Water-Damaged Phone Data Recovery: The Correct First 60 Minutes
More actions
π This article is maintained by PhoneRepair.biz's automated research assistant and checked against public sources. Last reviewed: 2026-07-01. Spotted a mistake? Report an error on the talk page β or just edit the article. Suggestions from readers are reviewed before going live.
| Recovery at a glance | |
|---|---|
| Difficulty | Beginner for the first-response steps; Expert for board-level extraction |
| Risk to data | High β powering a wet board is an irreversible point of no return |
| Time estimate | First 60 minutes are decisive; full recovery takes hours to days |
| Storage type | eMMC / UFS / raw NAND (BGA) |
| Device state | Must be powered OFF; recoverability also depends on BFU vs AFU and whether a passcode is set |
| Key tools | 99% isopropyl alcohol, ESD-safe workspace, precision drivers, plastic pry tools, soft brush; later: ultrasonic cleaner, hot-air/microscope, ISP/eMMC programmer, donor board |
Liquid intrusion rarely destroys the memory chip itself β it destroys the board around it through corrosion and short circuits. The single most important variable in whether a water-damaged phone's data survives is what happens in the first hour: specifically, whether anyone applies power to a wet board. This article covers the correct emergency response for the first 60 minutes, what a professional does next, and β honestly β what modern encryption makes permanently unrecoverable no matter how good the soldering is.
Overview
When a phone contacts liquid, two clocks start. The first is electrical: if the board is energized (powered on, or plugged in to charge), dissolved minerals and contaminants bridge circuit traces and cause short circuits that can vaporize traces, blow the PMIC, or kill the CPU. The second is chemical: corrosion begins almost immediately as water reacts with metals and flux residues, spreading under chips and eating through solder joints and traces over hours to days.
The correct first-60-minutes protocol is therefore counter-intuitive to most owners: do nothing that involves power, and get the liquid β and its dissolved conductive salts β off the board as fast as possible. Rice does neither and wastes the critical window. Once the board is stabilized, data extraction proceeds by the least-invasive method that works: booting the repaired phone normally, or if the board is dead, in-system programming (ISP) or chip-off of the memory.
Crucially, extraction is only half the job on any modern device. The raw bits on the flash are encrypted with keys bound to the original CPU/secure element, so recovery success is governed as much by cryptography as by soldering.
Applies to
- Brands / models: Any modern smartphone (Apple iPhone, Samsung Galaxy, Google Pixel, Xiaomi, OnePlus, Motorola, etc.). Techniques differ sharply by platform.
- SoC / platform: Qualcomm Snapdragon (EDL / Sahara / Firehose), MediaTek (Preloader / BROM), Apple A-series (DFU / proprietary), Samsung Exynos, Unisoc.
- Storage: eMMC (older/budget), UFS (most modern flagships), or raw NAND. All are BGA packages soldered to the board.
- OS & encryption: Android with File-Based Encryption (FBE) β default and hardware-backed since Android 7, aes-256-xts default since Android 11; older devices may use Full-Disk Encryption (FDE). iOS uses per-file class keys gated by the Secure Enclave (SEP).
- Required device state: Powered off after the incident is strongly preferred. Recoverability also depends on lock state β see Risk to data.
Risk to data
Be explicit with the device owner about the following. Several of these are irreversible:
- Applying power to a wet/corroded board is a point of no return. A short can destroy the PMIC, CPU, or the memory chip itself. If the memory or the CPU that holds the encryption keys dies, the data is gone permanently. Do not power on. Do not charge. Do not connect USB.
- Charging is the most common fatal mistake. Owners plug the phone in "to see if it still works." This is the worst possible action on a liquid-damaged board.
- Corrosion is progressive. Every hour the conductive residue sits on the board increases the chance of an open trace or lifted pad. Same-day cleaning dramatically beats next-week cleaning.
- Rice and heat are harmful, not neutral. Rice does not displace the conductive contaminants that cause corrosion; it wastes time and lodges debris in ports. Heat guns/ovens/hair dryers can drive moisture deeper and reflow/damage components.
- Encryption is a hard wall, not a soldering problem. Even a flawless chip-off yields ciphertext. Without the original, working CPU/SEP to release the keys, the dump is unreadable. See Success rate and limitations.
- Lock state matters (BFU vs AFU). In BFU (Before First Unlock) β e.g., after any reboot β passcode-derived keys are not in memory and essentially all user data (photos, messages, app data) is encrypted and inaccessible. In AFU (After First Unlock), more keys are resident and more data may be extractable. A phone that got wet while on and unlocked, and can be revived without a reboot, is a very different case from one that has since rebooted into BFU.
Tools and materials required
First-response (anyone, in the first 60 minutes):
- 99% (or β₯90%) isopropyl alcohol
- Clean, dry, lint-free cloth
- SIM-eject tool (to remove SIM and any microSD)
- An ESD-safe surface and, ideally, the ability to disconnect the battery
Professional board-level stage (specialist):
- Precision screwdriver set and plastic spudgers/pry tools for full teardown
- Battery-disconnect capability
- Ultrasonic cleaner and/or soft ESD brush; fresh 99% IPA
- Hot-air rework station, soldering iron, flux, microscope
- Boardview / schematic / service documentation for the exact model
- Multimeter / bench power supply with current limiting (for diagnosis)
- eMMC/UFS/ISP programmer (e.g., Medusa/Easy-JTAG/UFI-class tools), or platform tools such as bkerler/edl (Qualcomm) and mtkclient (MediaTek)
- A compatible donor board (for iPhone CPU/NAND/EEPROM transplant scenarios)
Prerequisites and safety
- Authorization first. Only work on a device you own or are explicitly authorized to service. Confirm the owner understands this is data recovery, not a warranty repair, and that it may fail.
- Battery hazard. Liquid-damaged lithium cells can be internally shorted, swollen, or hot. Do not puncture, bend, or heat them. If a battery is hot or swollen, treat it as a fire hazard.
- Work de-energized. The entire premise is keeping the board unpowered until it is clean and dry. Disconnect the battery before cleaning wherever the design allows.
- ESD discipline. Wrist strap and grounded mat.
- Set expectations honestly' before opening anything β see the success-rate section.
Step-by-step procedure
A. First 60 minutes (immediate response, no special tools)
- Power off immediately if it is still on. Do not "check if it works." If the device is off, leave it off.
- Do not charge and do not connect USB. Applying power to a wet board is the leading cause of permanent loss.
- Remove the SIM tray and any microSD card. These often hold recoverable contacts/media independent of the encrypted internal storage. Dry them separately.
- Wipe exterior liquid' with a dry lint-free cloth and pour out standing water from ports.
- If you can safely open the device and disconnect the battery, do so now β every minute of de-energized time reduces short-circuit risk. If you cannot, proceed to step 6 and move to a professional fast.
- Do NOT use rice, heat, ovens, or a hair dryer. They do not remove the conductive salts that drive corrosion and can cause additional damage.
- Get it to a board-level specialist the same day. Corrosion is progressive; the sooner the board is properly cleaned, the higher the recovery odds. If professional help is hours away and you are competent to open the device, the interim best practice is to disconnect the battery and flush visible liquid off the board with 99% isopropyl alcohol, then leave it disassembled and dry β never reassemble-and-test a still-contaminated board.
B. Professional stabilization (specialist)
- Fully disassemble; disconnect the battery first. Photograph connector positions.
- Assess corrosion under a microscope. Note white/green/blue-green residue, especially around the PMIC, charging IC, and under shields.
- Clean the board β submerge/scrub with fresh 99% IPA and/or run an ultrasonic cleaning cycle to displace water and dissolve conductive residue. Repeat with fresh alcohol until the board is visibly clean.
- Dry thoroughly (IPA evaporates fast; low-heat bench/preheater if used, kept well below reflow temperatures).
- Inspect for corroded/lifted components and open traces; perform component-level repair as needed (reflow/replace charging IC, PMIC, etc.).
C. Least-invasive extraction path
- Try a normal, controlled boot first. If the board is repaired, the cleanest recovery is simply booting the phone and copying data off, or making a normal backup. This preserves the AFU/decrypted state. Avoid unnecessary reboots β a reboot drops the device into BFU and can lock data away.
- If it will not boot but the CPU/eMMC subsystem is alive β use ISP. In-system programming solders directly to the eMMC/UFS test points (CLK, CMD, DAT0, VCC, VCCQ, GND) to read the raw flash while bypassing a dead power/boot path. Test-point locations vary by model β verify against the boardview/service docs; do not guess pinouts.
- Platform low-level modes (Android): Qualcomm devices can sometimes be read via EDL (9008) by loading a signed Firehose programmer over the Sahara protocol (tooling: bkerler/edl); MediaTek devices via Preloader/BROM (tooling: mtkclient). These read the partitions β they do not by themselves decrypt user data.
- Chip-off as a last resort. Desolder the BGA memory, reball, and read on a specialist programmer. This is destructive to the board and β on modern encrypted devices β usually only worthwhile if the encryption problem below can be solved.
D. iPhone-specific reality
Since the iPhone 5s, the SoC, NAND, and EEPROM are cryptographically paired at the factory. A blank replacement NAND does not recover existing data, and a bare chip-off produces data the Secure Enclave will not decrypt. The viable board-level path is to keep and repair the original CPU, or transplant the original CPU + NAND (+ EEPROM) together to a donor board while preserving that pairing β not to swap the memory alone. If the original CPU/SEP is dead, encrypted user data is effectively unrecoverable.
Verifying the result
- Confirm the extraction is complete and consistent: full-capacity image, valid partition table, and a mountable, decrypted filesystem (not raw ciphertext).
- Validate that user content actually opens β sample photos, the SMS/messages database, and app databases render correctly, not as garbage.
- Where possible, hash the image and work from a copy; never operate on the only extraction.
- For SIM/microSD, mount read-only and verify recovered contacts/media separately.
- Sanity-check timestamps and record counts against what the owner expects (e.g., "photos up to the day it got wet").
Success rate and limitations
Good news: liquid damage usually corrodes the PCB and its support ICs but rarely destroys the flash die itself. If the board can be revived or the memory read, the physical data often survives.
The hard limits β what is NOT recoverable:
- Encryption is the real gatekeeper. On modern Android (FBE, hardware-backed) and all recent iPhones (SEP), the flash contents are encrypted with keys bound to the original CPU/secure element and, usually, to the user passcode. A chip-off or partition dump without the original working CPU yields ciphertext only. This is why chip-off "works" on old/unencrypted devices and generally does not yield readable user data on encrypted ones.
- BFU vs AFU decides how much is even in reach. In BFU, essentially all user data is locked. If the device has rebooted since the incident, expect far less.
- A dead CPU/SEP can mean permanent loss even with a perfectly intact memory chip, because the decryption keys die with it.
- Passcode-strength wall. Where keys are passcode-derived, a strong unknown passcode can make data unrecoverable even in a lab. Reported TrustZone-implementation weaknesses on some older Qualcomm devices only help in a small minority of cases.
- FRP β data. Factory Reset Protection / activation locks are anti-theft account bindings β they are not the thing standing between you and the files, and legitimately clearing FRP does not decrypt anyone's data. Do not conflate the two, and do not pursue anti-theft bypass on devices you do not own.
Bottom line: physically, water damage is often survivable; cryptographically, recovery of a locked, rebooted, modern device may be impossible regardless of skill.
Common pitfalls and troubleshooting
- "I put it in rice / a hair dryer." Both waste the critical window and can add damage. Move to alcohol cleaning and a specialist.
- "I charged it to check." The most damaging mistake; may already have caused a short. Cleaning may still help β proceed, but odds drop.
- Reassembling and testing a still-wet board. Guarantees more corrosion/shorting. Clean and dry before any power.
- Unnecessary reboots during recovery. A boot into BFU can lock previously reachable data. Plan the extraction before powering.
- Guessing ISP test points. Wrong pads = lifted pads and a harder job. Always verify against the model's boardview/service docs; never fabricate coordinates.
- Chip-off on an encrypted device without a plan for keys. You will get an unreadable dump. Decide the decryption path first.
- Ignoring the SIM/SD card. Easy wins in contacts and media that don't touch the encryption problem at all.
- Overheating during drying/rework. Keep well below reflow temperatures; heat can drive moisture under BGAs and warp boards.
Legal and consent note
Only perform data recovery on devices you own or are explicitly authorized to service, with the owner's informed consent. Do not use these techniques to access data on a device you do not own, and do not employ methods whose primary purpose is defeating anti-theft protection (Activation Lock/FRP) on someone else's device. Chain-of-custody, jurisdiction-specific privacy law, and any applicable forensic standards apply when the work is evidentiary. When in doubt, get written authorization before opening the device.
Related articles
- ISP Data Recovery
- Chip-Off Forensics
- eMMC and UFS Storage Explained
- BFU vs AFU: Phone Lock States
- Android File-Based Encryption (FBE)
- Apple Secure Enclave and NAND Pairing
- Qualcomm EDL Mode and Firehose
- MediaTek BROM and mtkclient
- Board-Level Repair Basics
- FRP and Activation Lock: What They Are and Are Not
Sources
- Don't Put Your Device in Rice. Here's Why β iFixit
- Data recovery off water-damaged iPhone β iFixit Answers
- Forensic Chip-Off and ISP Recovery: Bypassing Secure Boot β DataCare Labs
- Data Recovery from a Dead or Encrypted iPhone/Android β DataCare Labs
- eMMC data recovery from a damaged smartphone β Dangerous Payload
- File-Based Encryption β Android Open Source Project
- BFU vs AFU: Phone Lock States and Digital Evidence β Lucid Truth Technologies
- Understanding AFU vs BFU in iPhone Forensics β SalvationDATA
- How To Recover Original Sysconfig Data from iPhone β Repair Wiki
- Reprogramming the NAND Flash and device ID on iPhone/iPad β iFixit Answers
- iPhone Data Recovery (dead & water-damaged) β Rossmann Group
- bkerler/edl β Qualcomm Firehose/Sahara/Streaming/Diag Tools (GitHub)
- bkerler/mtkclient β MediaTek Flash and Repair Utility (GitHub)
- Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals β Aleph Security
- Using the EDL (Emergency Download) Method β Oxygen Forensics
PhoneRepair.biz is a free community knowledge base. Data recovery and board-level repair carry a real risk of permanent data loss β when the data matters, back up any raw dump before modifying a device and consider a professional lab. Only work on devices you own or have documented authorization to service. See PhoneRepair:Legal notice.