Stock ROM user data recover fails, encryption failure - Android Q&A, Help & Troubleshooting

Blackview BV5000 Android 6.0 phone, software borked by malware removal tool. Phone marginally operable, but a backup wasn't possible. Data was encrypted.
Using the stock android recovery <3e>: "backup user data". Backed up to empty SD card, the SD card previously in the phone was removed because it was too small, and is still available.
Flashed the stock rom on the phone, using the exact same ROM version number, build date and time as was previously on the phone.
Phone boots, data gone. Everything set to defaults -- and there is no password set.
Using the stock android recovery <3e>: "restore user data".
User data restores, sucessfully so it says.
On boot I get this error message:
The password you entered is correct, but unfortunately your data is corrupt
Click to expand...
Click to collapse
and I'm offered the option of a factory reset.
I did not enter a password. Resetting, booting, and entering the password previously used gives the same result.
Any ideas?

Accidentally, I ran into the same problem on the Accent Speed-X2 with Android 6.0. But I'm just experimenting with the stock recovery function. Therefore, in my case no confidential data can be lost. But I always get this error. Did this option work for you before you changed the SD card? Do you know how to set a password for backup? Is this the password that is in the developer section?
---------- Post added at 05:57 PM ---------- Previous post was at 05:05 PM ----------
I just successfully completed the backup / restore operation after setting up the PIN code and the backup password. When the phone booted, I was asked for the backup password, and after the loading I entered the pin code. All settings have been saved. So I suppose these steps are important.

voromax said:
But I always get this error. Did this option work for you before you changed the SD card? Do you know how to set a password for backup? Is this the password that is in the developer section?
Click to expand...
Click to collapse
I think I understand the mechanism now...
The error message is misleading. The user data isn't corrupt, it's unusable because the phone password doesn't match the password used to encrypt the data. Not entering a password doesn't mean there's no password, just that "default_password" is the password used.
So, if the password used to encrypt the data on the SD card is either "default_password", or the PIN entered by me, why can't I decrypt the SD card? Since a four-digit PIN isn't much of an encryption (there's only 10.000 possibilities, and one could check those, maybe starting with date formats), all password are further jumbled using a 128 bit random number. The resulting jumble is stored in internal memory as a key, and used to decrypt the SD card.
The moment you reset the phone, the key is lost. Knowing the password ("default_password", for instance) doesn't do you any good because the random number part is missing. So, you should be able to backup and restore your user data on the same phone, as long as the key file is intact. The moment you lose that file (that is, do a factory reset, or ROM reinstall, or wipe the data partition where the files lives, or just delete the file), your data is toast. It's that way by design, so if you lose the SD card your data is safe (as long as it isn't in an unlocked phone).
This explains why I could enter the old PIN and the SD card still wasn't readable.
Backup and reinstall should work on the same phone if you don't do anything to reset this key. I didn't test this, because I got the phone borked.
I did find instructions on how to read the SD card: AIUI, it requires a rooted phone, downloading the key file, extracting the key. Then either mounting the SD card as an encrypted volume under Linux using the key, or replacing the key file in the phone.
It's likely that it would be easier to use a better backup function that a rooted phone might offer. Also, reading the SD card while in the phone, with the phone in mass storage mode, will allow acces to the data, as then the phone does the decryption transparently.

I did factory restore between backup and recovery, but I think the encryption salt can use some kind of device UID. Also I doubt that reinstalling the ROM can affect it too. So I will try to restore the backup on another device to confirm your assumptions. And if recovery does not succeed, you are right, and the backup is only suitable for the phone from which it is made. I'll post the details later. My condolences on your phone.

Related

[Q] SD card Data lost after wrong password

Folks,
I have a weird one, my HD 2 ran out of battery and in my attempt to get message out i had tried entering my password multiple times and it kept switching off in the process.
when i got back home hooked it up to the power and tried the first key letter and it got reset. I mean big time it kind of erased all the data and went back to factory settings.
No big deal, did a resync back got my contacts and all the stuff. Tried to access the information on SD card it erased everything on the card.
Had 14 GB worth of data on it with lots of pictures , meeting notes and copy of all my data including the phones backup.
Took the card out and tried to read it via card reader and it had 14 Gb free space and one file named encfiltlog.menc. tried to run a data recovery software it doesnt pick up anything.
So Please Help and that too big time, Is there any way to recover data out of my SDhc card. is there any way to get teh tiny tweaks i made on the phone before it did a reset or undo the reset.
Regards
Shaminn

[Q] Phone storage read only

I noticed that under settings > SD card & storage that my Phone storage shows being read only.
I was wondering what may be causing this and if there is a fix for it, because several of my apps no longer work (BeyondPod being the main one I miss) because they need an SD card to work with.
I'm running the out of the box firmware, rooted using amon ra recovery.
I do have an exchange activesync account that requires encryption and pin, not sure if that could be causing any issues.
I did try to search the problem but couldn't find any relevant threads.
do you have SD encryption turned on in settings?
Is that the culprit?
Looks like I need to download that modified Mail.apk
After I re-locked my phone to apply the last GB OTA with new radios, I noticed that when I booted my phone the entire /data partition was in read-only mode somehow and it was causing all sorts of weird problems as you could imagine. Simply rebooting to bootloader and hitting "factory reset" option on the bootloader menu fixed the problem. I was then able to write to /data again and everything was fine. Obviously this will clear it everything. I was then able to apply my nandroid backup though and restore my system to how it was before the OTA.
zourn said:
Is that the culprit?
Looks like I need to download that modified Mail.apk
Click to expand...
Click to collapse
thats just my guess... turn it off and see if it helps
Started getting weird read errors when trying to read/write to the card while it was mounted in the phone with the password for the encryption already put in.
I think the card was going bad, or just got all FUBAR'd during the encryption process.
Deleted exchange acct, removed SD card encryption, put in new SD card, re-added exchange acct/re-added encryption, everything works!

[Q] Restore internal sd data after unlocking bootloader

Hi 2 all,
Forgot to make nandroid and unlocked bootloader on my wife's m8. And 27GB of photos gone. I think she'll kill me after she wake up in the morning. Is there any way to get data back?
Unlocking the bootloader is not supposed to do that. It will wipe user data (/data partition) but I believe the internal storage ("virtual SD") should have been untouched. So you shouldn't blame yourself too much. And a nandroid would not have helped you as not only is that partition not backed up with a nandroid, but the default location for a nandroid is the internal SD, so it would have been lost, anyway.
That said, I try to backup any important personal data (even on partitions that are not supposed to be impacted) to my computer whenever doing something major like flashing a ROM or unlocking the bootloader. Only reason I've started doing that is a similar bug on the One X (EVITA) where actions that are not supposed to wipe the internal memory, occasionally did so (which is what I suspect happened to you).
I think your only hope is to use data recovery programs (Recova is a free one). But I've had mixed results doing so (and have seen similar reports here) when trying to recovery photos and other data that were "accidentally" deleted or recovered. Its certainly worth a try, and also keep in mind that you should do so ASAP as the more you use your phone, the higher the chance that those memory sectors where the photos were saved will be overwritten by other data.
Also, is there anything left on the internal memory at all when you browse with a file manager? Sometimes, corrupted data will be saved to a folder named LOST.DIR and there have times where folks have often found many of their photos simply moved there.
Found very helpful post
http://forum.xda-developers.com/galaxy-nexus/general/guide-internal-memory-data-recovery-yes-t1994705.
For M8 it works pretty much the same. I was able to get userdata partition from the phone, but because of I converted to GPE I lost everything. So I'm 99% sure that it will work right after unlock bootloader and factory reset.
exbarboss said:
Found very helpful post
http://forum.xda-developers.com/galaxy-nexus/general/guide-internal-memory-data-recovery-yes-t1994705.
Click to expand...
Click to collapse
Ah, that's true. I hadn't thought about the fact that the memory mounts as MTP now. The times I did the data recovery was on the old bulk storage mode on my One X (before it was switched to MTP). All I had to do was connect my phone to my PC and run Recuva.
Mind you, even mounted properly, data recovery programs will not always be able to recover all data. It was pretty hit or miss for me (and from other reports I've seen). But the linked method is also clever in that it makes a copy of the corrupted partition to your computer, so you sidestep the issue that those sectors may be overwritten as the phone is being used. Give you more times to try various data recovery apps, etc.
redpoint73 said:
Ah, that's true. I hadn't thought about the fact that the memory mounts as MTP now. The times I did the data recovery was on the old bulk storage mode on my One X (before it was switched to MTP). All I had to do was connect my phone to my PC and run Recuva.
Mind you, even mounted properly, data recovery programs will not always be able to recover all data. It was pretty hit or miss for me (and from other reports I've seen). But the linked method is also clever in that it makes a copy of the corrupted partition to your computer, so you sidestep the issue that those sectors may be overwritten as the phone is being used. Give you more times to try various data recovery apps, etc.
Click to expand...
Click to collapse
Yeah I tried Recuva, WinHex, R-Studio - nothing helped. I looked at low level data with WinHex and most sectors were zeroed...
Tennor1 said:
Just try for a sd card data recovery
Click to expand...
Click to collapse
Maybe I'm missing something, but I don't understand what is being referred to here. Can you clarify or give more detail?
Hello Guys, i have been attempting to flash the phone , but it doesnt go in flashmode ( i know it's volume down when plugging to usb ), but nothing happen with flashtool, any idea ?
Maybe driver, but it looks like the phone still in fastboot, and it s reconized by flashtool with the build number and kernel . i don t know how to go to this flashboot mode.
thank you

PIN doesn't work after restoring TWRP backup I can't access encrypted sd card

I recently did a backup with TWRP and then played a new firmware on it with LG UP. After that, I had to unlock the bootloader and flash TWRP on it again. In this process, all my data were deleted, so I restored them from my backup.
This worked well, but after I booted it again, it doesn't accept my PIN. My fingerprint is recognized, but I have to type in the PIN once after booting, and my old one doesn't work. It just states "Try again".
As far as I can see it from the lock screen, all my apps and setting are the same as before.
I don't have an internet connection with it and I can't activate it as this would require typing in the right PIN code. Same for ADB and MTP mode, but I can access the file system through TWRP. I don't want to remove the PIN by deleting the key files in /data/system, because my sd card is encrypted and I don't want to lose the data on it.
Is there a way to either to bypass the PIN without deleting the keystore files or decrypt the sd card manually with my PIN? I don't know if this matters, but there is a folder called .ecryptfs on my sd card, and the first two bytes of the file in there are identical with the first two bytes of a Linux wrapped-passphrase file. Is is possible that Android uses eCryptFS as well? If yes, shouldn't it be possible to extract the passphrase and decrypt the data with it? At least this works on Linux with eCryptFS ...
I hope this was clear enough If not, I will provide any missing details.
Thank you in advance for any idea :fingers-crossed:.
Can you access adb I'm twrp? If so, try these:
Make sure to mount/data first...
adb shell mount -o rw,remount /data
And I don't think you have to but if you get an error about read only filesystem or something, mount system too...
adb shell mount -o rw,remount /system
anonymus1994.1 said:
I recently did a backup with TWRP and then played a new firmware on it with LG UP. After that, I had to unlock the bootloader and flash TWRP on it again. In this process, all my data were deleted, so I restored them from my backup.
This worked well, but after I booted it again, it doesn't accept my PIN. My fingerprint is recognized, but I have to type in the PIN once after booting, and my old one doesn't work. It just states "Try again".
As far as I can see it from the lock screen, all my apps and setting are the same as before.
I don't have an internet connection with it and I can't activate it as this would require typing in the right PIN code. Same for ADB and MTP mode, but I can access the file system through TWRP. I don't want to remove the PIN by deleting the key files in /data/system, because my sd card is encrypted and I don't want to lose the data on it.
Is there a way to either to bypass the PIN without deleting the keystore files or decrypt the sd card manually with my PIN? I don't know if this matters, but there is a folder called .ecryptfs on my sd card, and the first two bytes of the file in there are identical with the first two bytes of a Linux wrapped-passphrase file. Is is possible that Android uses eCryptFS as well? If yes, shouldn't it be possible to extract the passphrase and decrypt the data with it? At least this works on Linux with eCryptFS ...
I hope this was clear enough If not, I will provide any missing details.
Thank you in advance for any idea :fingers-crossed:.
Click to expand...
Click to collapse
^^^^^
anonymus1994.1 said:
This worked well, but after I booted it again, it doesn't accept my PIN. My fingerprint is recognized, but I have to type in the PIN once after booting, and my old one doesn't work. It just states "Try again".
As far as I can see it from the lock screen, all my apps and setting are the same as before.
I don't have an internet connection with it and I can't activate it as this would require typing in the right PIN code. Same for ADB and MTP mode, but I can access the file system through TWRP. I don't want to remove the PIN by deleting the key files in /data/system, because my sd card is encrypted and I don't want to lose the data on it.
Click to expand...
Click to collapse
during making my experiences i got the same result! No way to enter pin! I think, during the update process, the "no-verity... patch was killed. So you can only try to use the solution you doesn’t want to use.
I will follow this thread to see if a way to solve was found.
Delete (wrong thread, sorry)
Craz Basics said:
Can you access adb I'm twrp? If so, try these:
Make sure to mount/data first...
adb shell mount -o rw,remount /data
And I don't think you have to but if you get an error about read only filesystem or something, mount system too...
adb shell mount -o rw,remount /system
Click to expand...
Click to collapse
I tried it and got the same result: I have access, but my SD card cannot be mounted anymore. Still, thanks for the answer.
anonymus1994.1 said:
I tried it and got the same result: I have access, but my SD card cannot be mounted anymore. Still, thanks for the answer.
Click to expand...
Click to collapse
Try this :https://www.google.com/amp/s/forum....king/remove-lockscreen-recovery-t3530008/amp/
In short, delete those files from "/data/system" and reboot. It also says that if it asks you to install superSU, say no
Craz Basics said:
In short, delete those files from "/data/system" and reboot. It also says that if it asks you to install superSU, say no
Click to expand...
Click to collapse
I did this. The problem is that after removing my PIN, I can't decrypt my SD card anymore because it was encrypted with this PIN. I even tried setting the same PIN as before, but the salt changed, so I still couldn't mount the SD card.
anonymus1994.1 said:
I did this. The problem is that after removing my PIN, I can't decrypt my SD card anymore because it was encrypted with this PIN. I even tried setting the same PIN as before, but the salt changed, so I still couldn't mount the SD card.
Click to expand...
Click to collapse
Check this out: https://www.easeus.com/storage-media-recovery/recover-data-from-encrypted-sd-card.html
Craz Basics said:
Check this out: https://www.easeus.com/storage-media-recovery/recover-data-from-encrypted-sd-card.html
Click to expand...
Click to collapse
I really appreciate your effort, but this doesn't work either. It does recover deleted files, even encrypted ones, but as I can't decrypt them, this does not help ...
The tool can't decrypt the files. I tried it out: it shows me a lot of deleted files, but all of them are still encrypted.
anonymus1994.1 said:
I really appreciate your effort, but this doesn't work either. It does recover deleted files, even encrypted ones, but as I can't decrypt them, this does not help ...
The tool can't decrypt the files. I tried it out: it shows me a lot of deleted files, but all of them are still encrypted.
Click to expand...
Click to collapse
Ah, so that means you can put them on your pc? If so I'd look for a program to decrypt them
Craz Basics said:
Ah, so that means you can put them on your pc? If so I'd look for a program to decrypt them
Click to expand...
Click to collapse
Yes, I can copy them to my computer. I used the Android setting to encrypt the SD card, and I have no idea how to decrypt them manually. I searched for a way, but all I found was "not possible" .
I do have my PIN, and I have access to all data which are not on my SD card (well, I have access to them, but they're encrypted). I think it should be possible to decrypt my files with these two factors. I just don't know enough about Android and what kind of encryption it uses for the external storage locations. It's file based, as I can see every single file on my SD card - I just can't open them. I tried, but they're encrypted and therefore just more or less random bytes.
Android Open Source Project has a some information about the encryption used for the internal storage, but nothing about the external storage.
If you have any idea how to decrypt the files - please tell me
anonymus1994.1 said:
Yes, I can copy them to my computer. I used the Android setting to encrypt the SD card, and I have no idea how to decrypt them manually. I searched for a way, but all I found was "not possible" .
I do have my PIN, and I have access to all data which are not on my SD card (well, I have access to them, but they're encrypted). I think it should be possible to decrypt my files with these two factors. I just don't know enough about Android and what kind of encryption it uses for the external storage locations. It's file based, as I can see every single file on my SD card - I just can't open them. I tried, but they're encrypted and therefore just more or less random bytes.
Android Open Source Project has a some information about the encryption used for the internal storage, but nothing about the external storage.
If you have any idea how to decrypt the files - please tell me
Click to expand...
Click to collapse
Does it ask for a password when trying to open a file? If so enter your pin. And I don't know how to manually, but im sure there is a program out there that can.
Edit: do you have the firmware you were on when you encrypted the files? If so you'll probably have to go back to that...
anonymus1994.1 said:
I did this. The problem is that after removing my PIN, I can't decrypt my SD card anymore because it was encrypted with this PIN. I even tried setting the same PIN as before, but the salt changed, so I still couldn't mount the SD card.
Click to expand...
Click to collapse
Try getting any file manager from play store and change rw/ rw to rw/ ro....see if this helps.
Craz Basics said:
Does it ask for a password when trying to open a file? If so enter your pin. And I don't know how to manually, but im sure there is a program out there that can.
Click to expand...
Click to collapse
No, it doesn't. It just tells me that it can't mount the SD card.
Craz Basics said:
Edit: do you have the firmware you were on when you encrypted the files? If so you'll probably have to go back to that...
Click to expand...
Click to collapse
I saved the system as well in my backup, but after I restored it (wiped everything in TWRP and restored the full backup), I have exactly the same problem as before (it doesn't accept my PIN).
stinka318 said:
Try getting any file manager from play store and change rw/ rw to rw/ ro....see if this helps.
Click to expand...
Click to collapse
If you mean the salt: it is stored in /data/system/locksettings.db. This is the file that has to be deleted to remove the PIN. I tried setting the salt in the new file (created after the first startup of the system after deleting this file) to the old value, but there is no salt at all without a PIN (I tried adding a line with the old salt, but it gets overwritten as I set a new password), and if I change the salt after I set my new PIN, I can't login again.
anonymus1994.1 said:
No, it doesn't. It just tells me that it can't mount the SD card.
I saved the system as well in my backup, but after I restored it (wiped everything in TWRP and restored the full backup), I have exactly the same problem as before (it doesn't accept my PIN).
If you mean the salt: it is stored in /data/system/locksettings.db. This is the file that has to be deleted to remove the PIN. I tried setting the salt in the new file (created after the first startup of the system after deleting this file) to the old value, but there is no salt at all without a PIN (I tried adding a line with the old salt, but it gets overwritten as I set a new password), and if I change the salt after I set my new PIN, I can't login again.
Click to expand...
Click to collapse
Talking about the permission only nothing else.......
stinka318 said:
Talking about the permission only nothing else.......
Click to expand...
Click to collapse
Of which file?
anonymus1994.1 said:
Of which file?
Click to expand...
Click to collapse
The permission to Wright to sd card itself......
stinka318 said:
The permission to Wright to sd card itself......
Click to expand...
Click to collapse
The files are encrypted already. Forbidding write access does not change this ...
My problem is that I have to delete the files which store my PIN code, but then I can't access my encrypted SD card anymore because it's encrypted with this PIN.

Struggling recovering data

So one of my phone's android just stopped working for no reason AFAIK, and so now it's luck in a infinite boot, so i tried to backup user data in an attempts to recover my internal storage, got 6 backup files, merged them into a .ext4 using this tutorial https://www.youtube.com/watch?v=cY4cKKimEFU, but it's won't open once in windows using 7z, stating "cannot open the file as [Ext] archive"
so i'm basically stuck now, and i can't just wipe my phone's data either cause i'll loose all my 2FA apps.
edit:
userdata store apps, files, encryption key used for sd when formatted as internal storage and other things like contacts...
See here: https://trenovision.com/how-to-read-ext4-partitions-on-windows/
jwoegerbauer said:
See here: https://trenovision.com/how-to-read-ext4-partitions-on-windows/
Click to expand...
Click to collapse
already tried these in the past for other purposes, never worked, tried again, and nope, i can see the folder, but i can't the their content, an error pop up
so i have couple thing to say,
first, i reinstalled android using the tool provided by the manufacturer.
second, i had my backup file, made while stuck in infinite boot, restored user data via recovery mode, my apps are back, my data, videos and all that stuff are back, my sd card, formatted as internal storage is back.
2FA apps are backs, codes are still available, everything is working!
so i know those things are stored within the user data backups, i still don't know how to unpack them properly though

Categories

Resources