Samsung mobile phone - DR after reset

[maddin]

Hello,

I have a Samsung phone which get resetted to factory defaults.

I was using KingRoot + BusyBox to be able to image the whole internal memory with dd. Then I tryed to recover lost files from the image but there where no files. When I inspect that image with an hexeditor i see that over 85% are filled with 0x00 or 0xFF.

I had in the past luck with that method on an Android 2.x phone....

Does phones whipe the internal memory newadays when they get resetted? Or do the controller only deliver 0x00 / 0xFF because that space is not in use?

Would a Chip-Off make sence in that case? It's a eMMC Memory in that phone and I would have an eMMC to SD Adapter here but I am not sure if that make any sence...

[einstein9]

Hello,

I have a Samsung phone which get resetted to factory defaults.

I was using KingRoot + BusyBox to be able to image the whole internal memory with dd. Then I tryed to recover lost files from the image but there where no files. When I inspect that image with an hexeditor i see that over 85% are filled with 0x00 or 0xFF.

I had in the past luck with that method on an Android 2.x phone....

Does phones whipe the internal memory newadays when they get resetted? Or do the controller only deliver 0x00 / 0xFF because that space is not in use?

Would a Chip-Off make sence in that case? It's a eMMC Memory in that phone and I would have an eMMC to SD Adapter here but I am not sure if that make any sence...

new phones are By Default Encrypted, Factory Reset means Generating new Encryption key which means again Data Gone

I got to know from some people that chip-off & trying to restore the "Old Key" (in some cases) >> Did work..... Maybe but not as a rule for the rest

to cut it short : When you hear Factory Reset (IOS/Android) then just don`t bother

[maddin]

new phones are By Default Encrypted, Factory Reset means Generating new Encryption key which means again Data Gone

I got to know from some people that chip-off & trying to restore the "Old Key" (in some cases) >> Did work..... Maybe but not as a rule for the rest

... Sorry forget to tell the model - it's an older S3 but i don't know when Samsung started with encryption.

And if the encyption-key got changed i would get at least some garbage-data in the dump or not?

[arvika]

Only chip-off method will give you chance to recover something, when mobile phone do not encrypt the data. Of course need read directly from nand memory, not by SD/eMMC interface. What is the model of eMMC?

[maddin]

Only chip-off method will give you chance to recover something, when mobile phone do not encrypt the data. Of course need read directly from nand memory, not by SD/eMMC interface. What is the model of eMMC?

It should be a BGA 153 or BGA 169 - don't have the phone with me or opend yet...

The only adapter I have right not is one of them:
https://www.amazon.de/ALLSOCKET-eMMC153 ... 2C170&th=1

On some other phone with a broken display it did the trick a while ago but I am not sure if the i9300 encrypts the memory or whipe the data while resetting. I where thinking a technique to gather a forensic image would also get deleted files. By the way i was using that method: https://dfir.science/2017/04/Imaging-An ... nd-dd.html

PS.: I know installing Software on the Chip is not a good idea but the owner ask me to try a non destructive technique first.

[arvika]

On this mobo could be this chip: http://odzyskiwanie-danych.com.pl/image ... arvika.jpg
Because it was released on Android 4, data should be not crypted.
We have pinout for nand.
Do not instal any software on phone, it is usless, and dangerous for data (overwritten). Adapter you linked does not help for this case.

[maddin]

Adapter you linked does not help for this case.

... and which adapter would help?

[melvin]

Adapter you linked does not help for this case.

... and which adapter would help?

This adapter is using memory's controller. You need to connect directly via NAND protocol. So you need to find a pinout or check Rusolut eMMC-NAND Reconstructor.

[maddin]

Adapter you linked does not help for this case.

... and which adapter would help?

This adapter is using memory's controller. You need to connect directly via NAND protocol. So you need to find a pinout or check Rusolut eMMC-NAND Reconstructor.

Ok thanks - that helped. I found a PDF from Rusolut. So after deleting or a factory reset the Controller inside the eMMC delivers a 0x00 for not allocated memory. But with bypassing the eMMC-controller with VNR you are able to get the data directly via NAND-protocol. Now I get what you mean!

[arvika]

Yes, exactly. Controller "cheats" the user. But this method works only for old mobile phones. All new one is crypted so this method will not work.

[Sasha Sheremetov]

This phone with a chance of 95% is not encrypted.
We did bunch of tests of eMMC-NAND Reconstructor on the chips from S3 and got loads of data after factory reset (usually it's either Samsung or Toshiba chips both very likely supported).
In my experience S3 is among the phones that leaves a richest amount of data after reset
Of course you won't be able to get videos, but plenty of text data and some JPEGs too.

[einstein9]

@ Sasha Sheremetov

I think the time/work for this case vs output results later will not be much btw, sometimes end up with dead phone.


@ maddin

You can try it and post here the results later (just to know how good/bad it was)

good luck