71c6c50d0d
If TWRP crypto fails to decrypt partition, mount the system
partition and use system's own vold to attempt decryption.
This provides a fallback for proprietary OEM encryption as well as
encryption methods which TWRP hasn't been updated for.
Requirements in device tree:
* fstab.{ro.hardware} in device/recovery/root
The fstab does not need to be complete, but it does need the
data partition and the encryption entries.
* 'TW_CRYPTO_USE_SYSTEM_VOLD := true' in BoardConfig
or
* 'TW_CRYPTO_USE_SYSTEM_VOLD := <list of services>'
Notes:
* Setting the flag to 'true' will just use system's vdc+vold
or
* Setting the flag with additional services, will also start them
prior to attempting vdc+vold decryption, eg: for qualcomm based
devices you usually need 'TW_CRYPTO_USE_SYSTEM_VOLD := qseecomd'
* For each service listed an additional import will be automatically
added to the vold_decrypt.rc file in the form of
init.recovery.vold_decrypt.{service}.rc
You will need to add any not already existing .rc files in
your device/recovery/root folder.
* The service names specified in the vold_decrypt.{service}.rc files
have to be named 'sys_{service}'
eg: 'service sys_qseecomd /system/bin/qseecomd'
* Any service already existing in TWRP as {service} or sbin{service} will
be stopped and restarted as needed.
* You can override the default init.recovery.vold_decrypt.rc file(s)
by placing same named ones in your device/recovery/root folder.
If you do, you'll need to manually add the needed imports.
* If /vendor and /firmware folders are temporarily moved and symlinked
to the folders and files in the system partition, the properties
'vold_decrypt.symlinked_vendor' and 'vold_decrypt.symlinked_firmware'
will be set to 1.
This allows for additional control in the .rc files for any extra
actions (symlinks, cp files, etc) that may be needed for decryption
by using: on property:vold_decrypt.symlinked_vendor=1 and/or
on property:vold_decrypt.symlinked_firmware=1 triggers.
Debug mode: 'TW_CRYPTO_SYSTEM_VOLD_DEBUG := true' in BoardConfig
* Specifying this flag, will enable strace on init and vdc, which will
create separate log files in /tmp for every process created, allowing
for detailed analysis of which services and files are being accessed.
* Note that enabling strace will expose the password in the logs!!
* You need to manually add strace to your build.
Thanks to @Captain_Throwback for co-authoring and testing.
Tested successfully on HTC devices:
M8 (KK through MM), M9 (MM and N), A9 (N), 10 (N), Bolt (N),
Desire 626s (MM), U Ultra (N)
HTC One X9 (MTK device)
And by Nikolay Jeliazkov on: Xiaomi Mi Max
Change-Id: I4d22ab55baf6a2a50adde2e4c1c510c142714227
127 lines
3.1 KiB
Plaintext
127 lines
3.1 KiB
Plaintext
import /init.recovery.logd.rc
|
|
import /init.recovery.usb.rc
|
|
import /init.recovery.service.rc
|
|
import /init.recovery.vold_decrypt.rc
|
|
import /init.recovery.${ro.hardware}.rc
|
|
|
|
on early-init
|
|
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
|
|
write /sys/fs/selinux/checkreqprot 0
|
|
|
|
# Set the security context for the init process.
|
|
# This should occur before anything else (e.g. ueventd) is started.
|
|
setcon u:r:init:s0
|
|
|
|
# Set the security context of /postinstall if present.
|
|
restorecon /postinstall
|
|
|
|
start ueventd
|
|
start healthd
|
|
|
|
service set_permissive /sbin/permissive.sh
|
|
oneshot
|
|
seclabel u:r:recovery:s0
|
|
|
|
on init
|
|
export PATH /sbin:/system/bin
|
|
export LD_LIBRARY_PATH .:/sbin
|
|
|
|
export ANDROID_ROOT /system
|
|
export ANDROID_DATA /data
|
|
export EXTERNAL_STORAGE /sdcard
|
|
|
|
mkdir /boot
|
|
mkdir /recovery
|
|
mkdir /system
|
|
mkdir /data
|
|
mkdir /cache
|
|
mkdir /sideload
|
|
mount tmpfs tmpfs /tmp
|
|
|
|
chown root shell /tmp
|
|
chmod 0775 /tmp
|
|
|
|
write /proc/sys/kernel/panic_on_oops 1
|
|
write /proc/sys/vm/max_map_count 1000000
|
|
|
|
on fs
|
|
mount pstore pstore /sys/fs/pstore
|
|
|
|
mkdir /dev/usb-ffs 0770 shell shell
|
|
mkdir /dev/usb-ffs/adb 0770 shell shell
|
|
mount functionfs adb /dev/usb-ffs/adb uid=2000,gid=2000
|
|
|
|
on boot
|
|
ifup lo
|
|
hostname localhost
|
|
domainname localdomain
|
|
|
|
class_start default
|
|
|
|
# Load properties, pre-Android 6.0
|
|
on load_all_props_action
|
|
load_all_props
|
|
|
|
# Load properties, Android 6.0+
|
|
on load_system_props_action
|
|
load_system_props
|
|
|
|
# Load properties, Android 6.0+, vendor init lives here
|
|
on load_persist_props_action
|
|
load_persist_props
|
|
|
|
on firmware_mounts_complete
|
|
rm /dev/.booting
|
|
|
|
# Mount filesystems and start core system services.
|
|
on late-init
|
|
trigger early-fs
|
|
trigger fs
|
|
trigger post-fs
|
|
trigger post-fs-data
|
|
|
|
# Load properties, pre-Android 6.0
|
|
trigger load_all_props_action
|
|
|
|
# Load properties from /system/ + /factory after fs mount. Place
|
|
# this in another action so that the load will be scheduled after the prior
|
|
# issued fs triggers have completed.
|
|
trigger load_system_props_action
|
|
|
|
# Load properties, Android 6.0+, vendor init lives here
|
|
trigger load_persist_props_action
|
|
|
|
# Remove a file to wake up anything waiting for firmware
|
|
trigger firmware_mounts_complete
|
|
|
|
trigger early-boot
|
|
trigger boot
|
|
|
|
on property:sys.powerctl=*
|
|
powerctl ${sys.powerctl}
|
|
|
|
service ueventd /sbin/ueventd
|
|
critical
|
|
seclabel u:r:ueventd:s0
|
|
|
|
service healthd /sbin/healthd -r
|
|
critical
|
|
seclabel u:r:healthd:s0
|
|
|
|
service adbd /sbin/adbd --root_seclabel=u:r:su:s0 --device_banner=recovery
|
|
disabled
|
|
socket adbd stream 660 system system
|
|
seclabel u:r:adbd:s0
|
|
|
|
# Always start adbd on userdebug and eng builds
|
|
on property:ro.debuggable=1
|
|
#write /sys/class/android_usb/android0/enable 1
|
|
#start adbd
|
|
setprop service.adb.root 1
|
|
|
|
# Restart adbd so it can run as root
|
|
on property:service.adb.root=1
|
|
write /sys/class/android_usb/android0/enable 0
|
|
restart adbd
|
|
write /sys/class/android_usb/android0/enable 1
|