eMMC Data Recovery From Damaged Smartphone

5/29/2021 eMMC data recovery from damaged smartphone | Dangerous Payload
Dangerous Payload
Random articles on my hobbies, mostly on DIY stuffs, HW

hacking and pentest
POSTED BY
ANDREW
POSTED ON
OCTOBER 24, 2018

POSTED UNDER
HW HACKING
COMMENTS
21 COMMENTS
eMMC data recovery from damaged smartphone
Recently I have received a request to check data recovery possibilities from a damaged Sony Xperia Z5
Premium smartphone. The phone was dropped and it stopped working. No screen, no charging, no
communication on any interfaces, no sign of life, it was nothing more than a brick. Well, a brick, with
tons of useful data on it without any cloud synchronisation or offline backup. Needless to say how
important was for the owner to get his priceless information back from the device.
Some damage identification and recovery probes were already conducted by other professional parties,
https://dangerouspayload.com/2018/10/24/emmc-data-recovery-from-damaged-smartphone/ 1/15
even a new screen was ordered and tried, but none of the activities provided any promising result. After
the failed a empts the owner almost gave up the hope, but fortunately, we had a common acquaintance
and this is how I came to the picture. Due to the previous investigations the phone arrived to me
partially dismantled, without a ba ery and with some metal shields already removed.
As the very first step, I tried to find the data storage. It was quite obvious to identify the memory chip on
the PCB, which was a SK hynix H26M64103EMR
(h ps://www.skhynix.com/eng/product/nandEMMC.jsp). This is a simple, 32GB eMMC in a common
FBGA package. I had a couple of eMMC related projects in the past, where I had to deal with chip
interfacing and direct memory dumping or manipulation. This is often a task in hardware hacking
projects I am involved in, for example to gain full access to the OS file system in case of a car head unit
or other embedded systems, just to mention another example.
This was the first promising moment to get the owner’s data back. As all of the non-invasive activities
failed, I decided to go after the so called “chip-off analysis” technique. This means that the given
memory chip has to be removed from the PCB and with the chosen interfacing method its content
should be read out directly for further processing.
An important point for this method is that the used encryption se ings could be the key for the success,
or for the failure. An enabled or enforced encryption could prevent a successful data recovery, even if
the memory chip is not dead and its content could be dumped out. If encryption is in place, the
decryption also has to be solved somehow, which is nowadays, with more and more careful design and
with properly chosen hardware components, is very challenging or could be (nearly) impossible.
Fortunately, at least from data recovery perspective, the owner did not turn on the encryption, so
circumstances were given to the next step.
After the PCB was removed from the body, I fixed the board to a metal working surface with kapton
tape. Then a li le flux was injected around the chip for be er heat dispersion and I used a hot air station
to reflow the BGA balls and to let me pull of the chip from the PCB.
(h ps://dangerouspayload.files.wordpress.com/2018/10/small_20180810_142231.jpg)
There are multiple ways to communicate with the eMMC chips. Most of them take advantage of the fact,
that these chips are basically MMC (h ps://en.wikipedia.org/wiki/MultiMediaCard) (MultiMediaCard)
standard memories, but in an embedded (h ps://en.wikipedia.org/wiki/MultiMediaCard#eMMC) (this
from where the “e” comes from) format. This means, that as soon as the connection to the necessary chip
pins are solved, a simple USB card reader could do the job to read and write the memory. These chips
usually support multiple communication modes, using e.g. 8 bit or 4 bit parallel interface or a single 1 bit
interface. For an easy setup and without special tools usually the 1 bit mode is used. The only criteria for
this method is that the reader also has to support 1 bit mode (Transcend USB card readers seems to be
good candidates for this job). In such case only CMD, CLK, DAT0, VCC (VCC, VCCQ) and GND (VSS,
VSSQ) pins have to be connected. Do not be afraid of the lot of pins, in fact, only a couple of ones are
used. The pinout is generic and based on JEDEC standard, so regardless of the vendor or the chip you
are dealing with, it is almost sure that you will find the important pins at well known location, as it is
showed in the picture below.
I made these connections in the past by manually soldering 0.1mm insulated copper wires to the given
BGA balls then wire them directly to the reader. If you have stable hand and good enough soldering
skills then it is absolutely not impossible. There are cases when you have to deal with logic level shifting
and multiple voltages (different voltage for memory and Flash I/O /this is the VCC/ and for the memory
controller core and MMC I/O /which is the VCCQ/), so always be careful and read the datasheet or
measure the given voltage levels first. This time, I had a be er toolset available, so I used a SD-EMMC
measure the given voltage levels first. This time, I had a be er toolset available, so I used a SD EMMC
plus adapter (h ps://multi-com.eu/,details,id_pr,21681,key,sd-emmc-plus-adapter-model-se-
p1,smenu,gsm.html) connected to an E-Mate Pro eMMC Tool (h ps://multi-
com.eu/,details,id_pr,21886,key,e-mate-pro-emmc-tool-moorc-v3,smenu,gsm.html). Using this
combination it was possible to simply put the removed eMMC chip to the BGA socket without any
custom wiring and to communicate with it with a simple USB card reader.
As I a ached the tool to my linux machine it recognised the device as an USB mass storage and it was
ready to use.
[ 700.932552] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[ 701.066678] usb 1-2: New USB device found, idVendor=8564, idProduct=4000
[ 701.066693] usb 1-2: New USB device strings: Mfr=3, Product=4, SerialNumber=5
[ 701.066702] usb 1-2: Product: Transcend
[ 701.066709] usb 1-2: Manufacturer: TS-RDF5
[ 701.066716] usb 1-2: SerialNumber: 000000000036
[ 701.129205] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 701.130866] scsi host0: usb-storage 1-2:1.0
[ 701.132385] usbcore: registered new interface driver usb-storage
[ 701.137673] usbcore: registered new interface driver uas
[ 702.132411] scsi 0:0:0:0: Direct-Access TS-RDF5 SD Transcend TS3A PQ: 0 ANSI: 6
[ 702.135476] sd 0:0:0:0: Attached scsi generic sg0 type 0
[ 702.144406] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 723.787452] sd 0:0:0:0: [sda] 61079552 512-byte logical blocks: (31.3 GB/29.1 Gi
[ 723.809221] sda: sda1 sda2 sda3 sda4 sda5 sda6 sda7 sda8 sda9 sda10 sda11 sda12
[
5/29/2021 ] eMMC data recovery from damaged smartphone | Dangerous Payload
The device was mapped to “sda” device. As you can see from the “dmesg” extract above, there were a
lot of partitions (sda1 – sda43) on the filesystem. Before moving forward, as always in a case like this, the
first step was to create a dump from the memory chip, then conduct the next steps on an offline backup.
The “dd” tool could be used for this purpose:
$ dd if=/dev/sda of=sony_z5p.img status=progress
With the full dump it was safe to continue the analysis. Using “parted” I checked the partition structure:
Model: (file)
Disk /mnt/hgfs/kali/sony_z5p/sony_z5p.img: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags

1 131kB 2228kB 2097kB TA
2 4194kB 21.0MB 16.8MB ext4 LTALabel
3 21.0MB 105MB 83.9MB fat16 modem msftdata
4 105MB 105MB 131kB pmic
5 105MB 105MB 131kB alt_pmic
6 105MB 105MB 1024B limits
7 105MB 106MB 1049kB DDR
8 106MB 106MB 262kB apdp
9 106MB 107MB 262kB msadp
10 107MB 107MB 1024B dpo
11 107MB 107MB 524kB hyp
12 107MB 108MB 524kB alt_hyp
13 109MB 111MB 1573kB fsg
14 111MB 111MB 8192B ssd
15 111MB 112MB 1049kB sbl1
16 112MB 113MB 1049kB alt_sbl1
17 113MB 115MB 1573kB modemst1
18 117MB 119MB 1573kB modemst2
19 119MB 119MB 262kB s1sbl
20 119MB 120MB 262kB alt_s1sbl
21 120MB 120MB 131kB sdi
22 120MB 120MB 131kB alt_sdi
23 120MB 121MB 1049kB tz
24 121MB 122MB 1049kB alt_tz
25 122MB 122MB 524kB rpm
26 122MB 123MB 524kB alt_rpm
27 123MB 124MB 1049kB aboot
28 124MB 125MB 1049kB alt_aboot
29 125MB 192MB 67.1MB boot
30 192MB 226MB 33.6MB rdimage
31 226MB 259MB 33 6MB t4 i t
31 226MB 259MB 33.6MB ext4 persist
32 259MB 326MB 67.1MB FOTAKernel
33 326MB 327MB 1049kB misc
34 327MB 328MB 524kB keystore
35 328MB 328MB 1024B devinfo
36 328MB 328MB 524kB config
37 331MB 436MB 105MB rddata
38 436MB 447MB 10.5MB ext4 apps_log
39 449MB 466MB 16.8MB ext4 diag
40 466MB 780MB 315MB ext4 oem
41 780MB 990MB 210MB ext4 cache
42 990MB 25.8GB 24.8GB ext4 userdata
43 25.8GB 31.3GB 5513MB ext4 system
Only one partition, the “userdata” was relevant for the recovery. Using “losetup” it is possible to
automatically mount every recognised partition from the image, or only the chosen one by specifying
e.g. the proper partition offset in the image.
$ losetup -Prf sony_z5p.img
As soon as the filesystem was mounted the recovery was not a big deal anymore. It is public knowledge
where and how Android and common applications store stuffs such as contacts, text messages or
pictures. For other applications it is also quite easy to reveal the details by crawling their application
folders and by checking their database files.
Based on the owner’s request I focused only on some data:
Contacts
Format: SQLite database
Path: /data/com.android.providers.contacts/databases/contacts2.db
Text messages
Format: SQLite database
Path: /data/com.google.android.gms/databases/icing_mmssms.db
Downloaded files
Format: simple files
Path: /media/0/Download
Pictures and videos
Path: /media/0/DCIM
Viber pictures and videos
Path: /media/0/viber/media
With a rooted spare device it could be possible e.g. to replace the database files on the new device to the
recovered ones to let the phone parse and show the data for further processing, however standard users
will not be able to do this. For me, it was easier to go after the direct recovery, instead of playing with
another phone Picture and multimedia files do not need special care as those just had to be saved
another phone. Picture and multimedia files do not need special care as those just had to be saved
without any post processing, but in case of other data stored in SQLite databases the extract should take
care about the given database structure and the generated output should be something which could be
read by humans or could be processed by other tools.
I found a “dump-contacts2db” script on GitHub (h ps://github.com/stachre/dump-contacts2db) which

was good to parse the contact database and export the items to a common vCard
(h ps://en.wikipedia.org/wiki/VCard) format. This is something which a user can later import to several
applications and sync back to the new phone.
For the text messages I did not find anything useful, so I quickly checked the corresponding data
structure in the SQLite database:
CREATE TABLE mmssms(

_id INTEGER NOT NULL,
msg_type TEXT NOT NULL,
uri TEXT NOT NULL,
type INTEGER,
thread_id INTEGER,
address TEXT,
date INTEGER,
subject TEXT,
body TEXT,
score INTEGER,
content_type TEXT,
media_uri TEXT,
read INTEGER DEFAULT 0,
UNIQUE(_id,msg_type) ON CONFLICT REPLACE);
It was not too complex, so in 2 minutes I made a quick and dirty but working script to extract the text
threads to CSV files:
#!/bin/bash
for thread in $(sqlite3 icing_mmssms.db 'select distinct thread_id from mmssms');

address=`sqlite3 icing_mmssms.db 'select distinct address from mmssms where thre
sqlite3 -csv icing_mmssms.db 'SELECT datetime(date/1000, "unixepoch","localtime"
done
All done, this was the last step to recover every requested file and info from the phone. I did not spend
too much time on the recovery itself and the whole process was also fun for me, especially by knowing
the fact that others have failed before me.
Challenge accomplished
Challenge accomplished
eMMC (h ps://dangerouspayload.com/tag/emmc/)
21 thoughts on “eMMC data recovery from

damaged smartphone”
1.
2. Pingback: EMMC Data Recovery From A Bricked Phone | Hackaday
Jan says:
October 26, 2018 at 8:35 pm
Congratulations.Can you post a link where eMMC pinouts ( for various types of eMMC) can be
downloaded?Thanks
Reply
5/29/2021 py eMMC data recovery from damaged smartphone | Dangerous Payload
andrew says:
October 26, 2018 at 9:13 pm
Well, as far as I know the corresponding JEDEC standard is available only for money, but you can
google the pinout from various sources by using e.g. “emmc bga 153 pinout” keywords. The most
commonly used ones are BGA 153 and BGA 169. They are basically identical, but the 169 pinout
has some extra (and unused) pins.
3. Reply
Arnout says:
October 27, 2018 at 10:05 pm
Nice story! Thanks for sharing!
4. Reply
azizLIGHT says:
April 18, 2019 at 3:30 pm
Is this still possible to do? I imagine the data would be encrypted on modern phones? Specs show
that the Sony Xperia Z5 ships with Android 5.1.1 (Lollipop) and is upgradable to 7.0 (Nougat).
Nougat is when full disk encryption is implemented by default. I guess you got lucky they didn’t
update
5. Reply
Chris Raynor says:
June 30, 2019 at 7:08 pm
An article “Hacking Hardware With A $10 SD Card Reader” (h ps://www.blackhat.com/docs/us-
17/wednesday/us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf) shows the
pinouts and has other helpful information.
I’ve successfully dead bugged a Samsung S5 memory chip, I’ve got the data safely stored on a hard
drive, on a Raspberry Pi, I now just need to interpret it!
One important thing I found: VDDI. No one mentions this. I made the basic 7 connections that
everyone says are needed, but it just would not work, the data wouldn’t appear. I thought the EMMC
chip was dead and I almost gave up, but then accidentally came across mention of VDDI. It’s just on
one ‘pin’ and it needs a 10-100nf capacitor connecting between this pin and ground. After adding
this, everything worked a treat, and all my data was visible.
6. Reply
sza2 says:
July 7, 2020 at 3:33 pm
Hi Andrew,
I ran into issue you described – and my phone has exactly the same eMMC chip.
However I was unable to find the datasheet of H26M64103EMR.
My question would be about the voltage levels of VCC and VCCQ (if I remember well, during
browsing I found that VCC can be 1.8-3.3V, but I did not find VCCQ voltage levels).
Additionally, do you think it is strictly necessary to connect all of the VCC/VCCQ/VSS/VSSQ pins
(assuming hand soldering wires, as I don’t plan to invest into BGA socket for one chip)? I assume
those are connected internally and the current consumption is not that high that a singe wire cannot
deliver the power.
5/29/2021
p eMMC data recovery from damaged smartphone | Dangerous Payload
Thanks,
/sza2
Reply
andrew says:
July 9, 2020 at 10:30 am
Proper eMMC sockets might connect to each power and ground pins, however it is really not
needed for temporary operation.
As you already figured out, VCC* pin groups and ground pins are connected together internally.
For manual inspection I always solder one wire only for each power pins and to the ground, and
use 1 bit communication mode to keep the wiring minimal.
There are eMMC chips that can operate only on one voltage level while others support different
voltages as well. According to the details I found, H26M64103EMR supports both 1.8V and 3.3V.
I used 3.3V both for VCC and VCCQ during the readout.
Good luck for the recovery!
Reply
sza2 says:
July 9, 2020 at 10:06 pm
Well, all good news
I did not remove the chip yet – that’s the one I most afraid of. Unfortunately, the back side of
the board is covered by shielding almost completely. In the past I used to work with two hot
air station (one for the bo om and one for the top side) – but I assume it would not work right
here. My idea is to place the board onto our IR heater and apply hot air only from the top side.
Not sure when can I have chance to access the tools as entering to our office is currently very
limited due to COVID-19 rules.
Thanks for the info – and my fingers are crossed
/sza2
sza2 says:
July 14, 2020 at 4:03 pm
Hi Andrew,
So, finally I managed to remove the chip and connected the pins to an SD card adapter.
I successfully backup the content to a HDD
Thanks again for the info on the eMMC chip and also for this article – this helped me a lot!
/sza2
sza2 says:
July 14, 2020 at 4:10 pm
Just a few pictures about the operation:
h ps://ibb.co/sHC3LFL
h ps://ibb.co/5cszGD6
h ps://ibb.co/R7J5H74
h ps://ibb.co/k4YCD2n
h ps://ibb.co/Twt1pq5
h ps://ibb.co/7ynS9DT
andrew says:
July 15, 2020 at 9:41 pm
Nice job! I hope the data recovery also went well.
/sza2 says:
July 16, 2020 at 10:40 pm
Yep – worked like a charm. As soon as I a ached the card reader to the notebook it recognized
the data partition (and some others too). I connected DAT0-DAT3 and the throughput was
~18-20Mbytes/s.
I was very happy that my content (mostly pictures) is not lost.
Then (after I send the pics about the adapter) one of my friend told me that he has a socket for
eMMC – but this way it was more fun
7.
Collin says:
August 27, 2020 at 12:08 am
I have a dead chinese motherboard and I want to start this project to save my files. I’m afraid to use
hot air because I don’t want to destroy the eMMC. what is the safest way? I have seen on youtube
videos some people add flux just before they start using the hot air. I have read other advice, apply
the hot air from the opposite side (motherboard side) to avoid further damage of eMMC.
Help me I never used before the hot air

Thanks
Reply
andrew says:
August 27, 2020 at 9:21 pm
It is hard to define “the” working method as it depends on many things. I always add flux along
each side of the chip. As it warms up it flows under the chip, helps to distribute and transfer the
heat and it also make melting easier. Then I pre-heat the chip and the surrounding environment
with a heat gun, ~150 C for ~30-45 seconds by continuously circulating over the area. As a next
step I quickly increase the temperature to 300-320 C and focus on the chip, still keep circulating
and moving the heat gun, but only over the chip. After 10-15 seconds the chip can be pulled up. I
would recommend practicing on other boards where you have similar sized BGA chips.
Good luck!
8. Reply
Miguel Aguirre says:
November 19, 2020 at 5:43 am
si la emmc corresponde a un Android 9 que encripta por defecto hay posibilidad de desencriptar la
info o acceder a ella de alguna otra forma ?
9 Reply
9. Reply
Ben says:
December 24, 2020 at 4:24 am
I find even the simple things you say extremely bewildering. I have a dead phone an LG e900
optimus 7 it was working on windows I think. It comes from around 2010.where should I go to get
the data off it and onto a usb or my laptop? I don’t know anything about this stuff so I’m an absolute
beginner. how much will it cost me to recover the data?
Reply
andrew says:
January 4, 2021 at 11:38 am
Hello Ben, I’m sorry, but I cannot help you with this. I don’t provide such a service and I’m not
familiar with the data recovery services available on the market.
10. Reply
Ben says:
December 24, 2020 at 4:26 am
please email me [email protected]
11. Reply
Tarix says:
January 22, 2021 at 4:33 pm
Hey Andrew, seems like you are the best help for Xperia Z5 owners. I bricked my phone yesterday
and I’m crawling the internet for hours. Very happy to find this post, finally :D.
Well this is what I would like to achieve. As I own 2 phones, I have a second eMMC. Would it
possible to clone the eMMC from the bricked PCB to the eMMC in the working PCB or does this lead
to a soft brick or corrupted data? I run 7.1.1
I would reball the eMMC, use an adapter and dump an image. That’s the plan, even if I stiff have to
find the software.
Could you please point me to an all-in-one adapter like the ones from allsocket? Can’t tell which
socket I need.
All the best!
Reply
andrew says:
January 25, 2021 at 3:19 pm
Hello Tarix, You can dump the full eMMC image or extract the useful data only. The first steps are
the same in both cases. Standard linux tools (mount, dd) are enough, no special software is
needed. The socket I linked works with “raw” desoldered chips, without any reballing. If you’d
like to reball it, then search for BGA153 or BGA169 stencils. BGA169 has the same “core” ball
structure, but has some extra balls at the sides. In your case I’d make a data recovery and leave the
good phone untouched. You’d be er to import the extracted data to the working phone in other
ways. Good luck!
Reply
Blog at WordPress.com.

eMMC Data Recovery From Damaged Smartphone - Dangerous Payload

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

eMMC Data Recovery From Damaged Smartphone - Dangerous Payload

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

eMMC Data Recovery From Damaged Smartphone - Dangerous Payload

Uploaded by

Copyright:

Available Formats

5/29/2021 eMMC data recovery from damaged smartphone | Dangerous Payload

Random articles on my hobbies, mostly on DIY stuffs, HW

OCTOBER 24, 2018

$ dd if=/dev/sda of=sony_z5p.img status=progress

Number Start End Size File system Name Flags

$ losetup -Prf sony_z5p.img

Based on the owner’s request I focused only on some data:

I found a “dump-contacts2db” script on GitHub (h ps://github.com/stachre/dump-contacts2db) which

CREATE TABLE mmssms(

for thread in $(sqlite3 icing_mmssms.db 'select distinct thread_id from mmssms');

21 thoughts on “eMMC data recovery from

However I was unable to ﬁnd the datasheet of H26M64103EMR.

Good luck for the recovery!

Thanks for the info – and my ﬁngers are crossed

I successfully backup the content to a HDD

I was very happy that my content (mostly pictures) is not lost.

Help me I never used before the hot air

All the best!

You might also like