Question regarding solder resistance of android - Security Discussion

Hi,
When I have a phone originally shipped with Android 6 (Moto Z), now running 7.1.1 with full disk encryption enabled and the PIN unknown... can you extract the internal memory chip and read out the decrypted data?
Or am I correct in my understanding that the TEE stores a part of the key, which is of course missing when someone extracts the memory chip?
What if the TEE is also extracted? Is this possible?
thanks!

Thesnable said: (quoted above)
I'm quite sure that as you have encryption, you don't have root.
And nope, you cannot extract the data.
Try to get a "reset" PIN (on some phones); it will ask you to sign in to your Google account and that's it.
Or maybe (I don't know, this is untested) lock your phone remotely with Android Device Manager (Google) and then enter the new lock key.

thanks!

Related

[Q] Can you please explain what is the ROM?

Hey, I have only really basic knowledge about computers and OSs, so I really need some explanation for the case of Android smartphones (Qualcomm mainly). So let me first tell you what I know (I hope that this is true): computers use EEPROM, which is a type of ROM that is erasable. The BIOS is stored there and it's the first thing loaded when starting the computer. (It is easily updatable, as I have already updated my BIOS.) In the case of Android smartphones I think they use NVRAM, but I don't know what NVRAM is physically. Is it built-in memory separate from the storage devices, like on computers, or is it just a partition of internal storage? (By internal storage I mean /dev/block/mmcblk0.) I found on some websites that NVRAM can only be erased using JTAG, but I also found that device cloning is done by copying mmcblk0 from one phone to another, so that means that NVRAM is located in mmcblk0. And if NVRAM is just a part of mmcblk0, why is it read-only memory? We can easily write to other partitions, so why not NVRAM?! I'm really confused...
Please share your knowledge; I would need years of studying electronics and computer science to know all this by myself... Thank you all!!
AmineBY said: (quoted above)
Well, I didn't understand a damn thing you just said, but I can tell you this:
ROM, in the Android world, means the OS or firmware the device runs on. Like Windows or Linux. You can have the stock ROM, which is what the device ships with. Or, if the device allows it, you can install a custom ROM, such as CyanogenMod.
"ROM" can mean other things in different contexts. You can find these out for yourself by using this thing called "google". But in the Android world, it simply means the operating system.
Planterz said: (quoted above)
Thanks for the quick reply! But I'm not talking about ROM files. I'm asking about this: http://en.wikipedia.org/wiki/Read-only_memory
Of course I already tried googling it, but it's just general information; I'm searching for information about Android hardware (Qualcomm mainly).
Any idea about Android devices' ROM (read-only memory), please?!
I'm not sure about low-level stuff (like the actual bootloader, which probably is isolated on different ROM chips on various devices), but most of what we normally consider the "ROM" -- i.e. the Android system software discussed above -- and even a sort of miniature OS for performing updates called the recovery -- is stored on a flash memory chip (sometimes eMMC) within the phone. Definitely not NVRAM/EEPROM, though the bootloader could be on one of those.
maclynb said: (quoted above)
Thanks! I think some information should be on NVRAM; if not, why do people use JTAG to unlock devices?! Flash memory can be edited easily using a USB cable only...
AmineBY said: (quoted above)
I don't think it's possible to edit flash memory with USB cables alone on most devices; that's actually rather tough and requires a phone that's had its bootloader unlocked (even then, official bootloader unlocks -- like HTC's -- don't always let you write over certain bits of it). Not quite sure about the JTAG stuff -- that reaches the limits of my knowledge.

[TWRP] Regarding the decryption pin/pwd request

Guys, apologies if the question is silly / already asked somewhere I wasn't able to locate.
As per the thread title, what is that all about? 1. Is it expected behaviour / a feature of TWRP, or is it a kind of bug? 2. Is there any way to avoid / disable it?
It's quite annoying during these days of frequent flashing, as development is speeding up fast for this little beast.
If you have a PIN or pattern set up, it will always ask you for it.
sting5566 said: (quoted above)
Well, thanks for pointing that out.
I've been outside of the flashing world for a while with my old phone (OP2), but I'm pretty sure I recall that I was using TWRP 3.x with a PIN set up (due to fingerprint usage for unlocking) and the recovery was not asking for any decryption password.
Maybe the OP2 was not encrypted and that's the point. So I'm wondering if future development will change this (are custom ROMs usually decrypted?).
It's something completely outside of my knowledge, so I could just be trash-talking here.
ca110475 said: (quoted above)
If you don't want to enter anything when TWRP starts: under Security, change Screen lock to None and you shouldn't have to put anything in when TWRP starts.
ca110475 said: (quoted above)
It is a security issue. If you need a password/PIN/pattern to keep your phone secure, then logically you should have it required in TWRP to prevent unauthorized access to your phone through TWRP. You can disable the password/PIN/pattern from the TWRP file manager.
Sent from my OnePlus6 using XDA Labs
Just decrypt your phone's storage. You won't be asked for a pattern/PIN anymore in TWRP.
matze19999 said: (quoted above)
How?
mikex8593 said:
How?
I'm not so sure you can actually decrypt the phone's storage, and the reason I believe this to be so is that the day I received my phone I was going through all of the settings. If you go into Security and lock screen and scroll to the bottom you will see that your phone is encrypted. My phone was like this from day one without entering any fingerprint or PIN code. I may be wrong about decrypting the storage; however, the OnePlus 6 does have an EFS (encrypted file system) which stores the MEID, IMEI, serial number, config, diag settings, radio settings, etc. in an encrypted format at the file system level.
If you do manage to decrypt your storage, your phone will most certainly be vulnerable.
dgunn said: (quoted above)
I've always been decrypted with previous phones. There is no decryption method with the 6 yet because of the A/B partitioning. You need to flash a modified boot img.
mikex8593 said: (quoted above)
If you were to decrypt your data (and you can, through either adb or fastboot, but I'm not going into that here), you would wipe it at the same time.
There's no way around this.
carlos67 said: (quoted above)
With that, I am aware of the wipe, but it would be a prepared and willing wipe. But you are right, this is not the place for the discussion.

A question about android partitioning

Hello, and sorry for my bad English.
I just wanted to ask: does Android do partitioning in any way similar to Linux? Because they have similar kernels, can I dump the eMMC contents to something like a virtual hard drive, then view the partitions and edit them normally?
Because my family has several cheap Chinese phones (mostly MTK) and they share this annoying system storage issue where apps can only be stored on 2 GB (separated from the other 6 GB of media storage (sdcard1)), where there is only 0.5 GB free for you to install your applications. Custom ROM flashing doesn't work; while App2SD works after some trouble, it is still not stable and often problematic for the average users these phones belong to; flashing custom layouts bricks the phone no matter what I tried; while I tried to stay away from rooting, I tried it and Xposed plugins (or something) don't even work. I gave up on this already, but I would really prefer to expand my knowledge of Android.
If the phone's Android is rooted you can always dump the contents of Android partitions.
See also here:
[GUIDE] Making Dump Files Out of Android Device Partitions - GSM-Forum (forum.gsmhosting.com)
Use: The main purpose is to make a file that contains all data in an Android-specific partition. This is really handy in case of dumping leaked firmwares.
jwoegerbauer said: (quoted above)
Thank you, but can SP Flash Tool do the above? (Does using the combo of WWR_MTK and SP Flash Tool achieve dumps that can be read in the same way?)
IDK
jwoegerbauer said:
IDK
I am away from home for some time so I can't try it, but my suggested method generates img files for everything.
Also, can I in any way resize the partitions on the phone (maybe go your way, then edit the partitions on the PC, then flash them back, OR modify the SP Flash Tool scatter file (very unlikely to work; file size and partition size are different)), or merge the internal and media partitions, or modify the ROM so it stores apps in the media storage, then flash it back? Any help would be appreciated.
IDK
jwoegerbauer said:
IDK
OK, thanks anyway.

Asking for help Blu G90

Forgive me if I put this in the wrong section.
Q: My father recently passed away and I'm trying to recover some data that is on his phone. I physically have his phone, a Blu G90. Is there a way to bypass or disable the native PIN lock?
USB debugging is not enabled. Default is set to charge only for PC.
I'm pretty sure wipe at 15 attempts is set, so I can't brute force.
I have a couple of forensics applications that can see it when it goes to the bootloader, but then they crash as soon as I try to grab an image or mount /system.
I'm literally begging for any assistance I can get.
Thanks in advance.
AntiMatter2112 said: (quoted above)
Since the device is locked (bootloader locked), the permissions to change/modify/copy something on the phone cannot be obtained, so you cannot get at the internal storage files.
The only way is unlocking the bootloader, and for that the phone needs to be formatted, including internal storage, so the device erases all files. The PIN lock can be removed with adb/fastboot commands or TWRP.
But again, with a locked bootloader, there is no chance of getting the internal files.
DragonPitbull said: (quoted above)
Thanks for the reply. I was afraid of that. Even after a factory reset, if I root, is there a chance of partial data recovery? Or is it completely gone?
AntiMatter2112 said: (quoted above)
You can try an official unlock. Maybe it can have some result, or maybe not. Trying is the attitude.
Write to Google support and try to legally show a death certificate and supporting documents for your father's phone number. Write down the situation and wait for some response from them.
The only practical way would be to try a backup of the internal partition. But it depends on your knowledge of Smart Phone Flash Tool. Also you must know how to "cut" the file into the right parts.
There would be a very small possibility of restoring the internal files with a backup of userdata or of the whole thing (called ROM_1).
The next step would be to unlock the phone, install TWRP and restore the file made from userdata.
Perhaps at that point you have a 1% chance of removing the PIN and booting the device without a password.
But this should only be done if Google gives you a negative answer.
Another way is with the carrier company. But I think that will help with nothing.
Understand that despite having a userdata file with the PIN, there is encryption involved, and that is what makes the whole process difficult.
I know the TWRP made for the BLU G90 has decryption enabled. But I don't know how it will behave with a userdata file made with the stock ROM.
Unfortunately there is no guarantee that files like photos, docs, etc. will be in userdata, as this refers to internal storage. Userdata is in root storage.
So even if there is an application or software capable of restoring the files, there is also the possibility that it will not be successful or will have corrupted files. This will depend on your choice and the risk of carrying out the process.
DragonPitbull said: (quoted above)
Thanks for the reply. Google was pretty useless. They told me to contact Blu, and Blu said to contact Google. I successfully hard reset and rooted. Went through setup to try a restore from his Drive backup and it wanted the unlock PIN in order to restore. Google was again quite useless. Since this is a matter of his estate, I served Google with a notice of preservation on the backup, since it expires pretty soon. I'm going to try next to roll back to an older version, before the unlock PIN requirement to restore a Google backup. Grabbed a Cellebrite image earlier so I can mess around with it later tonight. I'm hoping that because of the unlock requirement the PIN file is still there after the reset.

Reading directly from onboard flash

I was not sure where else to put this thread, so I apologize if this forum is not appropriate. I am planning to desolder the flash chip from my old Samsung S6 and use either the ZX3 Easy-JTAG or the NuProg-E2 to read the contents of the chip. I just realized that the contents of the chip are probably encrypted, probably using the PIN to do so. Does anyone know if this is true? If so, what mechanism is used to encrypt it? I have no issue writing some software to decrypt it given the PIN if I knew how it was encrypted to begin with.
You don't need the PIN; it's just encrypted with default_password. But it's impossible to decrypt offline. Either get the mainboard back to life and boot into Android, or just smash it with a hammer and throw it in the garbage.
aIecxs said: (quoted above)
Thank you for your response; I do have a follow-up question though. I read somewhere that since Android 10 the storage is encrypted. Doesn't that mean that it is encrypted via software, presumably by the Android software itself? Since Android is open source, wouldn't it be possible to decrypt it in the same manner as Android does when it loads it? I am hoping my reasoning is correct, but I admit that there could always be something unbeknownst to me that makes this impossible, such as some firmware or onboard circuit in between the CPU and the storage. If it is possible, I am more open to buying those expensive flash chip readers I mentioned to recover the data.
Android has offered encryption since Android 5.0 Lollipop. You would have noticed that if you had followed the link.
aIecxs said: (quoted above)
Yeah, that's true, but it's not mandatory since Android 10.0, from what I read.
aIecxs said: (quoted above)
Also, the link made it seem possible? Or am I missing something?
I also found this: https://source.android.com/docs/security/features/encryption/full-disk
```
Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a default password and stored salt. The default password is: "default_password" However, the resultant hash is also signed through a TEE (such as TrustZone), which uses a hash of the signature to encrypt the master key.
```
I don't know what a TEE actually is, but I am guessing this is what makes it impossible? Unless the master key is stored somewhere other than the internal flash, it seems that everything you need to decrypt is available to you, assuming you know the PIN.
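The key hierarchy that quoted paragraph describes, modelled as an added Python example (not AOSP code and not from anyone in this thread): scrypt over the password and the footer's salt gives an intermediate key, the keymaster inside the TEE signs it with a key that never leaves the TEE, a second scrypt over that signature yields the key that unwraps the 128-bit master key stored in the crypto footer on flash. Two stand-ins are assumptions so the script runs with only the standard library: the TEE signing key is a tiny textbook RSA key generated in the script, and the AES-128-CBC unwrap of the master key is replaced by an XOR with the derived key bytes. The scrypt cost parameters are illustrative, not the footer's real ones. `chip_off_attack` is what someone holding only the flash contents can compute: on a footer with no keymaster binding it recovers the master key from the default password (or a guessed PIN); on a keymaster-bound footer it gets the wrong key even with the right password, because the signing step needs the TEE.

```python
"""Model of Android full-disk encryption (crypto footer) key wrapping.

Added example, not AOSP code. Stand-ins (assumptions) so it needs only the
standard library: a toy RSA key plays the keymaster signing key that lives in
the TEE, and XOR with the derived key replaces the AES-128-CBC unwrap of the
master key. The scrypt cost parameters are illustrative, not the footer's.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_PASSWORD = b"default_password"  # literal named in the AOSP text above
MASTER_KEY_LEN = 16                     # 128-bit master key
SCRYPT = dict(n=2 ** 13, r=8, p=1)      # assumption: illustrative cost parameters


@dataclass
class ToyTEE:
    """Keymaster stand-in: the private exponent d never leaves this object."""
    n: int
    d: int

    def sign_raw(self, data: bytes) -> bytes:
        # Raw RSA like keymaster's signature over the intermediate key. The
        # toy modulus is tiny, so the 32-byte input is reduced mod n first.
        m = int.from_bytes(data, "big") % self.n
        s = pow(m, self.d, self.n)
        return s.to_bytes((self.n.bit_length() + 7) // 8, "big")


def make_toy_tee() -> ToyTEE:
    # Constructed small primes: insecure, for illustration only.
    p, q, e = 1_000_003, 1_000_033, 65_537
    return ToyTEE(n=p * q, d=pow(e, -1, (p - 1) * (q - 1)))


@dataclass
class CryptoFooter:
    """Everything a chip-off reader gets: these bytes sit in flash."""
    salt: bytes
    wrapped_master_key: bytes
    keymaster_bound: bool


def derive_kek(password: bytes, salt: bytes, tee: Optional[ToyTEE]) -> bytes:
    """scrypt(password) -> [TEE signature -> scrypt] -> 16-byte key-encryption key."""
    ik1 = hashlib.scrypt(password, salt=salt, dklen=32, **SCRYPT)
    if tee is None:
        return ik1[:MASTER_KEY_LEN]  # legacy footer: no hardware binding
    ik2 = tee.sign_raw(ik1)          # only the TEE can produce this step
    ik3 = hashlib.scrypt(ik2, salt=salt, dklen=32, **SCRYPT)
    return ik3[:MASTER_KEY_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def first_boot(tee: Optional[ToyTEE]) -> Tuple[CryptoFooter, bytes]:
    """Device side: random master key, wrapped under the default password."""
    master_key = os.urandom(MASTER_KEY_LEN)
    salt = os.urandom(16)
    kek = derive_kek(DEFAULT_PASSWORD, salt, tee)
    return CryptoFooter(salt, xor_bytes(master_key, kek), tee is not None), master_key


def unlock_on_device(footer: CryptoFooter, password: bytes,
                     tee: Optional[ToyTEE]) -> bytes:
    """Device side at boot: the TEE is present, so the whole chain runs."""
    return xor_bytes(footer.wrapped_master_key, derive_kek(password, footer.salt, tee))


def set_password(footer: CryptoFooter, old: bytes, new: bytes,
                 tee: Optional[ToyTEE]) -> CryptoFooter:
    """Setting a PIN re-wraps the same master key; user data is not re-encrypted."""
    master_key = unlock_on_device(footer, old, tee)
    kek = derive_kek(new, footer.salt, tee)
    return CryptoFooter(footer.salt, xor_bytes(master_key, kek), tee is not None)


def chip_off_attack(footer: CryptoFooter, guess: bytes = DEFAULT_PASSWORD) -> bytes:
    """Attacker side: holds the footer from the desoldered chip, has no TEE.

    Yields the real master key only for a footer that is not keymaster-bound
    and whose password is guessed; otherwise the bytes are simply wrong, since
    ik2 cannot be computed without the signing key inside the TEE.
    """
    return xor_bytes(footer.wrapped_master_key, derive_kek(guess, footer.salt, None))


if __name__ == "__main__":
    tee = make_toy_tee()
    bound, mk = first_boot(tee)
    print("device unlock, keymaster-bound:", unlock_on_device(bound, DEFAULT_PASSWORD, tee) == mk)
    print("chip-off, keymaster-bound, default_password:", chip_off_attack(bound) == mk)
    legacy, mk2 = first_boot(None)
    print("chip-off, legacy footer, default_password:", chip_off_attack(legacy) == mk2)
    pinned = set_password(legacy, DEFAULT_PASSWORD, b"1234", None)
    print("chip-off, legacy footer with PIN, default_password:", chip_off_attack(pinned) == mk2)
    print("chip-off, legacy footer with PIN, guessed PIN:", chip_off_attack(pinned, b"1234") == mk2)
```

Run as a script and the legacy (unbound) footer falls offline to the default password, and to a PIN guess once a PIN is set, while the keymaster-bound footer does not open even with the right password, which is the point behind "impossible to decrypt offline" above. On a bound footer every PIN guess also needs the TEE to sign, so a brute force cannot run on a desoldered chip; a real device additionally uses AES-CBC for the unwrap and a 2048-bit keymaster key.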
(FDE) Full-disk encryption is mandatory since Android 6.0.1 Marshmallow.
(FBE) File-based encryption is mandatory for devices shipped with Android 10.0 Quince Tart.
Encryption keys are hardware-backed in the TrustZone TEE, yet another proprietary operating system, not accessible from eMMC storage.
If the mainboard doesn't show any sign of life on lsusb, just forget about it.
aIecxs said: (quoted above)
OK, thanks for clarifying. I originally based this project on this video:
Since I have an S6 myself I was hoping it would work for me, but I have no idea if the storage was encrypted. I am hesitant to gamble a thousand dollars on a solution that may not work for me.
Also, theoretically, couldn't you get the encryption keys from the processor itself if you could somehow power it on in debug mode? Sorry if debug mode is not the correct term.
Thank you again for all your help.
Theoretically... but the SM-G920F is an Exynos SoC.
http://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html
