February 19, 2012 – UPDATE

Recently I was directed to a link showing that a group in the UK has created a Python script to help us recover the swipe user lock code on locked Android devices; please see the announcement on the CCL-FORENSICS news page.

This is exactly the process I was looking at when I was acquiring the user data partitions from Android devices using the JTAG process. With the raw data recovered from the device through JTAG, the phone can be reassembled and the recovered user code entered on the device so that the forensic tools can perform their acquisitions. Thanks to CCL-FORENSICS, we now have a tool to run against this physical data dump. Thanks for sharing this, guys!

Happy JTAG’ing!

**********************************************

I am putting together an introductory JTAG course in time for the 2012 Mobile Forensics World in Myrtle Beach, and the full 5-day Advanced JTAG training will be rolling out in August through Teel Tech Training.

Sorry that I have been away for a bit; between family holidays, taking courses and teaching a number of Chipoff classes these past few months, I have not had the time to post anything to my blog. I am taking some time off travelling to return to R&D on physical acquisitions of cell phones. I will continue to find more solutions for the BGA chips in the Chipoff process; the classes are now reading chips from various phones such as Blackberry, iPhone, HTC, and the core LG/Samsung/Motorola phones. With that R&D on the side plate, I am now focussing on the JTAG process and have had some success with it. I would like to share a bit with everyone so you know that this process is another option for getting past the dreaded locked Android phones... enjoy!

Besides the challenges of keeping up to date with the iPhone OS updates and Blackberry passcodes, we are faced with the challenge of Android smart phones that are either passcode or pattern locked. If an Android phone has a user lock on it and USB Debugging is not activated (by default it is turned off), then most Android phones cannot be accessed by Law Enforcement to gather evidence. There are tools out there that are working on getting past the user lock code of an Android phone with USB Debugging deactivated, but this is limited to a small number of phones... for now; I have confidence that they will persevere! Here is a quick overview of where I am to date. Keep in mind that this is just in general terms; there is a lot more to this process, but this is a blog post intended to introduce the process to Investigators who are not aware of it or who are looking for other options.

The JTAG process requires research into the cell phone you are working on. This includes looking into what kind of CPU, NAND memory, controller chip and pinouts you will be dealing with. The pinouts are the actual test points found on the mainboard that provide a communication path to some of the components on the board, in our case the memory that contains the user data. This research into the phone will also take you to teardown sites, as you will have to research how to take the phone apart and, later, how to put it back together in order to enter the passcode and use your forensic tools on it.

Below is the pinout diagram of the HTC Incredible found on the GSM-Forum:

The next step is to hook up the pinouts on the mainboard to the JTAG box, which in turn is operated by the debugging-type software. With a reference like the one above it is fairly easy, but if you can't find one, you need to do some probing to determine which function each pinout is related to.

Connecting to the pinouts can be challenging; you can either use pin-type probes or use your soldering skills (the WildPCS Cell Phone Repair course is great for this). Below is an example of how one can make a connection to the JTAG box:

The phone needs to be powered on at this point; you can either use USB power or a DC power supply and probe the battery connectors. Now the reading process can begin: using a profile provided by the software you are using, or manually configuring the settings using open source processes, activate a read from the flash memory and get your physical data dump from the cell phone. Here is what the process looks like:

The result in this case is a physical data dump of the memory from this HTC Incredible that reveals the OS and user data. The process can take some time, and speed depends on the type of connection (RJ45 or IDE-type pin). The results are very rewarding for the work you put in, though:

We now have a physical acquisition of the phone's flash memory. Because we have bypassed the USB port (unusable with USB Debugging turned off) and found another channel to access the flash memory, this is a solution Investigators can use while our forensic tools seek out a Nintendo-type solution. R&D into the JTAG process continues, and I will provide updates as time goes on. My quest now is to find the user passcode in this physical data dump and, with that, put the phone back together and access it using this newly found passcode in order to analyze it with my forensic tools. Forensic tools are providing resources to decode this from JTAG dumps if you can locate specific files; for instance, VIAForensics has a solution to use after you have obtained a JTAG dump. Cellebrite also has a solution coming in its new release, due out in the next week or so:

This is still in the initial stages, but as I said, it is exciting to get the reads from the flash memory after all this work; very rewarding. Even if the forensic tools don't provide a solution for your phone but the JTAG process is supported, you will have a physical data dump from the flash memory that you can run automated and manual tools/processes against to recover your user data, including the deleted items.

The JTAG process will be included in the upcoming Flasher Box training at Teel Technologies in early 2012.

I am very open to sharing ideas and working with any researchers who are pursuing the same techniques, or new ones, found in my blogs, but please keep in mind that the magic word is "sharing" (-: Feel free to email me with comments, suggestions and feedback: cop.geek@gmail.com