Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)

JTAG & Chip-offs

Posted: Sun Jan 20, 2013 12:09 am

I've been reading useful information on chip-offs and JTAG, and I was wondering what it takes to add these technologies to an existing forensic lab.

Is there any JTAG tool that you'd recommend that supports the majority of phones?

Or would I have to purchase a lot of separate JTAG tools depending on the phone I'd like to examine?

For chip-off - good vendors?

Please share with me your experience, any useful documents, vendors, URLs ..?

CopyRight
Senior Member
 
 
  

Re: JTAG & Chip-offs

Posted: Sun Jan 20, 2013 2:00 am

Chip-off will cost a lot - you need equipment to take the chips off, equipment to read the chips, and the training that goes along with it.


Google the NFI memory toolkit.  

randomaccess
Senior Member
 
 
  

Re: JTAG & Chip-offs

Posted: Mon Jan 21, 2013 3:36 am

We can assist with the supply & setup of a complete chip removal solution. We also provide training on chip removal.

If you'd like some more information then please mail me via our enquiries e-mail on our website.

John Barwood
Forensic Telecommunication Services
www.forensicts.co.uk  

ixam
Member
 
 
  

Re: JTAG & Chip-offs

Posted: Mon Jan 21, 2013 10:09 pm

You do not need a lot of money to do either chip-off or JTAG.

The process is not brain surgery, but it does require practice and some electronics understanding.

For JTAG, take a look at OpenOCD and any of the UART solutions that work with it. I use the Bus Pirate by Dangerous Prototypes - $30.

So for maybe $50 you can get a JTAG kit going. It is not push-button, but it works, and is well documented. I have JTAGed many embedded systems with such a setup: cell phones, tablets, elevators, security systems, and such.

For chip-off, you will need a soldering kit, the right EZ Schmartboard, the chip docs, and some code to talk to the chip. If you are specializing in NAND, take a look at the ONFi site for reference - important pinout details can help in hacking together your proto board.

I have done most non-monolithic flash drives in such fashion.

The resulting data is different for JTAG and chip-off. You will have to understand each, and sometimes work your way back up from the physical layer to the file system. Not always fun or easy, but rewarding.

Training, or watching someone else do this, does come in handy.

jhup
Senior Member
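
jhup's point about working back up from the physical layer, turned into a runnable example. This is an added example, not code from the original post and not NFI, ONFi or any vendor's code: once a chip-off read is in hand, the first questions are what geometry the part has and where the spare bytes sit in the dump. The script parses the ONFI parameter page (the 256-byte structure the die returns for READ PARAMETER PAGE, which the spec says is repeated at least three times), verifies the spec's CRC-16 and falls back to the next copy when the first one is bit-rotted, then uses the recovered page and spare sizes to split a raw page+spare dump into a data image and an OOB image and to list factory-marked bad blocks. The parameter page contents, vendor and model strings and the raw dump are all constructed for the demo; the bad-block marker position is the common first-spare-byte vendor convention rather than something ONFI mandates, and a real read still needs the vendor's ECC and any scrambling handled before the data image is usable.

```python
"""Making sense of a chip-off NAND read: parse the ONFI parameter page the chip returns for
READ PARAMETER PAGE (command 0xEC) to recover the geometry, verify its CRC-16, then use that
geometry to split a raw page+spare dump into a data image and an OOB image and flag bad blocks."""
import struct

ONFI_CRC_INIT, ONFI_CRC_POLY = 0x4F4E, 0x8005   # ONFI: x^16 + x^15 + x^2 + 1, seed 4F4Eh

def onfi_crc16(data):
    """CRC over bytes 0..253 of a parameter page, each byte processed MSB first, as the spec defines."""
    crc = ONFI_CRC_INIT
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ ONFI_CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def parse_parameter_page(page):
    """Decode the fields an examiner needs from one 256-byte parameter page copy (little-endian)."""
    if len(page) < 256 or page[:4] != b"ONFI":
        raise ValueError("missing ONFI signature")
    if onfi_crc16(page[:254]) != struct.unpack_from("<H", page, 254)[0]:
        raise ValueError("parameter page CRC mismatch")
    u16 = lambda off: struct.unpack_from("<H", page, off)[0]
    u32 = lambda off: struct.unpack_from("<I", page, off)[0]
    return {
        "manufacturer": page[32:44].decode("ascii", "replace").strip(),
        "model": page[44:64].decode("ascii", "replace").strip(),
        "jedec_id": page[64],
        "page_size": u32(80),              # data bytes per page
        "spare_size": u16(84),             # OOB bytes per page
        "pages_per_block": u32(92),
        "blocks_per_lun": u32(96),
        "luns": page[100],
        "bits_per_cell": page[102],        # 1 = SLC, 2 = MLC
        "ecc_bits": page[112],             # ECC correctability the vendor requires
    }

def find_valid_parameter_page(blob):
    """The die repeats the page at least three times; copy 0 can itself be bit-rotted, so walk the copies."""
    errors = []
    for i in range(len(blob) // 256):
        try:
            return i, parse_parameter_page(blob[i * 256:(i + 1) * 256])
        except ValueError as exc:
            errors.append(f"copy {i}: {exc}")
    raise ValueError("no valid parameter page copy; " + "; ".join(errors))

def split_raw_dump(raw, page_size, spare_size):
    """Programmers dump each page as data followed by its spare bytes; separate the two streams."""
    stride = page_size + spare_size
    if len(raw) % stride:
        raise ValueError(f"dump length {len(raw)} is not a multiple of page+spare ({stride})")
    data, oob = bytearray(), bytearray()
    for off in range(0, len(raw), stride):
        data += raw[off:off + page_size]
        oob += raw[off + page_size:off + stride]
    return bytes(data), bytes(oob)

def factory_bad_blocks(oob, spare_size, pages_per_block):
    """Common vendor convention (not ONFI-mandated): non-0xFF first spare byte of a block's first page = bad."""
    block_oob = spare_size * pages_per_block
    return [b for b in range(len(oob) // block_oob) if oob[b * block_oob] != 0xFF]

def build_demo_parameter_page():
    """Constructed parameter page for a 2048+64-byte-page, 64-pages-per-block part; not a real device."""
    p = bytearray(256)
    p[0:4] = b"ONFI"
    struct.pack_into("<H", p, 4, 0x0002)            # revision bitmap: ONFI 1.0
    p[32:44] = b"DEMOVENDOR".ljust(12)
    p[44:64] = b"DEMO 2G08 NAND".ljust(20)
    p[64] = 0x2C                                    # JEDEC manufacturer ID byte (constructed)
    struct.pack_into("<I", p, 80, 2048)             # bytes per page
    struct.pack_into("<H", p, 84, 64)               # spare bytes per page
    struct.pack_into("<I", p, 92, 64)               # pages per block
    struct.pack_into("<I", p, 96, 2048)             # blocks per LUN
    p[100], p[102], p[112] = 1, 1, 4                # 1 LUN, SLC, 4-bit ECC
    struct.pack_into("<H", p, 254, onfi_crc16(p[:254]))
    return bytes(p)

def build_demo_raw_dump(geom, blocks=2, bad=(1,)):
    """Constructed raw dump: each page starts with its page number; spare is 0xFF except the bad-block marks."""
    page_size, spare, ppb = geom["page_size"], geom["spare_size"], geom["pages_per_block"]
    out = bytearray()
    for blk in range(blocks):
        for pg in range(ppb):
            out += struct.pack("<I", blk * ppb + pg).ljust(page_size, b"\xAA")
            out += (b"\x00" if pg == 0 and blk in bad else b"\xFF") + b"\xFF" * (spare - 1)
    return bytes(out)

if __name__ == "__main__":
    good = build_demo_parameter_page()
    rotted = good[:80] + bytes([good[80] ^ 0x01]) + good[81:]          # one flipped bit in copy 0
    idx, geom = find_valid_parameter_page(rotted + good + good)
    print(f"using parameter page copy {idx}: {geom}")
    data, oob = split_raw_dump(build_demo_raw_dump(geom), geom["page_size"], geom["spare_size"])
    print(len(data), "data bytes,", len(oob), "OOB bytes, factory bad blocks:",
          factory_bad_blocks(oob, geom["spare_size"], geom["pages_per_block"]))
```

Running it reports that copy 0 failed the CRC and copy 1 was used, then 262144 data bytes and 8192 OOB bytes for the two constructed blocks with block 1 flagged as factory-bad. The same CRC and field offsets apply to a parameter page read back through a real programmer; the flipped-bit case is there because a chip that has been heated for removal does come back with bit errors, and silently trusting copy 0 would give you the wrong page size and a dump that no file-system tool can parse.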
 
 
  

Re: JTAG & Chip-offs

Posted: Tue Jan 22, 2013 4:04 am

- jhup
You do not need a lot of money to do either chip-off or JTAG.

The process is not brain surgery, but it does require practice and some electronics understanding.

For JTAG, take a look at OpenOCD and any of the UART solutions that work with it. I use the Bus Pirate by Dangerous Prototypes - $30.

So for maybe $50 you can get a JTAG kit going. It is not push-button, but it works, and is well documented. I have JTAGed many embedded systems with such a setup: cell phones, tablets, elevators, security systems, and such.

Training, or watching someone else do this, does come in handy.


Interesting, do you know of any freely available paper explaining how to use such libraries/tools for dumping Android devices?

I've seen the RIFF Box used for many JTAG jobs on Samsung handsets; it's not "expensive" and there is software provided with the box which does the trick, but I'm interested in understanding how it can be done "manually" :)

Rampage
Senior Member
 
 
  

Re: JTAG & Chip-offs

Posted: Tue Jan 22, 2013 8:18 am

I included the link to OpenOCD. That is the best place to start. There are books and papers out there, but both are crazy expensive.

JTAG is a higher-level "language" of sorts, besides being a physical-layer standard. There is a limited command set that each IC has to have, and there are additional commands unique to the IC.

If you plan to JTAG, learn about JTAG in as much detail as you can. There are many places online where you can pick up bits and pieces and figure out how it works.

Read the BSDL library file for your chip to understand what commands it can do and how each pin will respond. You can also review the datasheet for the IC at several places for further information. Most embedded devices, including cell phones, use an ARM-cored processor, so reading up on ARM is a plus.

JTAG is really just one of the more popular serial bus solutions (besides SPI and I2C). It uses the wires TDI, TDO, TCK, TMS, and sometimes TRST. Data goes out on the falling edge of TCK and is read on the rising edge.

Think of RS-232 on steroids (in a very distant fashion). Early JTAG was not done through "RIFF boxes"; it was simply wired directly to the LPT port. That can still be done in a pinch (pins 1, 2, 14, 16, and 17). I would start there if you want to do things "manually". Caveat - voltage does matter. Embedded systems have various voltage levels for their signaling, not just TTL: 1.8, 2.5, 3.3 V. I rarely see 5 V nowadays.

jhup
Senior Member
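
jhup's description above (four wires, a state machine driven by TMS, a small mandatory instruction set, IDCODE documented in the BSDL) in runnable form, as an added example that is not part of the original thread and not OpenOCD's or any flasher box's code: a bit-banged TAP driver that walks the IEEE 1149.1 state machine, counts the devices on a chain by shifting every instruction register to all ones (BYPASS), then reads the IDCODEs one bit at a time so that a device without an IDCODE (which presents a single 0 bit after reset) is handled rather than mis-aligning the rest. The chain is a simulated one so the script runs offline; the IR lengths, opcodes and IDCODE values in build_demo_chain() are invented for the demo, and TapDevice omits the boundary-scan register and the chip-specific debug instructions. On real hardware JtagHost.clock() would drive TCK/TMS/TDI through the adapter (Bus Pirate, an LPT wiggler) at the target's signalling voltage and sample TDO.

```python
"""Bit-banged JTAG from first principles: walk the IEEE 1149.1 TAP state machine over TMS/TDI/TDO, put
every device into BYPASS to count the chain, then read each IDCODE. The chain is simulated (runs offline)."""
# IEEE 1149.1 TAP controller: state -> (next if TMS=0, next if TMS=1); TMS/TDI are sampled on rising TCK
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"), "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN": ("CAPTURE_DR", "SELECT_IR_SCAN"), "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"), "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"), "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"), "SELECT_IR_SCAN": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"), "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"), "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"), "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}

class TapDevice:
    """One TAP, simplified to an IR plus the BYPASS (1 bit, all-ones opcode) and IDCODE (32 bits) registers."""
    def __init__(self, ir_len, idcode=None, op_idcode=None):   # IR lengths and opcodes here are constructed
        self.ir_len, self.idcode, self.op_idcode, self.op_bypass = ir_len, idcode, op_idcode, (1 << ir_len) - 1
        self.state, self.ir_shift, self.dr_shift, self.dr_len = "TEST_LOGIC_RESET", 0, 0, 1
        self.ir = op_idcode if op_idcode is not None else self.op_bypass   # reset selects IDCODE, else BYPASS
    def clock(self, tms, tdi):
        """One TCK cycle: return the TDO bit the host samples, then apply the rising edge."""
        tdo, s = 0, self.state
        if s == "CAPTURE_IR":
            self.ir_shift = 0b01                      # spec: the captured IR value ends in 01
        elif s == "SHIFT_IR":                         # LSB leaves on TDO, TDI enters at the MSB
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.ir_len - 1))
        elif s == "CAPTURE_DR":
            if self.ir == self.op_idcode:
                self.dr_shift, self.dr_len = self.idcode, 32
            else:                                     # BYPASS and unknown opcodes: 1 bit, captures 0
                self.dr_shift, self.dr_len = 0, 1
        elif s == "SHIFT_DR":
            tdo = self.dr_shift & 1
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        self.state = TAP_NEXT[s][tms]
        if self.state == "UPDATE_IR":
            self.ir = self.ir_shift                   # latched on the falling edge in Update-IR
        elif self.state == "TEST_LOGIC_RESET":
            self.ir = self.op_idcode if self.op_idcode is not None else self.op_bypass
        return tdo

class JtagHost:  # adapter side: it only knows how to wiggle TMS/TDI and sample TDO
    def __init__(self, chain):
        self.chain = chain                            # chain[0] hangs on the host's TDI, chain[-1] on its TDO
    def clock(self, tms, tdi=0):
        bit = tdi
        for dev in self.chain:                        # each device's TDO feeds the next one's TDI
            bit = dev.clock(tms, bit)
        return bit
    def reset_to_idle(self):
        for _ in range(5): self.clock(1)              # five TMS=1 clocks reach Test-Logic-Reset from anywhere
        self.clock(0)                                 # -> Run-Test/Idle
    def enter_shift(self, ir):
        self.clock(1)                                 # Run-Test/Idle -> Select-DR-Scan
        if ir: self.clock(1)                          # -> Select-IR-Scan
        self.clock(0); self.clock(0)                  # -> Capture-xR, then (capture happens on this edge) -> Shift-xR
    def shift(self, value, nbits, last=False):
        """Shift nbits LSB first, return the TDO bits; last=True then goes Exit1 -> Update -> Idle."""
        out = 0
        for i in range(nbits):
            out |= self.clock(1 if last and i == nbits - 1 else 0, (value >> i) & 1) << i
        if last:
            self.clock(1)                             # Exit1 -> Update: the new IR/DR takes effect
            self.clock(0)                             # Update -> Run-Test/Idle
        return out
    def count_devices(self, max_devices=32):
        """All ones into every IR = BYPASS regardless of IR length; a lone 1 reappears after N clocks."""
        self.reset_to_idle()
        self.enter_shift(ir=True)
        self.shift((1 << 256) - 1, 256, last=True)    # longer than any realistic total IR length
        self.enter_shift(ir=False)
        out = self.shift(1, max_devices + 1, last=True)
        for n in range(max_devices + 1):
            if (out >> n) & 1:
                return n
        raise RuntimeError("nothing came back in BYPASS: check wiring and signal voltage")
    def read_idcodes(self, count):
        """After reset each TAP presents IDCODE (bit 0 = 1) or one 0 bit if BYPASS only; nearest TDO first."""
        self.reset_to_idle()
        self.enter_shift(ir=False)
        ids = []
        for _ in range(count):
            first = self.shift(0, 1)
            ids.append(None if first == 0 else 1 | (self.shift(0, 31) << 1))
        self.shift(0, 1, last=True)                   # one dummy bit, then exit to Run-Test/Idle
        return ids

def decode_idcode(idcode):  # IDCODE: [31:28] version, [27:12] part number, [11:1] JEP106 manufacturer, [0] = 1
    return {"version": idcode >> 28, "part": (idcode >> 12) & 0xFFFF, "manufacturer": (idcode >> 1) & 0x7FF}
def build_demo_chain():  # constructed three-device chain; values invented for this demo
    return [TapDevice(4, idcode=0x1A2B3C4D, op_idcode=0b1110),   # 4-bit IR, has IDCODE
            TapDevice(5),                                        # 5-bit IR, BYPASS only
            TapDevice(8, idcode=0x5EC0DE01, op_idcode=0xFE)]     # 8-bit IR, has IDCODE

if __name__ == "__main__":
    host = JtagHost(build_demo_chain())
    for pos, code in enumerate(host.read_idcodes(host.count_devices())):
        print(pos, "BYPASS only" if code is None else f"0x{code:08X} {decode_idcode(code)}")
```

Running it prints three chain positions: 0x5EC0DE01 with its decoded version/part/manufacturer fields, the BYPASS-only part, and 0x1A2B3C4D, i.e. the device nearest TDO first. These two scans are the same probing OpenOCD does when it checks each configured TAP against its `-expected-id` at init; once the IDCODEs match the BSDL and datasheet, the next step is the chip-specific debug instructions that read memory, which are outside this example and are where the flasher boxes earn their money.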
 
 
  

Re: JTAG & Chip-offs

Posted: Wed Jan 23, 2013 6:54 pm

Both of these processes are cheap to do.

Don't go spending tens of thousands of dollars on equipment for chip-off. You can get the UP48 programmer with the starter universal adapter for just under 2,000. This will get you going with the chips found on regular flip, brick and slider phones, under the 120-pin BGA style. Once you get into the 137-pin and higher, you will need special adapters that run between 500 and 1,500 each. They support a large number of the phones out there, including the newer chips like the eMMC, moviNAND, etc. styles. NO need to reball these chips with this kit; just clean and have the pins exposed, allowing connection with the adapter pogo pins.

Once you are comfortable with using this kit, move on to the more advanced tools like Xeltek, Data I/O, Dataman, etc. that are more expensive but will provide you support for those hard-to-find adapters. Equipment to do the removing and cleaning of the chip: 400-600 bucks. NO need for the big expensive rework station that costs 2,000 plus; it can be done with simple, cost-effective equipment from your local electronics store.

JTAG is the same: the flasher box units are the way to start - RIFF, ORT, Medusa and GPG JTAG, which run around 200 dollars. Once you get familiar with them and how they work, move up to the ones that provide more support but can be more expensive. The flasher box ones are what we refer to as "Nintendo type" tools, where you push one or two buttons to get the dump. You may find that the flasher box style ones will get you by on a lot of the phones you are seeing in your lab. With the boxes come accessories like jigs, cables, adapters, universal kits, etc. The best way to communicate with your phone is by soldering the wires to the TAPs instead of using jigs. It requires some training and practice, but it is the most dependable method.

PM me for more information on equipment and upcoming training in the UK for both processes. You may also refer to my blog for more information at copgeek018.wordpress.com; it's a bit dated as I have been busy, but updates are coming soon.

sideshow018
Senior Member
 
 