Galaxy SM-G925F Running 6.0.1

CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Hello Folks,

A different challenge today. The latest version of UFED is absolutely powerful, as it includes support for Android 6.0.1. However, today I faced a different scenario: I plugged in a Galaxy SM-G925F running 6.0.1 which is not rooted, and celebrate managed to boot up a custom recovery (TWRP) and pull a full physical dump (recovery method). However, when I try to decode it using PA it pops up an encryption password; it seems like the encryption option has been enabled.

I do not have access to the mobile phone (pattern protected). However, I have tried to root the device and upload another custom recovery (TWRP) and had an approach to delete the gesture.key, but the system/data directories are completely empty. I'm assuming the root files I've pushed aren't compatible with the particular device? So I've pushed another root which (it looks like) was successfully rooted, but again those directories are empty.

Any thoughts?

 
Posted : 21/03/2017 8:28 am
(@agolding)
Posts: 31
Eminent Member
 

> Hello Folks,
>
> A different challenge today. The latest version of UFED is absolutely powerful, as it includes support for Android 6.0.1. However, today I faced a different scenario: I plugged in a Galaxy SM-G925F running 6.0.1 which is not rooted, and celebrate managed to boot up a custom recovery (TWRP) and pull a full physical dump (recovery method). However, when I try to decode it using PA it pops up an encryption password; it seems like the encryption option has been enabled.
>
> I do not have access to the mobile phone (pattern protected). However, I have tried to root the device and upload another custom recovery (TWRP) and had an approach to delete the gesture.key, but the system/data directories are completely empty. I'm assuming the root files I've pushed aren't compatible with the particular device? So I've pushed another root which (it looks like) was successfully rooted, but again those directories are empty.
>
> Any thoughts?

Unfortunately, as it's encrypted you can't see the file system (that's why it's showing up as blank) and therefore can't remove the gesture.key. The only possible option I know of is attempting encryption passwords.

 
Posted : 21/03/2017 4:12 pm
Bolo
(@bolo)
Posts: 97
Trusted Member
 

A few things:
a) Does the phone, after you root it, still power up normally and ask for a Pattern/PIN?
b) Are the user partitions empty (you can check the content in PA and the HEX viewer), or do you see them as unallocated (garbage data)?

@agolding 6.x doesn't use pattern/password.key files and HASH/SALT for storing passwords, so those files are not available… instead it uses the Gatekeeper mechanism with the CRYPT hash type.

 
Posted : 22/03/2017 12:36 am
(@almrasl)
Posts: 10
Active Member
 

> A few things:
> a) Does the phone, after you root it, still power up normally and ask for a Pattern/PIN?
> b) Are the user partitions empty (you can check the content in PA and the HEX viewer), or do you see them as unallocated (garbage data)?

a) The phone boots up normally after the root, yes.
b) The partitions aren't empty; I can see lots of directories and files. I have attached a picture below.
That is an interesting note about Android 6.x changing its hashing mechanism to Gatekeeper. Are there any articles I can read that can help me to decrypt or get rid of the pattern?

Thanks!

 
Posted : 22/03/2017 8:34 am
(@arcaine2)
Posts: 235
Estimable Member
 

The screenshot you posted is from the wrong partition. The SYSTEM partition is (so far) never encrypted, which is why all the files are visible. You should take a look at the userdata partition and then look for the system directory if possible.

 
Posted : 23/03/2017 1:14 am
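Bolo's question (b) and arcaine2's point about SYSTEM versus userdata come down to the same triage step: before trying to decode a recovery dump, check whether the partition you imaged is a cleartext filesystem, a blank read, or ciphertext. The script below is an added example written for this thread; it is not code from any of the posters, nor from UFED, PA or TWRP. It plants the ext4 superblock magic (0xEF53 at byte 1080) or the f2fs magic (0xF2F52010 at byte 1024) to recognise a cleartext filesystem, and otherwise falls back to a Shannon entropy estimate over the first 64 KiB. The three sample images are constructed in the script (zeros, zeros with only an ext4 magic planted, and seeded PRNG bytes standing in for FDE ciphertext); the helper names and the two entropy thresholds are my own choices, not standard values.

```python
import math
import random
import struct
from collections import Counter

# Superblock layout facts: ext4 and f2fs both keep their superblock 1 KiB into the partition.
SUPERBLOCK_OFFSET = 1024
EXT4_MAGIC_OFFSET = SUPERBLOCK_OFFSET + 0x38   # s_magic field, little-endian u16
EXT4_MAGIC = 0xEF53
F2FS_MAGIC_OFFSET = SUPERBLOCK_OFFSET          # magic is the first u32 of the f2fs superblock
F2FS_MAGIC = 0xF2F52010

# Triage thresholds in bits per byte (my own choices, tuned for a quick look, not standard values).
BLANK_ENTROPY_MAX = 0.5        # zero-filled or near-zero regions
ENCRYPTED_ENTROPY_MIN = 7.9    # ciphertext / random data sits just under 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def filesystem_magic(image: bytes):
    """Return 'ext4' or 'f2fs' if a cleartext superblock magic is present, else None."""
    if len(image) >= EXT4_MAGIC_OFFSET + 2:
        (magic16,) = struct.unpack_from("<H", image, EXT4_MAGIC_OFFSET)
        if magic16 == EXT4_MAGIC:
            return "ext4"
    if len(image) >= F2FS_MAGIC_OFFSET + 4:
        (magic32,) = struct.unpack_from("<I", image, F2FS_MAGIC_OFFSET)
        if magic32 == F2FS_MAGIC:
            return "f2fs"
    return None


def classify_partition(image: bytes, sample_size: int = 64 * 1024) -> str:
    """Triage a raw partition dump.

    'ext4' / 'f2fs'     -> cleartext filesystem (what a SYSTEM dump, or an unencrypted
                           userdata dump, looks like; a decoder can walk it)
    'blank'             -> zero-filled (what a failed or truncated read looks like)
    'likely-encrypted'  -> no recognisable superblock and near-random bytes (what an
                           FDE-protected userdata partition looks like from recovery)
    'unknown'           -> structured but unrecognised data; inspect it in a hex viewer
    """
    fs = filesystem_magic(image)
    if fs is not None:
        return fs
    entropy = shannon_entropy(image[:sample_size])
    if entropy < BLANK_ENTROPY_MAX:
        return "blank"
    if entropy > ENCRYPTED_ENTROPY_MIN:
        return "likely-encrypted"
    return "unknown"


# --- Constructed sample images (not real device dumps) -------------------------------

def make_blank_image(size: int = 128 * 1024) -> bytes:
    """All zeros: the shape of an empty or failed read."""
    return bytes(size)


def make_ext4_like_image(size: int = 128 * 1024) -> bytes:
    """Zeros with only the ext4 magic planted; enough to exercise the superblock check."""
    buf = bytearray(size)
    struct.pack_into("<H", buf, EXT4_MAGIC_OFFSET, EXT4_MAGIC)
    return bytes(buf)


def make_encrypted_like_image(size: int = 128 * 1024, seed: int = 1234) -> bytes:
    """Seeded PRNG bytes standing in for FDE ciphertext (same entropy profile, reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    samples = (("blank", make_blank_image()),
               ("ext4-like", make_ext4_like_image()),
               ("encrypted-like", make_encrypted_like_image()))
    for name, img in samples:
        print(f"{name:15s} entropy={shannon_entropy(img[:65536]):.3f} -> {classify_partition(img)}")
```

Run against real dumps, a SYSTEM image classifies as `ext4` (or `f2fs` on devices that use it) while a block-encrypted userdata image from recovery classifies as `likely-encrypted`, which is exactly the "garbage data" case Bolo asks about and the reason PA asks for a password. A visible superblock only shows the partition is not block-encrypted; it says nothing about per-file encryption on later Android versions, which is outside this thread.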
(@tazmaniak)
Posts: 1
New Member
 

By default, Android 6 Marshmallow encryption is mandatory for most new devices, which makes a physical dump (using the TWRP method, for example) of these mobile devices useless, since you will end up with an encrypted dump which cannot (yet) be decrypted. Below you will find a method using a custom recovery image that will root your device and allow you to physically dump the decrypted user partition from the operating system itself.

1. Go to https://autoroot.chainfire.eu/
2. Find the model and choose the right Android version.
3. Download the zip and extract all the files.
4. Put your phone into download mode (Vol Down+Home+Power), then when prompted push Vol Up to continue.
5. Open ODIN, go to "options" and leave auto-reboot enabled.
6. Flash the phone with the included tar.md5 file. The device boots up automatically.
7. Enable adb debugging.
8. Make a physical dump of your device.
9. After imaging is complete, choose "full unroot" in SuperSU. It asks if the stock boot image should be replaced.
10. Reboot the device and check if SuperSU is still there. If there is a bootloop, flash the same custom recovery again and repeat the unroot procedure with no stock boot image.

Hope it helps.

 
Posted : 28/03/2017 7:03 pm
Bolo
(@bolo)
Posts: 97
Trusted Member
 

> By default, Android 6 Marshmallow encryption is mandatory for most new devices, which makes a physical dump (using the TWRP method, for example) of these mobile devices useless, since you will end up with an encrypted dump which cannot (yet) be decrypted.

This is NOT true and correct information if we are talking generally - while NEWLY produced devices which got Marshmallow from the start are mostly encrypted by default (you can turn it off in Settings, but nobody cares about this), pure 6.0 doesn't have any requirement for encryption at all, and devices which got updated to this system also don't require encryption. In fact the S6 (G920F) and S6 Edge (G925F) are not encrypted by default - as are many older phones too. In such a situation you can easily make a dump using UFED or Oxygen and then analyse it - of course you will get KNOX triggered and cannot access containers, so be aware. This information applies to Android up to 6.0.1. If the Android version is higher you can do a chip-off, read it and then put the chip back and give a working phone to the client. Here are short videos showing such a process:

Galaxy S6 G920F chip preparation / read / analyse in UFED

Galaxy S6 UFS IC movie - chip back into phone board

P.S.
This answer is not related to the subject, since, as the author writes, the device seems to be encrypted, so obviously the user has turned it ON.

 
Posted : 28/03/2017 10:17 pm