Cant Enter LUKS Key Librem 5

CrimsonCube · June 21, 2024, 7:28pm

Hello, I may have caused a bit of an oopsy-soft-brick. I tried to update to Crimson by editing the /etc/apt/sources.list (I included crimson-proposed, probably should not have) because I needed a new version of something. I did a apt upgrade and apt full-upgrade.

The update itself did get interrupted, there was a point where text encodings seemed to break and I couldn’t sign in with my pin and was not even sure the update was making progress, so I restarted. But apt gave me instructions for what to do after trying apt upgrade again.

Something seemed to go wrong and triggers failed to process for tpm-udev, I just updated again but didn’t examine the result all that closely.

I restarted and I started to have issues, I didnt see the prompt/keyboard to type in my LUKS key, I see the Librem 5 splash screen in between console log messages, this is what I see:

“Nothing to read on input”
“cryptsetup: ERROR: crypt_root: cryptsetup failed, bad password or options?”
“cryptsetup: ERROR: crypt_root: maximum number of tries exceeded”

Each message is repeated multiple times, first a number of the first one, then in cycles several of the second and one of the third.

It seems to be an issue with I/O.
I know some people have had similar issues after trying to update their L5:

I researched the “Nothing to read on input” error in particular and found that people on laptops resolve it by just typing in the password unprompted and it seems to work.

I don’t have an on screen keyboard and I tried connecting 2/3 external keyboards, but they don’t even seem to be getting power. If I press caps lock, the indicator light does not turn on. The L5 doesent seem to be responding to inputs either (could it be usbguard? or too early in the boot?) At least one keyboard I tried was PS/2 and the other(s) were USB.

I would like to avoid flashing the phone, and it may be a bit paranoid but I honestly would like to avoid connecting it an external computer (or really anything else external),

Summary

(it might be a bit paranoid but it was expensive and I would like to avoid giving certain/untrusted hardware direct memory access, and I would like to continue to know an issues with other hardware have not made it onto there or had the chance to exploit vulnerabilities, not everything is FLOSS/easily auditable all the way down :()

I have also contacted support. Any help would be greatly appreciated.

A possibility: somehow writing a file to disk with the decryption key (then changing it later on perhaps):

Also the LUKs prompt itself disabling I/O?: No keyboard input at LUKS passphrase prompt - #2 by linux-aarhus - Support - Manjaro Linux Forum

FranklyFlawless · June 22, 2024, 12:49am

Does not exist:

Index of /pureos/dists/

Use apt to pin select packages as higher priority:

AptConfiguration - Debian Wiki

If you want to use the Librem 5 again, you must reflash. Before doing that though, you can attempt to backup your Librem 5 using Jumpdrive:

Whether you eventually reflash your Librem 5 yourself or Purism support does it instead is your choice. Either way, an external computer will be used to restore the Librem 5 to its original state.

CrimsonCube · June 22, 2024, 2:12am

Thanks for the reply! Its apprecieted

I strongly advise a fresh flash rather than change repo’s and upgrade. When I changed repos and upgraded the phone never behaved quite right again. It also would not create the .scr properly on kernel updates making it impossible to enter the decrypt password and would boot loop.

Darn, I actually did look through your post but not in that much detail, if I had seen that before I might not have tried.

I should have said crimson-updates-proposed

Huh’ didnt know about that specifically, thank you. I figured there had to be some way to do it. Had some concerns about compatability with other packages. I tried to remove the app I had and install the more recent flatpak one, however there were some l5 specific system packages that went along with it, I didn’t want it to conflict with anything else. And honestly Crimson reviews also looked fairly solid (relatively speaking) so I thought I would give it a try.

You still would have to add the newer repo right? The link you sent mentioned third party libraries, I suppose you could add the newer distribution repos as “third party libraries” but wouldent that mean the older/current repos would need to have a higher priority than the newer ones?

If that is the case then that is the case, but it seems strange that it wont accept input. I feel like I shouldn’t have to re-flash because it wont show a prompt but the “underlying machinery” (cryptboot) seems to be working, but there may just be no other pragmatic way around it right now.

Are you sure there is nothing else I can try to get it to accept input or boot into some sort of recovery prompt (or maybe write a keyfile onto it like one of the ones I linked above without resorting to a full flash)?

In the case that I re-flash it, is there a way to retrieve some data if I know the key? I don’t know at the moment that the partition is corrupted.

Would they would do that for free ? If so, do you happen to know if operations like this typically done in a timely manner?

FranklyFlawless · June 22, 2024, 2:43am

Yes.

You can selectively increase the priorities of packages in different repositories so that they are used instead. The rest of the packages in your default repository will remain the same priority so you minimize compatibility issues.

@OpojOJirYAlG

There may be, but that depends on how much time and resources you have to spend on troubleshooting.

Jumpdrive, already mentioned earlier.

Warranty is provided for Purism products for one year by default:

“Timely manner” is dependent on your expectations, but I can provide instructions for reflashing Crimson on your Librem 5, with the whole operation itself being under 15 minutes.

OpojOJirYAlG · June 22, 2024, 2:58pm

If you mount the Librem5 on a PC via jumpdrive you can mount and browse to /boot and there is a .scr file I cant remember the name of, rename it to .scr.bak and rename the older .scr file to not have the date or whatever in the name and it should then be able to boot normally.

I don’t remember all of the finer details but this will hopefully get you close enough. It might be a few weeks before I could give more precise guidance because life…

CrimsonCube · June 22, 2024, 8:11pm

Thanks for the reply!

Wouldn’t both distros have the same priorities on all packages by default though? Since the newer one has higher version numbers, wouldn’t it just update? Or you would have to change priority on all packages for the enteries for the older distro version?

Might be good, I have some thoughts on something else I may try as well

CrimsonCube · June 22, 2024, 8:12pm

Thank you I appreciate you taking the time to post! If I try this I will post what happens.

FranklyFlawless · June 25, 2024, 4:22am

Not necessarily, as backports are assigned a lower priority. You can change the global priority for any source using apt-cache policy, then modifying the numeric value associated with them to be higher or lower depending on your use case.

CrimsonCube · June 26, 2024, 5:09am

Interesting, I can keep that in mind! Thank you!

CrimsonCube · June 27, 2024, 12:05am

(asking anyone) Does this require serial download mode?

FranklyFlawless · June 27, 2024, 1:45am

Yes it does:

CrimsonCube · June 27, 2024, 1:59am

Thank you!