eMMC data recovery from damaged smartphone

Recently I received a request to check the data recovery possibilities for a damaged Sony Xperia Z5 Premium smartphone. The phone had been dropped and it stopped working. No screen, no charging, no communication on any interface, no sign of life; it was nothing more than a brick. Well, a brick with tons of useful data on it, without any cloud synchronisation or offline backup. Needless to say how important it was for the owner to get his priceless information back from the device.

Some damage identification and recovery attempts had already been made by other professional parties, even a new screen was ordered and tried, but none of these activities gave any promising result. After the failed attempts the owner almost gave up hope, but fortunately we had a common acquaintance, and this is how I came into the picture. Due to the previous investigations the phone arrived partially dismantled, without a battery and with some metal shields already removed.


As the very first step, I tried to find the data storage. It was easy to identify the memory chip on the PCB: an SK hynix H26M64103EMR. This is a plain 32GB eMMC in a common FBGA package. I have had a couple of eMMC related projects in the past where I had to deal with chip interfacing and direct memory dumping or manipulation. This is a frequent task in the hardware hacking projects I am involved in, for example gaining full access to the OS file system of a car head unit or another embedded system.


This was the first promising moment on the way to getting the owner’s data back. As all of the non-invasive activities had failed, I decided to go after the so-called “chip-off analysis” technique. This means that the memory chip has to be removed from the PCB and, with a suitable interfacing method, its content is read out directly for further processing.

An important point for this method is that the encryption settings in use can decide between success and failure. Enabled or enforced encryption can prevent a successful data recovery even if the memory chip is not dead and its content can be dumped. If encryption is in place, the decryption also has to be solved somehow, which nowadays, with more and more careful designs and properly chosen hardware components (for example a key held in a secure element rather than on the eMMC itself), is very challenging or (nearly) impossible. Fortunately, at least from a data recovery perspective, the owner had not turned on encryption, so the conditions were right for the next step.

After the PCB was removed from the body, I fixed the board to a metal working surface with kapton tape. Then a little flux was injected around the chip for better heat distribution, and I used a hot air station to reflow the BGA balls so that I could pull the chip off the PCB.

There are multiple ways to communicate with eMMC chips. Most of them take advantage of the fact that these chips are basically MMC (MultiMediaCard) standard memories in an embedded format (this is where the “e” comes from). This means that as soon as the connection to the necessary chip pins is solved, a simple USB card reader can do the job of reading and writing the memory. These chips usually support multiple communication modes, e.g. an 8 bit or 4 bit parallel interface or a single 1 bit interface. For an easy setup without special tools, the 1 bit mode is usually used. The only criterion for this method is that the reader also has to support 1 bit mode (Transcend USB card readers seem to be good candidates for this job). In that case only the CMD, CLK, DAT0, VCC (VCC, VCCQ) and GND (VSS, VSSQ) pins have to be connected. Do not be afraid of the large number of pins; in fact only a handful are used. The pinout is generic and based on the JEDEC standard, so regardless of the vendor or the chip you are dealing with, it is almost certain that you will find the important pins at the well known locations shown in the picture below.

[Image: BGA-169 eMMC pinout]

In the past I made these connections by manually soldering 0.1mm insulated copper wires to the given BGA balls and then wiring them directly to the reader. If you have a steady hand and good enough soldering skills, it is absolutely doable. There are cases when you have to deal with logic level shifting and multiple voltages (one voltage for the memory and the Flash I/O, this is VCC, and another for the memory controller core and the MMC I/O, which is VCCQ), so always be careful and read the datasheet or measure the given voltage levels first. This time I had a better toolset available, so I used an SD-EMMC plus adapter connected to an E-Mate Pro eMMC Tool. With this combination it was possible to simply put the removed eMMC chip into the BGA socket, without any custom wiring, and communicate with it through a simple USB card reader.


When I attached the tool to my Linux machine, it recognised the device as a USB mass storage device and it was ready to use.

[ 700.932552] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[ 701.066678] usb 1-2: New USB device found, idVendor=8564, idProduct=4000
[ 701.066693] usb 1-2: New USB device strings: Mfr=3, Product=4, SerialNumber=5
[ 701.066702] usb 1-2: Product: Transcend
[ 701.066709] usb 1-2: Manufacturer: TS-RDF5
[ 701.066716] usb 1-2: SerialNumber: 000000000036
[ 701.129205] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 701.130866] scsi host0: usb-storage 1-2:1.0
[ 701.132385] usbcore: registered new interface driver usb-storage
[ 701.137673] usbcore: registered new interface driver uas
[ 702.132411] scsi 0:0:0:0: Direct-Access TS-RDF5 SD Transcend TS3A PQ: 0 ANSI: 6
[ 702.135476] sd 0:0:0:0: Attached scsi generic sg0 type 0
[ 702.144406] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 723.787452] sd 0:0:0:0: [sda] 61079552 512-byte logical blocks: (31.3 GB/29.1 GiB)
[ 723.809221] sda: sda1 sda2 sda3 sda4 sda5 sda6 sda7 sda8 sda9 sda10 sda11 sda12 sda13 sda14 sda15 sda16 sda17 sda18 sda19 sda20 sda21 sda22 sda23 sda24 sda25 sda26 sda27 sda28 sda29 sda30 sda31 sda32 sda33 sda34 sda35 sda36 sda37 sda38 sda39 sda40 sda41 sda42 sda43

The device was mapped to “sda”. As you can see from the “dmesg” extract above, there were a lot of partitions (sda1 – sda43) on the disk. Before moving forward, as always in a case like this, the first step was to create a full dump of the memory chip and then conduct all further steps on that offline copy, so the original chip is read exactly once. The “dd” tool can be used for this purpose:

$ dd if=/dev/sda of=sony_z5p.img status=progress

With the full dump it was safe to continue the analysis. Using “parted” on the image file I checked the partition structure:

Model: (file)
Disk /mnt/hgfs/kali/sony_z5p/sony_z5p.img: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number Start End Size File system Name Flags
1 131kB 2228kB 2097kB TA
2 4194kB 21.0MB 16.8MB ext4 LTALabel
3 21.0MB 105MB 83.9MB fat16 modem msftdata
4 105MB 105MB 131kB pmic
5 105MB 105MB 131kB alt_pmic
6 105MB 105MB 1024B limits
7 105MB 106MB 1049kB DDR
8 106MB 106MB 262kB apdp
9 106MB 107MB 262kB msadp
10 107MB 107MB 1024B dpo
11 107MB 107MB 524kB hyp
12 107MB 108MB 524kB alt_hyp
13 109MB 111MB 1573kB fsg
14 111MB 111MB 8192B ssd
15 111MB 112MB 1049kB sbl1
16 112MB 113MB 1049kB alt_sbl1
17 113MB 115MB 1573kB modemst1
18 117MB 119MB 1573kB modemst2
19 119MB 119MB 262kB s1sbl
20 119MB 120MB 262kB alt_s1sbl
21 120MB 120MB 131kB sdi
22 120MB 120MB 131kB alt_sdi
23 120MB 121MB 1049kB tz
24 121MB 122MB 1049kB alt_tz
25 122MB 122MB 524kB rpm
26 122MB 123MB 524kB alt_rpm
27 123MB 124MB 1049kB aboot
28 124MB 125MB 1049kB alt_aboot
29 125MB 192MB 67.1MB boot
30 192MB 226MB 33.6MB rdimage
31 226MB 259MB 33.6MB ext4 persist
32 259MB 326MB 67.1MB FOTAKernel
33 326MB 327MB 1049kB misc
34 327MB 328MB 524kB keystore
35 328MB 328MB 1024B devinfo
36 328MB 328MB 524kB config
37 331MB 436MB 105MB rddata
38 436MB 447MB 10.5MB ext4 apps_log
39 449MB 466MB 16.8MB ext4 diag
40 466MB 780MB 315MB ext4 oem
41 780MB 990MB 210MB ext4 cache
42 990MB 25.8GB 24.8GB ext4 userdata
43 25.8GB 31.3GB 5513MB ext4 system

Only one partition, “userdata”, was relevant for the recovery. Using “losetup” it is possible to attach the image with partition scanning (-P), so that every recognised partition gets its own loop device node ready to be mounted, or to attach only the chosen partition by specifying its byte offset in the image (-o). The -r flag attaches the image read-only, so nothing in the dump can be modified by accident.

$ losetup -Prf sony_z5p.img
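The offset that losetup needs for a single partition can be read straight from the GPT in the dump. The following is an added example, not code from the original post: it parses the primary GPT header and entry table of a raw image, verifies the header CRC32 so a damaged dump is noticed, and returns the byte offset and size of a partition by name; the in-memory sample image and its LBAs are constructed here (chosen so that userdata starts near the 990 MB mark parted reported).

```python
import struct
import zlib

SECTOR = 512                 # logical block size reported by dmesg for the reader
GPT_SIGNATURE = b"EFI PART"


def parse_gpt(img, sector=SECTOR):
    """Return [(number, name, first_lba, last_lba)] from the primary GPT of a raw dump.
    The header CRC32 is verified so a damaged dump is noticed instead of yielding bogus offsets."""
    hdr = img[sector:sector + 92]
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # the CRC covers the header with its own CRC field zeroed
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * sector + i * entry_size
        entry = img[off:off + entry_size]
        if entry[:16] == b"\0" * 16:      # unused slot (all-zero type GUID)
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((i + 1, name, first, last))
    return parts


def partition_offset(img, name, sector=SECTOR):
    """(byte offset, byte size) of the partition called `name`, e.g. for losetup -o / --sizelimit."""
    for _, pname, first, last in parse_gpt(img, sector):
        if pname == name:
            return first * sector, (last - first + 1) * sector
    raise KeyError(name)


def build_sample_image(layout, sector=SECTOR):
    """Construct a minimal GPT image in memory (a constructed sample, not the phone dump)."""
    n_entries, entry_size = 128, 128
    table = bytearray(n_entries * entry_size)
    for i, (name, first, last) in enumerate(layout):
        base = i * entry_size
        table[base:base + 32] = bytes([i + 1]) * 32   # dummy type + partition GUIDs
        struct.pack_into("<QQ", table, base + 32, first, last)
        table[base + 56:base + 56 + 2 * len(name)] = name.encode("utf-16-le")
    hdr = bytearray(92)
    hdr[:8] = GPT_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)               # revision 1.0, header size
    struct.pack_into("<QII", hdr, 72, 2, n_entries, entry_size)  # entry array starts at LBA 2
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    img = bytearray(2 * sector) + table     # LBA 0 (protective MBR, left empty) + LBA 1 + entries
    img[sector:sector + 92] = hdr
    return bytes(img)


# Constructed layout with LBAs chosen so userdata starts near the 990 MB mark seen in parted.
SAMPLE_LAYOUT = [("TA", 256, 4351), ("boot", 245760, 376831),
                 ("userdata", 1933312, 50331647), ("system", 50331648, 61079551)]

if __name__ == "__main__":
    offset, size = partition_offset(build_sample_image(SAMPLE_LAYOUT), "userdata")
    print(f"losetup -rf -o {offset} --sizelimit {size} sony_z5p.img")
```

On a real dump, read the first few MB of the image file into `img` instead of calling build_sample_image; the entry table normally sits right after LBA 1.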

As soon as the filesystem was mounted, the recovery was not a big deal anymore. It is public knowledge where and how Android and common applications store things such as contacts, text messages or pictures. For other applications it is also quite easy to reveal the details by crawling their application folders and checking their database files.

Based on the owner’s request I focused only on some data:

  • Contacts
    • Format: SQLite database
    • Path: /data/com.android.providers.contacts/databases/contacts2.db
  • Text messages
    • Format: SQLite database
    • Path: /data/com.google.android.gms/databases/icing_mmssms.db
  • Downloaded files
    • Format: simple files
    • Path: /media/0/Download
  • Pictures and videos
    • Format: simple files
    • Path: /media/0/DCIM
  • Viber pictures and videos
    • Format: simple files
    • Path: /media/0/viber/media

With a rooted spare device it would be possible, for example, to replace the database files on the new device with the recovered ones and let the phone parse and show the data for further processing; standard users, however, will not be able to do this. For me it was easier to go after direct recovery instead of playing with another phone. Picture and multimedia files do not need special care, as they just had to be saved without any post-processing, but for the other data, stored in SQLite databases, the extraction has to respect the given database structure, and the generated output should be something that humans can read or other tools can process.

I found a “dump-contacts2db” script on GitHub which parsed the contact database and exported the entries to the common vCard format. This is something a user can later import into several applications and sync back to the new phone.

For the text messages I did not find anything useful, so I quickly checked the corresponding table structure in the SQLite database:

CREATE TABLE mmssms(
_id INTEGER NOT NULL,
msg_type TEXT NOT NULL,
uri TEXT NOT NULL,
type INTEGER,
thread_id INTEGER,
address TEXT,
date INTEGER,
subject TEXT,
body TEXT,
score INTEGER,
content_type TEXT,
media_uri TEXT,
read INTEGER DEFAULT 0,
UNIQUE(_id,msg_type) ON CONFLICT REPLACE);

It was not too complex, so in two minutes I made a quick and dirty but working script to extract the text threads to CSV files, one file per thread:

#!/bin/bash
# Export every SMS/MMS thread from the indexed message DB into its own CSV file.
db=icing_mmssms.db

for thread in $(sqlite3 "$db" 'SELECT DISTINCT thread_id FROM mmssms WHERE thread_id IS NOT NULL'); do
  # first address of the thread, digits only, so it is safe to use in a file name
  address=$(sqlite3 "$db" "SELECT address FROM mmssms WHERE thread_id = $thread AND address IS NOT NULL LIMIT 1" | tr -cd '0-9')
  # "date" is stored as milliseconds since the Unix epoch
  sqlite3 -header -csv "$db" "SELECT datetime(date/1000, 'unixepoch', 'localtime') AS sent_at, address, msg_type, body FROM mmssms WHERE thread_id = $thread ORDER BY date" > "sms_with_${address}_thread_${thread}.csv"
done

All done, this was the last step to recover every requested file and piece of information from the phone. I did not spend too much time on the recovery itself, and the whole process was also fun for me, especially knowing that others had failed before me.

Challenge accomplished 🙂


31 thoughts on “eMMC data recovery from damaged smartphone”

  1. Pingback: EMMC Data Recovery From A Bricked Phone | Hackaday
    • Well, as far as I know the corresponding JEDEC standard is available only for money, but you can Google the pinout from various sources by using e.g. “emmc bga 153 pinout” as keywords. The most commonly used ones are BGA 153 and BGA 169. They are basically identical, but the 169 pinout has some extra (and unused) pins.

  2. Is this still possible to do? I imagine the data would be encrypted on modern phones? Specs show that the Sony Xperia Z5 ships with Android 5.1.1 (Lollipop) and is upgradable to 7.0 (Nougat). Nougat is when full disk encryption is implemented by default. I guess you got lucky they didn’t update.

  3. An article “Hacking Hardware With A $10 SD Card Reader” (https://www.blackhat.com/docs/us-17/wednesday/us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf) shows the pinouts and has other helpful information.

    I’ve successfully dead-bugged a Samsung S5 memory chip. I’ve got the data safely stored on a hard drive, on a Raspberry Pi; I now just need to interpret it!

    One important thing I found: VDDI. No one mentions this. I made the basic 7 connections that everyone says are needed, but it just would not work, the data wouldn’t appear. I thought the EMMC chip was dead and I almost gave up, but then accidentally came across mention of VDDI. It’s just on one ‘pin’ and it needs a 10-100nf capacitor connecting between this pin and ground. After adding this, everything worked a treat, and all my data was visible.

  4. Hi Andrew,

    I ran into the issue you described – and my phone has exactly the same eMMC chip.

    However I was unable to find the datasheet of H26M64103EMR.

    My question would be about the voltage levels of VCC and VCCQ (if I remember well, during browsing I found that VCC can be 1.8-3.3V, but I did not find VCCQ voltage levels).

    Additionally, do you think it is strictly necessary to connect all of the VCC/VCCQ/VSS/VSSQ pins (assuming hand-soldered wires, as I don’t plan to invest in a BGA socket for one chip)? I assume those are connected internally and the current consumption is not so high that a single wire cannot deliver the power.

    Thanks,

    /sza2

    • Proper eMMC sockets might connect to every power and ground pin, however it is really not needed for temporary operation.
      As you already figured out, the VCC* pin groups and the ground pins are connected together internally.
      For manual inspection I always solder only one wire for each power pin group and for ground, and use the 1 bit communication mode to keep the wiring minimal.

      There are eMMC chips that can operate only on one voltage level while others support different voltages as well. According to the details I found, H26M64103EMR supports both 1.8V and 3.3V.
      I used 3.3V both for VCC and VCCQ during the readout.

      Good luck for the recovery!

      • Well, all good news 🙂

        I did not remove the chip yet – that’s the part I’m most afraid of. Unfortunately, the back side of the board is covered by shielding almost completely. In the past I used to work with two hot air stations (one for the bottom and one for the top side) – but I assume it would not work right here. My idea is to place the board onto our IR heater and apply hot air only from the top side. Not sure when I can have a chance to access the tools, as entering our office is currently very limited due to COVID-19 rules.

        Thanks for the info – and my fingers are crossed 😉

        /sza2

      • Hi Andrew,

        So, finally I managed to remove the chip and connected the pins to an SD card adapter.

        I successfully backed up the content to a HDD 🙂

        Thanks again for the info on the eMMC chip and also for this article – this helped me a lot!

        /sza2

      • Yep – worked like a charm. As soon as I attached the card reader to the notebook it recognized the data partition (and some others too). I connected DAT0-DAT3 and the throughput was ~18-20Mbytes/s.

        I was very happy that my content (mostly pictures) is not lost.

        Then (after I sent the pics of the adapter) one of my friends told me that he has a socket for eMMC – but this way it was more fun 🙂

  5. I have a dead Chinese motherboard and I want to start this project to save my files. I’m afraid to use hot air because I don’t want to destroy the eMMC. What is the safest way? I have seen on YouTube videos that some people add flux just before they start using the hot air. I have read other advice: apply the hot air from the opposite side (motherboard side) to avoid further damage to the eMMC.

    Help me, I have never used hot air before.
    Thanks

    • It is hard to define “the” working method as it depends on many things. I always add flux along each side of the chip. As it warms up it flows under the chip, helps to distribute and transfer the heat and also makes melting easier. Then I pre-heat the chip and the surrounding area with a heat gun, ~150 C for ~30-45 seconds, continuously circulating over the area. As a next step I quickly increase the temperature to 300-320 C and focus on the chip, still circulating and moving the heat gun, but only over the chip. After 10-15 seconds the chip can be pulled up. I would recommend practicing on other boards where you have similarly sized BGA chips.
      Good luck!

  6. If the eMMC comes from an Android 9 device, which encrypts by default, is there any possibility to decrypt the information or to access it in some other way?

  7. I find even the simple things you say extremely bewildering. I have a dead phone, an LG E900 Optimus 7; it was running Windows, I think. It comes from around 2010. Where should I go to get the data off it and onto a USB stick or my laptop? I don’t know anything about this stuff, so I’m an absolute beginner. How much will it cost me to recover the data?

    • Hello Ben, I’m sorry, but I cannot help you with this. I don’t provide such a service and I’m not familiar with the data recovery services available on the market.

  8. Hey Andrew, it seems like you are the best help for Xperia Z5 owners. I bricked my phone yesterday and I’ve been crawling the internet for hours. Very happy to finally find this post :D.
    Well, this is what I would like to achieve. As I own 2 phones, I have a second eMMC. Would it be possible to clone the eMMC from the bricked PCB to the eMMC in the working PCB, or does this lead to a soft brick or corrupted data? I run 7.1.1.
    I would reball the eMMC, use an adapter and dump an image. That’s the plan, even if I still have to find the software.
    Could you please point me to an all-in-one adapter like the ones from allsocket? I can’t tell which socket I need.

    All the best!

    • Hello Tarix, you can dump the full eMMC image or extract only the useful data. The first steps are the same in both cases. Standard Linux tools (mount, dd) are enough, no special software is needed. The socket I linked works with “raw” desoldered chips, without any reballing. If you’d like to reball it, then search for BGA153 or BGA169 stencils. BGA169 has the same “core” ball structure, but has some extra balls at the sides. In your case I’d do a data recovery and leave the good phone untouched. You’d better import the extracted data to the working phone in other ways. Good luck!

  9. Hey Andrew, my phone got bricked or dead, nothing is showing on the screen. And I am trying to connect it to a laptop through USB; it just gives the connecting sound but none of the drives show up on the laptop. As I have given it to a service center, they said there is an eMMC problem. I have very important data on it. Kindly help me to recover it, because I am not a very technical person in electronics. I hope you will understand. Need help.

    • Hi! You should reach out to a local service or someone who has the right tools and experience for eMMC recovery. If the chip is functional and data is not encrypted, there is a good chance for a successful recovery. I do not provide such a service. Good luck!

  10. Hello Andrew, my phone also got bricked, but I found out the Redmi Note 7 Pro is using encrypted data on the eMMC, so how can we recover the data, as it is very important data for me? Any advice, bro?

    • Hi! I’m not familiar with the given device and its encryption method, however recovering data from an encrypted eMMC could be very difficult and challenging, even impossible, especially in cases where you can’t access the encryption key (e.g. stored in a secure element). You can go after Android’s encryption details e.g. from here: https://source.android.com/security/encryption
      Good luck for the recovery!

  11. I saw you mentioned car head units. The 10th gen Accords suffer from the lack of a rootable path. Most Hondas can use the simple Honda hack to install everything needed via the browser. There is no browser on the 10th gen Accords. I was considering buying a donor unit from eBay and lifting its eMMC to see if I could get a dump of the system that way. I haven’t seen anyone go that route yet. In your experience with other HUs, would it be possible to drop one in directly through the eMMC and toss it back on?

    • That could be possible, but re-balling and re-soldering BGA chips can be challenging if you don’t have the right equipment and experience. Success could depend on many other factors too, e.g. whether there is any integrity protection in place and whether manipulation of the eMMC data is checked or not.

  12. I don’t have the mobile phone, but I have the eMMC of that mobile. Will you help me to recover data from the eMMC, because that data is very important to me?

    • I’m sorry, but I can’t help you with this. There is everything you need in the blog post to replicate the process, or you should go to a company that provides such a service for customers.
