EMMC To SD Hack Rescues Data From A Waterlogged Phone

How do I get the data off this destroyed phone? It’s a question many of us have had to ponder – either ourselves or for friends or family. The easy answer is either to spend a mint on a recovery service or to consider the data lost forever. [Trochilidae] didn’t accept either of those options, so he broke out the soldering iron and rescued his own data.

A moment’s inattention with a child near a paddling pool left [Trochilidae’s] coworker’s wife with a waterlogged, dead phone. She immediately took apart the phone and attempted to dry it out, but it was too late. The phone was a goner. It also had four months of photos and other priceless data on it. [Trochilidae] was brought in to try to recover the data.

The phone was dead, but chances are the data stored within it was fine. Most devices built in the last few years use eMMC flash devices as their secondary storage. eMMC stands for Embedded Multimedia Card. What it means is that the device not only holds the flash memory array, it also contains a flash controller which handles wear leveling, flash writing, and host interface. The controller can be configured to respond exactly like a standard SD card.

The hard part is getting a tiny 153 ball BGA package to fit into an SD card slot. [Trochilidae] accomplished that by cutting open a microSD to SD adapter. He then carefully soldered the balls from the eMMC to the pins of the adapter. Thin gauge wire, a fine tip iron, and a microscope are essentials here. Once the physical connections were made, [Trochilidae] plugged the card into his Linux machine. The card was recognized, and he managed to pull all the data off with a single dd command.

[Trochilidae] doesn’t say what happened after the data was copied, but we’re guessing he analyzed the dump to determine the filesystem, then mounted it as a drive. The end result was a ton of recovered photos and a very happy coworker.
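As an added example (not [Trochilidae]'s code and not from the original write-up), this Python shows one way to do the step guessed at above: walk the partition table of a raw dump and identify each filesystem by its magic bytes before mounting anything. It assumes a GPT-partitioned image with 512-byte sectors; the function names, the constructed sample image and the `dump.img` file name are hypothetical.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def fs_signature(img, off):
    """Name the filesystem whose magic bytes sit at byte offset `off`."""
    if img[off + 1080:off + 1082] == b"\x53\xef":  # ext superblock magic 0xEF53
        return "ext2/3/4"
    if img[off + 3:off + 11] == b"EXFAT   ":
        return "exfat"
    if img[off + 82:off + 87] == b"FAT32":
        return "fat32"
    if img[off + 54:off + 57] == b"FAT":
        return "fat12/16"
    return "unknown"

def gpt_partitions(img):
    """Yield (name, byte_offset) for each used entry of a GPT at LBA 1."""
    hdr = img[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        return
    table_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        start = table_lba * SECTOR + i * size
        entry = img[start:start + size]
        if len(entry) < 128:          # truncated or corrupt table: stop
            break
        if entry[:16] == bytes(16):   # all-zero type GUID: unused slot
            continue
        first_lba = struct.unpack_from("<Q", entry, 32)[0]
        name = entry[56:128].decode("utf-16-le", "replace").split("\x00")[0]
        yield name, first_lba * SECTOR

def survey(img):
    """List (name, offset, filesystem); a bare filesystem is reported at offset 0."""
    parts = list(gpt_partitions(img)) or [("whole-image", 0)]
    return [(name, off, fs_signature(img, off)) for name, off in parts]

def constructed_sample():
    """Constructed 32 KiB image: GPT with one 'userdata' entry holding an ext magic."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 1, 128)  # table at LBA 2, 1 entry
    entry = 2 * SECTOR
    img[entry:entry + 16] = b"\x01" * 16                   # placeholder type GUID
    struct.pack_into("<QQ", img, entry + 32, 34, 63)       # first/last LBA
    img[entry + 56:entry + 72] = "userdata".encode("utf-16-le")
    img[34 * SECTOR + 1080:34 * SECTOR + 1082] = b"\x53\xef"
    return bytes(img)

if __name__ == "__main__":
    for name, off, fs in survey(constructed_sample()):
        # Read-only loop mount; 'noload' skips ext4 journal replay on the copy.
        print(f"{name}: {fs} -> mount -o ro,noload,loop,offset={off} dump.img /mnt")
```

Work on a copy of the dump and mount it read-only, so the recovered image stays bit-for-bit identical to what came off the chip.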

If you like crazy soldering exploits, check out this PSP reverse engineering hack, where every pin of a BGA was soldered to magnet wire.

LTE IMSI Catcher

GSM IMSI catchers preyed on a cryptographic misstep in the GSM protocol. But we have LTE now, why worry? No one has an LTE IMSI catcher, right? Wrong. [Domi] is here with a software-defined base transceiver station that will catch your IMSI faster than you can say “stingray” (YouTube video, embedded below).

First of all, what is an IMSI? IMSI stands for International Mobile Subscriber Identity. If an IMEI (International Mobile Equipment Identity) is your license plate, your IMSI would be your driver’s license. The IMEI is specific to the phone. Your IMSI is used to identify you, allowing phone companies to verify your origin country and mobile network subscription.

Now, with terminology in tow, how does [Domi] steal your IMSI? Four words: Tracking Area Update Request. When a phone on an LTE network receives a tracking area request, the LTE protocol mandates that the phone delete all of its authentication information before it can reconnect to a base station. With authentication out of the way, [Domi] spoofs a tower, waits for phones to connect, requests the phone’s IMSI and then rejects the phone’s authentication request, all under the nose of the phone’s user.

Now, before you don your tinfoil hat, allow us to suggest something more effective. Need more cell phone related hacks? We’ve got your back.

Hackaday Prize Entry: A Femtocell Repeater

For a Hackaday Prize entry, [TegwynTwmffat] is building a cell phone signal repeater. This sort of device is commercially available, but the options are either expensive or, as with some units available for $30 on DealExtreme, obviously noncompliant with RF regulations. This project intends to create a cost-effective, hackable device that works properly and conforms to the right regulations.

The core of this system is a LimeSDR transceiver. This is a board we’ve seen before, and it has a few interesting features. Basically, the core of the LimeSDR is a programmable RF transceiver with coverage from 100kHz to 3.8GHz. There’s also on-chip signal processing and USB 3.0 bandwidth to get the signals to and from a computer.

Right now, [TegwynTwmffat]’s focus is getting his LimeSDR up and working and figuring out how to set up a few radio blocks to do what is needed. There’s a great update to the project that showcases Pothos, and so far [Tegwyn] has a full-duplex repeater working. This is great work, and really showcases the capabilities of what software-defined radio can do.

Tearing Down The Boss Phone

Poke around enough on AliExpress, Alibaba, and especially Taobao—the Chinese-facing site that’s increasingly being used by Westerners to find hard-to-source parts—and you’ll come across some interesting things. The Long-CZ J8 is one of those: it’s 2.67 inches long, weighs just 0.63 ounces, and is built in the form factor of a Bluetooth headset.

A couple of months ago Cory Doctorow highlighted this tiny phone; he’d picked up on it because of the marketing. The lozenge-shaped phone was being explicitly marketed as able to “beat the boss”. The boss in question here is the B.O.S.S chair—a scanning technology that has been widely deployed across prisons in the U.K. in an attempt to put a halt to smuggling of mobile phones to inmates.

The Long-CZ J8 is just 2.67 inch (6.8cm) long.

I wasn’t particularly interested in whether it could make it through a body scanner, or the built-in voice changer which was another clue as to the target market for the phone. However just the size of the thing was intriguing enough that I thought I’d pick one up and take a look inside. So I ordered one from Amazon.

Linger Keeps You Around After You’ve Gone

We’re not sure if this is art, anti-snooping guerilla warfare, or just a cheeky hack, but we do know that we like it! [Jasper van Loenen]’s Linger keeps the SSIDs that your cell phone (for example) spits out whenever it’s not connected to a WiFi network, and replays them after you’re gone.

Some retail stores and other shady characters use MAC addresses and/or the unique collection of SSIDs that your phone submits in probe requests to fingerprint you and track your movement, either through their particular store or across stores that share a tracking provider. Did you know that you were buying into this when you enabled “location services”? Did the tracking firms ask you if that was ok? Of course not. What are you going to do about it?

Linger replays the probe requests of people who have already moved on, making it appear to these systems as if nobody ever leaves. Under the hood, it’s a Raspberry Pi Zero, two WiFi dongles, and some simple Python software that stores probe requests in a database. There’s also a seven-segment display to indicate how many different probe-request profiles Linger has seen. We’re not sure the price point on this device is quite down to “throwie” level, but we’d love to see some of these installed in the local mall.

Upgrading RAM On A Nexus 5X

A screenshot of the status screen indicating the phone has detected the extended RAM.

A denizen of the venerable XDA forums reports that it is possible to upgrade the RAM of the Nexus 5X from 2GB to 4GB. Having suffered the dreaded bootloop, [Cathair2906] decided to send their phone off to China for repair. The technician advised that since reflow of the CPU was necessary anyway, it makes sense to upgrade the RAM as well. This is due to the RAM actually being fitted directly on top of the CPU, a method amusingly known as Package on Package (SFW).

Upgrading RAM in the average computer is a relatively trivial task. Pop the case open, and you slide the new sticks into the extra slots. It’s not the same case for smartphones and tablets — in the endless quest for the slimmest form factor, all parts are permanently soldered. In addition, every device is essentially bespoke hardware; there’s no single overarching hardware standard for RAM in portable devices. You could find yourself searching high and low for the right chips, and if you do track them down, the minimum order quantity may very well be in the thousands.

Unless, of course, you had access to the Shenzhen markets where it’s possible to buy sample quantities of almost anything. Given access to the right parts, and the ability to solder BGA packages, it’s a simple enough job to swap a bigger RAM chip on top of the CPU during the repair.

It’s the sort of thing that’s trivial in Shenzhen, and almost mind-bogglingly impossible in the West. The price of the repair? About $60 USD. [Cathair2906] was even nice enough to share the address of the shop that did the work.

We’ve seen similar antics before – like this Nexus 5 storage upgrade to 64GB.

[via XDA Developers, thanks to Jack for the tip!]

Dual SIM Hack For Single SIM Slot Phones.

[RoyTecTips] shows us an ingenious hack which turns a single-SIM-slot phone into a fully functioning dual-SIM phone. All that’s needed for this hack is a heat-gun, solvent, micro SD card, nano SIM and some glue. The trick is that the phone has a SIM reader on the backside of an SD-card slot. Through some detailed dissection and reconstruction work, you can piggy-back the SIM on the SD card and have them both work at the same time.

Making the SD/SIM Franken-card is no picnic. First you start by filing away the raised bottom edge of the micro SD card and file down the side until the writing is no longer visible. Next get a heat gun and blast your nano SIM card until the plastic melts away. Then mark where the SIM card’s brains go and glue it on. Turn the phone on then, hey presto, you now have a dual SIM phone while keeping your SD storage.

This hack is reported to work on many Samsung phones that end in “7” and some that end in “5”, along with some 8-series phones from Huawei and Oppo clones of the Samsungs. Since you’re only modifying the SIM card, it’s a fairly low-risk hack for a phone. Combining two cards into one is certainly a neat trick, almost as neat as shoe-horning a microcontroller into an SD card. We wonder how long it will be before we see commercial dual SIM/SD cards on the market.

[Update] I got a little confused on this one as we only have the single SIM variants of these phones where I live. This hack is for dual SIM phones that either accept 2 SIM cards or 1 SIM + 1 SD card. This hack solves this problem and allows 2 SIMs plus 1 SD card in these phones. Sorry for the confusion and thanks to all who pointed this out in the comments.
