Android encrypted partition dump
#1
Hello everyone.

My Android phone (OnePlus 5T) encountered a weird bug this morning. It couldn't decrypt my data despite my using the correct PIN (I'm 100% sure it was correct, as I've been using the same one for the past year or so). Neither TWRP nor stock recovery could decrypt anything either ('Password failed, please try again!'), so I decided to do a full partition backup with adb using the command: "adb pull /dev/block/sda13 userdata.img". Right now I have an encrypted ~120GB file, I know the last working PIN code, and I'm wondering if there's a way to use hashcat to get some files out of this dump. It's not anything crucial, just some save states from an emulator app; I've backed up everything else...

Thanks in advance!
#2
hey

As far as I know, hashcat is able to crack the backups generated by "adb backup".
See https://9to5google.com/2017/11/04/how-to...id-basics/ and https://github.com/magnumripper/JohnTheR...ohn.py#L16


You can use androidbackup2john.py (see above link) with Python 2.7 to convert that backup to a valid hash that hashcat supports with -m 18900 = Android Backup.

I'm not sure if you need to provide any password to make backups. If that's the case, you probably can't use this way to back up your data (because you do not remember the password, as far as I understood). If you already have such a backup, hashcat would support it with -m 18900.

I think all other types of data dumps are harder to crack, and modern Android versions use the scrypt algorithm (which is actually very difficult to accelerate with GPU power; that's a feature of the scrypt hashing function).

I would also suggest reading up on Nikolay Elenkov's blog; as far as I know, he did a lot of documentation and analysis of the different password-protected data systems used by different Android versions, e.g. https://nelenkov.blogspot.com/2014/10/re...ption.html (but it might be outdated for your specific Android device and Android version, I don't know for sure).
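Added example (not part of either post, and not code from hashcat or androidbackup2john.py): a Python check that tells an "adb backup" archive, the format -m 18900 applies to, apart from a raw block-device dump such as userdata.img by parsing the text header at the start of the file. The header layout follows the AOSP backup format and is an assumption here, since the thread does not describe it; the function names, dictionary keys and sample bytes are constructed for illustration.

```python
import io

MAGIC = b"ANDROID BACKUP"

def _line(stream):
    """Read one newline-terminated ASCII header line."""
    raw = stream.readline(1024)
    if not raw.endswith(b"\n"):
        raise ValueError("truncated backup header")
    return raw[:-1].decode("ascii")

def parse_adb_backup_header(stream):
    """Return header fields of an `adb backup` archive, or None if it is not one."""
    if stream.readline(64).rstrip(b"\n") != MAGIC:
        return None
    info = {"version": int(_line(stream)),
            "compressed": _line(stream) == "1",
            "encryption": _line(stream)}
    if info["encryption"] == "AES-256":
        # Encrypted archives carry the key-derivation parameters as hex text.
        info["user_salt"] = bytes.fromhex(_line(stream))
        info["checksum_salt"] = bytes.fromhex(_line(stream))
        info["pbkdf2_rounds"] = int(_line(stream))
        info["user_iv"] = bytes.fromhex(_line(stream))
        info["master_key_blob"] = bytes.fromhex(_line(stream))
    return info

def classify(stream):
    """Summarise what kind of file the stream holds."""
    info = parse_adb_backup_header(stream)
    if info is None:
        return "not an adb backup"
    if info["encryption"] == "none":
        return "adb backup, unencrypted"
    return "adb backup, encrypted (%s)" % info["encryption"]

# Constructed sample inputs (not taken from any real device).
SAMPLE_ENCRYPTED = (b"ANDROID BACKUP\n5\n1\nAES-256\n" + b"AA" * 64 + b"\n"
                    + b"BB" * 64 + b"\n10000\n" + b"CC" * 16 + b"\n"
                    + b"DD" * 96 + b"\n")
SAMPLE_PLAIN = b"ANDROID BACKUP\n5\n1\nnone\n\x78\x9c"
SAMPLE_RAW_IMAGE = bytes(range(256)) * 4  # stands in for a raw partition dump

if __name__ == "__main__":
    for name in ("SAMPLE_ENCRYPTED", "SAMPLE_PLAIN", "SAMPLE_RAW_IMAGE"):
        print(name, "->", classify(io.BytesIO(globals()[name])))
```

To inspect a real file, pass `open(path, "rb")` to `classify`; only the first few header lines are read, so a ~120GB image is not loaded into memory.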