    crypto: Use system's vold for decryption · 71c6c50d
    nkk71 authored
      If TWRP crypto fails to decrypt partition, mount the system
      partition and use system's own vold to attempt decryption.
      This provides a fallback for proprietary OEM encryption as well as
      encryption methods which TWRP hasn't been updated for.
    
      Requirements in device tree:
      * fstab.{ro.hardware} in device/recovery/root
        The fstab does not need to be complete, but it does need the
        data partition and the encryption entries.
    
      * 'TW_CRYPTO_USE_SYSTEM_VOLD := true' in BoardConfig
      or
      * 'TW_CRYPTO_USE_SYSTEM_VOLD := <list of services>'
    
      Notes:
      * Setting the flag to 'true' will just use system's vdc+vold
        or
      * Setting the flag with additional services will also start them
        prior to attempting vdc+vold decryption, e.g. for Qualcomm-based
        devices you usually need 'TW_CRYPTO_USE_SYSTEM_VOLD := qseecomd'
    
      * For each service listed, an additional import will be automatically
        added to the vold_decrypt.rc file in the form of
        init.recovery.vold_decrypt.{service}.rc
        You will need to add any .rc files that do not already exist to
        your device/recovery/root folder.
    
      * The service names specified in the vold_decrypt.{service}.rc files
        have to be named 'sys_{service}',
        e.g. 'service sys_qseecomd /system/bin/qseecomd'
    
      * Any service already existing in TWRP as {service} or sbin{service} will
        be stopped and restarted as needed.
    
      * You can override the default init.recovery.vold_decrypt.rc file(s)
        by placing same-named ones in your device/recovery/root folder.
        If you do, you'll need to manually add the needed imports.
    
      * If the /vendor and /firmware folders are temporarily moved and symlinked
        to the folders and files in the system partition, the properties
        'vold_decrypt.symlinked_vendor' and 'vold_decrypt.symlinked_firmware'
        will be set to 1.
        This allows for additional control in the .rc files for any extra
        actions (symlinks, cp files, etc.) that may be needed for decryption,
        by using the 'on property:vold_decrypt.symlinked_vendor=1' and/or
        'on property:vold_decrypt.symlinked_firmware=1' triggers.
    
      Debug mode: 'TW_CRYPTO_SYSTEM_VOLD_DEBUG := true' in BoardConfig
      * Specifying this flag will enable strace on init and vdc, which will
        create separate log files in /tmp for every process created, allowing
        for detailed analysis of which services and files are being accessed.
      * Note that enabling strace will expose the password in the logs!!
      * You need to manually add strace to your build.
    
    Thanks to @Captain_Throwback for co-authoring and testing.
    
    Tested successfully on HTC devices:
    M8 (KK through MM), M9 (MM and N), A9 (N), 10 (N), Bolt (N),
    Desire 626s (MM), U Ultra (N)
    
    HTC One X9 (MTK device)
    
    And by Nikolay Jeliazkov on: Xiaomi Mi Max
    
    Change-Id: I4d22ab55baf6a2a50adde2e4c1c510c142714227
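As an added illustration (not part of this commit or of any TWRP device tree), the two device-tree pieces the message above asks for, wired together for the Qualcomm qseecomd case: the BoardConfig flag and a hypothetical init.recovery.vold_decrypt.qseecomd.rc that follows the sys_{service} naming rule and reacts to the symlinked_firmware property. The device path, the `disabled` service option and the firmware file name are assumptions or placeholders, not values from the page.

```text
# --- device/<vendor>/<codename>/BoardConfig.mk (path is a placeholder) ---
# Fall back to system's vdc+vold, starting qseecomd before the attempt.
TW_CRYPTO_USE_SYSTEM_VOLD := qseecomd
# Leave the debug flag commented out in shipping builds: with strace
# enabled the password ends up in the /tmp log files.
# TW_CRYPTO_SYSTEM_VOLD_DEBUG := true

# --- device/<vendor>/<codename>/recovery/root/init.recovery.vold_decrypt.qseecomd.rc ---
# Pulled in through the import that is generated for every service listed
# in TW_CRYPTO_USE_SYSTEM_VOLD. The service must be named sys_{service};
# the binary is the one on the system partition TWRP mounted.
service sys_qseecomd /system/bin/qseecomd
    # Assumption: marked disabled so recovery's init does not launch it at
    # boot; it is started and stopped around the decryption attempt instead.
    disabled

# Runs only when TWRP has replaced /firmware with a symlink into the
# system partition. The image name is a placeholder for whatever the
# OEM's qseecomd expects to load; take it from the device's stock init files.
on property:vold_decrypt.symlinked_firmware=1
    symlink /system/etc/firmware/<tee_image>.mdt /firmware/image/<tee_image>.mdt
```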