Smartphone Recovery Modes: Features and Security Explained

Waking the Dead: Exploring the Capabilities and Security of Smartphone Recovery Modes

Have you ever tried to revive a “bricked” phone? Depending on the platform, manufacturer, and device model, the process can range from “just press a button” to “it’s easier to throw it away.” Before you start, you need to consider the availability of flashing tools, whether firmware images are publicly accessible, the complexity of the procedure, and the risk of permanently damaging your device. In this article, we’ll look at the specifics of firmware recovery on various devices.

Apple iTunes: DFU and Recovery Modes

Let’s start with how firmware recovery works on Apple smartphones and tablets. The process in the Apple ecosystem is straightforward, well-documented, and user-friendly. Much the same is true of Windows Mobile smartphones, although Microsoft’s tooling is less predictable in practice.

iOS devices have two main recovery modes: Recovery Mode and DFU (Device Firmware Update) Mode.

  • Recovery Mode is higher-level, well-documented, and designed for end users. It loads iBoot, which controls the flashing process. In this mode, you can either completely reinstall the firmware (wiping user data) or just overwrite the system partition (useful for removing jailbreak traces so the device can receive OTA updates). iBoot can be updated by Apple.
  • DFU Mode is low-level, similar to EDL (Emergency Download Mode) on Android. No part of iOS loads; only code hardwired into the chipset runs, which checks the digital signature of the firmware image and writes data only if the signature matches. DFU works even if the storage is completely blank. However, this code cannot be updated—if a vulnerability is found in it, it can’t be patched. This is what happened with the iPhone 4: a flaw in that unpatchable code allowed data extraction regardless of the lock code, and even running custom Android builds on the exploited device.

Apple recommends using Recovery Mode if:

  • iTunes doesn’t recognize your device or says it’s in recovery mode;
  • The Apple logo has been on the screen for several minutes with no progress bar;
  • You see the “Connect to iTunes” screen.

But Recovery Mode can also help if:

  • The phone is locked and you don’t know the passcode. Recovery Mode lets you erase the passcode (but you’ll need the Apple ID password to activate the phone; this can be reset if you have access to the linked email or phone number, but not the lock code itself);
  • The phone is in USB Restricted Mode, blocking USB communication. Recovery Mode lets you get basic device info and reset to factory settings;
  • The phone is disabled after too many incorrect passcode attempts (often by a child) and shows the “Connect to iTunes” message. The message is misleading: if the device is also in USB Restricted Mode, simply connecting it to iTunes is not enough and you need Recovery Mode;
  • The device can’t install OTA updates or has been jailbroken. Recovery (without data loss) can remove jailbreak traces. In severe cases, a full factory reset via Recovery may be needed for stability.

To enter Recovery Mode:

  • iPhone 8 and newer: Quickly press and release Volume Up, then Volume Down, then press and hold the Side button until the “Connect to iTunes” screen appears.
  • iPhone 7/7 Plus: Press and hold the Side and Volume Down buttons together until the “Connect to iTunes” screen appears.
  • iPhone 6s and earlier, iPad, iPod touch: Press and hold the Home and Top (or Side) buttons together until the “Connect to iTunes” screen appears.

DFU Mode is not officially documented by Apple. Each device has its own button sequence, and timing is critical—hold a button too long or too short, and the device will just reboot instead of entering DFU. Detailed steps for each model can be found in guides like “Everything about iOS DFU and Recovery Modes.”

In DFU Mode, the screen stays black. To check if you’re in the right mode, launch iTunes—if it says a device in recovery mode is detected, you’re set. iTunes will then offer to restore or update the device. “Update” tries to reinstall iOS without erasing data; “Restore” wipes everything. iTunes will automatically download the needed firmware from Apple, but you can use a downloaded IPSW file by holding Shift while clicking “Update” or “Restore.” The same IPSW file is used for both Recovery and DFU modes.

However, you can’t install just any iOS version—even with the right IPSW. Apple controls which firmware versions can be installed, usually only allowing the latest version. After a new iOS release, there’s a short window (about two weeks) when you can install the previous version. Once Apple stops signing it, only the latest version can be installed.

If your device had a beta iOS version and you want to revert to the release, you can install the previous version if it’s still signed. There’s no anti-rollback protection; if Apple signs the firmware, it will install (downgrading erases user data; upgrading or reinstalling the same version may not).

You can also downgrade to any iOS version if you saved SHSH blobs when that version was still signed. If you know about this, you probably know more about Recovery Mode than the author!

Can you do all this without iTunes? Some third-party (mostly Chinese) programs can do things iTunes can’t (like uploading a music folder directly). Some, like iPhone Manager, can flash firmware in Recovery Mode. However, you’ll still need the drivers that come with iTunes. These apps either include their own (sometimes unauthorized) drivers or download them after installation. In most cases, there’s little reason to use these apps over iTunes for firmware recovery.

Android: A Mixed Bag

Firmware recovery on Android smartphones is… diverse. This isn’t just because of the many modes and protocols, but also the different approaches by manufacturers. Few OEMs publish official firmware images, and finding images for emergency modes is even rarer. Here are the main methods:

Full OTA Packages for Stock Recovery

Unlike incremental OTA updates, a full OTA package updates the system to the latest version regardless of what was previously installed. Not all manufacturers offer full OTA packages, and they’re not available for all models. The advantages are simplicity, no need to unlock the bootloader, and data is preserved. The downside: you need a working phone that can boot into stock Recovery. If Recovery is corrupted, this method won’t work. Some third-party tools can download full OTA packages from manufacturer servers for popular models.

Fastboot Packages for Unlocked Bootloaders

These are usually flashed with a full factory reset, but sometimes you can keep your data. The benefit is full control over which partitions are flashed (e.g., to remove root access, you might just flash a clean kernel or system partition). The downside: most devices require an unlocked bootloader for Fastboot flashing (with rare exceptions, like the BlackBerry Priv). Not all manufacturers allow bootloader unlocking, and some impose harsh conditions—voiding warranty or destroying DRM keys. So, relatively few devices support Fastboot recovery.

Fastboot operates at the bootloader level, before the kernel loads. In a “soft brick” state, Fastboot is more likely to work than Recovery. However, flashing an incompatible bootloader can “hard brick” the device, requiring EDL mode for recovery. Few manufacturers provide Fastboot images.

Deep Flash Modes from Chipset Manufacturers

Chipset makers provide reference protocols for firmware recovery. Qualcomm devices use EDL (Emergency Download Mode, aka 9008 mode). MediaTek devices use their own protocol, accessible via SP Flash Tool. These protocols run code hardwired into the chipset, so they don’t need data from the device’s storage—allowing recovery even if Fastboot isn’t available.

Flashing via EDL requires special packages and files for the flashing tool, specifying memory addresses for data. On Qualcomm devices with reference designs, you can usually enter EDL by turning off the phone, holding a volume button, and connecting to a PC. The device should appear as Qualcomm HS-USB 9008 in Device Manager. If not, you may need to install the right driver.

On newer devices, EDL may require shorting specific USB contacts or using a special “EDL cable” (deep flash cable). On the latest devices, EDL may require access to the motherboard, meaning you’ll have to disassemble the phone.

Fun fact: EDL mode works the same way on Alcatel Idol 4s/4 Pro phones running Windows 10 Mobile as on their Android counterparts. Android flashing tools also work for Windows models.

Manufacturer-Specific Flashing Tools

Some manufacturers provide their own flashing tools, using EDL or proprietary protocols. Samsung, LG, Sony, Xiaomi, and others have such tools (sometimes requiring different versions for different models). These tools may have a firmware recovery mode, depending on the manufacturer and model. Usually, the tool will either switch the device to the right mode automatically or provide instructions.

What Does Your Manufacturer Support?

There’s no universal standard for Android firmware recovery. Even full OTA images may or may not be published, let alone low-level files.

  • Google Pixel: Fastboot and full OTA images are available for flashing via Recovery without unlocking the bootloader. However, this may not be enough—if the bootloader is locked and the device won’t boot, you may be stuck. Google does not publish EDL images.
  • Samsung: Odin (official, for service centers) and Heimdall (open source) use Samsung’s proprietary Odin protocol, supported on all devices regardless of chipset. Odin works at a higher level than EDL. If the bootloader is damaged, Odin may not help. Some Samsung phones (e.g., Galaxy S8 on Exynos) allow bootloader unlocking via a simple setting, with no data wipe.
  • OnePlus: Publishes Fastboot images (for unlocked devices) and Recovery images (for region switching or updates without unlocking). EDL tools are also available, enabling exploitation of certain vulnerabilities.
  • Motorola: Some models have full OTA images for updates without unlocking. Official Fastboot images are not provided, but can sometimes be found unofficially.
  • LG: Has its own recovery mode, independent of chipset. The proprietary protocol works over EDL and allows two-way communication. Full OTA images are available for stock Recovery. Fastboot images are rare. EDL images (for LG UP) can be found and allow region switching and flashing between carrier and generic firmware.
  • Xiaomi: Publishes images for stock Recovery (full OTA) and Fastboot (for unlocked devices). Older devices can be flashed via EDL with an EDL cable. Newer devices with regional firmware locks require special permission from Xiaomi to enter EDL mode.
  • Sony Xperia: Offers both official and third-party recovery tools, usually without needing to unlock the bootloader. Some models allow region switching, which can restore features (e.g., fingerprint sensor on North American Xperia XZ Premium). Unlocking the bootloader destroys DRM keys, preventing full factory restoration.
  • Many Chinese phones (especially with MTK chips): Support SP Flash Tool, and firmware images are easy to find on forums.

Windows 10 Mobile

In theory, firmware recovery on Windows 10 Mobile devices is straightforward. In practice, it’s often needed more than you’d like. Most Windows 10 Mobile phones are made by Microsoft and use Qualcomm processors. The Microsoft Windows Device Recovery Tool (WDRT) uses the standard Qualcomm 9008 EDL protocol, theoretically allowing a full factory restore.

WDRT flashes the device to its original factory firmware, not the latest version. Microsoft doesn’t control firmware versions, and there’s no anti-rollback protection, which can sometimes bypass Find My Phone theft protection (available only on US models).

The process is simple: connect the device, select the model, let the app download and flash the firmware. However, WDRT works reliably only for Microsoft-made devices that shipped with Windows 10. Attempts to recover older models (like Nokia 930) can result in a completely dead device. Sometimes, the recovery image lacks the correct cellular firmware, breaking phone functionality. In such cases, manually updating to the latest Windows 10 Mobile build is the only fix.

For the Alcatel Idol 4s (Open Market, Snapdragon 820), WDRT downloads the firmware but refuses to install it due to a model ID mismatch. Users on XDA developed a workaround:

  1. Use WDRT to download the factory firmware.
  2. Follow WDRT’s instructions to enter EDL mode (disconnect, power off, wait 10–15 seconds, reconnect while holding a volume button).
  3. WDRT will refuse to flash; follow the XDA guide to manually flash the firmware using emmcdl.exe and the required files.

Imagine if an iPhone required this kind of “ritual” to reflash!

Bonus: BlackBerry 10

BlackBerry 10, based on QNX, powered a range of devices from the Q10 to the Passport. Firmware could be restored or updated using “autoloaders”—executable files containing everything needed for flashing, including the OS and radio firmware. The autoloader automatically puts the device into EDL mode and flashes the software—no need for extra tools or button sequences. Only properly signed files can be flashed, making the process secure. You can also build custom autoloaders from different components or install .BAR apps via Sachesi (again, only signed files are accepted).

Modern BlackBerry phones are Android-based and made by third parties. Their “autoloaders” are just Fastboot file packages.

Security of Recovery Modes

Let’s look at the security of your data and its accessibility via various recovery modes.

Apple iOS

iPhone is the simplest case. Both Recovery and DFU modes expose extremely little about the device. Between the two modes, the most you can obtain is:

  • Device model (e.g., iPhone7,2, iPhone10,6)
  • ECID / Unique Chip ID
  • Serial number (only in Recovery Mode)
  • IMEI (not available in DFU; sometimes in Recovery)
  • Mode indicator (RECOVERY or DFU)

Example DFU data:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: N/A
IMEI: N/A
MODE: DFU

Example Recovery data:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXX
IMEI: XXXXXXXXXXXXXXX
MODE: Recovery

That’s it—no access to the encrypted data partition.
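To make the difference in exposure concrete, here is an added Python example (not code from the article) that parses the USB serial-number descriptor an iPhone presents in DFU and Recovery modes into the fields listed above. The space-separated KEY:VALUE layout, the bracketed SRNM/IMEI/SRTG values and the product IDs 0x1227 (DFU) and 0x1280–0x1283 (Recovery) are the well-known ones that tools such as libirecovery rely on; the two sample descriptors are constructed and do not belong to any real device.

```python
import re

# Apple's vendor ID is 0x05AC; these well-known product IDs (not from the
# article) tell the two modes apart: 0x1227 is DFU, 0x1280..0x1283 are Recovery.
APPLE_PID_DFU = 0x1227
APPLE_PID_RECOVERY = range(0x1280, 0x1284)

# Both modes publish a space-separated "KEY:VALUE" string as the USB serial-number
# descriptor; the SRNM, IMEI and SRTG values are wrapped in square brackets.
_FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")

# Constructed sample descriptors (no real device): SecureROM fills only SRTG,
# iBoot adds SRNM and IMEI, which is why the DFU dump above shows them as N/A.
DFU_SAMPLE = ("CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:04 "
              "ECID:0000A1B2C3D4E5F6 IBFL:3C SRTG:[iBoot-2234.0.0.3.3]")
RECOVERY_SAMPLE = ("CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:04 "
                   "ECID:0000A1B2C3D4E5F6 IBFL:3D SRNM:[DNPSAMPLE001] "
                   "IMEI:[350000000000000]")


def parse_iboot_string(usb_pid: int, descriptor: str) -> dict:
    """Return the identifiers exposed over USB; None marks fields the mode withholds."""
    if usb_pid == APPLE_PID_DFU:
        mode = "DFU"
    elif usb_pid in APPLE_PID_RECOVERY:
        mode = "Recovery"
    else:
        raise ValueError(f"not an Apple DFU/Recovery product id: {usb_pid:#06x}")

    fields = {k: v.strip("[]") for k, v in _FIELD_RE.findall(descriptor)}
    if not {"CPID", "BDID", "ECID"} <= set(fields):
        raise ValueError("descriptor lacks CPID/BDID/ECID; not a SecureROM/iBoot string")
    # SRNM/IMEI come from iBoot only; seeing them behind a DFU PID is inconsistent.
    if mode == "DFU" and ("SRNM" in fields or "IMEI" in fields):
        raise ValueError("DFU descriptor unexpectedly carries SRNM/IMEI")

    return {
        "mode": mode,
        "cpid": int(fields["CPID"], 16),   # chip ID, e.g. 0x8003 = A9
        "bdid": int(fields["BDID"], 16),   # board ID within that chip family
        "ecid": int(fields["ECID"], 16),   # unique chip ID used in SHSH/TSS requests
        "serial_number": fields.get("SRNM"),
        "imei": fields.get("IMEI"),
        "securerom_tag": fields.get("SRTG"),
    }


if __name__ == "__main__":
    for pid, sample in ((APPLE_PID_DFU, DFU_SAMPLE), (0x1281, RECOVERY_SAMPLE)):
        print(parse_iboot_string(pid, sample))
```

Running it on the two constructed descriptors reproduces the article’s observation: the DFU result carries only chip identifiers and the ECID, while the Recovery result adds the serial number and IMEI, and neither reveals anything from the encrypted data partition.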
