My Attempt at EMMC Data Recovery

This slideshow requires JavaScript.

So here’s a fun little story and interesting side project rolled up into one post. It all started when my girlfriend and I were out one evening to see Distant Worlds at Boston Symphony Hall for an orchestral rendering of some Final Fantasy classics. As the clumsy person I am, I managed to land my bum on her phone and snap it in half -_-; rendering it completely unusable. At that point I iterated through all the possibilities in my head to defuse the situation and probably offered them all up in the span of one minute. Offer to replace it? Apologize profusely? Maybe Google backed everything up for her? Give her my phone? Recover the data myself? Needless to say it wasn’t a fun few days. I ended up lending her my phone while we sorted this out, figured that I don’t use it nearly as much. The transition was as simple as doing a NAND backup and leaving her with a clean phone to do whatever with. I did relish in the idea of recovering the data from the EMMC chip since I knew such a project was well within my abilities and quickly turned my attention to it.

I was confident in my baseline knowledge at the onset that I had built up the technical know how to carry this out. At the university I’ve worked with EMMCs with GumStix boards and knew that they looked exactly like an SD card from a software perspective. On one of our products at work, I know that electrically it looks like a BGA version of an MMC card on the schematic. Past curiosities in hardware reverse engineering has taught me that one of the first things people do is dump the data on the EMMC by soldering wires directly to the data pins. From Cyber Security, I learned enough about disk forensics to recover the data once I dd’d the image by recovering the file system and/or scalping any useful files.

The basic approach I formulated was the following:
1) Information gathering. Learn as much about the hardware as possible, find pinouts, understand the EMMC protocol, how it compares to traditional SD, similar works, soldering techniques for BGA pins, anything that fills in the gaps of my knowledge.
2) Desolder the chip with a hot air gun.
3) Solder wires directly to the BGA pins on the EMMC and solder them to the corresponding pins on a MicroSD card adapter.
4) Plug the MicroSD adapter into a standard SD card reader.
5) Immediately dd the /dev/sdx device into an image file and discard the physical media.
6) Mount the image file and recover files from file system (repair as necessary).
7) For fun, recover deleted files using scalping tools 😉

I think my greatest difficulty in this attempt was in finding high quality technical resources online. There’s just far too much crap on the internet and a lot of attention is given to explaining these concepts to the lay man. Anything more sophisticated than “sending it in to an expert” or “accepting your losses” is quickly dismissed as impossible. GSM-Forum was probably the best source I found for this kind of information. Their focus was more on mobile phone repair, than data recovery but I was able to find good information on performing reworks on EMMCs.

Unfortunately, I couldn’t find test points for her particular phone so I had to remove the BGA. This wasn’t too difficult, just blow hot air on it and lever it off with a blade. The annoying bit was the glue that they put under the chip which left a bit of a mess to clean up on the underside of the BGA. This consisted first of a rubbing alcohol sweep. Then a lot of flux and solder to get a nice soupy surface of molten metal on the package. This could then be swept up with my iron and some desoldering braid. A final rub down with alcohol and we have a nice clean surface.

Since these EMMC’s are jelly bean parts the pinout is pretty much standardized for each package regardless of the vendor. It was just a matter of me carefully laying down my wire on the solder tiny BGA pins. I managed to solder wires to all the pins, but ended up lifting the clk pin when soldering the chip to the micro SD adapter. The project was pretty much toast afterwards since I didn’t want to go through the effort of dremeling into the package to expose some more metal.

In hindsight, one step I regret not taking was to try to power on the board and try to recover the data through the Android Debug Bridge directly. Not once did I consider the chance that the logic board was still functional and probably could’ve saved me a lot of trouble. Anyway, it was a fun little project to pursue which didn’t have the outcome I desired, but I learned a lot from it. If the opportunity ever arises again, I’ll be prepared to succeed. 🙂

12 thoughts on “My Attempt at EMMC Data Recovery”

  1. hi brothers,i just got the same issue like you which that i wanted to solder the BGA pins into micro sd card reader , instead your picture showing the EMMC layout only consist 5 points ( VCC , CLK ,CMD , VCCQ , D0 ) , could you please tell me further the others points ? Vss1 and Vss2

    1. VSS1 and VSS2 can both be connected to any of the VSS pins in the BGA pinout. They’re also synonymous with any pin named GND if you encounter that in a pinout.

    1. I realize this is spam, but that’s a nice product for any industry users that may want to do this kind of work. For the “DIY” user like me, it’s way out of my price range. Perhaps others will be able to find something cheaper on Aliexpress by searching for EMMC sockets.

      “Will a pc read the data itself?”
      From the looks of the product page, it looks like it routes the EMMC pins to the SD cards via a socket. However, it doesn’t look like it has any onboard voltage regulation so it may very well fry your EMMC is you connect it directly to a PC. Can you comment on this Meg?

  2. you made a mistake, pinout is from PCB side, not the chip

    wrap your brain around it for a moment (I hope you still have the NAND), hold the chip solder-side down, then hold your thumb on D0, then flip the chip over and orient it to match the schematic… totally inverted. I only noticed it because ive been screwed over by orientations before, I’ve got a whole notebook dedicated to cable pinouts that I draw out by hand.
    Source: http://forum.gsmhosting.com/vbb/f672/guide-how-find-direct-emmc-pinout-step-step-pictures-1724774/index3.html

    thank you btw, I greatly appreciate the article, I take it you are Anonymous? Source: https://www.quora.com/How-can-data-be-recovered-from-an-eMMC-card

    you are my only lead towards more fun, and I thank you for that – I have an associates in digital forensics and various certs, its nice to know im not the only crazy one out there.

    I popped a NAND today, will take it under the microscope tomorrow at work and report back with my findings

    1. Thanks for the tip, I’ll be sure to watch out for that in the future. It’s hard enough dealing with all the other complexities that geometry is the last thing I’d want to be tripped up by haha. I’m glad there’s people like you doing this work in digital forensics; reverse engineering fringe these minute details of our devices fascinates me. And yeah anonymous=me

  3. Im posting this in october 2017. Lol. But with mobo that intact(before the attempt), the easiest way is to put the board on another working phone and copy the data to pc using usb. But surely, trying data recovery from direct emmc is fun tho. 🙂

Leave a Reply

Your email address will not be published.