firmware 101
Data Recovery 101: Firmware
April 13, 2015
HOMBRE shows recently-created filesystems, such as the filesystem in this reformatted partition data recovery case, in red text.
What Software does Gillware Use to Recover Data?
May 11, 2015
20150414_161049

Failed Android phone before parts are removed for recovery purposes.

Since their invention, cell phones have evolved drastically. What was once just a means of portable voice communications quickly became so much more. Specifically, the cameras on phones have been one of the more significant innovations, especially for the data recovery industry. That special moment when your child said their first word at the beach is even more special if you have your phone handy to capture it. But what happens when that phone accidentally falls into the water, causing it to no longer function? In the same day you may have captured and lost one of the most important moments in your child’s life. As we continue innovating in our world of mobile devices including tablets, cell phones and other media players, devices fall victim to failure of equipment or environment.

There are many different approaches a recovery lab can take when attempting to access the precious data from these devices. These processes should be performed from simplest to most difficult in order to avoid complete loss of data. We first remove any additional peripherals such as the MicroSD card, which can be examined externally, and the SIM card if applicable. We also examine the battery carefully to be sure the case is not bulging anywhere. As a first step, we test the device to see if it can be powered on or powered by an external source, such as USB or Variable Power Supply with direct connection to battery power inputs. Next, we check to see if the screen displays some sort of splash screen when we press the power button. If nothing is displayed, there is a good chance that there could be internal circuitry issues or problems with the display itself. A good way to rule out internal circuitry issues is to test the data connectivity by USB to a computer. We have found that Linux is often the best operating system on which to perform this test, due to the more informative readouts such as USB power state changes and detection of generic devices. Once we have connectivity with the device, we need to learn about the operating system on the phone.

Typically, failed Android devices are not in a state that allows us to make a binary image very easily. What we are able to do most of the time is copy the data from the current file-system using the MTP or PTP protocols. This creates a mount point of the current used area of the file-system allowing us to view the data currently on the device. When we encounter a device that requires recovery due to physical damages, this is generally all we need to do.

In the event that a deletion has occurred on the device, the recovery becomes significantly more difficult for our engineers. The only way to locate deleted files is to have access to the unallocated portion of the media device. This require us to have binary “disk” access to the phones media storage device. On Android devices, we must have a rooted phone that has access to pseudo or root permissions. Fortunately, Google has something called the Android Development Bridge that allows a computer to talk to the Android device and make major configurations. The most important tool is the shell access which allows us to mount the active file-system to a machine like any other removable media. Rooting a device can be done many different ways. The root is generally done by hobbyists that want to take full advantage of the phone’s potential. However, many of the less popular phones on the market have not yet been rooted yet. We carefully research the current root that is being used on each phone in order to eliminate the risk of complete data loss as much as possible.

The phone's logic board with the heat shielding on it.

The phone’s logic board with the heat shielding on it.

The phone's logic board with the heat shielding removed.

The phone’s logic board with the heat shielding removed.

When physical issues cannot be resolved, the recovery effort can be very costly. The cheapest methods of retrieving data from the device are to repair a failed USB port or attempt to remove corrosion on the board. When those methods do not work, our next step is to try to recover data directly from the flash memory or NAND chip. This can sometimes be done with the JTAG interface, which allows us to try to communicate through pads on the board that are used during manufacturing to program the chip. We need be able to locate the ports on board of the phone, which can often be difficult. But with a little research online, we find information about their pin out and exact location. We also need the USB serial communication device that will be used to connect the phone to the computer. The software will either need to be written by a developer to communicate with the phone, or purchased from a third party. This method can be costly and very difficult. The last option is to do the chip-off option, where we remove the NAND chip from the board and attempt to read it on an external source. This is usually the last choice, because the removal of the chip is generally a one way operation. The chip is taken off by removing the epoxy that surrounds it and then heating up the solder causing it to let loose.

The phone's logic board with the NAND chip removed and the epoxy cleaned off.

The phone’s logic board with the NAND chip removed and the epoxy cleaned off.

After the chip is removed from the phone, the chip will need to be cleaned up to remove remaining solder and residue. When the chip is removed and cleaned, it will need to be placed in a reader or adapter of the exact size and pin out. A lot of the time these will need to be custom made to accommodate the chip. The NAND chips follow the specifications from the ONFI (Open NAND Flash Interface) group, which means that while the pin out will remain the same for the majority of the chips, they will just have different package sizes. Once we have the chip in an adequate adapter or reader, we are able to mount the chip and make a full binary image of the file-system.

 

 

 

Cody-Blog-PicsThe final challenge we face when recovering data from Android devices is presenting the recovered data to the user. Critical files found on phones are stored in formats that cannot be easily examined and presented to end users. Contacts are arguably one of the most important things on a phone. These are stored in SQLITE databases, requiring us to query and export the information needed. Tools are sometimes released on the internet to help with this, but we find that the database changes regularly making the tools outdated. Images and videos often tend to be the focus of the recovery due to the sentimental value of the moments captured. These are far easier to locate and present using data carving techniques.

As smart phones become more and more standard, the value of the data stored on them will continue to increase for their users. From contact information for someone’s entire professional network, to a lifetime of memories captured on camera, data on cell phones is just as important, if not more important, than the data on their other devices. But because of their portable nature, they are susceptible to accidents and prone to other failures as well. Gillware continues to research and develop new data recovery techniques for mobile devices, and our success rates remain high. If you or someone you know has lost data from an Android device, give us a call. Our engineers can help get your data back.

//]]>