So here’s a fun little story and interesting side project rolled up into one post. It all started when my girlfriend and I were out one evening to see Distant Worlds at Boston Symphony Hall for an orchestral rendering of some Final Fantasy classics. As the clumsy person I am, I managed to land my bum on her phone and snap it in half -_-; rendering it completely unusable. At that point I iterated through all the possibilities in my head to defuse the situation and probably offered them all up in the span of one minute. Offer to replace it? Apologize profusely? Maybe Google backed everything up for her? Give her my phone? Recover the data myself? Needless to say it wasn’t a fun few days. I ended up lending her my phone while we sorted this out, figured that I don’t use it nearly as much. The transition was as simple as doing a NAND backup and leaving her with a clean phone to do whatever with. I did relish in the idea of recovering the data from the EMMC chip since I knew such a project was well within my abilities and quickly turned my attention to it.
I was confident in my baseline knowledge at the onset that I had built up the technical know how to carry this out. At the university I’ve worked with EMMCs with GumStix boards and knew that they looked exactly like an SD card from a software perspective. On one of our products at work, I know that electrically it looks like a BGA version of an MMC card on the schematic. Past curiosities in hardware reverse engineering has taught me that one of the first things people do is dump the data on the EMMC by soldering wires directly to the data pins. From Cyber Security, I learned enough about disk forensics to recover the data once I dd’d the image by recovering the file system and/or scalping any useful files.
The basic approach I formulated was the following:
1) Information gathering. Learn as much about the hardware as possible, find pinouts, understand the EMMC protocol, how it compares to traditional SD, similar works, soldering techniques for BGA pins, anything that fills in the gaps of my knowledge.
2) Desolder the chip with a hot air gun.
3) Solder wires directly to the BGA pins on the EMMC and solder them to the corresponding pins on a MicroSD card adapter.
4) Plug the MicroSD adapter into a standard SD card reader.
5) Immediately dd the /dev/sdx device into an image file and discard the physical media.
6) Mount the image file and recover files from file system (repair as necessary).
7) For fun, recover deleted files using scalping tools 😉
I think my greatest difficulty in this attempt was in finding high quality technical resources online. There’s just far too much crap on the internet and a lot of attention is given to explaining these concepts to the lay man. Anything more sophisticated than “sending it in to an expert” or “accepting your losses” is quickly dismissed as impossible. GSM-Forum was probably the best source I found for this kind of information. Their focus was more on mobile phone repair, than data recovery but I was able to find good information on performing reworks on EMMCs.
Unfortunately, I couldn’t find test points for her particular phone so I had to remove the BGA. This wasn’t too difficult, just blow hot air on it and lever it off with a blade. The annoying bit was the glue that they put under the chip which left a bit of a mess to clean up on the underside of the BGA. This consisted first of a rubbing alcohol sweep. Then a lot of flux and solder to get a nice soupy surface of molten metal on the package. This could then be swept up with my iron and some desoldering braid. A final rub down with alcohol and we have a nice clean surface.
Since these EMMC’s are jelly bean parts the pinout is pretty much standardized for each package regardless of the vendor. It was just a matter of me carefully laying down my wire on the solder tiny BGA pins. I managed to solder wires to all the pins, but ended up lifting the clk pin when soldering the chip to the micro SD adapter. The project was pretty much toast afterwards since I didn’t want to go through the effort of dremeling into the package to expose some more metal.
In hindsight, one step I regret not taking was to try to power on the board and try to recover the data through the Android Debug Bridge directly. Not once did I consider the chance that the logic board was still functional and probably could’ve saved me a lot of trouble. Anyway, it was a fun little project to pursue which didn’t have the outcome I desired, but I learned a lot from it. If the opportunity ever arises again, I’ll be prepared to succeed. 🙂