MEC recovery leads ================== Source artifacts: - /home/jetson/mec is a LUKS2 encrypted container, not a plain archive. UUID: e3e91452-59dd-41ec-ba8d-89f0950251ec Cipher: aes-xts-plain64 Data offset: 16777216 bytes Keyslot 0 PBKDF: argon2i, time cost 4, memory 937857 KiB, threads 4 - /home/jetson/mec.crc is an MD5-style checksum file: 123844de7ba12662c06205a22d04309d ./mec_tgt_10.03.25 - Current recovered mec MD5: 133777b26e9530751c37c339f567b53e /home/jetson/mec The mec.crc value does not match the recovered mec file. Root shell history shows the original name was mec_tgt_10.03.25 and it was renamed to mec; the ThunderGaze_3285.gpg file was also renamed to ThunderGaze.gpg. Recovered script evidence: - tar_from_prepare_tg/prepare_tg.sh accepts the passphrase as argv[1]. - smartStart_readpass_fragment_78121021440.sh reads the passphrase from stdin. - smartStart_readpass_fragment_116238860288.sh reads the passphrase from stdin. - All variants use the same passphrase for: 1. cryptsetup --readonly open /home/jetson/mec my_enc_mec 2. gpg --passphrase-fd 0 ... /home/jetson/ThunderGaze.gpg - clean_EPD scripts shred ThunderGaze.gpg, update archives, close_mec.sh, prepare_tg.sh, smartStart.sh, and clean_EPD.sh. One recovered variant also shreds autoKill.sh, /home/videoview/top.log, and /home/videoview/term.log. Operational evidence: - /home/jetson/resultMapOpen says: Start mount map Crypt result: 0 Mount result: 0 Map ready! - Kernel/syslog remnants show /dev/mapper/my_enc_mec was mounted in the past. Passphrase status: - No passphrase was found embedded in recovered startup files. - Tested obvious candidates, version strings, file names, hashes, UUIDs, default user/device names, known IPs, "12345678", empty, newline, and space; all failed against the LUKS2 header. Current conclusion: - The realistic recovery lead is the missing passphrase, or another copy of the original smartStart/launcher/update package that supplied it on stdin. - There is no apparent cryptographic shortcut from the surviving LUKS2 header.