
Process XRY FBE Physical image with PA?

5 Posts
4 Users
0 Reactions
4,148 Views
 nic
(@nic)
Active Member
Joined: 4 years ago
Posts: 7
Topic starter  

Hi there,

I have a Samsung Galaxy A21s (SM-A217F/DSM, Exynos 850, And. 10, Patch-Lvl. 1. Jan 2021) where FFS backup with UFED 4PC was impossible but XRY managed to back it up the Physical way (known passcode).

Is it possible to decode the extracted eMMC image (export is possible with Elements) and process it with Physical Analyzer?

 

Thanks!

Nico

This topic was modified 3 years ago by nic

   
(@arcaine2)
Estimable Member
Joined: 9 years ago
Posts: 239
 
Posted by: @nic

Is it possible to decode the extracted eMMC image (export is possible with Elements) and process it with Physical Analyzer?

I'm not using XRY daily, but I believe there's an option to export the filesystem to a directory in XAMN. You can then select that directory as a data source in PA.


   
(@plan_b)
Eminent Member
Joined: 7 years ago
Posts: 31
 

Hey nic

 

The functionality to do this is built into XAMN, but it's hidden in a right-click option at the data source option.

If you have access to MSAB Customer Portal there is a quick video guide to show you how to do this:

MSAB Customer Portal > Video/Webinars > XAMN & Analysis > XAMN in 5 - Quick Views - Exporting a Binary File - This video will show you two ways to export a Physical extraction binary file using XAMN Elements.

Basically, you go to the Data Source view in XAMN and right-click the mouse for "Export to .bin".

 

It's worth a try to import the .bin into PA with the right phone profile.

 

Greetz


   
AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 174
 

So you can export the physical image using the method described above, but as far as I can tell XAMN doesn't give you an option to export the decryption keys. PA also doesn't include an option, when loading the physical, to load the keys required to decrypt the file-based encryption.

 

That means that although it is possible to export the physical from XAMN and import it into PA there is no way for PA to decrypt the encrypted file system.  Therefore PA will only be able to analyse some system files that are not encrypted.  All the useful user data will remain encrypted.


   
(@arcaine2)
Estimable Member
Joined: 9 years ago
Posts: 239
 
Posted by: @amne5ia

That means that although it is possible to export the physical from XAMN and import it into PA there is no way for PA to decrypt the encrypted file system.  Therefore PA will only be able to analyse some system files that are not encrypted.  All the useful user data will remain encrypted.

It's possible to do it the other way around, but it's quite time-consuming. In XAMN, once everything loads, you can switch to filesystem view, and then export the whole decrypted filesystem to a directory. Once that's done, you can point that directory to PA, or, better, compress that exported data to a .zip and process it with PA. https://imgur.com/a/twNvmyZ

 

 


   