JTAG & Chip offs

11 Posts
7 Users
0 Likes
1,941 Views
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

I've been reading useful information on chip-offs and JTAGs and I was wondering what it takes to add these technologies to an existing forensic lab.

Is there any JTAG tool that you'd recommend that supports the majority of phones?

Or would I have to purchase a lot of separate JTAGs depending on the phone I'd like to examine?

For chip-off - good vendors?

Please share with me your experience, any useful documents, vendors, URLs...?

 
Posted : 20/01/2013 10:09 am
(@randomaccess)
Posts: 385
Reputable Member
 

Chip-off will cost a lot - you need equipment to take the chips off, equipment to read the chips, and the training that goes along with it.

Google the NFI memory toolkit.

 
Posted : 20/01/2013 12:00 pm
ixam
(@ixam)
Posts: 21
Eminent Member
 

We can assist with the supply & setup of a complete chip removal solution. We also provide training on chip removal.

If you'd like some more information then please mail me via our enquiries e-mail on our website.

John Barwood
Forensic Telecommunication Services
www.forensicts.co.uk

 
Posted : 21/01/2013 1:36 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

You do not need a lot of money to do either chip-off or JTAG.

The process is not brain surgery, but does require practice, and some electronics understanding.

For JTAG, take a look at OpenOCD and any of the UART solutions that work with it. I use the Bus Pirate by Dangerous Prototypes - $30.

So for maybe $50, you can get a JTAG kit going. It is not push button, but it works, and is well documented. I have JTAGed with such a setup many embedded systems like cell phones, tablets, elevators, security systems, and such.

For chip-off, you will need a soldering kit, the right EZ Schmartboard, the chip docs, and some code to talk to the chip. If you are specializing in NAND, take a look at the ONFI site for reference - important pin-out details can help in hacking together your proto board.

I have done most non-monolithic flash drives in such fashion.

The resulting data is different for JTAG and chip-off. You will have to understand each, and work your way back up sometimes from the physical layer to the file system. Not always fun or easy, but rewarding.

Training, or watching someone else doing this, does come in handy.

 
Posted : 22/01/2013 8:09 am
(@rampage)
Posts: 354
Reputable Member
 

> You do not need a lot of money to do either chip-off or JTAG.
>
> The process is not brain surgery, but does require practice, and some electronics understanding.
>
> For JTAG, take a look at OpenOCD and any of the UART solutions that work with it. I use the Bus Pirate by Dangerous Prototypes - $30.
>
> So for maybe $50, you can get a JTAG kit going. It is not push button, but it works, and is well documented. I have JTAGed with such a setup many embedded systems like cell phones, tablets, elevators, security systems, and such.
>
> Training, or watching someone else doing this, does come in handy.

Interesting, do you know of any freely available paper explaining how to use such libraries/tools for dumping Android devices?

I've seen the RIFF box used for many JTAGs on Samsung handsets; it's not "expensive" and there is software provided with the box which does the trick, but I'm interested in understanding how it can be done "manually".

 
Posted : 22/01/2013 2:04 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

I included the link to OpenOCD. That is the best place to start. There are books and papers out there but both are crazy expensive.

JTAG is a higher level "language" of sorts besides a physical layer standard. There is a limited command set that each IC has to have, and there are additional commands unique to the IC.

If you plan to JTAG, learn about JTAG in as much detail as you can. There are many places online where you can pick up piece parts and figure out how it works.

Read the BSDL library file for your chip to understand what commands it can do, and how each pin will respond. You can also review the datasheet for the IC at several places for further information. Most embedded devices, including cell phones, use an ARM-cored processor, so reading up on ARM is a plus.

JTAG is really just one of the more popular serial bus solutions (besides SPI and I2C). It uses the wires TDI, TDO, TCK, TMS, and sometimes TRST. Data goes out on the falling edge of TCK, and data is read on the rising edge.

Think of RS232 on steroids (in a very distant fashion). Early JTAG was not done through "RIFF boxes"; it was simply wired directly to the LPT port. That can still be done in a pinch (pins 1, 2, 14, 16, and 17). I would start there, if you want to do things "manually". Caveat - voltage does matter. Embedded systems have various voltage levels for their signaling, not just TTL: 1.8, 2.5, 3.3 V. I rarely see 5 V nowadays.

 
Posted : 22/01/2013 6:18 pm
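To make the "manual" side of the post above concrete, here is an added example (not code from the thread or from OpenOCD): a bit-level model of the four wires named there, TCK, TMS, TDI and TDO, driving an IEEE 1149.1 TAP controller to shift out the mandatory 32-bit IDCODE register. The simulated chip, its IDCODE value 0x1ABCD247 and the class/function names are all constructed for the example.

```python
# Added example, not code from the thread: a bit-level model of the JTAG wires the post
# names (TCK, TMS, TDI, TDO) driving an IEEE 1149.1 TAP to read the mandatory IDCODE
# register. The "chip" is a constructed simulation, not a real device.

# TAP controller next-state table: (next if TMS=0, next if TMS=1); TMS is sampled on the TCK rising edge.
TAP = {
    "RESET": ("IDLE", "RESET"),      "IDLE": ("IDLE", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"),  "CAP_DR": ("SH_DR", "EX1_DR"),
    "SH_DR": ("SH_DR", "EX1_DR"),    "EX1_DR": ("PAU_DR", "UPD_DR"),
    "PAU_DR": ("PAU_DR", "EX2_DR"),  "EX2_DR": ("SH_DR", "UPD_DR"),
    "UPD_DR": ("IDLE", "SEL_DR"),    "SEL_IR": ("CAP_IR", "RESET"),
    "CAP_IR": ("SH_IR", "EX1_IR"),   "SH_IR": ("SH_IR", "EX1_IR"),
    "EX1_IR": ("PAU_IR", "UPD_IR"),  "PAU_IR": ("PAU_IR", "EX2_IR"),
    "EX2_IR": ("SH_IR", "UPD_IR"),   "UPD_IR": ("IDLE", "SEL_DR"),
}

class SimTap:
    """Constructed target. Simplification: the instruction register is not modelled;
    after Test-Logic-Reset it holds IDCODE, so the DR path reads the 32-bit ID register."""
    def __init__(self, idcode):
        self.idcode, self.state, self.shift = idcode, "RESET", 0

    def clock(self, tms, tdi):
        """One TCK cycle: TDO was driven on the previous falling edge; capture/shift and the state change happen on the rising edge."""
        tdo = self.shift & 1 if self.state == "SH_DR" else 0
        if self.state == "CAP_DR":
            self.shift = self.idcode                      # parallel load of the ID register
        elif self.state == "SH_DR":
            self.shift = (self.shift >> 1) | (tdi << 31)  # LSB leaves on TDO, TDI enters at the MSB
        self.state = TAP[self.state][tms]
        return tdo

def read_idcode(tap):
    """Host side: five TMS=1 clocks reach Test-Logic-Reset from any state, four more walk
    Idle -> Select-DR -> Capture-DR -> Shift-DR, then 32 bits are shifted out LSB first."""
    for _ in range(5):
        tap.clock(1, 0)
    for tms in (0, 1, 0, 0):
        tap.clock(tms, 0)
    value = 0
    for i in range(32):                 # TMS=1 on the last bit leaves Shift-DR for Exit1-DR
        value |= tap.clock(1 if i == 31 else 0, 0) << i
    return value

def decode_idcode(v):
    """Split an IDCODE into its fields; bit 0 is always 1 for a real ID register, so 0 means BYPASS (or nothing) answered."""
    return {"valid": bool(v & 1), "manufacturer": (v >> 1) & 0x7FF,
            "part": (v >> 12) & 0xFFFF, "version": (v >> 28) & 0xF}

if __name__ == "__main__":
    print(decode_idcode(read_idcode(SimTap(0x1ABCD247))))  # constructed IDCODE value
```

The 11-bit manufacturer field is a JEDEC code, which is what a BSDL file or datasheet lets you cross-check against what the wires actually returned.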
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

Both of these processes are cheap to do.

Don't go spend tens of thousands of dollars on equipment for the chip-off; you can get the UP48 programmer with the starter universal adapter for just under 2,000. This will get you going with the chips found on regular flip, brick and slider phones under the 120-pin BGA style. Once you get into the 137-pin and higher, then you will need special adapters that run between 500 and 1,500 each. They support a large number of the phones out there including the newer chips like the eMMC, NoviNAND, etc. styles. NO need to reball these chips with this kit, just clean and have the pins exposed, allowing connection with the adapter pogo pins. Once you are comfortable with using this kit, then move into the more advanced tools like Xeltek, Dataio, Dataman, etc. that are more expensive but will provide you support for those hard-to-find adapters. Equipment to do the removing and cleaning of the chip, 400-600 bucks; NO need for the big expensive rework station that costs 2,000 plus, it can be done with simple cost-effective equipment from your local electronics store.

JTAG is the same; the flasher box units are the way to start: RIFF, ORT, Medusa and GPG JTAG, which run around 200 dollars. Once you get familiar with them and how they work, then move up to the ones that provide more support but can be more expensive. The flasher box ones are what we refer to as Nintendo-type tools, where you push one or two buttons to get the dump. You may find that the flasher box style ones will get you by on a lot of the phones you are seeing in your lab. With the boxes come accessories like JIGs, cables, adapters, universal kits, etc. The best way to communicate with your phone is by soldering the wires to the TAPs instead of using JIGs. It requires some training and practice but it is the most dependable method.

PM me for more information on equipment and upcoming training in the UK for both processes. You may also refer to my Blog for more information at copgeek018.wordpress.com, a bit dated as I have been busy but updates are coming soon.

 
Posted : 24/01/2013 4:54 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would like to underline that the two things fall into two very different categories (IMHO).

The JTAG is essentially "software" and the "hardware side" of it is minimal, little less than being able to open the device is needed.

The chip-off is at the same time "hardware" AND "software", but the kind of experience/knowledge you need belongs more to "hardware" (or at least this part is essential to avoid making a disaster).

What I mean is that if I had to hire two guys (with no specific experience with JTAG or chip-off) I would choose them preferably

  • for the JTAG someone with previous programming experience
  • for the chip-off someone with some previous experience as an electronics repairman

And yes, I do know quite a few brilliant and experienced, capable electronic engineers, with a higher level of education, that simply don't know which side of a soldering iron is the handle 😯 (and this DOES make a difference when it is on 😉).

jaclaz

 
Posted : 24/01/2013 4:01 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

There are different problems with each, in my experience.

With JTAG/SPI/I2C, finding the test points is the hardest part. A minor headache is interpreting the resulting data dumps.

With chip-off the concerns are untangling the "translation" layers and sometimes encryption of the dump; a minor problem is getting the pin-out for unknown chips.

But, no disagreement with you or Bob.

By the way, I almost made it to your class in DE, Bob, but I think my boss just nixed it


 
Posted : 25/01/2013 3:17 am
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

So I can use a JTAG box to take a dump of a locked phone and then use Xtract (XRY) to interpret the results and find out the code? What other useful things can I extract from the dump?

 
Posted : 09/02/2013 9:50 am