Engineers Explain: Specialized Cell Phone Recovery

JTAG example

Almost everyone at some point has had a cellphone that has been broken. Common failures are water damage, physical damage, and manufacturer defects in the hardware or software. Most times people will take their phone to their local cell phone repair shop, which will attempt some basic repairs to get the phone back in working order. But what happens when the shop cannot repair the phone because it does not have the skillset, tools, and knowledge? It fails to recover your data. You need a company, like Data Analyzers, that specializes in data recovery from cell phones (even those that are deemed to be non-recoverable by other professionals).

There are a few different recovery techniques we employ, based on our initial analysis of the device and the issues it is currently experiencing. Some of our cell phone recovery methods are:

ISP (In-System Programming)

Most modern smart phones that contain EMMC (embedded Multi-Media Controller) memory typically have points on the logic board that wires can be soldered to that directly connect to the EMMC chip itself. EMMC memory contains a controller (brains) and the memory in one BGA package.

Positives: This recovery is typically non-destructive to the phone and is considered one of the safest methods of extracting data from a non-working phone. It creates a full bit-by-bit copy of the EMMC memory. Data transfer is relatively fast but much slower than a chip off.
Drawbacks: Every model of phone has a different physical layout, so each phone model requires its own pinout. Sometimes these pinouts are unknown. We develop many pinouts in our laboratory by using donor phones. Another drawback is that newer model smartphones fully encrypt the user data by default, rendering this method useless (as of now).
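Whether a bit-by-bit image is affected by the encryption drawback above can be triaged before any carving is attempted. The following is an added example, not Data Analyzers' tooling: it measures per-block byte entropy over an image and flags dumps whose used blocks are almost all high-entropy. The 4096-byte block size, the 7.5 bits/byte threshold, the 90% ratio and the sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed analysis block size, not taken from the page

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes, threshold: float = 7.5) -> str:
    """Label one block as erased, structured (plaintext-like) or high-entropy."""
    if not block or block.count(block[0]) == len(block):
        return "erased"  # a single repeated byte (0x00 or 0xFF): unused area
    return "high-entropy" if shannon_entropy(block) >= threshold else "structured"

def triage(image: bytes, block_size: int = BLOCK) -> dict:
    """Count block classes and flag an image whose used blocks look encrypted."""
    counts = {"erased": 0, "structured": 0, "high-entropy": 0}
    for off in range(0, len(image) - block_size + 1, block_size):
        counts[classify(image[off:off + block_size])] += 1
    used = counts["structured"] + counts["high-entropy"]
    # Compressed media (JPEG, video) is also high-entropy, so require that
    # nearly all used blocks are high-entropy before calling it encrypted.
    counts["likely_encrypted"] = used > 0 and counts["high-entropy"] / used >= 0.9
    return counts

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(out[:n])

# Constructed sample images: four used blocks followed by one unused block.
RECORD = b"name=Alice;phone=555-0100;note=constructed sample record\n"
PLAIN_IMAGE = (RECORD * 300)[:4 * BLOCK] + bytes(BLOCK)
ENCRYPTED_IMAGE = _pseudo_random(4 * BLOCK) + b"\xff" * BLOCK

if __name__ == "__main__":
    print("plain    :", triage(PLAIN_IMAGE))
    print("encrypted:", triage(ENCRYPTED_IMAGE))
```

A dump flagged this way still has value as a preserved image, but the extraction step has to wait for a method that works with the device's own keys.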

JTAG (Joint Test Action Group)

This technique applies to older “dumb” phones that do not have EMMC memory but contain NAND or NOR memory. We see less and less of these types of phones; therefore, we do not get to JTAG as much as we did in the past. The process of “JTAGGING” a phone is a similar technique to ISP, the main difference being the points on the logic board connect and talk directly to the CPU, not the memory.

Positives: Non-destructive like ISP. Very common protocol for older phones.
Drawbacks: Is not available on modern phones.

Chip Off

A chip off is when the memory chip (EMMC, NAND, NOR) is de-soldered or milled from the phone’s logic board. This is a delicate process that is considered to be destructive to the phone. Once the chip is removed it is read in a chip adapter separately from the phone. If the phone uses EMMC then no further work needs to be done to the data dump other than data extraction. If NAND or NOR was used there is a good chance the data dump will need modifications before user data can be extracted. This is a last resort technique.

Positives: Works on heavily damaged devices, such as a phone snapped in half or run over. Can bypass a phone's screen lock and other security measures (not encryption).
Negatives: Can physically damage the phone. Does not work on the newest phones due to encryption. Requires more experience than ISP or JTAG.
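One common modification a raw NAND dump needs, shown as an added example (not Data Analyzers' tooling): a chip reader returns each page together with its spare (out-of-band) bytes, and these must be removed before a file system can be parsed. The 2048+64 byte geometry, the data-then-spare layout and the sample dump are assumptions; real chips vary, and ECC correction and flash-translation-layer reassembly are not handled here.

```python
PAGE_DATA = 2048   # assumed data bytes per page
PAGE_SPARE = 64    # assumed spare (OOB) bytes stored directly after each page

def split_pages(raw: bytes, data_size: int = PAGE_DATA, spare_size: int = PAGE_SPARE):
    """Yield (data, spare) for every raw page; reject truncated dumps."""
    stride = data_size + spare_size
    if len(raw) == 0 or len(raw) % stride:
        raise ValueError(
            f"dump length {len(raw)} is not a multiple of {stride}: "
            "wrong geometry or incomplete read"
        )
    for off in range(0, len(raw), stride):
        yield raw[off:off + data_size], raw[off + data_size:off + stride]

def strip_spare(raw: bytes, data_size: int = PAGE_DATA, spare_size: int = PAGE_SPARE):
    """Return (logical_image, erased_page_indexes).

    Erased pages (data and spare all 0xFF) are kept in the image so that page
    offsets stay aligned; they are only reported so they can be ignored later.
    """
    image = bytearray()
    erased = []
    for index, (data, spare) in enumerate(split_pages(raw, data_size, spare_size)):
        if data.count(0xFF) == len(data) and spare.count(0xFF) == len(spare):
            erased.append(index)
        image += data
    return bytes(image), erased

def _page(payload: bytes, spare_fill: int) -> bytes:
    """Build one constructed raw page: padded payload plus spare bytes."""
    data = payload.ljust(PAGE_DATA, b"\x00")
    return data + bytes([spare_fill]) * PAGE_SPARE

# Constructed three-page dump: a used page, an erased page, another used page.
SAMPLE_DUMP = (
    _page(b"PAGE0 contacts.db header (constructed)", 0x11)
    + b"\xff" * (PAGE_DATA + PAGE_SPARE)
    + _page(b"PAGE2 sms record (constructed)", 0x22)
)

if __name__ == "__main__":
    image, erased = strip_spare(SAMPLE_DUMP)
    print(len(SAMPLE_DUMP), "raw bytes ->", len(image), "logical bytes")
    print("erased pages:", erased)
```

The length check is the useful failure mode: a dump that does not divide evenly by the assumed page stride means the geometry is wrong or the read was incomplete, and stripping should not proceed.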

Micro component level repair

Component level repair is becoming more and more a necessity in cell phone recovery, mainly due to factors like encryption. Apple iPhones have been encrypting their data since the 3GS, rendering the above three methods useless for many years. The only way to gain access to a broken iPhone is to repair it to a mostly working state. Newer Android phones also suffer the same fate due to encryption. Micro component level repair means we are examining the device under a microscope to determine the faulty components and either repair or replace them. Some of these components are tiny so it takes precision and patience to perform this level of work.

Micro Component Level Repair

Positives: Typically repairs a phone to a state that it powers on and fully works as normal. There are common failure points in phones that help expedite this process.
Drawbacks: Can take many hours to locate the defective components and replace them if they are not common failures.

Rooting/Exploits and Forensic Tools

Occasionally, the phone is not physically damaged but the client still cannot access their data for various reasons (a common example would be the LG G series phones that are known to have a boot loop issue). Due to manufacturing defects, these phones will not fully boot into the OS, rendering the device useless with no way for a user to retrieve their data. Another candidate for this type of recovery: One of our local police departments referred us a client that had the phone of her recently deceased son. The phone had a password lock which was on its last entry attempt before wiping the phone. Using our forensic platform, we were able to disable the password on the phone and gain access.
When a phone is rooted (gaining full access) or exploited, we are essentially bypassing the phone's security to extract the data. We utilize the latest forensic tools, as well as custom tools developed in-house, to aid in our cell phone recovery.

Positives: Most exploits don’t alter any data on the phone and the ones that do change very little data. Many newer Android phones are supported.
Negatives: Requires a working phone. If not done properly, a phone can be rendered fully useless or factory reset. New phone updates can patch a known exploit, rendering it useless, which requires more research and development.