
Decrypting Android M adopted storage

One of the new features Android M introduces is adoptable storage. This feature allows external storage devices such as SD cards or USB drives to be 'adopted' and used in the same manner as internal storage. What this means in practice is that both apps and their private data can be moved to the adopted storage device. In other words, this is another take on everyone's (except for widget authors...) favorite 2010 feature -- AppsOnSD. There are, of course, a few differences, the major one being that while AppsOnSD (just like Android 4.1 app encryption) creates per-app encrypted containers, adoptable storage encrypts the whole device. This short post will look at how adoptable storage encryption is implemented, and show how to decrypt and use adopted drives on any Linux machine.

Adopting a USB drive

In order to enable adoptable storage for devices connected via USB you need to execute the following command in the Android shell (presumably, this is not needed if your device has an internal SD card slot; however, there are no such devices that run Android M at present):

$ adb shell sm set-force-adoptable true

Now, if you connect a USB drive to the device's micro USB slot (you can also use a USB OTG cable), Android will give you an option to set it up as 'internal' storage, which requires reformatting and encryption. 'Portable' storage is formatted using VFAT, as before.


After the drive is formatted, it shows up under Device storage in the Storage screen of system Settings. You can now migrate media and application data to the newly added drive, but it appears that there is no option in the system UI that allows you to move applications (APKs).


Adopted devices are mounted via Linux's device-mapper under /mnt/expand/ as can be seen below, and can be directly accessed only by system apps.

$ mount
rootfs / rootfs ro,seclabel,relatime 0 0
...
/dev/block/dm-1 /mnt/expand/a16653c3-... ext4 rw,dirsync,seclabel,nosuid,nodev,noatime 0 0
/dev/block/dm-2 /mnt/expand/0fd7f1a0-... ext4 rw,dirsync,seclabel,nosuid,nodev,noatime 0 0

You can safely eject an adopted drive by tapping on it in the Storage screen, and then choosing Eject from the overflow menu. Android will show a persistent notification that prompts you to reinsert the device once it's removed. Alternatively, you can also 'forget' the drive, which removes it from the system, and should presumably delete the associated encryption key (which doesn't seem to be the case in the current preview build).

Inspecting the drive

Once you've ejected the drive, you can connect it to any Linux box in order to inspect it. Somewhat surprisingly, the drive will be automatically mounted on most modern Linux distributions, which suggests that there is at least one readable partition. If you look at the partition table with fdisk or a similar tool, you may see something like this:

# fdisk /dev/sdb
Disk /dev/sdb: 7811 MB, 7811891200 bytes, 15257600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: gpt


 #         Start          End    Size  Type            Name
 1         2048        34815     16M  unknown         android_meta
 2        34816     15257566    7.3G  unknown         android_expand

As you can see, there is a tiny android_meta partition, but the bulk of the device has been assigned to the android_expand partition. Unfortunately, the full source code of Android M is not available, so we cannot be sure how exactly this partition table is created, or what the contents of each partition are. However, we know that most of Android's storage management functionality is implemented in the vold system daemon, so we check if there is any mention of android_expand inside vold with the following command:

$ strings vold|grep -i expand
--change-name=0:android_expand
%s/expand_%s.key
/mnt/expand/%s

Here expand_%s.key suspiciously looks like a key filename template, and we already know that adopted drives are encrypted, so our next step is to look for any similar files in the device's /data partition (you'll need a custom recovery or root access for this). Unsurprisingly, there is a matching file in /data/misc/vold which looks like this:

# ls /data/misc/vold
bench
expand_8838e738a18746b6e435bb0d04c15ccd.key

# ls -l expand_8838e738a18746b6e435bb0d04c15ccd.key

-rw-------  1 root root 16  expand_8838e738a18746b6e435bb0d04c15ccd.key


# od -t x1 expand_8838e738a18746b6e435bb0d04c15ccd.key
0000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
0000020

Decrypting the drive

That's exactly 16 bytes, enough for a 128-bit key. As we know, Android's FDE implementation uses an AES 128-bit key, so it's a good bet that adoptable storage uses a similar (or identical) implementation. Looking at the start and end of our android_expand partition doesn't reveal any readable info, nor is it similar to Android's crypto footer, or LUKS's header. Therefore, we need to guess the encryption mode and/or any related parameters. Looking once again at Android's FDE implementation (which is based on the dm-crypt target of Linux's device-mapper), we see that the encryption mode used is aes-cbc-essiv:sha256. After consulting dm-crypt's mapping table reference, we see that the remaining parameters we need are the IV offset and the starting offset of encrypted data. Since the IV offset is usually zero, and most probably the entire android_expand partition (offset 0) is encrypted, the command we need to map the encrypted partition becomes the following:

# dmsetup create crypt1 --table "0 `blockdev --getsize /dev/sdb2` crypt \
aes-cbc-essiv:sha256 000102030405060708090a0b0c0d0e0f 0 /dev/sdb2 0"

It completes without error, so we can now try to mount the mapped device, again guessing that the file system is most probably ext4 (or you can inspect the mapped device and find the superblock first, if you want to be extra diligent).

# mount -t ext4 /dev/mapper/crypt1 /mnt/1/
# cd /mnt/1
# find ./ -type d
./
./lost+found
./app
./user
./media
./local
./local/tmp
./misc
./misc/vold
./misc/vold/bench

This reveals a very familiar Android /data layout, and you should see any media and app data you've moved to the adopted device. If you copy any files to the mounted device, they should be visible when you mount the drive again in Android.
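
The mapping step in this section, as an added example that is not part of the original post: it derives the hex key from the key file itself so it cannot be mistyped, rejects anything that is not 16 bytes, and checks for the ext4 superblock magic before mounting. The helper names (`key_hex`, `crypt_table`, `looks_like_ext4`) and the read-only handling are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are this example's own.

# key_hex FILE: print the key as hex; fail unless the file is exactly 16 bytes (AES-128).
key_hex() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    if [ "$size" -ne 16 ]; then
        echo "key_hex: $1 is $size bytes, expected 16" >&2
        return 1
    fi
    od -An -v -t x1 "$1" | tr -d ' \n'
}

# crypt_table KEYFILE DEVICE SECTORS: print a dm-crypt table line with the
# parameters guessed in the post: aes-cbc-essiv:sha256, IV offset 0, data offset 0.
crypt_table() {
    hex=$(key_hex "$1") || return 1
    case "$3" in
        ''|*[!0-9]*) echo "crypt_table: bad sector count '$3'" >&2; return 1 ;;
    esac
    printf '0 %s crypt aes-cbc-essiv:sha256 %s 0 %s 0\n' "$3" "$hex" "$2"
}

# looks_like_ext4 DEVICE: true if the ext4 magic 0xEF53 (stored little-endian)
# sits at byte 1080, i.e. the key and mode guesses produced a real superblock.
looks_like_ext4() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -t x1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# On the analysis box (root). Piping the table keeps the key out of argv, and
# --readonly / ro,noload avoid modifying the adopted drive:
#   crypt_table expand_<id>.key /dev/sdb2 "$(blockdev --getsz /dev/sdb2)" |
#       dmsetup create crypt1 --readonly
#   looks_like_ext4 /dev/mapper/crypt1 &&
#       mount -o ro,noload -t ext4 /dev/mapper/crypt1 /mnt/1

# Constructed demo: the 00..0f key from the od listing, and the sector count of
# partition 2 from the fdisk listing (15257566 - 34816 + 1).
demo_key=$(mktemp)
printf '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017' > "$demo_key"
crypt_table "$demo_key" /dev/sdb2 15222751
rm -f "$demo_key"
```

A wrong key or mode still maps without error, since dm-crypt has no header to verify against; the superblock check is what tells you the guess was right.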

Storage manager commands

Back in Android, you can use the sm command (probably short for 'storage manager') we showed in the first section to list disks and volumes as shown below:

$ sm list-disks
disk:8,16
disk:8,0

$ sm list-volumes
emulated:8,2 unmounted null
private mounted null
private:8,18 mounted 0fd7f1a0-2d27-48f9-8702-a484cb894a92
emulated:8,18 mounted null
emulated unmounted null
private:8,2 mounted a16653c3-6f5e-455c-bb03-70c8a74b109e

If you have root access, you can also partition, format, mount, unmount and forget disks/volumes. The full list of supported commands is shown in the following listing.

$ sm
usage: sm list-disks
       sm list-volumes [public|private|emulated|all]
       sm has-adoptable
       sm get-primary-storage-uuid
       sm set-force-adoptable [true|false]

       sm partition DISK [public|private|mixed] [ratio]
       sm mount VOLUME
       sm unmount VOLUME
       sm format VOLUME

       sm forget [UUID|all]

Most features are also available from the system UI, but sm allows you to customize the ratio of the android_meta and android_expand partitions, as well as to create 'mixed' volumes.

Summary

Android M allows for adoptable storage, which is implemented similarly to internal storage FDE -- using dm-crypt with a per-volume, static 128-bit AES key, stored in /data/misc/vold/. Once the key is extracted from the device, adopted storage can be mounted and read/written on any Linux machine. Adoptable storage encryption is done purely in software (at least in the current preview build), so its performance is likely comparable to encrypted internal storage on devices that don't support hardware-accelerated FDE.
