NAND Flash Recovery

Status
Not open for further replies.

GhandiInstinct

Real quick -

I have a Moto Z9. The messages by default are saved to the phone's NAND. The drafts were cleared during a SIM switch and the data was important.

Most companies can't do such recovery 'cause it's a new frontier.

Here's what I have so far as to the possibilities -

Re-Balling the NAND chip and doing a reverse engineer on the file system. The details of this are sketchy as to how it actually works.

A CG2 Flex file backup has no way of being read by data structures available to the end user. This backup could contain HEX that translates into the draft messages.

Any input or advice or any direction as to where I can find reliable data recovery for NAND flash?

I tried finding contact info for the guy that wrote this: http://www.ssddfj.org/papers/S..._1_Breeuwsma_et_al.pdf.

But no dice..

Thanks.
 

Modelworks

I have never done NAND recovery, but I have a lot of experience with Flash-based memory controllers. The way the sequence works is that there are two ways to erase data. The first is simply to erase every bit in memory; it is very slow and usually not done. The second is to use the bulk erase option. Bulk erase works by tricking the memory controller into thinking the data is gone by setting config bits in the controller itself. If they used bulk erase the data is still there. The problem is that you need direct access to the memory without going through the controller. Most on-board memory in phones has the controller either in the processor for the system or in the flash itself. If the memory is separate without an internal controller then you can remove the chip, connect it to any micro and read back the contents. Grab the data sheet for the flash and it will tell you the protocol for the flash.

The problem has been that to save space and simplify design newer flash has a controller built in so the flash can be communicated with by just 2-3 wires. The only hope then is that the controller has a command that will allow you to get the data back.

The place to start is with the datasheets for the parts inside the phone.
 

GhandiInstinct

Originally posted by: Modelworks
I have never done NAND recovery, but I have a lot of experience with Flash-based memory controllers. The way the sequence works is that there are two ways to erase data. The first is simply to erase every bit in memory; it is very slow and usually not done. The second is to use the bulk erase option. Bulk erase works by tricking the memory controller into thinking the data is gone by setting config bits in the controller itself. If they used bulk erase the data is still there. The problem is that you need direct access to the memory without going through the controller. Most on-board memory in phones has the controller either in the processor for the system or in the flash itself. If the memory is separate without an internal controller then you can remove the chip, connect it to any micro and read back the contents. Grab the data sheet for the flash and it will tell you the protocol for the flash.

The problem has been that to save space and simplify design newer flash has a controller built in so the flash can be communicated with by just 2-3 wires. The only hope then is that the controller has a command that will allow you to get the data back.

The place to start is with the datasheets for the parts inside the phone.

Amazing information. Could not find this googling haha. So here's the thing, I have one source that says he can do what you're talking about. Re-balling the flash chip onto a reader and reverse engineering the file system. He's 19, he jailbroke the iPhone, was in the news, etc... but he's asking for more than $600-$1000 for it. I know eprovided.com does stuff like this but they won't go into detail on how they'll handle the procedure.

Suffice to say most companies will scam me and possibly break my phone and I'll lose it forever.

Who do I trust to do this? I haven't gotten anything helpful back from Motorola because they outsource their customer support and the support has no technical knowledge nor the wherewithal to forward technical questions to the right departments.

Should I open the phone itself and look for numbers pertaining to data sheets? How would you start?


 

Modelworks

Originally posted by: GhandiInstinct
Should I open the phone itself and look for numbers pertaining to data sheets? How would you start?

That is the best place to start. Open the phone and start writing down numbers off all the chips then start downloading data sheets to see how the system is designed.

Once you have that you can decide what to do next.
 

Russwinters

Flash recovery basically works like this:


The controller that was used is 99% of the problem. If you don't know the controller, then you don't have anything at all.


Basically you need to remove each chip, use a device similar to an EEPROM programmer to dump the raw data onto your PC, do this for every chip. Once you have all of the raw data scanned in you need to use software that can emulate the controller for those chips.


Soft-center and Ace labs both make tools for this, but they don't come cheap.
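
Added example (not part of any post in this thread, and not code from the vendors named above): a first-pass triage of a raw chip dump of the kind described, which separates each page's data from its spare area, skips erased pages, and carves printable ASCII and UTF-16LE text. It assumes a 2048-byte data plus 64-byte spare page layout, which must be checked against the chip's datasheet, and it does not reverse the controller's block mapping or error correction, so it only finds text stored contiguously in a plain encoding. All function names and the sample dump are constructed for illustration.

```python
import re

# Assumed geometry (not from the thread): large-page NAND, 2048 data bytes
# followed by 64 spare (OOB) bytes per page. Confirm against the datasheet.
PAGE_DATA = 2048
PAGE_SPARE = 64

def split_pages(raw, data_size=PAGE_DATA, spare_size=PAGE_SPARE):
    """Split a raw chip dump into (data, spare) tuples, one per page."""
    stride = data_size + spare_size
    if len(raw) % stride:
        raise ValueError("dump is not a whole number of pages; wrong geometry?")
    return [(raw[o:o + data_size], raw[o + data_size:o + stride])
            for o in range(0, len(raw), stride)]

def is_erased(data):
    """Erased NAND cells read back as all 0xFF."""
    return data.count(0xFF) == len(data)

def carve_text(raw, min_len=6):
    """Return (page_no, offset, encoding, text) for printable runs in page data."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for page_no, (data, _spare) in enumerate(split_pages(raw)):
        if is_erased(data):
            continue  # nothing to carve from a blank page
        for m in ascii_run.finditer(data):
            hits.append((page_no, m.start(), "ascii", m.group().decode("ascii")))
        for m in utf16_run.finditer(data):
            hits.append((page_no, m.start(), "utf-16le", m.group().decode("utf-16le")))
    return hits

def make_sample_dump():
    """Constructed three-page dump: ASCII text, an erased page, UTF-16LE text."""
    def page(payload):
        data = payload + b"\xff" * (PAGE_DATA - len(payload))
        return data + b"\xff" * PAGE_SPARE
    return (page(b"\x00\x01draft: meet at noon\x00")
            + page(b"")
            + page(b"\x02\x03" + "call me back".encode("utf-16le") + b"\x00\x00"))

if __name__ == "__main__":
    for hit in carve_text(make_sample_dump()):
        print(hit)
```

Run it against a copy of the dump, never the only image; a length that is not a multiple of the page stride is the first sign the assumed geometry is wrong.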
 

GhandiInstinct

Originally posted by: Russwinters
Flash recovery basically works like this:


The controller that was used is 99% of the problem. If you don't know the controller, then you don't have anything at all.


Basically you need to remove each chip, use a device similar to an EEPROM programmer to dump the raw data onto your PC, do this for every chip. Once you have all of the raw data scanned in you need to use software that can emulate the controller for those chips.


Soft-center and Ace labs both make tools for this, but they don't come cheap.


Good to know. I'm trying to figure out what's the controller part when I open up the cell phone.

Do you know the website for Soft-center and Ace Labs? I couldn't find one just googling.

And do you by chance know the name of the software to read the raw data and how to scan it?
 