Dumping flash from HTC Desire 510

**stj** · 06-27-2017, 10:24 AM

Re: Dumping flash from HTC Desire 510

sd cards are 3.3v - dont blow your flash up

why do you need to dump it?
fastboot can dump the partitions over usb.

**stj** · 06-27-2017, 10:24 AM

Re: Dumping flash from HTC Desire 510

http://www.ebay.co.uk/itm/191899183629

**Spork Schivago** · 06-27-2017, 10:51 AM

Re: Dumping flash from HTC Desire 510

Originally posted by stj

sd cards are 3.3v - dont blow your flash up

why do you need to dump it?
fastboot can dump the partitions over usb.

This adapter I used worked with the 3DS without me needing to modify anything. It's an MicroSD-to-SD adapter.

The phone has a PIN that we're trying to recover. If I used a resistor to drop it down to 2.8V, we should be good though, right?

I could just plug the adapter into my card reader and use DD to dump it, right? I cannot remember how I did it with the 3DS. I remember soldering stuff, but I don't remember if there were special drivers or modules that I needed to install or what. I can't remember if I did it in Windows or Linux. It was a while ago.

**Spork Schivago** · 06-27-2017, 10:52 AM

Re: Dumping flash from HTC Desire 510

Originally posted by stj

http://www.ebay.co.uk/itm/191899183629

I don't think that will work. This is a BGA type chip. I have the pinouts for the eMMC stuff, I don't see why I just can't do it the way I did with the 3DS. Essentially, the same thing, right?

**Spork Schivago** · 06-27-2017, 11:38 AM

Re: Dumping flash from HTC Desire 510

That picture of the PCB isn't the right one. This has a Hynix BGA type flash chip in it. The phone on the back says:

Code:

 HTC0PCV1   FCC ID: NM80PCV100
0PCV100 5VDC == 1A

I'll start searching for the eMMC pinouts for the 0PCV100.

**stj** · 06-27-2017, 11:41 AM

Re: Dumping flash from HTC Desire 510

the ebay unit is a level translator, you use it between your reader & the chip.

can you boot into fastboot?
(volume down + power)

**Spork Schivago** · 06-27-2017, 12:05 PM

Re: Dumping flash from HTC Desire 510

We can reset the phone. We just cannot physically get into the phone. I have it torn apart right now, but I believe we'd be able to get into fast mode. Why, is there away to recover the pin or dump the flash without resetting the phone using fastboot?

The flash is a Sk Hynix h26m31001hpr, if that helps.

From what I've been reading, the programming voltage for this chip is 3.3VDC. So perhaps if I find the pinouts, it'd work? A Sk Hynix model number decoder lists it as an MMC.

https://www.elnec.com/en/device/SK+H...%5BFBGA153%5D/

**Spork Schivago** · 06-27-2017, 12:08 PM

Re: Dumping flash from HTC Desire 510

I believe I've found the JTAG pins and I believe I know what the pinouts for the JTAG pins are (they're not a standard). Other people that are smarter than me figured them out.

I'm not good with JTAG. I have an Olimex ARM-USB-OCD-H jtag device. I wonder if I soldered the 5 or 6 wires onto the pads, if I could use that device and OpenOCD to dump the flash content?

**stj** · 06-27-2017, 12:34 PM

Re: Dumping flash from HTC Desire 510

before it was locked, was ADB / developer-mode enabled?

if it was - you can open a terminal connection to it.

**Spork Schivago** · 06-27-2017, 12:52 PM

Re: Dumping flash from HTC Desire 510

Originally posted by stj

before it was locked, was ADB / developer-mode enabled?

if it was - you can open a terminal connection to it.

No, I already tried that Stj, it wasn't not enabled. That was the first thing I tried.

Then I tried a few known exploits, but they don't seem to work. One was typing a very long pin number and then tapping the camera button on the screen, but the camera button on the screen has been removed.

I really think this is the Desire 510, just a earlier board. I think in the first post of mine, that board is the 0PCV200, whereas this one is the 0PCV100.

Any ideas about the JTAG and OpenOCD? Think I can dump the firmware that way? Thanks.

**stj** · 06-27-2017, 02:45 PM

Re: Dumping flash from HTC Desire 510

no idea.

**Spork Schivago** · 06-27-2017, 08:09 PM

Re: Dumping flash from HTC Desire 510

If I could find a datasheet for the h26m31001hpr, I could just purchase a used version of this board, remove the chip, and figure out the pinouts for certain. I've searched the entire net though and couldn't find a datasheet for it.

I think JTAG is the only option left.

**Spork Schivago** · 06-28-2017, 10:09 AM

Re: Dumping flash from HTC Desire 510

I wonder if that h26m31001hpr FBGA153 uses the same pinout as other FBGA153 eMMC NAND flash chips. What do you think? If so, then I don't need the datasheet, I can just pull up the pinouts for the FBGA153 and find the various pins I need.

**goontron** · 06-28-2017, 11:42 AM

Re: Dumping flash from HTC Desire 510

If you are just after the data: https://www.amazon.com/ALLSOCKET-eMM...s=eMMC+adapter

**Spork Schivago** · 06-28-2017, 03:32 PM

Re: Dumping flash from HTC Desire 510

Originally posted by goontron

If you are just after the data: https://www.amazon.com/ALLSOCKET-eMM...s=eMMC+adapter

That's perfect! That would mean that all the eMMC FBGA153's use the same pinouts. That's awesome though and might be well worth the buy. I'm going to try JTAGging it first and see where that goes. Then I'll see what's cheaper, a replacement used board or that adapter. Right now, until we get the electrical updated, I don't think I can remove the chip without damaging the board. I don't think I'd ever be able to properly re-attach the chip. We're just a few dollars shy of the price we need to get the electrical panels in the house upgraded though.

**goontron** · 06-28-2017, 05:23 PM

Re: Dumping flash from HTC Desire 510

Let me know how it works if you get one, i have an eMMC i need to read myself.

**Spork Schivago** · 06-28-2017, 05:35 PM

Re: Dumping flash from HTC Desire 510

So I went and put the phone back together real quick and did the Power-DOWN. There's an option to boot into fastboot, but instead, I selected the RAM Dump option and am dumping the RAM to a microSD card. I doubt the RAM will contain the PIN because I'm in the Recovery mode or whatever you want to call it, but it's worth a shot. Then I'll try the fastboot.

Once I JTAG this, I'm not sure how I'm going to power the phone on. The JTAG taps are on the wrong side. Some people said they couldn't get the VCC to stay, it kept going low, but I think that was the 200 model board. Not sure about the 100 model board.

Thanks for all the help guys.

**Spork Schivago** · 06-28-2017, 06:05 PM

Re: Dumping flash from HTC Desire 510

Originally posted by goontron

Let me know how it works if you get one, i have an eMMC i need to read myself.

Is yours a cell phone too? No way to find the eMMC pinouts? I have a bunch of pictures that list the various locations on various phones.

Also, I just ran across this when I was researching to see if the passcode would be stored in the RAM dump and if so, how to recover it.

https://www.extremetech.com/computin...in-the-freezer

Some smart people made an open-source program, FROST. I read the article but didn't look into it too much. Not sure if I'd just have to hook a USB cable to phone and use FROST or if FROST would have to be installed, much like that ClockWorkMod or whatever it's called (the mention that in the post as well).

This is what the FROST website says:

Code:

At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data.

We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking. However, we show that cold boot attacks are more generic and allow to retrieve sensitive information, such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.

(source) https://www1.cs.fau.de/frost

To me, I think this means even if we can dump the contents of the flash, because this Desire 510 is running a version of Android higher than 4.0, without something like FROST installed, there won't be much we can do with our recovery attempts.

I love the signature btw.

**goontron** · 06-28-2017, 09:31 PM

Re: Dumping flash from HTC Desire 510

Originally posted by Spork Schivago

Is yours a cell phone too? No way to find the eMMC pinouts? I have a bunch of pictures that list the various locations on various phones..

An early Verizon Motorola Droid...Just the eMMC chip, though. The rest had an unfortunate accident with the serpentine belt of a Ford Triton... To be fair, it did a number on the Triton as well. New cooling fan, belt, and radiator hose were needed after... Along with the original failing idler pulley...

Dumping flash from HTC Desire 510

Dumping flash from HTC Desire 510

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics