eMMC chips. Data recovery beyond controller · 2018-10-10

eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER
Rusolut
BelkaDay - Belkasoft Digital Forensic Conference 2018
Prague, Czech Republic

APPLICATIONS OF EMMC CHIPS
• SMARTPHONES
• TABLETS
• LAPTOPS
• VOICE RECORDERS
• CAMERAS
• MULTIMEDIA PLAYERS
• TV DECODERS
• INTERNET OF THINGS
…AND MUCH MORE…

DIFFERENT WAYS OF IMAGE EXTRACTION FROM DEVICES BASED ON EMMC CHIPS
DEPTH OF ANALYSIS: LOW → DEEP → DEEPEST
• LOW (STANDARD): LOGICAL EXTRACTION, PHYSICAL EXTRACTION. Image extracted from phone connected via cable
• DEEP (STANDARD): IN-SYSTEM PROGRAMMING (ISP), eMMC CHIP-OFF. Image extracted from eMMC chip
• DEEPEST (NEW): eMMC-NAND ACCESS. Image extracted from NAND memory of eMMC chip

CLASSIC CHIP-OFF AND DATA EXTRACTION FROM eMMC CHIP
PHYSICAL IMAGE EXTRACTION
CLEANING
UNSOLDERING

FLASH MEMORY CHIPS
[Diagram labels: NAND; eMMC; AREA OF INTEREST; RAW NAND; CONTROLLER]

EMMC vs RAW NAND CHIP-OFF DATA RECOVERY
• NAND: READ via NAND protocol
• eMMC/eMCP: READ via eMMC protocol

INSIDE EMMC
[Diagram labels: NAND PROTOCOL; EMMC PROTOCOL; CONTROLLER; NAND MEMORY]

EMMC CHIP STRUCTURE
[Diagram labels: CONTROLLER; NAND MEMORY]

WHY CARE ABOUT GETTING DATA VIA NAND FROM EMMC?
• DAMAGED EMMC CHIPS
• FACTORY RESET
• ERASED DATA RECOVERY

NAND MEMORY ADDRESSING AND R/W OPERATIONS
[Diagram: NAND memory drawn as BLOCKs, each made up of PAGEs]
• READ PAGE
• PROGRAM (WRITE) PAGE
• ERASE BLOCK
A PAGE IS THE SMALLEST R/W UNIT
A BLOCK IS THE SMALLEST ERASE UNIT
PAGE SIZE = 0.5 - 16Kb
BLOCK SIZE = 128Kb – 4Mb

HOW DATA MODIFICATION PROCESS IS SUPPOSED TO WORK IN NAND MEMORY
1. READ PAGES
2. MODIFY DATA
3. ERASE BLOCK
4. PROGRAM (WRITE) PAGES
[Diagram labels: NAND MEMORY (BLOCKs of PAGEs); CONTROLLER; BUFFER INSIDE CONTROLLER holding the PAGEs; 2 - MODIFY DATA]

HOW DATA MODIFICATION PROCESS ACTUALLY WORKS IN NAND MEMORY
1. READ PAGES
2. MODIFY DATA
3. PROGRAM (WRITE) PAGES
THE OLD UNERASED BLOCK STAYS UNTOUCHED FOR SOME TIME UNTIL THE GARBAGE COLLECTION ALGORITHM ERASES IT. USUALLY THIS IS NOT A FAST PROCESS.
[Diagram labels: NAND MEMORY (BLOCK of PAGEs, plus the newly written PAGEs); CONTROLLER; BUFFER INSIDE CONTROLLER holding the PAGEs; 2 - MODIFY DATA]
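
Added illustration (not part of the original slides): a toy flash translation layer in Python that writes modified data out of place, so the old copies stay readable at NAND level until garbage collection runs. The class, the 4-page block and the mapping scheme are assumptions made for the example, not any controller's firmware.

```python
PAGES_PER_BLOCK = 4   # assumption: real blocks hold far more pages

class ToyNand:
    """Toy flash translation layer: logical pages mapped onto physical pages."""

    def __init__(self, blocks):
        self.pages = [None] * (blocks * PAGES_PER_BLOCK)  # None = erased
        self.l2p = {}        # logical page number -> physical page number
        self.stale = set()   # physical pages holding superseded data

    def write(self, lpn, data):
        """Program the first erased page; the old copy is only marked stale."""
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])
        ppn = self.pages.index(None)
        self.pages[ppn] = data
        self.l2p[lpn] = ppn

    def read_emmc(self, lpn):
        """What the eMMC protocol returns: the currently mapped copy only."""
        return self.pages[self.l2p[lpn]]

    def read_nand(self):
        """What a raw NAND dump contains: every programmed page, stale or not."""
        return [p for p in self.pages if p is not None]

    def garbage_collect(self):
        """Erase blocks whose programmed pages are all stale; return the count."""
        erased = 0
        for start in range(0, len(self.pages), PAGES_PER_BLOCK):
            used = [p for p in range(start, start + PAGES_PER_BLOCK)
                    if self.pages[p] is not None]
            if used and all(p in self.stale for p in used):
                for p in used:
                    self.pages[p] = None
                    self.stale.discard(p)
                erased += 1
        return erased

def demo():
    """Constructed scenario: four messages written, then all four modified."""
    nand = ToyNand(blocks=3)
    for version in ("v1", "v2"):
        for lpn in range(4):
            nand.write(lpn, f"sms-{lpn}-{version}")
    before = nand.read_nand()          # stale v1 copies are still in block 0
    erased = nand.garbage_collect()    # block 0 is finally erased
    return nand.read_emmc(0), before, erased, nand.read_nand()
```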

LET’S TRY TO EXTRACT SOME DELETED SMS FROM THOSE “OVERWRITTEN” GARBAGE BLOCKS OF eMMC MEMORY VIA THE NAND INTERFACE
TO MAKE THINGS WORSE, LET’S ERASE THE EMMC CHIP!

THERE ARE SEVERAL STEPS…
• GAIN ACCESS TO NAND MEMORY OF eMMC CHIP
• EXTRACT PHYSICAL IMAGE OF NAND CHIP
• DECODE PHYSICAL IMAGE TO READABLE FORM
• CHECK IF THERE ARE STILL BLOCKS WITH “REMNANTS” IN THE DUMP (WE EXPECT TO SEE 0x00 IN THE WHOLE DUMP)
• SCAN DUMP USING SQLITE CARVING ALGORITHM TO FIND DELETED SMS
• ANALYSE RESULTS (WE EXPECT TO FIND NOTHING! USER’S DATA)

TECHNOLOGICAL PADS - NAND INTERFACE

NAND PINOUT ANALYSIS
• XRAY PCB LAYOUT ANALYSIS WITH FURTHER WIRE BONDING ANALYSIS OF NAND AND CONTROLLER
• NAND AND CONTROLLER PINOUT ANALYSIS THROUGH PCB LAYER REMOVAL
• CLASSIC “MAN IN THE MIDDLE ATTACK” USING LOGIC ANALYZER CONNECTED BETWEEN CONTROLLER AND NAND MEMORY

EMMC THROUGH XRAY
CONTROLLER
NAND MEMORY

NAND PINOUT ANALYSIS. XRAY

DELAYERED EMMC CHIP

NAND PINOUT ANALYSIS. LOGIC ANALYZER

NAND PINOUT ANALYSIS. LOGIC ANALYZER

NAND PINOUT
DATA BUS
CONTROL SIGNALS

CONNECT CHIP TO ADAPTER

VISUAL NAND RECONSTRUCTOR – THE NEW MODE FOR EMMC-NAND ACCESS

ADAPTER ASSEMBLY

RAW NAND PHYSICAL IMAGE EXTRACTION

ERROR CORRECTION CODES IN FLASH MEMORY
[Diagram: inside the CONTROLLER, DATA coming FROM INTERFACE (01010100…0111) passes through the BUFFER and the BCH CODER, which appends PARITY; the PROTECTED DATA (01010100…01110100…) goes TO NAND MEMORY]

DATA SCRAMBLERS OF FLASH CONTROLLERS
[Diagram: inside the CONTROLLER, an LFSR-BASED GENERATOR loaded with a SEED (0 1 1 0 0 0 1) produces a sequence that is XORed with the DATA coming FROM INTERFACE; the RANDOMIZED DATA goes TO NAND MEMORY]
Values shown on the slide: 0xBEEFBEEF XOR 0x5AF810E3 = 0xE417AE0C

LOGICAL IMAGE RECONSTRUCTION

IMAGE AFTER DESCRAMBLING
REMEMBER WE ZEROED THIS DEVICE? WE EXPECT TO SEE 0x00 IN EVERY SECTOR/PAGE. BUT WHAT WE ACTUALLY SEE IS A BIT DIFFERENT:
- AFTER 1ST ERASE CYCLE ~5% OF BLOCKS WEREN’T ERASED
- AFTER 2ND ERASE CYCLE ~1% OF BLOCKS WEREN’T ERASED
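
Added illustration (not part of the original slides) of the scrambler slide and of the check above: a raw NAND image is descrambled with an LFSR keystream, then scanned for blocks that are not all 0x00. The 7-bit feedback taps, the per-page seed schedule and the tiny page and block sizes are assumptions; a real controller's scrambler has to be determined by analysis.

```python
def keystream(seed, nbytes):
    """7-bit LFSR keystream; the feedback taps (bit0 XOR bit1) are an assumption."""
    state = seed & 0x7F
    if state == 0:
        raise ValueError("an all-zero seed locks the LFSR")
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (state & 1)
            feedback = (state ^ (state >> 1)) & 1
            state = (state >> 1) | (feedback << 6)
        out.append(byte)
    return bytes(out)

def page_seed(page_no):
    """Assumed seed schedule: one non-zero seed per page, repeating every 127 pages."""
    return page_no % 127 + 1

def scramble(dump, page_size):
    """XOR every page with its keystream; the same call descrambles."""
    out = bytearray()
    for off in range(0, len(dump), page_size):
        page = dump[off:off + page_size]
        ks = keystream(page_seed(off // page_size), len(page))
        out += bytes(a ^ b for a, b in zip(page, ks))
    return bytes(out)

def unerased_blocks(image, block_size):
    """Indexes of blocks that still hold anything other than 0x00."""
    return [i // block_size for i in range(0, len(image), block_size)
            if any(image[i:i + block_size])]

# Constructed sample: 8 zeroed blocks of 4 pages x 16 bytes, one remnant in block 5.
PAGE_SIZE, BLOCK_SIZE = 16, 64
LOGICAL = bytearray(8 * BLOCK_SIZE)
LOGICAL[5 * BLOCK_SIZE:5 * BLOCK_SIZE + 16] = b"SMS: hello world"
RAW_NAND = scramble(bytes(LOGICAL), PAGE_SIZE)   # what the NAND reader sees

if __name__ == "__main__":
    print("raw blocks with data:", unerased_blocks(RAW_NAND, BLOCK_SIZE))
    print("after descrambling: ", unerased_blocks(scramble(RAW_NAND, PAGE_SIZE), BLOCK_SIZE))
```

Before descrambling every block looks populated, because zeroed pages are stored as keystream; only after descrambling does the single unerased block stand out.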

SMS CARVING
THE MOST INTERESTING PART. ARE THERE REALLY ANY MESSAGES?
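
Added illustration (not part of the original slides) of the SQLite carving step: scan a descrambled dump at page granularity for SQLite table-leaf pages (first byte 0x0D) and decode their records without any file system. The 4096-byte page size, the sms table layout and the sample dump (built with Python's sqlite3 module on a POSIX system) are assumptions; overflow pages and freed cells are not handled.

```python
import sqlite3, tempfile
from contextlib import suppress

PAGE = 4096                                    # assumed SQLite page size and scan step
SIZES = (0, 1, 2, 3, 4, 6, 8, 8, 0, 0, 0, 0)   # body length of serial types 0-11

def varint(buf, pos):
    """Decode a SQLite varint (1-9 bytes); return (value, next_pos)."""
    val = 0
    for i in range(8):
        val = (val << 7) | (buf[pos + i] & 0x7F)
        if buf[pos + i] < 0x80:
            return val, pos + i + 1
    return (val << 8) | buf[pos + 8], pos + 9

def parse_cell(page, pos):
    """Parse one table-leaf cell into (rowid, columns); overflow pages are not followed."""
    rowid, pos = varint(page, varint(page, pos)[1])   # skip payload length, read rowid
    hdr_len, p = varint(page, pos)
    body, cols = pos + hdr_len, []
    while p < pos + hdr_len:
        st, p = varint(page, p)                # serial type of the next column
        n = SIZES[st] if st < 12 else (st - 12) // 2
        if st >= 13 and st % 2:                # TEXT
            cols.append(page[body:body + n].decode("utf-8", "replace"))
        elif 1 <= st <= 6 or st in (8, 9):     # integers; 8 and 9 are the constants 0 and 1
            cols.append(int.from_bytes(page[body:body + n], "big", signed=True) + (st == 9))
        else:                                  # NULL, float, blob: not decoded here
            cols.append(None)
        body += n
    return rowid, cols

def carve(dump):
    """Yield (offset, rowid, columns) for each cell of each table-leaf page (type 0x0D)."""
    for off in range(0, len(dump) - PAGE + 1, PAGE):
        page = dump[off:off + PAGE]
        ncells = int.from_bytes(page[3:5], "big") if page[0] == 0x0D else 0
        for i in range(ncells):
            ptr = int.from_bytes(page[8 + 2 * i:10 + 2 * i], "big")
            with suppress(IndexError):         # damaged cell: skip it, keep scanning
                yield (off, *parse_cell(page, ptr))

def sample_dump():
    """Constructed input: the table pages of a small SQLite file inside a zeroed dump."""
    with tempfile.NamedTemporaryFile(suffix=".db") as tmp:
        con = sqlite3.connect(tmp.name)
        con.executescript(f"PRAGMA page_size={PAGE}; CREATE TABLE sms(address TEXT, body TEXT, read INT);"
                          "INSERT INTO sms VALUES ('+10000000001','meet at 9',1),('+10000000002','call me',0);")
        con.close()
        return bytes(3 * PAGE) + tmp.read()[PAGE:] + bytes(4 * PAGE)
```

On a real dump the raw hits include duplicates from stale page copies and false positives from pages that merely start with 0x0D, so they need filtering before review.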

RAW CARVING RESULTS

CLEANED UP RESULTS

OUR THEORY IS PROVED. BUT NOBODY WANTS TO ERASE AN eMMC CHIP IN REAL LIFE.
WE CAN POSSIBLY GET MORE DATA FROM EVERY eMMC VIA NAND PROTOCOL?!

SMS RECOVERY FROM 10 SMARTPHONES (SAME MODEL)
Green blocks (A, C, D, F, H, J) – more SMS were found in the NAND memory chip.
Red blocks (B, E, G, I) – fewer SMS were found in the NAND memory chip due to uncorrectable bit errors caused by threshold voltage shifts (the eMMC controller handles them) during the read operation.

APPLICATIONS OF TECHNOLOGY
• DATA RECOVERY FROM DAMAGED EMMC CHIPS
• RETRIEVAL OF DELETED TEXT MESSAGES, CHATS, ETC. THROUGH NAND PROTOCOL, INCLUDING GARBAGE BLOCKS, ON A DEEPER LEVEL THAT IS NOT ACCESSIBLE TO CLASSIC MOBILE FORENSIC TOOLS
• DATA RECOVERY AFTER FACTORY RESET OR OTHER OPERATIONS THAT ERASE DATA
Related links:
https://rusolut.com/wp-content/uploads/2018/06/Sheremetov-The-Ultimate-Chip-off-Mobile-Forensics.-Data-Resurrection-from-Dead-eMMC-Chips-June-3-Oleander-B.pdf
https://www.flashmemorysummit.com/English/Collaterals/Proceedings/2017/20170808_S102A_Sheremetov.pdf
https://belkasoft.com/ssd-2016-part2