Hey,
i want to analyse the partitions of my Android Emulator using Autopsy for a prototype i am developing. I started with the userdata partition. However, it seems like that the partition does not contain any data, even though i produced some data (installed apps, phone calls, messages, browsing, etc). It is basically "empty" besides the default stuff that was already there before producing data (see the picture at the bottom). I dont really understand why this is the case. I also tried to reboot the emulator as i thought that the data i produced might be cached somewhere and is written to the userdata partition during shutdown (i checked if the generated data is still there after the reboot). Still, the size of the partition did not change. Other images (not created by me), which i analysed using autopsy during my digital forensic class, contained way more data in der userdata partition and were also produced using an emulator. Besides the AVD Emulator i tried the Genymotion Emulator. Nothing changed except the mapping.
This is what i did to extract the userdata:
1. Launched the emulator (latest API Level) and generated some data
2. Checked the connection via ADB (adb devices)
3. Become and verify root (adb root; whoami; id)
4. List the partition mapping (adb shell; ls -l /dev/block/mapper/)
emulator64_x86_64_arm64:/ # ls -l /dev/block/mapper/
total 0
drwxr-xr-x 2 root root 160 2022-03-26 11:09 by-uuid
lrwxrwxrwx 1 root root 15 2022-03-26 11:09 product -> /dev/block/dm-2
lrwxrwxrwx 1 root root 15 2022-03-26 11:09 system -> /dev/block/dm-0
lrwxrwxrwx 1 root root 15 2022-03-26 11:09 system-verity -> /dev/block/dm-4
lrwxrwxrwx 1 root root 15 2022-03-26 11:09 system_ext -> /dev/block/dm-1
lrwxrwxrwx 1 root root 15 2022-03-26 11:09 userdata -> /dev/block/dm-5
lrwxrwxrwx 1 root root 15 2022-03-26 11:09 vendor -> /dev/block/dm-3
5. Extracted the partition (adb pull /dev/block/dm-5 /DESTINATION_PATH)
6. Renamed the file to .img and created a new autopsy case
I expected the image to atleast contain data within the /app and /data folder.
Also: I would like to know if there is a possibility to extract the whole file system using the ADB only.
Thanks in advance!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Related
For experienced users only.
As the thread title suggests, this is a guide to backup, protect and restore root (su) as is sometimes needed after a system upgrade, broken Superuser update, etc...
Yes, there is an app for this, but if your like me, and enjoy full control over your system and don't mind working from the terminal, than this guide is for you.
What's involved:
We will be using two Linux commands orignially for the Linux second extended file system (ext2) but also works on ext3 and ext4.
- chattr (change file attributes)
- lsattr (list file attributes)
What's needed:
1. Terminal Emulator - there is an excellent one by Jack Palevich HERE
2. BusyBox compiled with the aforementioned utils/applets - an excellent pre-built binary by Linus Yang can be found HERE
-- I've also created a flashable zip for Linus Yang's BusyBox HERE
3. Extended file system as previously mentioned
A picture is worth a 1000 words:
Let's start with that and then review below
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
su ~ we need root access rights to make changes to the system
mount -o remount ~ we remount the system rw (read/write) to make the changes
cp -p ~ we copy/backup the su binary preserving (-p) the current file attributes/permissions, i.e. [rwsr-sr-x root root]
lsattr ~ list attributes; shows the files immutable bit is unset (not protected)
chattr +i ~ the +i is to set the immutable bit on the file
lsattr ~ list attributes; shows the files immutable bit is now set (protected)
chattr -i ~ the -i is to unset the immutable bit on the file
lsattr ~ list attributes; again, shows the files immutable bit is unset (not protected)
mount -o remount,ro ~ we remount the system read-only when finished making changes (always - don't forget)
Now what:
To restore root (su), i.e. after a system upgrade, we call the (su)protected /system/su-bak from terminal and use it to restore root access rights to /system/bin/su
Code:
/system/su-bak
mount -o remount,rw /system
chown 0.0 /system/bin/su
chmod 06755 /system/bin/su
mount -o remount,ro /system
Notes:
-In all my examples above, my su binary is in the /system/bin folder, however yours may very well be in the /system/xbin folder, so handle accordingly
-As long as the upgrade (OTA) is an in-place file system update then this should work, it is essentially the same process as the OTA RootKeepers
Sources and info:
chattr:
http://en.wikipedia.org/wiki/Chattr
http://linuxcommand.org/man_pages/chattr1.html
lsattr:
http://en.wikipedia.org/wiki/Lsattr
http://linuxcommand.org/man_pages/lsattr1.html
-JR-
Do any of you have any suggestions on how to do this? I ran parted via ADB on my 8GB tablet's internal storage (/dev/block/mmcblk0)
Code:
Disk /dev/block/mmcblk0: 7818MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 4194kB 25.2MB 21.0MB ext4 EFS
2 25.2MB 27.3MB 2097kB SBL1
3 27.3MB 29.4MB 2097kB SBL2
4 29.4MB 37.7MB 8389kB PARAM
5 37.7MB 46.1MB 8389kB KERNEL
6 46.1MB 54.5MB 8389kB RECOVERY
7 54.5MB 789MB 734MB ext4 CACHE
8 789MB 810MB 21.0MB MODEM
9 810MB 2278MB 1468MB ext4 FACTORYFS
10 2278MB 7281MB 5004MB ext4 DATAFS
11 7281MB 7818MB 537MB ext4 HIDDEN
I knew more or less what each partition did but was curious about "HIDDEN" so I mounted it to see what was there. All that was in that partition is Retail.apk (its the "Demo Mode" that runs when the tablet is sitting at Best Buy) and the sample multimedia files used in the demo. In total these files were less than 100MB and the multimedia already copied on the /sdcard/Samsung directory in the main storage.
537MB is quite significant considering how littte space there is on this 8GB model? The next time I do a factory reset can I just delete "HIDDEN" and DATAFS and create a new larger DATAFS partition with no ill effects? I'm thinking this would work because they are contiguous and enlarging DATAFS would not change its partition number so the mounting scripts during the boot process wouldn't get thrown off.
Are there any other suggestions on how I could reclaim 537 MB of internal storage?
I've done it successfully. delete p9,p10,p11 and recreate them in new size.
parted can only create ext2 partition, need tune2fs and e2fsck to convert ext2 to ext4 fs.
first, use tar to backup the system and data partition(p9,p10) to external_sd,
after repartition can restore them.
If you want to do it, must be careful, it's VERY DANGEROUS, maybe brick your device.
my device:Samsung Galaxy Tab2 P3110, CM 10.1.3RC2
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
For more detail you can have a look of this, it's in chinese and for kindle fire, but i think the commandline code you can understand.
http://bbs.imp3.net/thread-10515210-1-1.html
Have you succeeded in using all memory? I repartitioned device, in clockworkmod everything is fine, but I can't access all the space from system. For DATAFS I have now 5480MB instead of 5004MB, but system says me, that internal storage is still ~5GB with only 4,5GB available. I even hard resetted device - nothing changed. How to make system see all space?
it seems that all the memory of DATAFS are ok for my p3110, have a look of the snapshots below.
i use cm 10.1.3, i dont know which rom do you flash, stock rom?
sorry it is in chinese, but you could see the numbers of memory.
No problem with language, everything is clear . I'm using stock odexed Samsung 4.1.2 rom with my own changes for tabletui and a couple of others (like editing systemui.apk). I guess, that Samsung gives fixed amount of space for /data and I haven't found where it is. Anyway, thank you for idea
probably obvious to most, but don't delete all those partitions! i was in the middle of surgery via adb, and stupidly typed
Code:
du -hs
and the device rebooted.
http://forum.xda-developers.com/galaxy-tab-2/help/argh-deleted-internal-partitions-boot-t2912866
Hi people, i want to resize the internal partition of my P3100.
Can anyone help me?
First of all I decided to put all the memory available in user app (is /data?) so I can install more app, after this I need to know ho to resize /system partition and how much space I can take (I think 500MB is perfect)
After I need to enlarge my user app partitions without lost all my app and data app
Filesystem Size Used Free Blksize
/dev 345M 48K 345M 4096
/mnt/asec 345M 0K 345M 4096
/mnt/obb 345M 0K 345M 4096
/system 1G 363M 1014M 4096
/data 4G 3G 1G 4096
/cache 688M 11M 677M 4096
/efs 19M 8M 11M 4096
/storage/sdcard0 4G 3G 1G 4096
/storage/sdcard1 29G 10G 19G 32768
P.s.: what is it /mnt/asec and mntt/obb?
Can anyone make a short info about all the filesystem?
Aliendex said:
Hi people, i want to resize the internal partition of my P3100.
Can anyone help me?
First of all I decided to put all the memory available in user app (is /data?) so I can install more app, after this I need to know ho to resize /system partition and how much space I can take (I think 500MB is perfect)
After I need to enlarge my user app partitions without lost all my app and data app
P.s.: what is it /mnt/asec and mntt/obb?
Can anyone make a short info about all the filesystem?
Click to expand...
Click to collapse
I just want my girlfriend to be in the mood tonight. I think I have a better chance of that.
DigitalMD said:
I just want my girlfriend to be in the mood tonight. I think I have a better chance of that.
Click to expand...
Click to collapse
Very helpfull
Does this guide works?
[HOW-TO] Easily resize system + data partition!
The situation after 2 months is this:
System storage: 342MB used of 1024MB
Internal storage: 1.8GB used of 4.6GB
If i resize the system partition I can have a total of 5.1GB / 5.3GB for user apps
:cyclops:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
WARNINGS:
NEVER try to flash in "format all" mode ! Otherwise, you will LOSE all secure and identifying infos for your device. Like IMEI.
Keep your backup files safe and secure ! If you can, encrypt them.
Never try to share your backups or your security and privacy will be compromised.
USE AT YOUR OWN RISK. I AM NOT RESPONSIBLE FOR YOUR ACTIONS.
Why to backup ?
If you backup the partitions listed here, you can avoid mistakes without risking all of your device's identification details.
Like IMEI, WiFi MAC, Bluetooth MAC, calibration data, NVDATA, NVRAM, RADIO/MODEM/BASEBAND and others.
How to backup ?
You can backup using TWRP, PBRP, DD, SP Flash Tool or anyway you want.
How to restore ?
You can restore using TWRP, PBRP, DD, SP Flash Tool or anyway you want.
I suggest you to use same tool of backup.
Partition: frpDescription: This partition stores persistent data for factory reset protection. Like google account and miaccount/micloud.Size: 1.024 KiB (1 MiB)Block: /dev/block/mmcblk0p5Start address: 0x5508000Length: 0x100000
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Partition: md_udcDescription: This partition stores master keys for encrypting and decrypting files.Size: 23.144 KiB (22,6 MiB)Block: /dev/block/mmcblk0p9Start address: 0x6e08000Length: 0x169a000
Partition: nvcfgDescription: This partition stores variable configs of NVDATA and NVRAM.Size: 32.768 KiB (32 MiB)Block: /dev/block/mmcblk0p11Start address: 0xa4a2000Length: 0x2000000
Partition: nvdataDescription: This partition stores variable data of secure and identifying infos for your device. Like IMEI, WiFi MAC, Bluetooth MAC, calibration data and others.Size: 65.536 KiB (64 MiB)Block: /dev/block/mmcblk0p12Start address: 0xc4a2000Length: 0x4000000
Partition: nvramDescription: This partition stores persistent data of secure and identifying infos for your device. Like IMEI, WiFi MAC, Bluetooth MAC, calibration data and others.Size: 65.536 KiB (64 MiB)Block: /dev/block/mmcblk0p21Start address: 0x19f00000Length: 0x4000000
Partition: persistDescription: This partition stores persistent data for factory reset protection. Like google account and miaccount/micloud.Size: 49.152 KiB (48 MiB)Block: /dev/block/mmcblk0p13Start address: 0x104a2000Length: 0x3000000
Partition: proinfoDescription: This partitions stores persistent data of default structure for NVRAM/RADIO/MODEM/BASEBAND.Size: 3.072 KiB (3 MiB)Block: /dev/block/mmcblk0p19Start address: 0x18200000Length: 0x300000
Partition: protect1 (or protect_f)Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and infos.Size: 8.192 KiB (8 MiB)Block: /dev/block/mmcblk0p15Start address: 0x164a2000Length: 0x800000
Partition: protect2 (or protect_s)Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and infos.Size: 11.640 KiB (11,36 MiB)Block: /dev/block/mmcblk0p16Start address: 0x16ca2000Length: 0xb5e000
Partition: seccfgDescription: This partition stores the state of the bootloader. (Locked or Unlocked.)Keep atention: If you backup this partition in locked bootloader, it will keep locked after restoring. If you want to backup this partition in unlocked bootloader, you need to unlock bootloader first.Size: 8.192 KiB (8 MiB)Block: /dev/block/mmcblk0p17Start address: 0x17800000Length: 0x800000
Do you need help with your MERLIN device ?
Read this FAQ: https://forum.xda-developers.com/t/...for-merlin-redmi-10x-4g-redmi-note-9.4225177/
Hey, i'm trying to root crosscall core m5 but to no avail. Any help ?
What have you tried so far to root phone's Android 11?
jwoegerbauer said:
What have you tried so far to root phone's Android 11?
Click to expand...
Click to collapse
I have tried rooting Xiaomi Redmi 9 with success and flashed lineage os, the only thing is that the android 11 version doesn't allow read write permission to some config file i was trying to modify.
I'm now working with crossCall Core-M5 phones but i couldn't find the boot image that i need to get root access with magisk method.
I noted that Android 11 locked read only permission on / partition, tried many methods to get read write permission on files but no success.
To get RW access to folders / files you've to mount the partitions where these folders / files are located as RW.
jwoegerbauer said:
To get RW access to folders / files you've to mount the partitions where these folders / files are located as RW.
Click to expand...
Click to collapse
Yeah i did that but same error of read only
Bash:
lancelot:/ # mount -o remount,rw /dev/block/dm-1 /vendor
'/dev/block/dm-1' is read-only
Bash:
lancelot:/ # mount -o remount,rw /dev/block/dm-0 /
'/dev/block/dm-0' is read-only
these are the partitions identifiers
Bash:
adb remount
failed to remount partition dev:/dev/block/dm-0 mnt:/: Permission denied
failed to remount partition dev:/dev/block/dm-1 mnt:/vendor: Permission denied
failed to remount partition dev:/dev/block/dm-2 mnt:/product: Permission denied
remount failed
Re-mounting a partition as RW only can be applied by superuser ( AKA ROOT).
Example:
Code:
adb shell "su -c 'mount -o rw,remount <BLOCK> <MOUNTPOINT>'"
jwoegerbauer said:
Re-mounting a partition as RW only can be applied by superuser ( AKA ROOT).
Example:
Code:
adb shell "su -c 'mount -o rw,remount <BLOCK> <MOUNTPOINT>'"
Click to expand...
Click to collapse
Yes i'm root when i executed the previous commands
Bash:
su -c mount -o rw,remount -force /dev/block/dm-1 /vendor
but when i try to verify nothing happened still no write permission
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The complete command passed to su must be enquoted as I've shown it above.
Device must get re-booted so change take effect.