EMMC Data Recovery From A Bricked Phone

We’ve probably all got at least one old cell phone lurking somewhere around our bench. In most cases they’ll still work, but their batteries may be exhausted and their OS could be an ancient version. But sometimes there will be a phone that just died. One minute the flagship model, the next a useless slab of plastic and glass with the added annoyance of those priceless photos of Aunty May’s 80th forever locked in its memory.

[Andras Kabai] had just such a device land on his desk, a high-end Sony whose screen had gone blank. Others had tried; he was the last hope for the data it contained. He zoomed in on the eMMC chip on its motherboard, desoldered it and hooked it up via a specialist eMMC reader to recover those files. That is a very simple description of a far more involved process that he sets out in his post about it, a post that is fascinating reading and serves as a handy primer for any reader who might like to try it for themselves. We learn about the MMC interface and how simple it can be in its serial form, how with some fine soldering you can use a cheap USB reader, and that eMMC chips have a pinout conforming to a JEDEC standard.

Finally we see the software side as he takes the various SQLite databases and extracts the data for the user. It shows that all is not necessarily lost, however dead a phone may be.
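As an added illustration of that software side (not code from [Andras]'s post), the sketch below goes a step beyond mounting the filesystem: it scans a raw image for SQLite file headers, validates the fixed header fields, and carves each database out by its in-header size. The function names and the sample image are constructed for this example, and it assumes each database is stored contiguously and unencrypted.

```python
import pathlib, sqlite3, struct, tempfile

MAGIC = b"SQLite format 3\x00"  # 16-byte signature that starts every SQLite 3 file

def parse_header(buf, off):
    """Return (page_size, page_count) for a plausible header at off, else None."""
    hdr = buf[off:off + 100]
    if len(hdr) < 100 or not hdr.startswith(MAGIC):
        return None
    page_size, wr, rd, _, maxf, minf, leaf = struct.unpack_from(">H6B", hdr, 16)
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # page size must be a power of two, 512..65536
    if wr not in (1, 2) or rd not in (1, 2) or (maxf, minf, leaf) != (64, 32, 32):
        return None  # fixed header constants do not match
    counter, pages = struct.unpack_from(">II", hdr, 24)
    if pages == 0 or counter != struct.unpack_from(">I", hdr, 92)[0]:
        return None  # in-header size is stale or absent, cannot bound the file
    return page_size, pages

def find_databases(image):
    """List (offset, length) of SQLite files in a raw image; assumes contiguous storage."""
    hits, pos = [], image.find(MAGIC)
    while pos != -1:
        info = parse_header(image, pos)
        if info:
            hits.append((pos, info[0] * info[1]))
        pos = image.find(MAGIC, pos + 1)
    return hits

def rows_from_carved(blob, query):
    """Write carved bytes to a scratch file and run a query against the copy."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "carved.db")
        path.write_bytes(blob)
        con = sqlite3.connect(str(path))
        rows = con.execute(query).fetchall()
        con.close()
    return rows

def build_sample_image():
    """Constructed image: filler, one real database, then a bare decoy signature."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "sample.db")
        con = sqlite3.connect(str(path))
        con.executescript("CREATE TABLE contacts(name, number);"
                          "INSERT INTO contacts VALUES ('Aunty May', '555-0100');")
        con.close()
        db = path.read_bytes()
    return b"\xff" * 4096 + db + MAGIC + bytes(200) + b"\xff" * 512
```

On a real dump a database may be fragmented across the filesystem or have uncommitted pages in a separate journal, so a carved copy that fails to open is a cue to mount the partition from a copy of the image instead.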

We’ve seen [Andras] before, using an old scanner in his PCB fab.

11 thoughts on “EMMC Data Recovery From A Bricked Phone”

  1. I like the idea of the Odroids from Hardkernel.
    These are small Linux computers (just like Beaglebone, Cubieboard, Orange Pi and many others) and they have a nice feature where they put the eMMC module on a separate PCB with a connector to the main board.
    They can be easily replaced if damaged / worn out or if you want to experiment with different linux distributions.

    They also have an adapter print, with which you can use their eMMC modules just like any regular uSD card.

    1. This is my issue (minus the “before the Phone is broken” part). I have an old phone PCB lying around with about 6 months of photos and videos in case I ever figure that out. Encrypted flash android phone.

      1. If you can get the flash dumped, there are CLI Linux tools to open the crypt container and mount the data partition into a loop filesystem. I managed to recover stuff off of my wife’s bricked LG G2 (classic LG bootloop) by sticking it in the freezer to stop the bootloops long enough to dump the flash, then unencrypted the data partition and mounted it on my laptop.

    2. Depends on the manufacturer and how they handled the encryption keys. I’m aware that some manufacturers (esp Qualcomm based) utilise hardware keys to try to bind the keys to the hardware via TrustZone. There’s a fair bit of detail on http://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html that might help you there.
      I’m also aware of some QC manufacturers that utilise a different way of protecting the key encryption key (KEK), but still utilising the SHK to try to bind to hardware. It’s a little complex!

  2. This great show of data recovery reminded me of someone who knew similar to build their own memory card:
    https://ripitapart.com/2016/10/28/emmc-adventures-episode-1-building-my-own-64gb-memory-card-with-a-6-emmc-chip/

    Great show of success with the data recovery
    Since [Andras Kabai] used an adapter and I’m currently still using enamel wire, I wonder how much the adapters or kits cost?
    I’m gonna search around for one soon, looks too handy.

    Luckily the eMMC wasn’t encrypted.

    1. Oh hey, that’s my blog! ^^

      Back in late 2016 I purchased an eMMC test socket for $184 USD total (including shipping to Canada); it breaks out the eMMC into an MMCplus-shaped PCB so you can stick it into any device that accepts full-size SD/MMC cards. The price has since gone down significantly, only $105 USD now: https://www.ebay.com/itm/eMMC153-169-Reader-test-socket-SD-BGA153-169-IC-Size-11-5x13mm-Data-Recovery/152151938830 (Note that there are different sizes of eMMC packages, but 11.5x13mm is the most common now.)

      I’ve already used it to recover data from my Galaxy S II. The nice thing about these sockets is that it will work with or without solder balls (so reballing is not necessary to read/write to the eMMC).

    1. I think the G3 had a similar issue in which putting (maybe keeping) the device in the freezer let the device work just long enough to recover information from it. My guess is that there are cracked BGA joints that might even be reflowable.

  3. I don’t want to be the negative guy, but what is the challenge/hack here if you are using a 150$ E-Mate Pro eMMC Tool MoorC v3 that was basically made for that exact purpose beside de-soldering the chip from the phone?
