Physical Extraction (EDL Hack)

Physical Extraction (EDL Hack)

There is a way of extracting physical images from phones with Qualcomm chipsets without root access (rooting the phone). 
This exploit method does not work on all Qualcomm-equipped devices.

MOBILedit Forensic Express has implemented this feature and will guide you through the process as shown on the screenshots below:

1. On the main screen click on "Hack phone"
2. Choose "Get physical dump from phone using EDL"


3. Select the type of connection and way how to switch the phone to EDL mode, then click "Next"


The best option is to select the connected phone with Automatically send adb command if it is supported. 
If you have the phone in the EDL mode already, select the direct connection. 
Use the "Manual reboot to EDL" option only if you have to hold the button combination to reboot the phone into EDL.

4. The screen below will display


5. The screen with the list of programmers will display.
The MOBILedit Forensic Express will auto detect the best EDL programmer for connected phone. Now simply click "Next".


You can use your own downloaded programmer, by clicking on "Custom programmer".

6. MOBILedit Forensic Express will continue with loading the programmer into connected device.


7. You will then be asked to select a location on your disk, where the physical image will be stored. Please note that the physical image is as large as the full phone´s storage.
8. The extraction will start right after. 


9. You can see the physical image being extracted on this screen. This may take a while depending on the amount of data stored in your device. 


After the extraction has finished, you will be able to find the IMG file at the destination location you have chosen. 

List of supported devices


Google Nexus 5 (Button combination: Volume UP + Volume Down + Power. When display goes off, release Power. After few seconds release remaining buttons)
Google Nexus 5X (with EDL cable)
LG G3 S
LG G4
Nokia 6
Nokia 5 (with EDL cable)
Nexus 6
Nexus 6P
Moto G4 Plus
OnePlus 5
OnePlus 3T
OnePlus 3
OnePlus 2
OnePlus X
OnePlus One
ZTE Axon 7
ZUK Z1
ZUK Z2
Xiaomi Note 5A
Xiaomi Note 5 Prime
Xiaomi Note 4
Xiaomi Note 3
Xiaomi Note 2
Xiaomi Mix
Xiaomi Mix 2
Xiaomi Mi 6
Xiaomi Mi 5s
Xiaomi Mi 5s Plus
Xiaomi Mi 5x
Xiaomi Mi 5
Xiaomi Mi 3
Xiaomi Mi A1
Xiaomi Mi Max2
Xiaomi Redmi Note 3
Xiaomi Redmi Note 4G (with EDL cable)
Xiaomi Redmi 5A
Xiaomi Redmi 4A

With release of the MIUI 8.0 was the EDL access with using the adb command "adb reboot edl' suspended.
For some cases might also work adb command "fastboot oem edl" for this you will need an unlocked bootloader.

Additional information sources


Test points for the Xiaomi devices:  http://en.miui.com/thread-638042-1-1.html 

Additional articles about EDL and advanced methods:





    • Related Articles

    • Physical extraction

      MOBILedit Forensic Express can perform physical extraction to create a bit-by-bit image of the data in the phone. Please note: physical acquisition and analysis is available only in the unlimited phone license; the single-phone license does not ...
    • Physical Extraction (MTK Hack)

      There is a way of extracting physical image from phones with MediaTek chipsets without root access (rooting the phone).  This exploit method does not work on all MTK-equipped devices, but sometimes it is the only way of acquiring the physical image ...
    • Physical Extraction (LG Hack)

      The "LG Hack" feature works on all LG smartphones with the new version of LG LAF protocol (this is a service download mode similar to Samsung Odin download mode) One of the first devices to feature this version was the first LG G flagship. Every LG ...
    • Rooting a device (Dirty cow)

      If you have a device that has an Android version up to 7 then you can try to root your device with a Dirty cow exploit. This is a temporary root and will be gone once you will restart your device 1.       Click on "Hack phone" and choose "Root using ...
    • Data - data extraction log

      Following tab displays information about ongoing extraction: if you select the Data Extraction Log option in the Specific selection, you will get a brief resume of the extraction tab in your report as well: