
01 Mar

Android Full Disk Encryption

Android – FDE can be used on an encrypted data.img, over USB from recovery mode, and over fastboot using the “fastboot oem read_mmc” command.

Disclaimer

The Full Disk Encryption tools are heavily based on Thomas Cannon's tools and support the HTC One and Wiko WAX (including the Blackphone). See below.

Use over “fastboot oem read_mmc” currently only supports HTC One HBOOT < 1.56.0000.

To dump Wiko WAX phones, use the scripts included in the “dump_nvtegra” directory. The dumping process for Linux and Windows is described also in the of this same directory.



Requirements (Debian):


Create the folders. “mnt” holds our virtual device, where a read corresponds to a read from the raw device. “mnt2” is used as the mount point for mounting the raw device as an ext4 partition.

$ mkdir mnt mnt2

 Prepare cache files to hold copies of the bytes already read from the raw device.

$ cd out
$ ./


Quick use guide

Start the phone in bootloader mode (HBOOT) and connect it to the computer. You need to select “fastboot mode” on the device.

Set up USB serial for this device

$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 003: ID 0bb4:0ff0 HTC (High Tech Computer Corp.) 
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
# modprobe usbserial vendor=0xbb4 product=0xff0

 (Optional) Check that everything is fine.

# ls /dev/ttyU*

 Run the usb program. The “-f” option runs it in the foreground, and “mnt” is the starting folder for our FS.

# ./usb -f mnt


Mount the (simulated) raw device in the mounting point and get the interesting files you want.

Case 1: /data is not encrypted.

# mount mnt/dev mnt2

# ls mnt2
anr   app_g        audio         data   DxDrm  lost+found  preload   radio       ssh     user
app   app-lib      backup        dontpanic  efs    media       property  resource-cache  system
app-asec  app-private  dalvik-cache  drm   local  misc    qcks      secure      tombstones


Case 2: /data is encrypted.

Using our Python tools, dump what is necessary from read_mmc and brute-force the PIN/password locally.

# python
Output directory: output
oem read_mmc emmc 6422528 1 1 1
oem read_mmc emmc 586799 1 1 1
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 0
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 256 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x15D29C161C54401CB4C1E49169104B552E4764311352AD2DBD8C428ED6C48400
Salt           : 0xC71F34809709FD390B4A91D9D9D800CD
Trying to Bruteforce Password... please wait
Trying passwords from 0 to 100
Password       : 0000
Derived Key    : 0xC0D086752DE152B0DA895ED15113041CDE5E7B7A8A3BC68451FC5BA8B9049F90
Derived IV     : 0x127DEA4BFC5A6572F2B0986E2DB2BBD4
Decrypted Key  : 0xA5E63B8F33F7739FE298482ADE5E57DD7505ADEBC22B09B4EDA9283D260AF1D8
Found PIN!: 0000
Saving decrypted master key to 'output/keyfile'

 Copy keyfile locally.

$ cp python/output/keyfile c/

 Mount the partition using dm-crypt, and extract files from phone.

# ./

 After use, unmount the raw device and the FUSE device.

$ ./
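
The footer fields printed in the Case 2 output above (magic, version, footer size, key size, crypto type, encrypted key, salt) can be read with a small parser. This is an added example, not the tool's own code: it assumes the AOSP v1.0 `crypt_mnt_ftr` layout with 32 bytes of padding between key and salt, `parse_footer` and `build_sample` are hypothetical names, and the sample footer is constructed from the values in that output.

```python
import struct

# v1.0 footer header, little-endian: magic, major, minor, ftr_size, flags,
# keysize (bytes), spare, fs_size, failed_decrypt_count, crypto_type_name[64].
# 100 packed bytes; the on-disk struct is padded to the 104 reported above.
HDR = struct.Struct("<IHHIIIIQI64s")
MAGIC = 0xD0B5B1C4
KEY_TO_SALT_PADDING = 32   # assumption: gap between key and salt (AOSP v1.0)
SALT_LEN = 16              # matches the 16-byte salt in the output above


def parse_footer(blob):
    """Return the footer fields as a dict; raise ValueError if malformed."""
    if len(blob) < HDR.size:
        raise ValueError("footer truncated")
    (magic, major, minor, ftr_size, flags, keysize, _spare,
     fs_size, failed, ctype) = HDR.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08X: no crypto footer here" % magic)
    if ftr_size < HDR.size or keysize not in (16, 32):
        raise ValueError("implausible ftr_size/keysize")
    salt_off = ftr_size + keysize + KEY_TO_SALT_PADDING
    if len(blob) < salt_off + SALT_LEN:
        raise ValueError("key/salt area truncated")
    return {
        "version": (major, minor),
        "footer_size": ftr_size,
        "flags": flags,
        "key_bits": keysize * 8,
        "fs_size": fs_size,
        "failed_decrypts": failed,
        "crypto_type": ctype.split(b"\0", 1)[0].decode("ascii", "replace"),
        "encrypted_key": blob[ftr_size:ftr_size + keysize],
        "salt": blob[salt_off:salt_off + SALT_LEN],
    }


def build_sample():
    """Constructed footer carrying the values printed in the output above."""
    enc = bytes.fromhex(
        "15D29C161C54401CB4C1E49169104B552E4764311352AD2DBD8C428ED6C48400")
    salt = bytes.fromhex("C71F34809709FD390B4A91D9D9D800CD")
    hdr = HDR.pack(MAGIC, 1, 0, 104, 0, len(enc), 0, 0, 0,
                   b"aes-cbc-essiv:sha256")  # fs_size 0: not on the page
    return hdr.ljust(104, b"\0") + enc + b"\0" * KEY_TO_SALT_PADDING + salt


if __name__ == "__main__":
    for name, value in parse_footer(build_sample()).items():
        print(name, value.hex().upper() if isinstance(value, bytes) else value)
```
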


 Source && Download

Kostaq Cipo

Programmer analyst, Web developer, Technology Evangelist and Enthusiast, Tech Author, Blogger, C C++ Java .NET VB, Mobile developer, Security analyst, Project Manager.
