I’m looking for a way to dump raw data from an entire phone or at least the sda block to a PC, using a method other than adb pull.

When I run adb pull /dev/block/sda sdaDump.img, it creates a dump file. To find what I need, I have to search through this raw data using a Hex Editor. If the dump comes from a fully functioning phone, I can usually find what I’m looking for because all the data is still intact.

However, I accidentally wiped the metadata partition on my phone, so the decryption keys/files are gone. Now, because of that, some folders appear empty when checked with TWRP’s File Manager, even though the actual files are still there.

If I create a dump now, the raw data in the file won’t be the same as when the metadata was present, and those folders weren’t showing as empty.

Running adb pull /dev/block/sda sdaDump.img now results in a dump where the Hex Editor shows zeroes (no data) where these files should be.

Is there any alternative method to create a raw data dump of the sda block or entire phone storage, that will capture that data as it is (not empty folders, but the data in them), even if it’s encrypted?

I don’t want to create the raw data dump onto the phone storage and then transfer it to a PC, but something that works like adb pull, in the sense that it pulls the data from the phone directly onto a PC.

Thanks a lot in advance to everyone!

  • TedvdB
    24 months ago

    Why do you still want to extract the encrypted data? Do you still have the encryption key somehow? Else even if you desolder the storage, manage to dump the raw bits, you won’t be able to get anything useful from it.

  • @lurker8008
    14 months ago

    The key here (ha!) is that you wiped the keys so the data should be irrecoverable.

  • @[email protected]
    04 months ago

    The alternative method would be to use professional equipment or send it to a data recovery specialist.

    Did my suggestion to use photorec in your last post not work? How do you even know that the runs of zeroes are where the files you’re looking for are? Encrypted data and uninitialized space look like random data, so any runs of zeroes are either valid data or something explicitly zeroed.
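
The distinction drawn in the last reply (encrypted or uninitialized space looks random, while runs of zeroes are valid data or explicitly zeroed) can be checked directly on a dump file. The following is an added example, not part of the thread: it maps an image into zero, random-like and structured regions. The 4096-byte block size, the 7.5 bits/byte threshold and the sample image are assumptions made for this example.

```python
import io
import math
import os
import sys
from collections import Counter

BLOCK = 4096  # assumed scan granularity; not a value from the thread

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    if block.count(0) == len(block):
        return "zero"          # explicitly zeroed, trimmed or never written
    # 4096 uniformly random bytes measure about 7.95 bits/byte,
    # so ciphertext lands well above this assumed threshold.
    return "random-like" if entropy(block) > 7.5 else "structured"

def scan(stream, block_size=BLOCK):
    """Return [start, end, label] runs of consecutive blocks with the same label."""
    runs, offset = [], 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        label = classify(block)
        if runs and runs[-1][2] == label:
            runs[-1][1] = offset + len(block)   # extend the current run
        else:
            runs.append([offset, offset + len(block), label])
        offset += len(block)
    return runs

def sample_image() -> bytes:
    """Constructed sample: plaintext-like, zeroed, then random-looking region."""
    text = (b"superblock-like plaintext structure\n" * 400)[:2 * BLOCK]
    return text + bytes(3 * BLOCK) + os.urandom(4 * BLOCK)

if __name__ == "__main__":
    # Pass a dump such as sdaDump.img as the first argument,
    # or run without arguments to scan the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(sample_image())
    for start, end, label in scan(src):
        print(f"{start:#012x}-{end:#012x} {label}")
```

Regions reported as random-like are consistent with ciphertext or uninitialized flash; the scan cannot tell those two apart, and it says nothing about whether the data is recoverable.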