Sunday, 23 August 2020

Rooting Samsung devices (2020) with Magisk [RESEARCH]

Oh Samsung. Truly, if any device has ever been the bane of my existence in mobile forensics, it's Samsung devices. From the "latest and greatest" in security advancements, proprietary applications and storage areas, and seemingly zero consistency, Samsung has all of the hallmark pieces to cause annoyances to anyone doing forensics.


According to gs.statcounter.com (link), Samsung is currently sitting at the top of the market share for all mobile devices, even beating out Apple. Since Android is probably the most popular OS for mobile phones worldwide, I can't say I'm surprised. 


It's no wonder with all of these points that I commonly choose a Samsung device to add to my research testing bank of devices. Especially when you consider that Samsung LOVES to push their own proprietary applications instead of the commonly used ones on Android devices. Recently I mentioned adding a Samsung A11 (SM-A115U1) to my test bank in this post here. If it serves no more purpose than a place for me to remember what I did to finally get this working after messing with it for days, I'm going to post the guide of information that I used in order to get this device rooted for full filesystem testing. Hopefully, someone else will find this relevant to their interests eventually too. 


Starting out, I like Magisk. If you're not familiar with Magisk, then go read about it from GitHub here. I think Magisk does a great job of being able to maintain my ability to keep a device rooted, safe(er) than some other options, and gives me more control over my environment. So time to start down the Magisk road. 


In a perfect world, you'll pick a Samsung device where TWRP is already built and available. Save yourself a lot of time and headache and pick a device where TWRP is already available. Do yourself a favor and GTS. (Google that... stuff) I THOUGHT I did that. But, in my excitement for adding another device I saw that the 2019 version of the A11 had a TWRP, but that didn't work on my 2020 version of the A11. 


Okay, so without TWRP, how do you install Magisk? It's a little bit harder, but it's actually closer to my preferred method. I like to keep things as stock as possible, so I usually prefer to go this route and simply take a stock firmware and allow MagiskManager to patch it. It usually works great, except for this one. I'm going to skip over all the stuff that DIDN'T work, and just give you the stuff that does.


Step 1: 

Find firmware. You're going to need stock firmware from the manufacturer in order to feed it to MagiskManager. Samsung actually doesn't make this impossible. Or well, great developers from across the world make this not impossible. I usually use a site like https://www.sammobile.com but they didn't have the firmware I wanted listed. Then I turned over to some fairly sketchy looking 3rd party sites, but it got the job done. Remember that you're going to need not only your model number but also the Country Specific Code (CSC) that Samsung makes integral to their binaries.

Smarter Move: Just use Frija. I WISH I would have realized this exists; it's now one of my favorite tools. https://forum.xda-developers.com/s10-plus/how-to/tool-frija-samsung-firmware-downloader-t3910594

TL;DR: It's a Samsung firmware downloader where you don't have to pay for "premium" access to get a download that doesn't crash 5000 times just to get a firmware. 



Step 2: 

Set up your Samsung device. Lots of mini-steps going on here but it's all super easy stuff you are probably familiar with. 

  • Proceed through initial setup; Turn on Developer options
  • In Developer options, enable OEM unlock and USB debugging
  • Reboot device in download mode.
    • CAREFUL: There are two? different download modes. One available via "adb reboot download" and another that is available from a specific keystroke command using the physical buttons. The only way I could get into the device wipe/OEM unlock mode was to use the keystroke method. The ADB command would NOT give me the option. For my A11 it was Volume Up + Volume Down + and Power/Bixby buttons all at once. This mode is VERY important to Magisk later. 
  • Unlock Bootloader - WARNING: This causes a device wipe
  • Proceed through initial setup again, enabling developer options and usb debugging. 
  • Install MagiskManager 
    • Download it from the web OR
    • Download it on your PC and use "adb install [Path_to_File_onPC]\MagiskManager.apk"
  • Download Odin: https://samsungodin.com/download/
  • Also, download 7-zip from here: https://github.com/mcmilk/7-Zip-zstd/releases

Okay, now, warning time. This is where I'm going off the rails. Up to this point, you could have really just followed the default directions from Magisk's website. However, 2020 Samsung Devices are doing something different and I can't quite put my finger on it. NORMALLY, you would just push the AP file from your Frija or SamMobile download into MagiskManager do :DoTheThing: but it's not that easy this time around. If you do this, you'll likely get an error returned on the device that says Secure Fail: vbmeta

So what is VBMeta? Well, it's part of AVB or Android Verified Boot. For more info on AVB, go here: https://android.googlesource.com/platform/external/avb/+/oreo-dev/README.md

So let's break down what's actually in the AP image that is getting patched by Magisk. If you expand the zip of the firmware you got you'll see this: 


So let's use that 7zip we got and expand the AP .md5 file. You'll see this: 


Oh great. Lz4... (link) This is one of the reasons I said to download the 7zip I mentioned, and not the one you likely already have on your system (because 7z is life). Each of the img.lz4 files is responsible for a different partition on the Samsung phone. I spent a few days pulling these apart as best I could figure out, experimenting with patching specific image files and trying that.

Now, Samsung has been using lz4 since Oreo. So I don't think that's the issue here completely. But it adds another layer of complexity. Magisk even recommends just patching a boot image, which can be used when you don't already have a custom recovery or your device isn't using an A/B structure. My Samsung is NOT using an A/B structure and there's no TWRP available for it, so you know what, why not? Worth a shot, right? This is why having the stock firmware is so important. Screw up? Flash it back.

Step 3: 

Once you've expanded your AP_.md5 file, open the boot.img.lz4 file from within 7zip. Export the boot.img file to your PC. 

Step 4: 

Push the boot.img file to your phone by using the command: adb push boot.img /sdcard/
This pushes the boot.img file to the sdcard of your device and puts it in a location where MagiskManager should be able to see it.

Step 5: 

Using the MagiskManager app, select "Install" and then "Select and patch a file" 
Point MagiskManager to your uploaded boot.img file. After completing, it will create a magisk_patched.img file in your /sdcard/Download (or /media/0/Download, depending on how you're seeing your device).

Pull this file back to your PC using "adb pull /sdcard/Download/magisk_patched.img" 

Step 6: 

Normally if you have a patched boot image you can just send your device into Fastboot and flash the boot volume. But, not with Samsung. 

Take your magisk_patched.img file and rename it to boot.img. Using the same 7zip I mentioned, send this to a .tar file. (Right click --> 7zip --> Add to Archive --> Select tar) You'll end up with boot.tar

Step 7: 

Finally time to invoke the All-Father. 

Send the Samsung device back to the download mode. I used the keystroke command not adb. 

Using Odin, flash the boot.tar file that you have created from the patched boot.img using the AP option in Odin. 

Step 8:

Once the device boots, launch MagiskManager. It should :DoTheThing: and you should have it come back as successfully installed.

Just for good measure, I like to throw up an adb terminal and do: 
adb devices
adb shell
su

MagiskManager should prompt to allow you access and then BAM you're G2G. Now you can selectively image your device (or Full File System) to your heart's content. 
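The host-side parts of Steps 3 through 7 can be scripted so you are not hand-checking the AP download and hand-building the Odin tar each time. This is an added example, not code from the post or from Magisk/Odin; it assumes the AP file is a Samsung .tar.md5 (a plain tar archive with an md5sum-style line appended, which is what Odin verifies), that the lz4 decompression of boot.img.lz4 is still done with the 7-Zip build or `lz4 -d` as the post describes, and that Odin's AP slot wants a tar whose single member is named exactly boot.img. `build_sample_ap` only constructs a tiny stand-in archive so the helpers can be exercised offline.

```python
import hashlib
import io
import re
import tarfile
import tempfile
from pathlib import Path

# Samsung *.tar.md5 = plain tar archive + an md5sum-style line ("<md5>  <file>\n") appended after it.
MD5_LINE = re.compile(rb"^([0-9a-fA-F]{32}) +(.+)\n$")

def verify_tar_md5(path):
    """True if the trailing md5 line matches the archive bytes before it (the same check Odin performs)."""
    data = Path(path).read_bytes()
    trailer = data[data.rindex(b"\0") + 1:]  # a tar ends in NUL padding blocks; the md5 line follows them
    m = MD5_LINE.match(trailer)
    if m is None:
        return False
    return hashlib.md5(data[:-len(trailer)]).hexdigest() == m.group(1).decode().lower()

def list_partition_images(ap_path):
    """Per-partition images inside AP (boot.img.lz4, vbmeta.img.lz4, ...); tarfile stops at the end blocks."""
    with tarfile.open(str(ap_path)) as tar:
        return sorted(m.name for m in tar.getmembers() if m.name.endswith(".img.lz4"))

def make_odin_boot_tar(patched_img, out_tar):
    """Repackage magisk_patched.img as boot.tar whose single member is named boot.img, for Odin's AP slot."""
    with tarfile.open(str(out_tar), "w", format=tarfile.USTAR_FORMAT) as tar:
        tar.add(str(patched_img), arcname="boot.img")
    with tarfile.open(str(out_tar)) as tar:
        return tar.getnames()

def build_sample_ap(outdir=None, tamper=False):
    """Constructed stand-in for a downloaded AP_*.tar.md5: tiny fake members, genuine md5 trailer."""
    outdir = Path(outdir or tempfile.mkdtemp())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in ("boot.img.lz4", "vbmeta.img.lz4", "recovery.img.lz4"):
            payload = name.encode() * 8  # constructed placeholder bytes, not real lz4 data
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    body = buf.getvalue()
    digest = hashlib.md5(body).hexdigest().encode()
    if tamper:  # flip one byte inside the archive so the trailer no longer matches (a modified/corrupt download)
        body = body[:100] + bytes([body[100] ^ 0xFF]) + body[101:]
    path = outdir / "AP_SAMPLE.tar.md5"
    path.write_bytes(body + digest + b"  " + path.name.encode() + b"\n")
    return path
```

Run `verify_tar_md5` on the real AP file before you extract anything from it; a download that crashed partway through (as the post warns about) fails here instead of failing in Odin.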

One benefit to doing it this way instead of the standard procedure for Samsung is that we're not forced to wipe our devices in between. Another benefit to just patching the boot volume is that you don't have to restart it using the recovery mode keystroke every time either.

Okay! Go forth and plunder the data off those Sammies! Like I said, I hope this goes to help even one person out or maybe even myself the next time I have to deal with Samsung and forget this. 
