TeamWin / android_device_oneplus_bacon

For building TWRP for the OnePlus One only

Decryption doesn't work if booted via `fastboot boot`, but works if twrp is flashed to device #13

Open akorn opened 6 years ago

akorn commented 6 years ago

Hi,

I can decrypt my phone with TWRP 3.0.2-0, but no later version, including twrp-3.2.1-K2-bacon.img.

I'm reasonably sure the phone was encrypted with KitKat. The password is a pin.

Successful decryption with 3.0.2-0 looks like this in dmesg:

```
<4>[  106.025534] audit_printk_skb: 36 callbacks suppressed
<5>[  106.025896] type=1400 audit(120513675.509:32): avc:  denied  { write } for  pid=207 comm="recovery" name="orsout" dev="rootfs" ino=7575 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<5>[  106.036899] type=1400 audit(120513675.519:33): avc:  denied  { getattr } for  pid=226 comm="recovery" path="/sbin/orsout" dev="rootfs" ino=7575 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<7>[  106.178351] SELinux: initialized (dev mmcblk0p1, type vfat), uses genfs_contexts
<5>[  107.615724] type=1400 audit(120513677.089:34): avc:  denied  { read } for  pid=226 comm="recovery" name="keymaste.mdt" dev="mmcblk0p1" ino=3 scontext=u:r:init:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<5>[  107.615839] type=1400 audit(120513677.089:35): avc:  denied  { open } for  pid=226 comm="recovery" name="keymaste.mdt" dev="mmcblk0p1" ino=3 scontext=u:r:init:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<5>[  107.616003] type=1400 audit(120513677.099:36): avc:  denied  { getattr } for  pid=226 comm="recovery" path="/firmware/image/keymaste.mdt" dev="mmcblk0p1" ino=3 scontext=u:r:init:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<5>[  107.618497] type=1400 audit(120513677.099:37): avc:  denied  { read } for  pid=227 comm="ueventd" name="cmnlib.mdt" dev="mmcblk0p1" ino=8 scontext=u:r:ueventd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<5>[  107.618609] type=1400 audit(120513677.099:38): avc:  denied  { open } for  pid=227 comm="ueventd" name="cmnlib.mdt" dev="mmcblk0p1" ino=8 scontext=u:r:ueventd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<4>[  107.676987] QSEECOM: qseecom_load_app: App (keymaste) does'nt exist, loading apps for first time
<4>[  107.678218] QSEECOM: qseecom_load_app: App with id 2 (keymaste) now loaded
<3>[  109.544774] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
<6>[  111.971053] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
<7>[  111.971133] SELinux: initialized (dev dm-0, type ext4), uses xattr
<6>[  113.019100] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: 
<7>[  113.019150] SELinux: initialized (dev dm-0, type ext4), uses xattr
<7>[  113.054121] SELinux: initialized (dev mmcblk0p1, type vfat), uses genfs_contexts
<6>[  113.065447] EXT4-fs (mmcblk0p14): mounted filesystem with ordered data mode. Opts: 
<7>[  113.065565] SELinux: initialized (dev mmcblk0p14, type ext4), uses xattr
<6>[  113.090792] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: 
<7>[  113.090985] SELinux: initialized (dev dm-0, type ext4), uses xattr
<5>[  113.139886] type=1400 audit(120513682.619:39): avc:  denied  { read } for  pid=226 comm="recovery" name="com.google.android.music" dev="dm-0" ino=640508 scontext=u:r:init:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=1
<5>[  113.140433] type=1400 audit(120513682.619:40): avc:  denied  { open } for  pid=226 comm="recovery" name="com.google.android.music" dev="dm-0" ino=640508 scontext=u:r:init:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=1
<6>[  113.169393] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: 
<7>[  113.169574] SELinux: initialized (dev dm-0, type ext4), uses xattr
<5>[  113.194709] type=1400 audit(120513682.669:41): avc:  denied  { unlink } for  pid=226 comm="recovery" name="orsin" dev="rootfs" ino=7574 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<6>[  113.447452] mdss_livedisplay_worker cabc=0 sre=0 aco=0 cmd=0
<6>[  113.505752] mdss_livedisplay_update_pcc: r=32768 g=32768 b=32768
<3>[  114.157696] lm3630_bank_a_update_status set brightness :  255 
<5>[  114.976663] type=1400 audit(120513683.810:42): avc:  denied  { write } for  pid=259 comm="recovery" name="mtp_usb" dev="tmpfs" ino=8311 scontext=u:r:init:s0 tcontext=u:object_r:mtp_device:s0 tclass=chr_file permissive=1
<6>[  114.977203] mtp_open
```

An unsuccessful attempt with e.g. 3.2.3-0 looks like this:

```
<11>[    9.403771] init: Warning!  Service qseecomd needs a SELinux domain defined; please fix!
<13>[    9.403848] init: Starting service 'qseecomd'...
<4>[    9.404991] audit_printk_skb: 27 callbacks suppressed
<5>[    9.405350] type=1400 audit(120513903.340:20): avc:  denied  { execute_no_trans } for  pid=221 comm="init" path="/sbin/qseecomd" dev="rootfs" ino=6227 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
<5>[    9.424030] type=1400 audit(120513903.356:21): avc:  denied  { write } for  pid=221 comm="qseecomd" name="mmcblk0rpmb" dev="tmpfs" ino=8547 scontext=u:r:init:s0 tcontext=u:object_r:rpmb_device:s0 tclass=blk_file permissive=1
<5>[    9.424772] type=1400 audit(120513903.360:22): avc:  denied  { write } for  pid=221 comm="qseecomd" name="mmcblk0p20" dev="tmpfs" ino=8589 scontext=u:r:init:s0 tcontext=u:object_r:ssd_device:s0 tclass=blk_file permissive=1
<6>[    9.425142] warning: `qseecomd' uses 32-bit capabilities (legacy support in use)
<5>[    9.426096] type=1400 audit(120513903.360:23): avc:  denied  { write } for  pid=222 comm="qseecomd" name="qseecom" dev="tmpfs" ino=8424 scontext=u:r:init:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
<5>[    9.426221] type=1400 audit(120513903.360:24): avc:  denied  { ioctl } for  pid=222 comm="qseecomd" path="/dev/qseecom" dev="tmpfs" ino=8424 ioctlcmd=970a scontext=u:r:init:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
<5>[    9.428343] type=1400 audit(120513903.363:25): avc:  denied  { write } for  pid=222 comm="qseecomd" name="property_service" dev="tmpfs" ino=9229 scontext=u:r:init:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
<5>[   16.108432] type=1400 audit(120513910.043:26): avc:  denied  { write } for  pid=193 comm="recovery" name="orsout" dev="rootfs" ino=8686 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<5>[   16.123723] type=1400 audit(120513910.056:27): avc:  denied  { getattr } for  pid=229 comm="recovery" path="/sbin/orsout" dev="rootfs" ino=8686 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<4>[   16.124837] mmc0: Starting deferred resume
<4>[   16.254094] mmc0: Deferred resume completed
<7>[   16.260210] SELinux: initialized (dev mmcblk0p1, type vfat), uses genfs_contexts
<11>[   16.260601] init: avc:  denied  { set } for property=crypto.state scontext=u:r:recovery:s0 tcontext=u:object_r:vold_prop:s0 tclass=property_service
<5>[   18.127945] type=1400 audit(120513912.063:28): avc:  denied  { read } for  pid=231 comm="ueventd" name="cmnlib.mdt" dev="mmcblk0p1" ino=8 scontext=u:r:ueventd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<5>[   18.128062] type=1400 audit(120513912.063:29): avc:  denied  { open } for  pid=231 comm="ueventd" name="cmnlib.mdt" dev="mmcblk0p1" ino=8 scontext=u:r:ueventd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
<4>[   18.188217] QSEECOM: qseecom_load_app: App (keymaste) does'nt exist, loading apps for first time
<4>[   18.189454] QSEECOM: qseecom_load_app: App with id 2 (keymaste) now loaded
<3>[   19.172919] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -68,app_id = 0,lstr = 12288
<3>[   19.172994] QSEECOM: __qseecom_generate_and_save_key: process_incomplete_cmd FAILED, resp.result -68
<3>[   19.173032] QSEECOM: qseecom_create_key: Failed to generate key on storage: -22
<3>[   19.173099] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
<3>[   20.998019] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -68,app_id = 0,lstr = 12288
<3>[   20.998062] QSEECOM: __qseecom_generate_and_save_key: process_incomplete_cmd FAILED, resp.result -68
<3>[   20.998127] QSEECOM: qseecom_create_key: Failed to generate key on storage: -22
<3>[   20.998190] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
<5>[   21.271096] type=1400 audit(120513915.206:30): avc:  denied  { unlink } for  pid=229 comm="recovery" name="orsin" dev="rootfs" ino=8685 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<5>[   21.302291] type=1400 audit(120513915.236:31): avc:  denied  { sys_time } for  pid=193 comm="recovery" capability=25  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability permissive=1
```

I tried to copy the twrp binary from the working version to a broken version to see what would happen, but it still couldn't decrypt the filesystem.

The problem looks similar to #10, but I don't know if it's the same.
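A triage helper for the two dmesg captures in the post above, as an added example that is not part of the original issue or the TWRP project: it extracts the SELinux domain each process ran in and the QSEECOM error codes, then reports what differs between a working and a failing capture. The function names are hypothetical, and the embedded lines are excerpts of the logs quoted above.

```python
import re
from collections import Counter

# Excerpts of the two dmesg captures quoted in the issue (not the full logs).
WORKING = r'''<5>[  106.025896] type=1400 audit(120513675.509:32): avc:  denied  { write } for  pid=207 comm="recovery" name="orsout" dev="rootfs" ino=7575 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<4>[  107.678218] QSEECOM: qseecom_load_app: App with id 2 (keymaste) now loaded
<3>[  109.544774] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
<6>[  111.971053] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)'''
FAILING = r'''<5>[   16.108432] type=1400 audit(120513910.043:26): avc:  denied  { write } for  pid=193 comm="recovery" name="orsout" dev="rootfs" ino=8686 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=fifo_file permissive=1
<4>[   18.189454] QSEECOM: qseecom_load_app: App with id 2 (keymaste) now loaded
<3>[   19.172919] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -68,app_id = 0,lstr = 12288
<3>[   19.173032] QSEECOM: qseecom_create_key: Failed to generate key on storage: -22'''

AVC = re.compile(r'avc:\s+denied.*?comm="([^"]+)".*?scontext=(\S+)')
QSEE = re.compile(r'QSEECOM: (\w+): (.*)')
RESP = re.compile(r'resp res= ?(-?\d+)')

def summarize(dmesg_text):
    """Collect per-process SELinux domains and QSEECOM errors from one capture."""
    domains, resp_codes, key_failures = {}, Counter(), 0
    for line in dmesg_text.splitlines():
        avc = AVC.search(line)
        if avc:
            # Map the process name (comm) to every source context it was seen in.
            domains.setdefault(avc.group(1), set()).add(avc.group(2))
            continue
        qsee = QSEE.search(line)
        if not qsee:
            continue
        func, msg = qsee.groups()
        resp = RESP.search(msg)
        if resp:
            resp_codes[int(resp.group(1))] += 1
        if func == "qseecom_create_key":
            key_failures += 1
    return {"domains": domains, "resp_codes": resp_codes, "key_failures": key_failures}

def compare(working, failing):
    """Report what differs between a working and a failing capture."""
    ok, bad = summarize(working), summarize(failing)
    return {
        "recovery_domain": (ok["domains"].get("recovery"), bad["domains"].get("recovery")),
        "resp_codes_only_in_failing": sorted(set(bad["resp_codes"]) - set(ok["resp_codes"])),
        "key_creation_failures": (ok["key_failures"], bad["key_failures"]),
    }

if __name__ == "__main__":
    for key, value in compare(WORKING, FAILING).items():
        print(f"{key}: {value}")
```

The comparison only lists differences between the two captures; it does not establish which of them causes the decryption failure.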

akorn commented 6 years ago

Well, it turns out that if I flash twrp-3.2.3-0-bacon.img to the device, it decrypts the storage successfully. Booting it via `fastboot boot twrp-3.2.3-0-bacon.img`, it doesn't.

Actually, come to think of it, I saw the same behaviour with 3.0.2-0 as well.

akorn commented 5 years ago

Also see #12.