OTA Updates - how are they working?

Hi there,
last night I just received the first OTA Update on my Samsung Galaxy S9 (Android 10) and I was just wondering how this works! My device is encrypted and reboots during Update into TWRP where it prompted for the Encryption Passphrase, I tapped on cancel and then the update went through. How is that working/ possible. I’d really like to understand this. :slight_smile:
Thank you guys!!

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone

Hi !

Updater doesn’t need to access your encrypted data, but TWRP is asking for passphrase unconditionally.

Only the data partition (aka userdata) gets encrypted. Encrypting “the phone” or “the device”, as it is referred to most often, is a simplification or, if you want, incorrect.

TWRP asks for the decryption password to be able to access the encrypted data partition. You canceled that part.
OS updates don’t access the data partition, so they work fine nonetheless.

2 Likes

Thanks for the quick replies!

… I just switched from macOS and Windows to Linux and from iOS to /e/ and want to understand how things are working and totally appreciate the input! :slight_smile:

back to the topic - that means if my Phone gets into the wrong hands, someone could temper with the system partion, because this is not encrypted, right?

Updates are stored in the data partition, however before the updater invokes the recovery it rewrites it decrypted so that the recovery can access it without needing any keys for data partition.

https://cs.android.com/android/platform/superproject/+/master:frameworks/base/services/core/java/com/android/server/power/ShutdownThread.java;l=715

https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/java/android/os/RecoverySystem.java;l=511

1 Like

Right.
More reading here : https://twrp.me/faq/securetwrp.html

The good news is, when you get your phone back you can re-apply the whole same system image you already have, simply using the TWRP’s Install button (it’s in /data/lineageos_updates/, you can check md5 against /e/ web site).