I am searching for a way to change roms without removing encryption. It looks like files under /data/system/vold and /data/unencrypted provide keys to decrypt internal media according to this thread.
So far I tried wiping everything in data partition except /data/media, /data/system/vold and /data/unencrypted but it ended in failure and the new rom can't decrypt it.
Is there any files should I preserve while clearing data partition to preserve encryption? The device is running android 11 btw.
Related
Hello everyone,
so I accidentally wiped my /data/media on my OnePlus One where all my backups where in because I wanted to try out F2FS . I didn't have in mind, that for doing that TWRP would have to format the whole userdata partition instead of just using rm for everything except /data/media like in normal wiping :silly:.
Now I wondered if there was any way to recover at least the last deleted backup, because I guess it's still lying around somewhere in the flash cells. I know that there are plenty of programs for PCs to accomplish that, but does anyone perhaps have an idea about how to do it on a phone, preferably without having to boot into Android, as it might overwrite the data when setting up? I thought about pulling an image of the partition via adb in recovery and try to recover the files from that on the PC, but I have no idea on how to get the image to my pc without storing it on the phone first, which would obviously definitely overwrite all the data. And also I don't know if that image would actually contain all the data because I couldn't find out if the flash uses wear leveling.
If anyone has got any idea I would really appreciate to hear it, even if it only says that it's impossible.
Many thanks in advance .
I wanted to do a factory reset (i.e. remove everything from /data except /data/media/0), but ended up formatting the partition, partly because the Materialised Theme rearranges the buttons, partly because I am a bit dumb seemingly...
After I realized what I just did, I immediately piped the whole partition onto my PC using dd and netcat. I hoped to be able to recover my photos and the /data TWRP backup I did before using photorec, but it couldn't find a single file :crying:
So does TWRP reset every bit of the partition to zero when formatting it?
Or could there be another explanation on why photorec doesn't find anything? Could there be any chance that I'll see my data again?
It's flash memory, tricks that would work on a physical hard disk WILL NOT recover any data. I am sorry but it is not possible, by ANY means, to recover your data.
It sucks I know but please take this as a learning experience on the value of off-device backups. You can upload twrp backups to Google drive directly from the phone for easy secure storage and recovery.
Also Google will sync and backup your photos if you enable it, for the future.
I've always used Samsung devices (last device was GS5) so I'm trying to understand the internal partitions on newer versions of android. I don't mean the dual slot stuff either.. just the normal partitions like /system
So with my GS5 of I went into TWRP and factory reset. That wiped all user data from the phone. Apps, settings, downloads, pics, etc..
It seems that's not how it works anymore. Just looking for a basic layout of the folder structure and what is stored on each partition
Where is my user data stored? Are my downloaded apps, settings, pics, downloads (everything I put on the phone) stored in one partition? If so where
When I factory reset in recovery what partitions is that wiping
At this point the only thing I know is /system which is where the actual OS itself is stored.
Any explanation would be appreciated!!
aholeinthewor1d said:
I've always used Samsung devices (last device was GS5) so I'm trying to understand the internal partitions on newer versions of android. I don't mean the dual slot stuff either.. just the normal partitions like /system
So with my GS5 of I went into TWRP and factory reset. That wiped all user data from the phone. Apps, settings, downloads, pics, etc..
It seems that's not how it works anymore. Just looking for a basic layout of the folder structure and what is stored on each partition
Where is my user data stored? Are my downloaded apps, settings, pics, downloads (everything I put on the phone) stored in one partition? If so where
When I factory reset in recovery what partitions is that wiping
At this point the only thing I know is /system which is where the actual OS itself is stored.
Any explanation would be appreciated!!
Click to expand...
Click to collapse
/data
/data/app
/data/user
/data/media...
You can see all these folders and what they contain via something like Root Explorer. Then install an app or modify its settings, you'll easily see its date/time properties get changed.
Or you can use ES Explorer, every time a new folder gets created, ES notifies you. After a while, it gets annoying but it's good to be able to observe in the beginning.
Hi
Is it possible to recover deleted images & video from an android phone: OP 5T, LineageOS, rooted, TWRP, encrypted. (I can boot into recovery where TWRP asks for a password which works).
I've looked at various methods and tried adb pull /data partition to save as file.img, but it's encrypted. Photorec can't work on that.
When I asked on a reddit thread, it was indicated that when a file is deleted, its encryption key is deleted too, so impossible to retrieve.
Any ideas, or is this a lost cause due to the phone's encryption?
Thanks
Forget it, don't waste more time with this ...
Your only option is to hope that you have not re-written over the old data and a data recovery specialist can attempt to recover lost or deleted files. But it is expensive and time-consuming.
Hello everyone!
For my bachelor's thesis, I am currently trying to correctly back up the data of a Samsung Galaxy A52 forensically. I created a first backup with adb backup. However, I would also like to create a physical one. To do this, I applied twrp-3.5.2_10-0-a52q.img.tar to the device using Odin. Afterwards I was able to extract the entire memory (~124GB) using "dd if=/dev/sda ..." and ncat. Is there a possibility to analyse this image further on? I tried it with Autopsy, but the result was not satisfactory.
Or would it be possible to create the image in another way? Rooting is no longer possible in this case, as I do not want to delete the memory.
Thank you very much for your help.
Did you dd the full sda device?
If so, you should just dd the data partition instead. Also, if your data partition is still encrypted (Stock ROM does that automatically) you won't be able to access your data.
If the data partition is mountable in TWRP and you can access files in it then you're not encrypted.
So if you then successfully dd the data partition to a .img file you should easily be able to mount it if you're running Linux on your Computer. I'm not sure whether it would be extract-able with e.g. 7zip on Windows, guess you'll have to figure that out on your own.
i did dd the full sda.
The data partition is still encrypted in the twrp. The only thing I can do for my further work is to back up everything else.
Is there a way to extract the encryption keys and decrypt the files manually? e.g. with Lime, if the keys are stored in the ram.
If your data partition is still encrypted then there's no chance of accessing your data through TWRP or even decrypting it. Only stock ROM can read your data if it's encrypted. That's why you usually format your data partition and patch the fstab after unlocking the bootloader.
thank you very much. This is enough information for my further work.