Capturing RAM in Android systems simplified
Occasionally, the question arises concerning the capture of RAM from Android devices. Since the term “Android devices” can cover not just mobile handsets from any number of handset manufacturers, but also a number of other Internet of Things (IoT) and embedded devices, the real answer is “it depends”.
In mobile handsets, which we will be concerned with here, the general answer is no, but there are ways to dump RAM from devices dependent on certain conditions. Those conditions can partially be defined by what you want the RAM dump for, and also what state the handset is in. Here, we look at handsets that have been rooted or handsets that have a special state that can be accessed to dump RAM. For other states, the handset will have to be exploited and a RAM dump taken after exploitation.
RAM Dumps from rooted devices
Android handsets are usually sold in a locked down state. This means that access to internal areas is secured and protection mechanisms are in place to stop both legitimate and malicious users from accessing the internal areas of the device.
Most handsets can be unlocked in some way so that access to internal areas is easier. However, these elevated permissions only give better access to system settings and the ability to run commands that are normally privileged. These will also give access to normally unseen areas within the file system but still not allow access to RAM, since this is under the control of the kernel. To access RAM in the device we can use a loadable kernel module, Linux Memory Extractor – LiME.
Kernel modules need to be compiled with the kernel that is used on the device. Fortunately, due to the open-source nature of Android, we can download the source code for a devices kernel and build LiME. The newly built kernel can then be installed on the device and RAM dumped from the device using the module. The link above will show how to compile both kernel and module. The new kernel can then be installed once it has been made into a boot image. The instructions for this are sometimes handset specific and this is left as an exercise for the reader.
RAM dumps from Samsung devices
Samsung devices have a special mode that can be accessed to enable a RAM dump. This special mode is called ‘upload mode’ and can be initiated from the handset via a menu that can be accessed from the dialler app. Upload mode is usually used by developers to extract the RAM if there has been a serious problem with the system. It was primarily used by kernel developers to see the system memory so that the kernel could be debugged. This is not normally turned on, and access is via the ‘sysdump’ menu which can be accessed by typing *#9900# in the dialler app. Once in the ‘sysdump’ menu we can scroll to the debug level and set it to MID and then set upload mode to enabled. Rebooting the handset will put it into upload mode where the RAM can be accessed programmatically.
Accessing the RAM dump can be achieved using the Samsung Upload Client. This is a python script and will run as-is from a Linux machine. Windows users will require the USB development kit (Releases · daynix/UsbDk · GitHub) to be installed to reliably use the python script. If using the script on a windows machine with XRY installed it is best to turn off the MSAB driver by opening the XRY systray tool and selecting “use MSAB drivers only when XRY Wizard is running”:
Once installed, and MSAB drivers turned off, the script should run and dump the RAM. After the script runs there should be a folder with around 60 files within it. The memory can be carved for artifacts from the files below (for this particular handset):
About the author:
Dave Lauder is a Security Researcher at MSAB.