TWRP backup doesn't work with Google "work profiles" #1256
Comments
Work profiles use part of multiuser |
They use Android's file based encryption (FBE): https://source.android.com/security/encryption/file-based

The system_ce and system_de folders are actually Credential Encrypted (CE) storage and Device Encrypted (DE) storage as documented above. I can't even do an adb pull on my work profile's folders:

```
adb: error: failed to copy '/data/system_ce/10/gZbggZAffqRWsSUW3jB7gD' to './10/gZbggZAffqRWsSUW3jB7gD': open failed: Required key not available
```
|
Having the same issue. Is there any way to exclude certain folders from the backup? |
I agree that excluding secondary users (if backup is not possible) would be great. |
Please ignore those files on backup AND restore. So that the other user of profile will not be touched at all. |
Hi, I use work profile as a secondary user. So, PLEASE, include:
With all of this we can do a full backup using multiuser profiles. |
Any update on this one? I backed up my phone while work profile was enabled. Now I am unable to restore: extractTarFork() process ended with ERROR: 255 |
This should work fine now, but you would need to backup the phone with the newest version of TWRP, and then the new backup should restore properly. Any previous backups would not work as the work profile would've been encrypted. |
No, it didn't work. I created the backup with 3.4.0 and tried to restore it with 3.4.0. Error 255. Cannot find key for 11. So I deleted all files and folders named "11" from /data/system_de/, /data/misc/user/ and /data/vendor_de/ manually from the backup files (with 7-Zip) and pushed them back to my phone. Then I was able to restore the backup. Not sure if this is a corner case, but apparently TWRP did not skip this profile when creating the backup. |
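The per-user directories named in the comment above (plus `/data/system_ce/<id>` from earlier in the thread) are enough to tell which Android user IDs a backup contains before a restore is attempted. The following is an added example, not TWRP code and not something posted in this thread; it assumes the backup segments are unencrypted tar archives whose member paths start with `data/` or `/data/`, and the sample archive it runs on is constructed.

```python
import io
import re
import tarfile
from collections import defaultdict

# Per-user directories named in this thread; the next path component is the Android user ID.
PER_USER_DIRS = ("system_ce", "system_de", "misc/user", "vendor_de")
# Assumption: member paths look like data/<dir>/<id>/..., with or without a leading "/" or "./".
USER_PATH = re.compile(r"^(?:\./|/)?data/(%s)/(\d+)(?:/|$)" % "|".join(PER_USER_DIRS))


def users_in_backup(fileobj):
    """Return {user_id: [per-user dirs seen]} for one tar segment of a backup."""
    found = defaultdict(set)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:  # only member names are inspected; nothing is extracted
            match = USER_PATH.match(member.name)
            if match:
                found[int(match.group(2))].add(match.group(1))
    return {uid: sorted(dirs) for uid, dirs in sorted(found.items())}


def missing_on_device(backup_users, device_users):
    """User IDs present in the backup that do not exist on the target device."""
    return sorted(set(backup_users) - set(device_users))


def constructed_sample():
    """Build a tiny in-memory tar with made-up entries (not a real backup)."""
    names = [
        "/data/system_ce/0/placeholder", "/data/system_de/0/placeholder",
        "/data/system_de/11/placeholder", "/data/misc/user/11/placeholder",
        "/data/vendor_de/11/placeholder", "/data/app/placeholder",
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            tar.addfile(tarfile.TarInfo(name))  # zero-length entry
    buf.seek(0)
    return buf


if __name__ == "__main__":
    users = users_in_backup(constructed_sample())
    for uid, dirs in users.items():
        print(f"user {uid}: {', '.join(dirs)}")
    # Suppose only user 0 exists on the target device (constructed scenario).
    print("in backup but not on device:", missing_on_device(users, [0]))
```

For a real backup, pass `open(path, "rb")` for each segment and merge the results, then compare them with the user IDs that exist on the device.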
Did you first decrypt the work profile before performing the backup? Where is the recovery log? You shouldn't have to delete or skip anything. Without logs it's impossible to determine what happened here. |
I did not decrypt anything before taking the backup. It initially failed on the first file (data.f2fs.win000) with "11" files/folders in /data/misc/user/ and /data/vendor_de/. So I deleted them and then it failed on the last file (data.f2fs.win012) with "11" files in /data/system_de/. I was not unable to restore anything without deleting these files. Here is the log from the second attempt https://www.dropbox.com/s/9jec7aobe02to0p/recovery%5B1%5D.7z?dl=0 |
I think I'm missing a log. You're going to need to walk through your entire process, and provide the logs from each step. There should be a log from the backup in the backup folder - I think that one will be the most useful. For the restore, did you format the device or do something that would've deleted the work profile prior to restoring? According to that log, there's no user 11 on the device, which explains why it couldn't restore it. |
I do not have any other logs. All previous logs got deleted during my ROM flashing attempts. As already mentioned, I had Island (https://island.oasisfeng.com/) installed on my phone and I think this is where that user "11" came from? But it was not in use, I think the work profile was not even active when taking the backup. |
There is a recovery log in your backup folder. Since you were able to restore your backup, that folder/log must exist. That's the log we need to see. |
Yes, thanks, found it. |
Backup/restore operations will fail without all users decrypted. Whether they are in use or not. TWRP will automatically try to decrypt secondary profiles with the default password and/or the password provided by the user for the primary profile. I don't know what "password" is used by Island. I'll work on adding ignore logic for non-decrypted users. |
Ok, but the backup operation succeeded without any errors while the restore operation failed with Shouldn't the backup abort at this point instead of going on? |
Right now there is no logic to explicitly abort backups with undecrypted users. I'm not sure why it doesn't error out when backing up but does when restoring. |
Hi,
The path for /data/misc/vold/user_keys/ce/0/current and /data/misc/vold/user_keys/ce/10/current twrp path https://github.com/redispade/device_xiaomi_grus-twrp Xiaomi Mi 9SE |
Do you have a separate password for user 10? If so, did you attempt to decrypt using Advanced -> Decrypt Users? |
I only have a password for user 0, then I think the password is derived from user 0. |
I found this ticket after having this problem myself. The question below triggered something I wanted to try:
That got me thinking. I went into accounts and found an option 'use one lock'. I unchecked that and set the same pin code for the work profile. That enabled TWRP to unlock both profiles with the same pin. Somehow 'use one lock' and setting it once (main) is in Android 10 different from setting the same code twice. With the 'use one lock' I guess Android 10 thinks of a lock for the work profile and sets (and unlocks) it via internal code instead of setting the same code. Advanced -> Decrypt Users doesn't work with 'use one lock' but it is even not needed when you manually set the same code on both main and work profile. (is probably needed when you set 2 different codes) Device: Samsung Tab S5e |
Great man, works on my Xiaomi Mi 9SE too |
Sadly does not work for me. Oneplus 7 GM1903 Edit: With TWRP 3.4.0-0 it works! Thanks! |
While it did work for the backup, after formatting Data I couldn't restore it back. I guess it's that time of the year again where I have to start everything from scratch :/ . I guess it could be worse too, at least I have a way to recover my contacts and other stuff. |
Just create the user account in Android again first, and then the restore should work fine. |
Can anyone confirm this? I'm worried my backup strategy isn't sufficient. |
Hi having quite similar error, but for system user:
More context on this xda post. |
Is this after a wipe/format of data? Do all users on the backup already exist on the device? |
Tried wipe at first. Then did a full data format. Still same issue. |
Do you not know the user profiles you had on the original device? If you
did a format you will need to boot again and recreate the users. If you
only had one user (0) then just booting should be sufficient.
…On Thu, Apr 1, 2021 at 12:08 PM vukisz ***@***.***> wrote:
Tried wipe at first. Then did a full data format. Still same issue.
I am not quite sure how to check users from backup and create them in
destination.
|
I am still using old device. I have not created any additional user profiles explicitly. Maybe created guest account, but then deleted it. |
Post a recovery.log of both the restore on the new device and of just
booting TWRP and mounting /data on the old device.
…On Thu, Apr 1, 2021, 12:19 PM vukisz ***@***.***> wrote:
I am still using old device. I have not created any additional user
profiles explicitly. Maybe created guest account, but then deleted it.
How I can check user existing profiles on the original device? And how
those could be recreated in twrp? Using advanced -> terminal?
|
Sure. https://drive.google.com/file/d/1CZTV5sFlTBN8-dZ3AMb6Amw8jytfpQHl/view?usp=drivesdk |
Did you boot system at all on the new device before attempting to restore?
…On Thu, Apr 1, 2021 at 12:34 PM vukisz ***@***.***> wrote:
Sure.
https://drive.google.com/file/d/1CZTV5sFlTBN8-dZ3AMb6Amw8jytfpQHl/view?usp=drivesdk
Can you access it?
|
Nope, just did format, restart twrp, copied backup using twrp file manager and hit restore. |
Boot first to create user 0.
…On Thu, Apr 1, 2021, 12:40 PM vukisz ***@***.***> wrote:
Nope, just did format, restart twrp, copied backup using twrp file manager
and hit restore.
I have try booting after data format? :-)
|
Data format + restart ends in a bootloop. Is it as expected? |
Actual format (the button literally says "Format Data") or a factory reset?
|
TWRP->Wipe-Format data-> Then full screen text:
Typing yes and confirming And this ends in:
|
Then no that is not expected. Is it actually bootlooping or just taking
time to boot?
…On Thu, Apr 1, 2021, 12:48 PM vukisz ***@***.***> wrote:
TWRP->Wipe-Format data-> Then full screen text:
Wipe
Format Data
Format Data will wipe all of your apps, backups, pictures, videos, media, and removes encryption on internal storage.
This cannot be undone.
Type yes to continue. Press back to cancel.
|
Bootlooping:
Maybe I'll try flashing boot, vendor and system again |
Finally resolved. |
Hi all, just to be sure I'm good, backing up now with "warning: not all users decrypted" after "failed to decrypt user 10" [using work profile with a few apps in it, generated with app "Shelter" from f-droid]. Backup is now proceeding after skipping the warning. A. Is there a way to also decrypt user 10? Thanks! |
Only after you (or someone else) read through the AOSP (Android Open Source Project) source code and implement a way to decrypt user 10 into TWRP. The AOSP source code is publicly available so theoretically it would be possible if you know Java and C++ enough and have the time. If you decide to do that please make your source code available and make a pull request so it works for others as well. |
Not a dev here so unfortunately I won't be able to contribute here. About question B has anyone tried with latest TWRP? Thanks |
There is a solution: look back at #1256 (comment) |
Oh, right, I forgot about this since when I had the issue I couldn't enable "Use one lock" as my phone always got stuck at the boot animation. |
Very useful info and discovery, however it's the exact opposite for me. I had one lock enabled already, disabled it, set the exact same password for user 10, and TWRP automatically decrypts both successfully in sequence. OnePlus 7 Pro on Resurrection Remix 10, work profile managed by shelter |
The real point is that, if you enable "use one lock", the low-level encryption keys for two users are different. That is to say, we suspect that Android uses one key to compute that of the other, so in this case, you could not simply input the same key to decrypt both. That is why we need to read the code of Android to understand what is really happening. |
Having the same problem and unfortunately I wiped data and forgot to backup my work profile beforehand. I did some digging: Looks like the managed profile is using a randomly generated key, which is presumably stored somewhere? Seems to be in |
So what exactly would be my decryption password for users |
Hello! Was there any progression on this?
I dug down to a file Edit: formatting |
IME, if your work pattern is the same as your user pattern, it decrypts both. |
Well unfortunately it seems like it does not in my case. I can decrypt user 0 with my pin code, but decrypting user 11 fails. I have a somewhat "particular" work profile though as it was actually set up by the app Shelter. |
@biboon mine was also set up by shelter. What I missed is that I ticked the "Use one lock" setting under security. |
I'll share the knowledge I've gained here: @yshui's answer is correct, Android does generate a password when "unifying" the work profile with the main user. It also generates a secret key which it uses to encrypt the password. The encrypted password is being saved to While I was successful finding the blob associated to the key inside So I'm not sure how to proceed from here, if I happen to get custom code to interface with my device, I might be able to extract key. |
Device: OP6
Google "Work profile" created for work account (https://support.google.com/work/android/answer/6191949?hl=en)
TWRP/Nandroid backup from recovery throws the following error:
It seems that (similar to multi-user account or parallel apps), work profiles create a new user on the device, and `/data/system_ce/10` might be an artifact of my work profile (not sure). The other folder is `/data/system_ce/0`.
Going by XDA, TWRP doesn't support multi-user profiles. Does it not support work profiles either?