I was tasked with getting the contact data off a broken Android phone (in this case a Xiaocai X9). The touchscreen was functioning erratically, the display was blank, and adb/developer debugging was not enabled.
I tried for some time to enable debugging by dragging randomly on the screen, taking a screenshot (hold down the volume key + power) and trying again, but gave up after an hour or so.
So: broken touch, broken LCD, no adb.
I remembered that the phone had a custom recovery installed (TWRP or CWM), so I booted it into recovery, where I had a root shell. Each phone has its own sequence for getting into recovery, so you'll need to research that first. Usually you power it off and then hold a couple of buttons for a few seconds (power + volume up or similar).
The first task is to make a full backup of all the partitions so they can be restored later. To do this, connect the phone to the computer and run 'adb usb' to connect to it, then run 'adb shell' to get a root prompt. It might be necessary to run 'su' inside the shell, but in recovery that's usually not required.
First I tried to see if any partition was already mounted.
~ # mount
mount
rootfs on / type rootfs (rw)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
/dev/block/mmcblk0p6 on /cache type ext4 (rw,nodev,noatime,nodiratime,data=ordered)
After a bit of hunting I found out that most of the data lives on the /dev/block partitions:
~ # ls /dev/block
ls /dev/block
loop0 loop4 mmcblk0 mmcblk0p2 mmcblk0p6
loop1 loop5 mmcblk0boot0 mmcblk0p3 mmcblk0p7
loop2 loop6 mmcblk0boot1 mmcblk0p4 mmcblk0p8
loop3 loop7 mmcblk0p1 mmcblk0p5 platform
I made a temporary folder for mounting each partition and dumping its contents.
~ # mkdir /tmp2
mkdir /tmp2
Another way to find the block devices for the internal flash:
~ # ls -l /dev/block/platform/
ls -l /dev/block/platform/
drwxr-xr-x 3 root root 280 Jan 5 22:55 mtk-msdc.0
~ # ls -l /dev/block/platform/mtk-msdc.0
ls -l /dev/block/platform/mtk-msdc.0
drwxr-xr-x 2 root root 200 Jan 5 22:55 by-num
lrwxrwxrwx 1 root root 18 Jan 5 22:55 mmcblk0 -> /dev/block/mmcblk0
lrwxrwxrwx 1 root root 23 Jan 5 22:55 mmcblk0boot0 -> /dev/block/mmcblk0boot0
lrwxrwxrwx 1 root root 23 Jan 5 22:55 mmcblk0boot1 -> /dev/block/mmcblk0boot1
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p1 -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p2 -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p3 -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p4 -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p5 -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p6 -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p7 -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 20 Jan 5 22:55 mmcblk0p8 -> /dev/block/mmcblk0p8
Then I proceeded to mount each partition:
mount -t ext4 /dev/block/mmcblk0p7 /tmp2
To dump the data I used Total Commander with the ADB plugin, which makes things so much easier. I copied each partition to its own folder and named it with my best guess. Not all partitions can be mounted or hold meaningful data. I was left with these candidates:
There are several methods to find out which file contains the contacts. One is to search the contents of all files for a known contact name. The other is to search for all files with 'contacts' in their name:
The data is usually stored in SQLite databases on Android, after a quick search for a compatible program I installed DB Browser for SQLite.
Contact data and log entries were found in the file
mmcblk0p7 data\data\com.android.providers.contacts\databases\contacts2.db
Inside the SQLite browser program click on the 'Browse data' tab and choose a table or view from the dropdown.
Another good candidate is
mmcblk0p7 data\data\com.google.android.gms\databases\icing_contacts.db
Choose the 'contacts' table.
SMSs can be found in
mmcblk0p7 data\data\com.android.providers.telephony\databases\mmssms.db
Choose the 'sms' table.
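As an added example (not the author's code or tools), the two steps above, the name-based search over a dumped partition tree and the table extraction from contacts2.db and mmssms.db, done in Python with the standard sqlite3 module. The schemas and paths below are a constructed, minimal subset of the real databases (assumption: only the raw_contacts/mimetypes/data join and the sms table are reproduced), built inline so the script runs offline; point find_candidate_dbs at a real dump folder to use it for real.

```python
import os
import sqlite3
import tempfile

def build_sample_dump():
    """Constructed stand-in for a dumped mmcblk0p7 tree with two minimal databases (assumption, not real data)."""
    root = tempfile.mkdtemp(prefix="mmcblk0p7_")
    cdir = os.path.join(root, "data", "data", "com.android.providers.contacts", "databases")
    sdir = os.path.join(root, "data", "data", "com.android.providers.telephony", "databases")
    os.makedirs(cdir)
    os.makedirs(sdir)
    con = sqlite3.connect(os.path.join(cdir, "contacts2.db"))
    con.executescript("""
        CREATE TABLE raw_contacts(_id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE mimetypes(_id INTEGER PRIMARY KEY, mimetype TEXT);
        CREATE TABLE data(_id INTEGER PRIMARY KEY, raw_contact_id INTEGER, mimetype_id INTEGER, data1 TEXT);
        INSERT INTO raw_contacts VALUES (1, 'Alice Example'), (2, 'Bob Example');
        INSERT INTO mimetypes VALUES (1, 'vnd.android.cursor.item/phone_v2'), (2, 'vnd.android.cursor.item/email_v2');
        INSERT INTO data VALUES (1, 1, 1, '+15550001'), (2, 1, 2, 'alice@example.com'), (3, 2, 1, '+15550002');
    """)
    con.close()
    con = sqlite3.connect(os.path.join(sdir, "mmssms.db"))
    con.executescript("""
        CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, type INTEGER, body TEXT);
        INSERT INTO sms VALUES (1, '+15550002', 1420000000000, 1, 'hello');
    """)
    con.close()
    return root

def find_candidate_dbs(root):
    """Name-based search: every .db under the dump whose file name mentions contacts or sms."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".db") and ("contacts" in name or "sms" in name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def _open_ro(db_path):
    # Open the copied database read-only so the dumped evidence is never modified.
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)

def extract_contacts(db_path):
    """Join data -> mimetypes -> raw_contacts to get (display name, kind, value) rows."""
    with _open_ro(db_path) as con:
        return con.execute("""
            SELECT r.display_name, m.mimetype, d.data1 FROM data d
            JOIN mimetypes m ON m._id = d.mimetype_id
            JOIN raw_contacts r ON r._id = d.raw_contact_id
            ORDER BY r._id, d._id""").fetchall()

def extract_sms(db_path):
    """Rows from the sms table: sender/recipient, epoch-millisecond date, type (1 = inbox), body."""
    with _open_ro(db_path) as con:
        return con.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
```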
WiFi passwords: mmcblk0p7 data\misc\wifi\wpa_supplicant.conf
Note that some systems encrypt the passwords, so there might be nothing useful there except the SSID names.
In addition, you can recover photos from the internal storage, pictures received via Viber or WhatsApp, downloaded files, etc. These are usually stored on the internal SD card, which in my case was the mmcblk0p8 partition.
The APK files can be retrieved from the app folder of the data partition, or from the app folder of the root/factory partition (in this case mmcblk0p5).
Obviously you can do a lot more forensics on the data, since the cache, browser history and login data are also preserved, but these will require advanced decryption and reverse-engineering skills. You'll probably need to write your own tools for that; I haven't tried it and it's beyond the scope of this article.