Upload File

emmc chips. data recovery beyond controller · 2018-10-10 · • data recovery from damaged emmc...

  • Home
  • Documents
  • eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol
37
eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER Rusolut BelkaDay - Belkasoft Digital Forensic Conference 2018 Prague, Czech Republic

Upload: others

Post on 18-Apr-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLERRusolut

BelkaDay - Belkasoft Digital Forensic Conference 2018Prague, Czech Republic

Page 2: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

APPLICATIONS OF EMMC CHIPS

• SMARTPHONES• TABLETS• LAPTOPS• VOICE RECORDERS• CAMERAS• MULTIMEDIA PLAYERS• TV DECODERS• INTERNET OF THINGS

…AND MUCH MORE…

Page 3: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

DIFFERENT WAYS OF IMAGE EXTRACTION FROM DEVICES BASED ON EMMC CHIPS

LOGICAL EXTRACTION

PHYSICAL EXTRACTION

IN-SYSTEM PROGRAMMING (ISP)

eMMC CHIP-OFFDEP

TH O

F A

NA

LYSI

S

LOW

DEEP

eMMC-NAND ACCESS

Image extracted from phone connected via cable

Image extracted from eMMC chip

Image extracted from NAND memory of eMMC chipDEEPEST

STANDARD

NEW

Page 4: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

CLASSIC CHIP-OFF AND DATA EXTRACTION FROM eMMC CHIP

PHYSICAL IMAGE EXTRACTION

CLEANING

UNSOLDERING

Page 5: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

FLASH MEMORY CHIPS

NAND eMMC

AR

EA O

F IN

TER

EST

RAW NAND

CONTROLLER

Page 6: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

EMMC vs RAW NAND CHIP-OFF DATA RECOVERY

NAND eMMC/eMCP

REA

D REA

D

NAND protocol eMMC protocol

Page 7: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

INSIDE EMMC

NA

ND

PR

OTO

CO

L

EMM

C P

RO

TOC

OL

CONTROLLERNAND MEMORY

Page 8: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

EMMC CHIP STRUCTURE

CO

NTR

OLL

ERNAND MEMORY

Page 9: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

WHY CARE ABOUT GETTING DATA VIA NAND FROM EMMC?

• DAMAGED EMMC CHIPS

• FACTORY RESET

• ERASED DATA RECOVERY

Page 10: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

PAGEPAGE

PAGE

BLOCK

BLOCK

BLO

CK

NAND MEMORY ADDRESSING AND R/W OPERATIONS

• READ PAGE

• PROGRAM (WRITE) PAGE

• ERASE BLOCK

PAGE IS A SMALLEST R/W UNIT

BLOCK IS A SMALLEST ERASE UNIT

PAGE SIZE = 0,5 - 16KbBLOCK SIZE = 128Kb – 4Mb

Page 11: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

PAGEPAGE

PAGE

BLOCK

BLOCK

HOW DATA MODIFICATION PROCESS IS SUPPOSED TO WORK IN NAND MEMORY

1. READ PAGES

2. MODIFY DATA

3. ERASE BLOCK

4. PROGRAM (WRITE) PAGESPAGEPAGE

PAGE

2 - MODIFY DATA

CONTROLLER

NAND MEMORYBUFFER INSIDE CONTROLLER

Page 12: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

PAGEPAGE

PAGE

BLOCK

HOW DATA MODIFICATION PROCESS ACTUALLY WORKS IN NAND MEMORY

1. READ PAGES

2. MODIFY DATA

3. PROGRAM (WRITE) PAGES

PAGEPAGE

PAGE

2 - MODIFY DATA

CONTROLLER

NAND MEMORY

PAGEPAGE

PAGE

OLD UNERASED BLOCK STAYS UNTOUCHED FOR SOME TIME UNTIL GARBAGE COLLECTION ALGORITHM ERASE IT. USUALLY IT’S NOT SO FAST PROCESS

BUFFER INSIDE CONTROLLER

Page 13: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

LET’S TRY TO EXTRACT SOME DELETED SMS FROM THOSE “OVERWRITTEN” GARBAGE BLOCKS OF eMMC MEMORY VIA NAND INTERFACE

TO MAKE THINGS WORSE LET’S ERASE EMMC CHIP!

Page 14: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

THERE ARE SEVERAL STEPS…

• GAIN ACCESS TO NAND MEMORY OF eMMC CHIP

• EXTRACT PHYSICAL IMAGE OF NAND CHIP

• DECODE PHYSICAL IMAGE TO READABLE FORM

• CHECK IF THERE ARE STILL BLOCKS WITH “REMNANTS” IN THE DUMP (WE EXPECT TO SEE 0x00 IN THE WHOLE DUMP)

• SCAN DUMP USING SQLITE CARVING ALGORITHM TO FIND DELETED SMS

• ANALYSE RESULTS (WE EXPECT TO FIND NOTHING! USER’S DATA)

Page 15: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

TECHNOLOGICAL PADS - NAND INTERFACE

Page 16: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

NAND PINOUT ANALYSIS

• XRAY PCB LAYOUT ANALYSIS WITH FURTHER WIRE BONDING ANALYSIS OF NAND AND CONTROLLER

• NAND AND CONTROLLER PINOUT ANALYSIS THROUGH PCB LAYER REMOVAL

• CLASSIC “MAN IN THE MIDDLE ATTACK” USING LOGIC ANALYZER CONNECTED BETWEEN CONROLLER AND NAND MEMORY

Page 17: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

EMMC THROUGH XRAY

CONTROLLER

NAND MEMORY

Page 18: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

NAND PINOUT ANALYSIS. XRAY

Page 19: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

DELAYERED EMMC CHIP

Page 20: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

NAND PINOUT ANALYSIS. LOGIC ANALYZER

Page 21: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

NAND PINOUT ANALYSIS. LOGIC ANALYZER

Page 22: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

NAND PINOUT

DATA BUS

CONTROL SIGNALS

Page 23: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

CONNECT CHIP TO ADAPTER

Page 24: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

VISUAL NAND RECONSTRUCOR – THE NEW MODE FOR EMMC-NAND ACCESS

Page 25: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

ADAPTER ASSEMBLY

Page 26: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

RAW NAND PHYSICAL IMAGE EXTRACTION

Page 27: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

ERROR CORRECTION CODES IN FLASH MEMORY

DATA

FROM INTERFACE TO NAND MEMORY

CONTROLLER

01010100…0111

BCH CODER

0 1 0 1 0 1 0 0 … 0 1 1 1 0 1 0 0 …PROTECTED DATA

01010100…01110100

PAR

ITYD

ATA

BUFFER

Page 28: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

DATA SCRAMBLERS OF FLASH CONTROLLERS

+

SEED

0 1 1 0 0 0 1

+ + +

LFSR-BASED GENERATOR

DATA RANDOMIZED DATAFROM INTERFACE TO NAND MEMORY

CONTROLLER

XOR

0xBEEFBEEF 0x5AF810E3

0xE417AE0C

Page 29: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

LOGICAL IMAGE RECONSTRUCTION

Page 30: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

IMAGE AFTER DESCRAMBLING

REMEMBER WE ZEROED THIS DEVICE? WE EXPECT TO SEE 0x00 IN EVERY SECTOR/PAGE. BUT WHAT WE ACTUALLY SEE IS A BIT DIFFERENT:

- AFTER 1ST ERASE CYCLE ~5% OF BLOCKS WEREN’T ERASED- AFTER 2ND ERASE CYCLE ~1% OF BLOCKS WEREN’T ERASED

Page 31: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

SMS CARVING

THE MOST INTERESTING PART. ARE THERE REALLY ANY MESSAGES?

Page 32: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

RAW CARVING RESULTS

Page 33: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

CLEANED UP RESULTS

Page 34: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

OUR THEORY IS PROVED. BUT NOBODY WANTS TO ERASE eMMC CHIP IN REAL LIFE.

WE CAN POSSIBLY GET MORE DATA FROM EVERY eMMC VIA NAND PROTOCOL?!

Page 35: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

Green blocks (A,C,D,F,H,J) – more SMS were found in NAND

memory chip.

Red blocks (B,E,G,I) – less SMS were found in NAND memory

chip due to uncorrectable bit errors caused by threshold

voltage shifts (eMMC controller handles it) during read

operation

SMS RECOVERY FROM 10 SMARTPHONES (SAME MODEL)

Page 36: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

• DATA RECOVERY FROM DAMAGED EMMC CHIPS

• RETRIEVAL OF DELETED TEXT MESSAGES, CHATS , ETC. THROUGH NAND PROTOCOL INCLUDING GARBAGE BLOCKS ON DEEPER LEVEL THAT IS NOT ACCESSIBLE FOR CLASSIC MOBILE FORENSIC TOOLS

• DATA RECOVERY AFTER FACTORY RESET OR OTHER OPERATIONS THAT ERASE DATA

Related links:https://rusolut.com/wp-content/uploads/2018/06/Sheremetov-The-Ultimate-Chip-off-Mobile-Forensics.-Data-Resurrection-from-Dead-eMMC-Chips-June-3-Oleander-B.pdfhttps://www.flashmemorysummit.com/English/Collaterals/Proceedings/2017/20170808_S102A_Sheremetov.pdfhttps://belkasoft.com/ssd-2016-part2

APPLICATIONS OF TECHNOLOGY

https://rusolut.com/wp-content/uploads/2018/06/Sheremetov-The-Ultimate-Chip-off-Mobile-Forensics.-Data-Resurrection-from-Dead-eMMC-Chips-June-3-Oleander-B.pdf
https://www.flashmemorysummit.com/English/Collaterals/Proceedings/2017/20170808_S102A_Sheremetov.pdf
https://belkasoft.com/ssd-2016-part2
Page 37: eMMC CHIPS. DATA RECOVERY BEYOND CONTROLLER · 2018-10-10 · • data recovery from damaged emmc chips • retrieval of deleted text messages, chats , etc. through nand protocol

THANK YOU

www.rusolut.comPolczynska 10, Warsaw, Poland+48 537 202 [email protected]


Samsung eMMC Product family

EMMC - iMechanica

EMMC: Sustainability

EMMC: Student selection

eMMC 5 1 Total Solution Rev 1 3 - Arasan Chip Systems … · DATA!SHEET!!!!! eMMC!5.1!TotalIPSolution!! Including!eMMC5.1!PHY!in40nm,28nmand16nm!FinFET(16FF+)!!!!!eMMC!Spec!Version!5.1!Compliant!

Samsung eMMC Product family - LCSC

FORESEE Industrial eMMC FSEWASLG-xxG Datasheet · Introduction FORESEE eMMC is an embedded storage solution designed in the BGA package. The FORESEE eMMC consists of NAND flash and

Emmc boek vandaag 2011

Samsung EMMC Brochure-0

eMMC Security Features - Zedboardzedboard.org/sites/default/files/documentations/EBU eMMC Security … · eMMC offers write protection to prevent data corruption at power-on and malicious

EMMC promotion

EMMC: Student admission and selection

eMMC NCEMAM6G-08G Specificationkindlehk.com/updatefile/file/20190411083442_47476.pdfFORESEE eMMC is an embedded storage solution designed in the BGA package. The FORESEE eMMC consists

Emmc Steps Daac Lesson3(Rev3)

eMMC NANDriveâ„¢ - Greenliant

eMMC 5.0 Total IP Solution

eMMC FLASH Programming User's Guide

Samsung eMMC Product family · datasheet eMMC Rev. 1.21 KLM8G1GETF-B041 SAMSUNG CONFIDENTIAL KLMAG1JETD-B041 KLMBG2JETD-B041 KLMCG4JETD-B041 INTRODUCTION SAMSUNG eMMC is an embedded

EMMC: Promotion

KINGSTON.COM/EMMC eMMC — the perfect storage …media.kingston.com/pdfs/emmc/eMMC_Product_flyer.pdf · A universal storage solution, ... e•MMC uses MLC NAND so it makes higher

Emmc Nand Mtfc32gjved-3m Wt

EMMC sponsors opportunities

Emmc Steps Daac Lesson5

EMMC Product Flyer

Lindenis Tech. Ltd.files.lindeni.org/lindenis-v536/Documents/... · nwe-emmc-ds 9 ndq2-emmc-d6 9 ndq4-emmc-d5 9 ndq3-emmc-d1 9 ndq7-emmc-d3 9 ndq1-emmc-d2 9 ndq5-emmc-d0 9 ndq0-emmc-d7

EMMC: Cooperation between partners

eMMC NANDrive 85VM Series Product Briefcaxapa.ru/thumbs/831407/606-01.pdf · The eMMC NANDrive™ family of embedded solid state drives (SSDs) integrate Greenliant’s advanced eMMC

EMMC Training for Translators · The European Materials Modelling Council EMMC Training for Translators, Glasgow, 14th June 2018 EMMC Training for Translators: Agenda 11:00 - 13:00

Mastering eMMC Device Programming

eMMC - ChinaFlashMarket center/netco… · eMMC FORESEE eMMC is an embedded storage solution designed in the BGA package. FORESEE eMMC, which equipped with original IDA ( Initial

Samsung eMMC 2013-0

Emmc Steps Daac Lesson2 (Rev0)

FORESEE eMMC NCEMASLD-xxG Datasheet · 1. Introduction FORESEE eMMC is an embedded storage solution designed in the BGA package. The FORESEE eMMC consists of NAND flash and eMMC controller

FLEXXON GLOBAL LIMITED Industrial eMMC 4.5 Specificationwebshop.atlantiksysteme.de/temp/FLEXXONeMMC4.5pSLCSPECV1.2.… · FLEXXON GLOBAL LIMITED Industrial eMMC 4.5 Specification

eMMC/SSD Filesystem Tuning Methodology - … · This document describes methods of file system performance measurement and tuning for eMMC/SSD storage media, ... May 13, 2013 eMMC/SSD