I have a 16GB microSDHC card that apparently was nuked by the phone (a friend's phone, not sure which, but I can find out): while taking pictures, it suddenly could no longer access/recognize the card. I was with her when it happened. We immediately switched off the phone, and didn't try to format the card or anything.
Using an SD-CardReader and Ubuntu, the device could still be recognized, and the complete 16GB could be read via dd without errors. However, 99% of the dd-dump were just zerobytes, although the card previously contained several GB of data. Only a very small fraction still contained data, and these fragments were scattered throughout the 16GB.
For example, the card originally contained a FAT32 file system. However, now the boot sector and partition table were zeroed out, as well as the first FAT copy, and most of the data. Curiously, the 2nd FAT copy was intact, as well as the root directory. I found (only) three partial JPGs in the dd-dump, and the interesting thing is the Exif-data from these JPGs suggests they were taken just before the card crashed.
So my questions are as follows:
- Instead of using dd, which relies on the Linux usb mass storage drivers recognizing (and interpreting) the device, is there some other way to access even lower levels of information of the flash card (i.e., truly reading out the chip contents, instead of what usb_storage sees? Some form of FTL, JFFS etc.?)?
- Was the data truly erased, or just tagged as "dirty" somewhere? It would be physically impossible for a phone to really overwrite 16GB of memory within seconds. So maybe there is a way to read out the real data ? Or is this generally only possible by dismantling the card and directly accessing the NAND(?)-device via specialized hardware?
I'd appreciate any pointers whatsoever – as my friend isn't really using computers beside her phone, she never bothered to ever copy any images from it to a safer place, so several hundred photos of friends&family would be lost :-/
Best Answer
There is no standard or "built-in" way to tell an SD card to give you the raw NAND data.
This is speculation, but the microcontroller in SD cards probably implements some sort of Physical-Block-Address to Logical-Block-Address mapping, in order to do wear leveling. This PBA to LBA table is probably stored on NAND just like the actual data, is relatively small, probably keeps track of free blocks, and could indeed be overwritten in seconds.
If you desolder the NAND or solder external wires to it, find out what type of NAND it is, and rig some sort of interface to your PC you can dump the raw contents. You are facing a difficult reverse engineering task even after doing this as the format of the data is probably unique to the microcontroller on the SD card, and I couldn't imagine where you'd even begin to look for that information.
You may find this interesting, but probably not very useful. It seems that that SD cards have the equivalent of SCSI "Vendor Specific Commands" that are used to update firmware on the SD microcontroller. So theoretically it would be possible to upload a custom or modified SD microcontroller firmware that responds differently to read/write requests. Still, you'd only get to the same point described above. I don't know of any SD microcontroller custom firmwares or projects that actually exist.