Can You Read iPhone Data Off the Memory Chip?

What does it take to recover iPhone data? 

Can you just read the data from the memory chip?

Many of our incoming requests ask us to fix their phone if we can, but if not possible then *JUST* get the data.  If only it were that easy!  

The sad answer to "Can we just read the data from the memory chip?" Is Yes,'s gibberish.

We all know that there must be some sort of memory chip on the iPhone, and indeed there is!  The flash memory storage chip, or NAND chip, is about the size of your thumbnail.  The NAND acts like the hard drive of the phone and contains all of the user data.   It isn't a huge deal to desolder the NAND chip and there are many inexpensive NAND readers out there that you can plug the chip into and read it.   But then what?

Your data is stored on the NAND as gibberish--it's encrypted.  And this actually makes good sense! 

Our phones have become our miniature handheld brains.  They contain all of the important details of our lives.  Our photos, calendar, bank information and browser history are all written to the NAND flash memory.   What would data security look like if it really were as simple as just reading those details directly off the NAND in plain text?  What would it take to simply grab your phone, unscrew the logic board, pop off your NAND chip and read it?  It would take about 15 minutes and total equipment costs that come in under the price of a nice vacation.  Not having encryption of the stored data isn't that far from not having a passcode at all.

In order to keep our data secure, Apple engineers have developed pretty amazing security architecture on your iPhone that you can read about in glorious details in the public Apple security document here. 

Your data is stored on the NAND in an encrypted form using the Advanced Encryption Standard (AES).  This is the exact same cryptographic magic that is deemed robust enough by the NSA to encode US top secret government transmissions. 

The time it would take for modern supercomputers working at top speed to break the encryption would exceed several human lifetimes.   It is widely accepted within the cryptography community that the AES encryption is secure.      For this reason, there is no "just" get the data from the NAND flash memory.   We can read it, but your mom's special guacamole recipe that you saved is gibberish without the native decryption process. 

You Have to Get the iPhone to Boot and Decrypt the Data Naturally.

If you wonder, how does the data get decrypted and presented natively as you effortlessly flick from saved picture to saved picture on your phone? 
The answer is a remarkable dance.  It starts with unique keys tattooed within the hardware chips themselves.  These silicon fingerprints can't be read directly by software or firmware.  The Unique ID marries YOUR CPU to YOUR NAND so that neither can simply be swapped.  Stemming from these immutable electrical keys and built-in AES engines are an array of software checks, double-checks, and verifications.  There are keys generated just to unlock other keys, fail-safes, protections, and isolation of secure processes that will make your head spin. 

The nutshell is that the ONLY path to meaningful data for iPhones is making them dance the dance.

We have to make the phone work again *enough* to boot into the iOS and accept your passcode.  This is the method that ALL data recovery companies use to attempt to get your data.  If the phone can't be fixed to boot into the iOS, then the data is not recoverable.  Reading ones and zeros from the NAND only results in a big pile of ones and zeros.

Let's talk about the Data Dealbreakers.

With the goal of getting the phone to work again, you'd be amazed how many phones can be recovered through experienced diagnosis, and competent motherboard microsurgery to correct hardware problems.  However, to avoid the data dealbreakers, the phone must have:

1.) A working CPU

Let's look at the hardware side. From the Apple security document: "When an iOS device is turned on, its application processor immediately executes code from read-only memory known as Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted."   Let's put that in our own words.  Every iPhone's CPU chip is unique.  The processor itself has a special unique key burned into the silicon die of the chip during manufacture.  A CPU can't be replaced because we can't duplicate that randomly generated unique code.  This makes the CPU one of the data recovery dealbreakers---Your native CPU MUST BE FUNCTIONAL in order for your data to be decrypted.  The CPU itself is heavily protected from water, but it is very susceptible to electrical damage.   One of the most difficult parts of our job is telling families that their chance at data recovery was ruined because someone put too much heat on their CPU resulting in electrical death from bridged solder ball connections under it.  In some models, like the iPhone 7/7p, the CPU is also very susceptible to drop damage.

2.) An undamaged NAND flash memory chip / No Permanent Software corruption. 

Like the CPU, the NAND is impervious to water.  However, it can get physical damage from drop or bend.  We can correct loss of physical connection between the NAND and it's partner CPU, but we can't correct software corruption.  While most phones are recoverable, the ones that are not are generally in this category.  The structure of the data must be intact and readable.  Phones with dealbreakers in this category are often ones that are autobooting to DFU or recovery mode out of the blue, failed in the middle of an update,, can't pass an update despite no hardware problem etc.  The immense pressure of the iPhone design teams to prioritize security over all else generate the side effect of data loss whenever anything goes wrong at the software level. 

Through experience, diagnostics, and extreme microsurgery, we can identify and correct almost any hardware problem as long as the unique chips (NAND, CPU, EEPROM) are intact and functional.  However, some phones have uncurable software corruption.  For example, a phone that is living with a water damaged battery can accrue battery data errors in the NAND flash memory that ultimately results in an inability of the system to communicate with the NAND--much as if error messages simply consumed all the available space.   In cases like this, the problem is WITHIN the user data partition.  We know that simply erasing the user data in those cases will lead to a fully functional phone after the initial hardware faults are corrected.  These problems are less common, but when they do occur the data is not recoverable with today's technology.  

3.) An intact EEPROM chip.

The tiny rice-sized EEPROM chip is just as important as the big CPU for data recovery.  This little chip has a big job---it creates virtual walls that prevent access to user data after "anti-replay" events such as passcode change.   In short---the unique little EEPROM dude has gotta be there.  We have solved phones that can't boot into the iOS because of water damage corrosion eating away one of the 0.2 mm solder balls that connect the EEPROM chip to the logic board by desoldering, reballing, and reinstalling the EEPROM.  Similarly, we have solved phones that had flexion-damage that separated the CPU's connection to the EEPROM by drilling into the CPU itself and soldering thin neurons made of delicate wire to the die of the CPU to restore the connection.  But we have also seen phones with prior repair attempts that have carelessly smashed, or simply discarded the oh-so-important EEPROM.

4.) The correct passcode.

Once the damaged logic board has had enough surgery to boot into the iOS, the software-side of data protection all hinges on the passcode.  WE REQUIRE THE CORRECT PASSCODE for data recovery.  Many of us that routinely use biometrics like fingerprint sensor and FaceID to unlock our phones forget that these are just convenience tools to save you the trouble of entering that passcode.  But in a data recovery situation, the biometrics won't work.


Fingerprint can't help you get into a locked phone for data recovery.

The device will not allow you to use biometrics if any of the following situations exist.  You will have to enter the correct passcode to unlock the device.  By the time a device is in need of data recovery, one of the following almost always will exist.

 •The device has just been turned on or restarted.
•The device hasn’t been unlocked for more than 48 hours.
•The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and a biometric hasn’t unlocked the device in the last 4 hours.
•The device has received a remote lock command.
•After five unsuccessful biometric match attempts.
•After initiating power off/Emergency SOS.



What about phones that are Disabled after too many passcode attempts?

In the past, disabled phones were considered "unrecoverable" but today there are a few limited options.  

If a phone has connected to a computer in the past, the trust certificate stored on that computer *may* allow the device to give you one more crack at the passcode.  Force the phone to recovery mode, and attempt to update the software (not restore) in iTunes.  When the phone passes update, you may be prompted to enter the passcode again.

If that doesn't work, then you may want to reach out to your local law enforcement agency.  The recently developed GrayKey device---contractually limited to criminal cases only can circumvent the software lock on a disabled phone.   The territory of passcode circumvention is tough to navigate.  Do we want others to have the peace of mind and closure that can be gained from access to our passcode locked phones when we are no longer around, or do we value personal privacy more?  As painful as it is to so many families, we REQUIRE the correct passcode and have not invested in passcode circumvention tools.

What is the chance that I can get my pictures back?

The answer is 'it depends'   For water damaged phones that have no prior repair attempt, our success rate is close to 100%.   When a phone has already had previous repair attempts the chance of success goes down.    Phones with no drop or bend that are auto-booting to recovery or DFU mode and failing software updates have only a slim chance that their problem is anything other than an incurable software corruption that does not have a repairable hardware component failure.  Our favorite problems are sudden onset "phone just died", stopped working while on charger, and "phone got hot" all point to our favorite problems--curable hardware defects!

Got a case you want to run by us?

Give us a call, we always love to talk data recovery.  585 397 4174
Or better yet, Check out the details of our iPhone Data Recovery Service

Broken Phone or iPad
Copyright © iPad Rehab 2020 - All rights reserved
Website Design by Scriptable Solutions