Could not find handle to decrypt synthetic password blob on Android 15.0
actual output:
file:///Users/user/hobby/fbe-decrypt/fbe-decrypt.mjs:2512
throw new Exception('Could not find handle to decrypt synthetic password blob');
^
ReferenceError: Exception is not defined
at file:///Users/user/hobby/fbe-decrypt/fbe-decrypt.mjs:2512:5
Node.js v22.11.0
avd created from system-images;android-35;google_apis_playstore;arm64-v8a
with this patch for logging:
--- a/fbe-decrypt.mjs
+++ b/fbe-decrypt.mjs
@@ -2473,6 +2473,7 @@ for await (const dev of using(await BlockDevQcow2.open('encryptionkey.img.qcow2'
ext4_data.addKey(await decryptKey((await navigatePath(ext4_data.root, 'misc', 'vold', 'user_keys', 'ce', '0', 'current', 'encrypted_key')).open(), (await navigatePath(ext4_data.root, 'misc', 'vold', 'user_keys', 'ce', '0', 'current', 'keymaster_key_blob')).open(), await prefixHashFile('Android secdiscardable SHA512', ext4_data.root, 'misc', 'vold', 'user_keys', 'ce', '0', 'current', 'secdiscardable')));
}
else {
+ console.log('sp_handle:', sp_handle);
const spblob = await readAsBuffer((await navigatePath(ext4_data.root, 'system_de', '0', 'spblob', sp_handle.padStart(16, '0') + '.spblob')).open());
if (spblob.length < 58 || spblob.readUInt16BE() !== 0x0300) {
// Must be version 3 LSKF
@@ -2494,12 +2495,18 @@ for await (const dev of using(await BlockDevQcow2.open('encryptionkey.img.qcow2'
synthetic_password_key_id = id.value;
break;
}
+ console.log('synthetic_password_key_id:', synthetic_password_key_id);
// In version 1, the order of decryption is opposite:
// Using the inner key first, and the key from the database second
// In versions 2 and 3, the inner key comes second
let spblob_decrypt_1 = null;
for await (const row of persistent_sqlite.getTableRows('blobentry')) {
const [id, subcomponent_type, keyentryid, blob] = await iteratorToArrayAsync(row(), 4);
+ for await (const file of using(await blob.open())) {
+ const buffer = Buffer.alloc(8192);
+ const len = await file.read(buffer, 0, 8192, 0);
+ console.log('blobentry:', id.value, subcomponent_type.value, keyentryid.value, buffer.subarray(0, len));
+ }
if (keyentryid.value !== synthetic_password_key_id) {
continue;
}
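Review bot: The dump loop added at the top of the `blobentry` iteration prints the leading bytes of every row's blob, not only the rows whose `keyentryid` equals `synthetic_password_key_id`, and the surrounding comments indicate these blobs hold key material, so a log pasted into a public tracker carries that material along (low stakes for a throwaway AVD, not for an image of a real device). Moving the dump below the `keyentryid.value !== synthetic_password_key_id` check, or guarding it with an opt-in switch such as `if (process.env.FBE_DECRYPT_DEBUG) { … }` (variable name constructed for this note), would keep normal runs quiet. The read is also capped at 8192 bytes with nothing to show when a blob is longer; printing `len` next to the buffer would make truncation visible. Whether `blob.open()` can safely be called again later in the loop is not visible here, because the loop body continues past the end of the hunk.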
~
~
sp_handle: ef14cd8adaffe4cd
synthetic_password_key_id: -4262532403762386885n
blobentry: null 0n 3833731635640680876n <Buffer 00 20 00 00 00 57 69 b4 2e 3f 27 b4 3c 43 26 d4 74 a7 17 c1 1a c4 cd 29 eb d5 a3 e6 fb 09 ba 2f 4e c8 97 5e f7 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 109 more bytes>
blobentry: null 0n -1241749245648479867n <Buffer 6c d5 0c 5c e7 3e a7 f6 c9 94 eb 84 4f 3c 57 33 98 5e 6b 0c d4 52 4b 57 93 7d d6 d4 88 54 e5 87 1e 53 71 fc ed 3f 9a 79 3f f2 c9 65 2f a9 b4 1a 0c fd ... 132 more bytes>
blobentry: null 0n 5456121752707742965n <Buffer a1 b6 af 90 19 28 94 02 cb 27 d6 e0 85 2b c5 31 62 6f c7 fe 6c 24 63 08 8d 08 1f 4b e9 7a 17 46 f1 91 64 36 d1 0c 0d 06 cb a9 31 23 38 99 d3 5b f1 69 ... 1297 more bytes>
blobentry: null 1n 5456121752707742965n <Buffer 30 82 02 cd 30 82 01 b5 a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 1f 31 1d 30 1b 06 03 55 04 03 0c 14 41 6e 64 72 6f 69 ... 671 more bytes>
file:///Users/user/hobby/fbe-decrypt/fbe-decrypt.mjs:2539
throw new Exception('Could not find handle to decrypt synthetic password blob');
^
ReferenceError: Exception is not defined
at file:///Users/user/hobby/fbe-decrypt/fbe-decrypt.mjs:2539:5
Node.js v22.11.0
That Exception should indeed be Error.
For debugging the contents of the db, it would be better to extract the file using readAsBuffer, and writeFile. Then you can open it with a dedicated tool, like DB Browser.
You can then directly look in the keyentry table and see if it has a key with an alias that starts with synthetic_password_. Then match its id with the keyentryid in the blobentry table.
If there's no matching entry, it might be an issue with the database, or the file did not extract correctly. If there's a matching entry, it might indicate an issue with the SQLiteDatabase class.
Hi.
I have never used anything like this, and I am trying to retrieve data from a userdata file downloaded from my MI9, which got encrypted after a failed Magisk v28 update, and I was forced to format. Could anyone provide a comprehensive step-by-step guide on how to use it and start the script? I got stuck at "npm install":
If that's the only way to even try to retrieve some data, I would really appreciate any help.
@zbysogi This repository has no package.json, so you don't need to (and can't) run npm install. The next steps are to cd to the AVD directory and run node ~/fbe-decrypt/fbe-decrypt.mjs, as described under #usage in the README.