571839
Using scrypt with keymaster for cryptfs KDF
could not find any keystore module
Failed to init keymaster
Signing failed
kdf failedfailure decrypting master keyFailed to decrypt master key
E:Failed to decrypt data.

[mikhaelkh]

Same problem, CyanogenMod 12.1 and TWRP 2.8.7.0 hammerheadcaf (LG Nexus 5)

[92lleo]

Same Problem On HTC One m8 (running arhd 45 with twrp 2.8.7.0. same error when trying to decrypt /data with my pin

[CaptainThrowback]

The M8 doesn't have this problem. You can't decrypt on the M8 because TWRP doesn't support (and has never supported) HTC's proprietary encryption.

[92lleo]

Thanks for your quick answer, didn't know that

[Diapolo]

I'm likely going to try encrypting my phone which now runs CM13 and really hope TWRP 2.8.7.0 is able to decrypt data ^^.

[Diapolo]

I can confirm it's still impossible to decrypt data, after a fresh PIN-based encryption with CM13.

[nailyk-fr]

@Diapolo Hi, Can you tell if your encryption is hardware-based ? Can you provide the result of mount | grep "dm-"? As you haven't /data with your recovery is it possible you can provide-us a recovery.log and a full dmesg? If not, I would like to know status of theses flags (in recovery.log):

• CONFIG_HW_DISK_ENCRYPTION present
• has_hw_crypto is [...]
• Using scrypt with [...]

for your original recovery and the recovery I provide to you, if you are ok to flash it :smile: Thanks in advance.

recovery_s4_20160117.img.zip (md5 of .img: 77ffc5202d43edefb2b76bb3c484ed3b ) P.S.: this recovery is really experimental and may not boot: I don't own a s4 so can't test it P.S.2: it don't know your recovery partition size: the file size a provide is 13Mb. P.S.3: if you flash this recovery and it failed to decrypt, can you try to mount /system and/or /firmware and try to decrypt again please?

[Diapolo]

@nailyk-fr

• encryption IS hardware-based
• mount | grep "dm-"

Will provide more details from within recovery in a few minutes.

Are you a official TWRP maintainer? How can I move on, if the supplied recovery doesn't boot anymore, just reflash current version via Odin?

Edit:

• Recovery size in TWRP is shown as 20MB

Edit 2:

• CONFIG_HW_DISK_ENCRYPTION is not present in log
• has_hw_crypto is 0

has_hw_crypto is 0
crypt_ftr->fs_size = 24571839
Using scrypt with keymaster for cryptfs KDF
could not find any keystore module
Failed to init keymaster
Signing failed
kdf failedfailure decrypting master keyFailed to decrypt master key
crypt_ftr->fs_size = 24571839
Using scrypt with keymaster for cryptfs KDF
could not find any keystore module
Failed to init keymaster
Signing failed
kdf failedfailure decrypting master keyFailed to decrypt master key
E:Failed to decrypt data.

[nailyk-fr]

@Diapolo

Are you a official TWRP maintainer?

No I'm not. I'm just trying to add encryption on some devices.

How can I move on, if the supplied recovery doesn't boot anymore

Get a copy of your working recovery and reflash it via fastboot as you do it for first time (looking for a link) with something like fastboot flash recovery <recovery.img>

just reflash current version via Odin?

I don't remember how odin work but maybe you can flash recovery with it.

edit: cyanogen link step 1 to 11. Seems your right, it is the download mode.

[Diapolo]

@nailyk-fr I updated the post with wanted infos, do you think your recovery could work or do you need to update, as you have fresh info now?

[nailyk-fr]

I'm pretty sure it will boot but I cannot test so it is not guaranteed. I build from sources and only add some files for hardware-encryption. But your log looks like your recovery is missing the keystore module and it is added in the recovery I provide to you. I think it can work. Which method do you use to flash your recovery?

When flashing recovery, even if it fail, you still have access to your rom and to download mode/fastboot mode, so you can reflash without problem.

[Diapolo]

I'd use Odin to reflash the original recovery as mentioned above (version 3.10 via the AP slot). Can I flash your recovery within TWRP?

[optimumpr]

@nailyk-fr

I build recovery separately from the rom. In the past, I would just open boot.img with archi kitchen (see on XDA) and remove ramdisk-recovery.cpio. Now, I put a flag in build not to compile recovery into a boot.img. That's all.

[nailyk-fr]

It is a image file (you need to extract zip on your computer) so you could not flash it from twrp. Sorry. Next one :smile: So I think you can flash my recovery from odin, and after testing it, you can reflash your old one with the same process. One more think: if this recovery fail to boot, you probably need to remove battery to turn-off your phone. Is your battery removable? Good luck!

[nailyk-fr]

@optimumpr thanks.

[Diapolo]

@nailyk-fr Tried to flash your recovery from within TWRP, as recovery image, which was successful. Next boot shows booting recovery... kernel is not SEANDROID enforcing... setting warranty bit: recovery. But that's it, doesn't boot into recovery. Restored my former recovery, now I can boot fine again. Any ideas?

[nailyk-fr]

@Diapolo

shows booting recovery... kernel is not SEANDROID enforcing... setting warranty bit: recovery

Seems this is a know 'issue' with custom rom on samsung. Sorry.

[Diapolo]

Is there anything you / I / we can do here? @Dees-Troy Can you perhaps try to comment or help us?

[Dees-Troy]

We'd need to know a lot more about the build that's causing the no boot including build tree, device tree, etc? Also need to know if adb works or not (and most testers don't do very well in this area... most testers are using Windows and we can never tell if adb isn't working because of a Windows driver issue or if adb really isn't working). I usually try to stay out of working with remote testers. There's at least 10 million TWRP users in the world and only one of me and I don't even work on TWRP as a full-time job. It's just a hobby that I do for fun.

[Diapolo]

I'm able to setup ADB, I already was using it, but didn't need it recently. Well I flashed the mentioned recovery from @nailyk-fr from within TWRP.

This should be the device tree that was used for adding crypto support AFAIK: https://github.com/nailyk-fr/android_device_samsung_ks01lte/commit/85633573c28e5ee4f54812dfa9ca8789ec2631b5

I'd love to get this working...

Edit: Thanks for sneaking into this discussion :).

[tomchiverton]

Same issue here with a Sony Z3 compact. I pulled the recovery.log via adb

Finished running boot script.
I:Copying file /cache/recovery/log to /cache/recovery/last_log
I:Is encrypted, do decrypt page first
I:Switching packages (TWRP)
I:Set page: 'decrypt'
I:Set page: 'decrypt_pattern'
I:Set page: 'trydecrypt'
I:operation_start: 'Decrypt'
Warning: crypto footer minor version 4, expected <= 3, continuing...
Password not correctly hex encoded.
has_hw_crypto is 0
crypt_ftr->fs_size = 24719295
Using scrypt for cryptfs KDF
Enabling support for allow_discards in dmcrypt.
load_crypto_mapping_table: target_type = crypt
load_crypto_mapping_table: real_blk_name = /dev/block/mmcblk0p25, extra_params = 1 allow_discards
Error temp mounting decrypted block device '/dev/block/dm-0'
crypt_ftr->fs_size = 24719295
Using scrypt for cryptfs KDF
Trying to convert ascii string of odd lengthkdf failedfailure decrypting master keyFailed to decrypt master key
E:Failed to decrypt data.

So it looks like the same issue. Is there anything else I can provide to help ?

[tomchiverton]

I notice the log says "has_hw_crypto is 0" but the device settings says "credential storage, storage type" is "hardward backed". Could this be the issue ?

[Diapolo]

Too bad I'm not able to code or make any progress on this. Seems the current code of TWRP doesn't correctly support our devices. That this IS indeed possible is clear, because CM is able to decrypt just fine :-(.

[nailyk-fr]

@tomchiverton I try to add crypto for twrp on some xperia Z devices. Here is my xda thread. If you want we can try to add crypto for your z3c then, maybe, came back with a gerrit pull-request?

[Diapolo]

I can confirm I still can't access /data with current TWRP 3.0.2-0 :-/.

[tomchiverton]

@Diapolo did you try builds from the xda thread linked above ?

[Diapolo]

@tomchiverton It feels dangerous to flash a recovery for a Sony device on a Samsung one? No I didn't yet look into the thread. I once tried a custom build from one community member, which caused just a bootloop.

[Antebur]

For the Samsung S4 i9505 (jfltexx) the decrypting is working in TWRP 3.0.2 so could it be possible to search the differences to the S4 i9506 (ks01lte)to solve the issue ? It would be very cool if this could be solved.

[Diapolo]

I recently wiped my phone, installed latest CM13 nightly and encrypted again. Still with TWRP 3.0.2-0 it's not possible to decrypt /data 👎.

[kerlerm]

Same issue here on maguro (Samsung Galaxy Nexus) since flashing cm-13.0. TWRP 3.0.2 did work with an encrypted data partition on cm-12.1 but is unable to mount the encrypted cm-13.0 data partition.

Did something change in Android 6 regarding disk encryption?

[BoBeR182]

Sony Z3 D6603 not possible to decrypt data yet. Just tried on fresh ROM.