HTC M9 - dump memory over direct eMMC (ISP) and data extraction

Today we would like to describe the whole procedure for extracting data from an HTC M9 (OPJA100) using the direct eMMC method, followed by decoding the data with MOBILedit Forensic Express.

Prerequisites

  • Flash Box supporting ISP exam - The Easy JTAG
  • Microscope
  • Micro Solder, solder paste, 0.1mm copper wire
  • MOBILedit Forensic Express

What is ISP

In-System Programming (ISP) allows communication with a target chip without the need to remove it. The main advantage of this method is that it communicates with the target eMMC or eMCP chip directly, bypassing the CPU. It offers a higher data extraction speed than JTAG, but it requires great soldering skills.

Just like JTAG, there are specific contacts that will be of interest to the examiner. But unlike JTAG, the contacts are directly off the chip BGAs and do not go through the processor.

  • DATA0
  • CMD
  • CLK
  • VCC - Supply Voltage for Core (3.3 V)
  • VCCQ - Supply Voltage for I/O (1.8 - 3.3 V)
  • GND

The hardware work

1. Disassemble the phone. There are many videos on YouTube showing how to disassemble the HTC M9.

2. Disconnect the battery.

3. Prepare the ISP pinout for the HTC M9; you can find it at EasyJTAG support.

4. Remove the shield plate on the motherboard with cutting nippers (a hot air gun is not recommended here because the shield plate is hard to remove and the high temperature might damage nearby components). Be careful: there are many electrical components, and if you use too much force you can rip them from the PCB.

5. Solder all ISP contacts according to the pinout description. Solder paste is very useful in this step because it makes it easier to solder the 0.1mm copper wire to the small soldering pads.

6. Connect all soldered wires to the direct eMMC adapter.

Software work

7. Connect the Z3X EasyJtag box and the power supply (miniUSB) to the direct eMMC adapter.

8. Run the EasyJTAG plus software.

9. Set the communication and power parameters according to the picture and click the button "Check eMMC in EasyJTAG Port".

10. You should now see all parameters of the eMMC chip, including information about the memory health.

In this example the memory is dead. According to the documentation from HYNIX (manufacturer of memory chips for the HTC M9) for these chips, the TYPE B (MLC cells) health status has exceeded its maximum estimated device life time, which means that the device has used all reserved backup cells for bad block relocation. The phone boots only into recovery and all data is trapped in the eMMC.

11. Now you can make an eMMC memory dump (Read eMMC button). It will take more than 14 hours, even though ISP is faster than JTAG (approx. 600 Kb/s).
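
As an added example (not part of the original article or of the EasyJTAG software), the size and health values shown in step 10 can be decoded from the chip's 512-byte EXT_CSD register and used to check that the dump from step 11 is complete. The byte offsets are the JEDEC eMMC ones; the function names, the sample register and the reading of "600 Kb/s" as kilobytes per second are assumptions.

```python
import struct

# JEDEC eMMC EXT_CSD byte offsets (the register is 512 bytes long).
EXT_CSD_REV, SEC_COUNT, PRE_EOL_INFO, LIFE_A, LIFE_B = 192, 212, 267, 268, 269
PRE_EOL = {1: "normal", 2: "warning (80% of reserved blocks consumed)", 3: "urgent"}


def life_estimate(value):
    """Decode DEVICE_LIFE_TIME_EST_TYP_A/B into a readable wear range."""
    if 1 <= value <= 10:
        return f"{(value - 1) * 10}-{value * 10}% of life time used"
    if value == 0x0B:
        return "exceeded maximum estimated device life time"
    return "not defined"  # 0x00 and reserved values


def parse_ext_csd(raw):
    """Return user-area capacity and health fields from a raw EXT_CSD."""
    if len(raw) != 512:
        raise ValueError("EXT_CSD must be exactly 512 bytes")
    rev = raw[EXT_CSD_REV]
    # SEC_COUNT is a little-endian count of 512-byte sectors (user area).
    capacity = struct.unpack_from("<I", raw, SEC_COUNT)[0] * 512
    info = {"rev": rev, "capacity": capacity, "health_supported": rev >= 7}
    if info["health_supported"]:  # health bytes are defined from eMMC 5.0
        info["pre_eol"] = PRE_EOL.get(raw[PRE_EOL_INFO], "not defined")
        info["life_a"] = life_estimate(raw[LIFE_A])  # which cells A and B
        info["life_b"] = life_estimate(raw[LIFE_B])  # cover is vendor-defined
        info["worn_out"] = 0x0B in (raw[LIFE_A], raw[LIFE_B])
    return info


def dump_is_complete(dump_size, info):
    """A full user-area dump is exactly SEC_COUNT * 512 bytes long."""
    return dump_size == info["capacity"]


def read_hours(info, bytes_per_second=600_000):
    """Read time; the default assumes the page's 600 Kb/s means kB/s."""
    return info["capacity"] / bytes_per_second / 3600


# Constructed sample register, not the one read from the phone in the article.
SAMPLE = bytearray(512)
SAMPLE[EXT_CSD_REV] = 7
struct.pack_into("<I", SAMPLE, SEC_COUNT, 61_071_360)
SAMPLE[PRE_EOL_INFO], SAMPLE[LIFE_A], SAMPLE[LIFE_B] = 3, 0x05, 0x0B
if __name__ == "__main__":
    print(parse_ext_csd(SAMPLE), f"{read_hours(parse_ext_csd(SAMPLE)):.1f} h")
```

A dump file shorter than the reported capacity means the read stopped early and should be repeated or documented before analysis.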

 

The data analysis

12. You can import the extracted data into MOBILedit Forensic Express and make a full extraction, including app analysis, deleted data extraction, etc.

13. Fill in all necessary fields and select the required format of the output file.

14. Enjoy the extracted data.