main question is in the title. Some clarification though:
When you factory reset your encrypted phone, the old device encryption key (DEK a) gets deleted and a new encryption key (DEK b) is being generated, which is used to encrypt the device. The DEK is stored in the TEE (correct?). In this case, the PIN before the factory reset was the default android password (default_password).
Since flash-storage is difficult to erase, let's assume the old key encryption key (KEK) for the DEK (a) has been found. The default android password is known (default_password).
Given the process, on how android gets from the DEK to the KEK...
Previously, we encrypted the master key with a key generated by applying scrypt to the user's password and the stored salt. In order to make the key resilient against off-box attacks, we extend this algorithm by signing the resultant key with a stored TEE key. The resultant signature is then turned into an appropriate length key by one more application of scrypt. This key is then used to encrypt and decrypt the master key. To store this key:[...]
...is it possible to decrypt the old data? Now, obviously, the KEK can't decrypt the DEK, because it's not there anymore (DEK (a) has been deleted), but is it possible to derive the lost DEK (a) with a given PIN (default_password) and the found KEK of the old encryption?
I found this thread already, but i'm not sure if the answer fits my question.
The scrypt KDF is designed to be slow and sufficiently memory-hard to make it difficult to parallelise on common compute platforms (e.g. CUDA). Also notice that they said "one more application of scrypt"; the DEK is already transformed via scrypt, hence it is made infeasible to try to "crack" the DEK by deriving it repeatedly against candidate passwords.
