Samsung Knox Partition Lockout

(@mrjude)
Posts: 3
New Member
Topic starter
 

Hi all.

I tried to make a physical acquisition of a Samsung Galaxy S5 using Magnet Acquire. Note that I had to manually root the device using Magisk.

At first, the physical acquisition did not complete successfully, and from the logs I found something that implies that Samsung Knox denied access to the partition (21) containing the user data.
Quoting
E/audit ( 5130) type=1400 msg=audit(1517955498.830203) avc denied { read } for pid=5686 comm=4173796E635461736B202335 name="magisk.apk" dev="mmcblk0p21" ino=33 scontext=urknox_untrusted_apps0 tcontext=uobject_rsu_files0 tclass=file

After that, physical acquisitions have been successful, giving me an image size of about 3gb instead of 16gb (the missing 13gb is from the partition to which access is denied). As such, the 3gb image is unreadable when I try to browse its contents.

My questions are
1) Has anyone encountered such an issue before?
2) How would you suggest I go about it to get the full image?
3) As I have another S5 with similar security features, do you know if Knox can be disabled (either by the company, or other method) to allow full imaging?

Please also note that I don't have access to Cellebrite, Oxygen or other specialised tools, and have tried another rooting method - CF-Auto-Root. It appears as though the device/Knox has locked out the user data partition from any sort of imaging.

One method I have not tried yet but intend to try on the second device is to use CF-Auto-Root alone to root (without Magisk), so that Knox possibly does not detect it as an 'untrusted' app and allows the acquisition of its data partition as well.
Please let me have your comments/answers. Thanks.

 
Posted : 09/02/2018 11:12 am
(@arcaine2)
Posts: 235
Estimable Member
 

The easiest way to avoid this would be to flash TWRP to the device and make a dump while in custom recovery.

 
Posted : 09/02/2018 5:14 pm
(@mrjude)
Posts: 3
New Member
Topic starter
 

Hi arcaine2. Do you mean TWRP backup? If so, I already tried that.

First, TWRP backup would select partitions of the device, not the entire disk.
Second, TWRP backup fails when it tries backing up the "Data" folder. I googled and saw that I could check and delete the file causing the error through the log.
I can't quite remember the particular file but I was not sure of deleting it.

In summary, TWRP backup fails and might not get the whole disk.

Please explain further if the TWRP dump you mentioned is different and captures the entire disk.

 
Posted : 09/02/2018 5:27 pm
(@arcaine2)
Posts: 235
Estimable Member
 

No, while in TWRP connect the phone to the PC and you can just "adb pull /dev/block/mmcblk0 some_filename.bin" to dump the whole eMMC, or replace mmcblk0 with mmcblk0p21 for a specific partition, userdata in this case. This works in TWRP because adbd works in root mode by default and produces a raw and direct copy that can be mounted or scanned by any tool later on.

 
Posted : 09/02/2018 7:27 pm
(@plan_b)
Posts: 31
Eminent Member
 

I think the problem is the encrypted /data partition.

When you launch TWRP (System read only) you can't mount the data partition.

If you switch over to the terminal in TWRP, type in mount.

If I'm right, there should be no data partition mounted.

No matter if you do a TWRP backup or an Android dd image.. you don't have the user's data.

Don't swipe to allow modifications.. this will give you a bootloop.

BUT.. if you can mount the /data partition and it is listed when you type in mount at the terminal prompt… feel free to dump the whole eMMC like arcaine2 wrote before.

 
Posted : 13/02/2018 6:01 am
(@mrjude)
Posts: 3
New Member
Topic starter
 

Thanks a lot arcaine2 and Plan_B.

I managed to acquire the second device using the "dd" command from TWRP terminal without any issue.

For the initial device, the "adb pull" command gave the error that "remote object '/dev/block/mmcblkp21' does not exist".

I also tried "cp" command on "adb shell" (since the pull command does not work on shell) and it was not successful as well.
I did these before Plan_B's comment so did not try the "Mount" command. However, I think the /data partition was already mounted and not encrypted.

The "dd" command on TWRP terminal also failed to get the full partition.

I then ran TWRP Backup and still got errors, but this time traced the files causing the backup error, copied them first, then deleted them as suggested from some googling - the files were mostly related to Chrome.
After that, TWRP Backup worked but "dd" still did not acquire the full disk.
I then manually copied and pasted the data folder on my usb-otg device, to identify which file in particular might cause an error.
I got no error after the manual copy/paste, so retried the dd command and acquired the userdata partition successfully.

With that, I launched Magnet Acquire again to do the full disk acquisition and got a similar error. Quoting
E/audit ( 5241) type=1400 msg=audit(1518469966.410262) avc denied { write } for pid=12119 comm="app_process32_o" name="system@framework@boot.art" dev="mmcblk0p21" ino=130836 scontext=urshells0 tcontext=uobject_rdalvikcache_data_files0 tclass=file

Perhaps the problem was not with Samsung Knox or Magisk after all.

On a second trial, Magnet Acquire got the full disk without any error.

 
Posted : 13/02/2018 9:51 am
(@plan_b)
Posts: 31
Eminent Member
 

Congratz :D

 
Posted : 13/02/2018 12:32 pm
(@arcaine2)
Posts: 235
Estimable Member
 

For the initial device, the "adb pull" command gave the error that "remote object '/dev/block/mmcblkp21' does not exist".

There's a typo here. You wrote "mmcblkp21"; it should be "mmcblk0p21". Not sure if you actually typed it wrong when trying to make a dump, but from my experience the "adb pull" method works just fine while you're in TWRP for many devices, including S5, S6 etc., you just have to adapt the path to the correct one.

 
Posted : 13/02/2018 1:04 pm
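The acquisition arcaine2 and plan_b describe, written up as a script (added example, not code from any poster): it validates the block-device name before anything runs (the "mmcblkp21" typo would be caught here), confirms adbd is root and that /data is mounted, streams the device with dd over adb exec-out, and compares a device-side hash with the local one. It assumes a phone booted into TWRP, a single attached device, and that TWRP's busybox provides id, mount, test, dd and sha256sum.

```shell
#!/bin/sh
# Added example, not code from the thread: raw acquisition of the whole eMMC or
# a single partition from a phone booted into TWRP, over adb, with the checks
# the thread points at. Assumes adbd runs as root in TWRP, one device attached,
# and busybox on the device providing id, mount, test, dd and sha256sum.
ADB="${ADB:-adb}"   # override with a stub function for dry runs

# Accept only mmcblk<N> or mmcblk<N>p<M>; rejects typos such as "mmcblkp21".
valid_block_name() {
    printf '%s\n' "$1" | grep -Eq '^mmcblk[0-9]+(p[0-9]+)?$'
}

# Returns 0 when /data is mounted on the device (plan_b's check: if /data is
# absent from "mount", the userdata dump will hold only ciphertext).
data_mounted() {
    "$ADB" shell mount | tr -d '\r' | grep -q ' /data '
}

# Dump /dev/block/<name> to a local image and verify it against a hash
# computed on the device. exec-out + dd keeps the transfer byte-exact.
acquire_block() {
    name="$1"; out="$2"
    valid_block_name "$name" || { echo "invalid block name: $name" >&2; return 2; }
    [ "$("$ADB" shell id -u | tr -d '\r')" = "0" ] \
        || { echo "adbd is not running as root" >&2; return 3; }
    # Older adbd does not propagate exit codes, so check for an echoed marker.
    [ "$("$ADB" shell "test -b /dev/block/$name && echo ok" | tr -d '\r')" = "ok" ] \
        || { echo "remote object '/dev/block/$name' does not exist" >&2; return 4; }
    if ! data_mounted; then
        echo "warning: /data is not mounted; userdata may be encrypted" >&2
    fi
    "$ADB" exec-out "dd if=/dev/block/$name bs=4M 2>/dev/null" > "$out" || return 5
    remote=$("$ADB" shell "sha256sum /dev/block/$name" | tr -d '\r' | awk '{print $1}')
    local_sum=$(sha256sum "$out" | awk '{print $1}')
    [ "$remote" = "$local_sum" ] || { echo "hash mismatch for $name" >&2; return 6; }
    echo "$remote  $out"
}

# Usage: acquire_block mmcblk0 full_emmc.bin   (whole eMMC)
#        acquire_block mmcblk0p21 userdata.bin (userdata partition)
```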