Imaging rooted 1st gen Pixel running Android 10?

By windomearle, Junior Member on 16th May 2020, 07:58 PM
Hi guys!!!

I have a rooted first generation Pixel running stock Android 10. I would like to take a physical image of the device using ADB.

If I command "mount" in ADB shell, I get for example the following line:

/dev/block/sda35 on /data type ext4

If I image /dev/block/sda35 with dd and netcat, I get an image but the file based encryption comes in the way and the files are useless.

So if I would like to take a clear text (physical) image of this device, what should I image? Or maybe the other way of asking this is, what is the best image I can expect through ADB with root privileges?

Thanks!!!
17th May 2020, 01:12 AM |#2  
NZedPred
Senior Member
Any particular reason you don't want to backup through TWRP?
17th May 2020, 07:38 AM |#3  
OP Junior Member
The main reason is that I am interested to know how this is done manually through ADB.

I am also interested in how the file based encryption works and what kind of information I can get out from the device with a best possible image.

So for me this is only an experiment, I don't have any valuable data on the device.
17th May 2020, 09:35 PM |#4  
NZedPred
Senior Member
dd allows you to get a bit-perfect copy of the partition. You are seeing the contents exactly as they are. For Android to view the actual files (well, those that are encrypted, not necessarily everything is encrypted with FBE) it has to decrypt them, which requires the key. Additionally, as you can have multiple users on a device, each user's files have a separate key.

In the old days of encrypted partitions, there was a metadata partition or similar that you could get the key from. Under FBE, I'm not sure how to do it, but the principle would be similar. So the only way to get a clear text copy of the files using dd is to decrypt.
19th May 2020, 06:28 AM |#5  
OP Junior Member
Do you have any knowledge of how Android does this decryption in practice?

When I imaged /dev/block/sda, which should be the "raw" memory device, my phone was open (passcode was entered to gain access to the phone) and the device remained in this state through the imaging.

Still this raw device is FBE, as I would expect actually. So Android does the decryption somehow to the mounted partition, but I don't know how.

Actually I can see that my root directory / comes from a device /dev/root, but in ADB shell I cannot find this device.

Maybe the next thing I will try is to use ADB when my phone is booted to TWRP and TWRP does the decryption...

In any case, Thanks for your answer!
19th May 2020, 11:21 PM |#6  
NZedPred
Senior Member
I don't know the details, but one key point about decrypting is that it does not change the actual content on disk. Think of decrypting as a translation service. There is something on disk you want to read, so the translator turns it into the plain text view. Similarly if you want to store some data, the translation service converts it into the encrypted view to be stored on disk. This is all done as the files are requested, and is transparent to any app. (Otherwise if you decrypted the disk and 'pulled the plug', you could go in and get the plain text content, which would defeat the purpose of encryption).

So doing this in TWRP won't make any difference.
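
Added example, not part of the thread or any poster's code: a way to check what the replies describe, namely that a dd image of an FBE /data partition is an intact ext4 filesystem whose file contents are still ciphertext. It reads the ext4 superblock's encrypt feature flag and labels each block by byte entropy; the function names and the in-memory sample image are constructed, and it assumes ext4 FBE without metadata encryption.

```python
import hashlib
import math
import struct
from collections import Counter

EXT4_MAGIC = 0xEF53          # s_magic, offset 0x38 in the superblock
INCOMPAT_ENCRYPT = 0x10000   # EXT4_FEATURE_INCOMPAT_ENCRYPT in s_feature_incompat

def parse_superblock(img: bytes) -> dict:
    """Read the ext4 superblock, which starts 1024 bytes into the partition."""
    sb = img[1024:2048]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT4_MAGIC:
        raise ValueError("no ext2/3/4 superblock at offset 1024")
    log_bs, = struct.unpack_from("<I", sb, 0x18)
    incompat, = struct.unpack_from("<I", sb, 0x60)
    return {"block_size": 1024 << log_bs,
            "encrypt_feature": bool(incompat & INCOMPAT_ENCRYPT)}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_blocks(img: bytes, block_size: int, threshold: float = 7.5) -> list:
    """Label each block. High entropy is consistent with ciphertext, but
    compressed data (JPEG, APK) scores the same, so treat it as a hint."""
    labels = []
    for off in range(0, len(img) - block_size + 1, block_size):
        blk = img[off:off + block_size]
        if not any(blk):
            labels.append("empty")
        elif entropy(blk) >= threshold:
            labels.append("high-entropy")
        else:
            labels.append("structured")
    return labels

def build_sample() -> bytes:
    """Constructed 4-block image: superblock, zeros, text, pseudo-random bytes."""
    b0 = bytearray(4096)
    struct.pack_into("<I", b0, 1024 + 0x18, 2)            # 1024 << 2 = 4096
    struct.pack_into("<H", b0, 1024 + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", b0, 1024 + 0x60, INCOMPAT_ENCRYPT)
    text = (b"plain text line\n" * 256)[:4096]
    rand = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return bytes(b0) + bytes(4096) + text + rand

if __name__ == "__main__":
    img = build_sample()   # constructed sample; a real dd image would be read from disk
    sb = parse_superblock(img)
    print(sb, classify_blocks(img, sb["block_size"]))
```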