First to clarify root
and data
:
- Root directory
/
of Android devices is a read-only pseudo (temporary) filesystem (rootfs
) that lives in RAM and is vanished when device is powered off. When device is powered on, it's again extracted from initramfs
that lives in boot
partition along with kernel.
On newer devices with system-as-root, system
partition is mounted at root /
.
/data
directory is a mountpoint, where largest partition, usually named userdata
is mounted. This partition contains all user apps, their data (settings, databases, caches, temporary files etc.), system apps' data and all other configurations we make through Settings
. /data/media/0
is the directory that we see as /sdcard
or /storage/emulated/0
through emulation.
... there was a file in the /data directory which I need. Is it possible to create an image (.img or something similar) of the root directory ...
If a file is deleted from /data
, you need to create a dump of data
partition, not that of root directory.
You can do that in multiple ways described below. All require root access.
But first of all, see this answer to make sure your data is recoverable.
In short, recovery is more or less possible only if (1):
- Your deleted data hasn't been
TRIM
med or discard
ed.
- And you haven't done a factory reset on encrypted
/data
partition.
What you should do immediately:
- Switch off phone to make sure the deleted data isn't overwritten.
- Don't install data recovery apps on device, it can do more harm than good.
- Mount the filesystem (if required) in recovery mode (or on PC) only with
ro,nodiscard
options.
FINDING BLOCK DEVICE:
In order to access the userdata
partition, you need to find its block device. If you have root access, you can do so from mounted partitions:
~# mount | grep 'on /data'
/dev/block/mmcblk0p... on /data type f2fs (rw,nosuid,nodev,...)
On Qualcomm devices, it's located at /dev/block/bootdevice/by-name/userdata
(symlink). For MediaTek (MTK
) and other SoCs, the path is slightly different. You can find all block devices or by-name
directory using find
command:
~# find /dev -type b
~# find /dev -type d -name 'by-name'
Or by hit and trial:
~# ls -d /dev/*/by-name
~# ls -d /dev/*/*/by-name
~# ls -d /dev/*/*/*/by-name
Note:
CREATING PARTITION DUMP:
DISK DUMP (dd
)
Once the block device is known, you can use the dd
command from:
- ADB shell (OS or custom recovery)
- A terminal emulator app like Termux
Since the userdata
partition is the largest partition (all other partitions are hardly using 5GB out of total storage), you can't dump it to your internal memory. An external SD card with larger capacity is needed.
To create the dump:
~# dd if=/dev/block/bootdevice/by-name/userdata of=/path/to/ext_sdcard/data.img
ADB
If you don't want to use an external SD card, you can also dump the partition directly to PC. First you need a working adb
setup, running as root. Then it can be used in multiple ways:
~$ adb exec-out dd if=/dev/block/bootdevice/by-name/userdata > data.img
* Make sure your adb
binary (on Windows or Linux) supports exec-out.
But you may end up with corrupted data when writing a whole large-sized partition to STDOUT
of terminal because there are issues with line break types (CR
and LF
). Also STDOUT
or STDERR
from the programs involved could possibly be added to the file if not directed to /dev/null
. Even a single wrong byte may render filesystems un-mountable. See this question for reference.
To avoid unwanted characters, use stty raw
and/or dos2unix
:
~$ adb shell 'stty raw && dd if=/dev/block/bootdevice/by-name/userdata' > data.img
But the most straightforward way is:
~$ adb pull /dev/block/bootdevice/by-name/userdata data.img
See this answer for more details.
STREAM OVER TCP
To avoid the terminal-related complications described above or if for some reason adbd
cannot be run as root, it's also possible to create a minimal TCP server for data transfer. Forward the port from phone to PC and run a netcat
TCP server in listening mode:
~$ adb reverse tcp:1024 tcp:1024
~$ nc -v -l -p 1024 </dev/null | pv -ab >data.img
On phone:
~# cat /dev/block/bootdevice/by-name/userdata | busybox nc 127.0.0.1 1024
USB TETHERING (RNDIS)
To avoid using ADB at all, USB tethering can be used to provide network connectivity:
~# cd /sys/class/android_usb/android0
~# echo -n 0 >enable
~# echo -n rndis,adb >functions
~# echo -n 1 >enable
* You may also change other files like {
iSerial,iProduct,iManufacturer
}
and f_rndis/{
ethaddr,manufacturer,wceis,rndis_transports,max_pkt_per_xfer
}
in the above directory if required.
* On new devices you might need to use /config
interfaces instead of /sys
. Some relevant hints here.
Add IP address:
~# busybox ip rule add lookup main
~# busybox ip address add 192.168.1.1/30 dev rndis0
~# busybox ip link set rndis0 up
On PC add IP manually (there's no DHCP server):
~$ sudo ip address add 192.168.1.2/30 dev usb0
~$ nc -v -l -p 1024 </dev/null | pv -ab >data.img
On phone:
~# busybox nc 192.168.1.2 1024 </dev/block/bootdevice/by-name/userdata
In the same way it's also possible to use rclone rcat
to transfer the dump over WebDAV or FTP or SFTP. See How to stream an encrypted backup of the entire device to remote host?
USB MASS STORAGE (UMS)
This method is useful if you don't want to create a dump of the partition, but instead access partition directly on PC. See my answer to Why can't I see Android storage as a partition on PC? for methods on how to enable UMS thorough /sys
or /config
interfaces.
Once done, userdata
will appear as a partition on Linux PC just as we connect a USB drive. If /dev/sda
is the hard disk drive, usually /dev/sdb
will be the userdata
partition. You can find that by using blkid
command:
~# blkid | grep userdata
/dev/sdb: PARTLABEL="userdata" PARTUUID="..."
You can run recovery programs directly on the block device or mount the filesystem (if needed) or may also create a dump.
HOW TO RECOVER DATA?
There are basically two ways to recover deleted data as mentioned in this answer: carving method and through the filesystem.
Recovery tools mostly don't need mounting filesystems but if it's required, it needs to be done on Linux PC because Windows doesn't support ext4
or f2fs
natively, hence the tools aren't easily available AFAIK.
If anyone has been able to successfully make block/journal level access to Linux/Android filesystem for data recovery on Windows through Ext3Fsd or any other driver, let me know so that I can update the answer.
On Linux you can use tools like extundelete to recover data using filesystem journal:
~# extundelete --restore-all data.img
Or to recover data directly with UMS:
~# extundelete --restore-all /dev/sdb
Since you have done a factory reset which erases the filesystem, consider carving method using tools like TestDisk or scalpel
:
~# testdisk data.img
In the same way you can use any other data recovery tools. See the ArchWiki on File Recovery for more details.
RELATED: