Physical extraction from Huawei devices on Kirin chipsets remains one of the most popular extraction methods in forensic solutions. Huawei sells smartphones built on this processor family under its own name as well as under the Honor brand. Huawei models get all the new hardware and are mostly in the top segment of Android smartphones. Honor is a mass-market brand, but its devices are also built with very good hardware.
While Huawei’s popularity can mostly be seen in China’s mobile phone market, its devices are also used in over 170 countries. The second quarter of 2020 marked the first time that Huawei emerged as the market leader in terms of total smartphones shipped, with the Chinese smartphone vendor accounting for 20 percent of the market.
Oxygen Forensic® Detective supports a wide range of Huawei devices. Among them are popular models like the Huawei P30 Pro, as well as massively distributed models like the Honor 9 and Honor 10. The support capability is determined not by the exact device model but rather by the processor and operating system version (Android OS versions 9 and 10 are supported).
Currently, data from devices on the following processors can be extracted: Kirin 659, 710, 710F, 810, 820, 960, 970, 980, 985, 990, and 990 5G.
During the extraction procedure, the vulnerabilities in the processor firmware are exploited. This means that those vulnerabilities cannot be fixed or removed with a firmware update.
The current extraction method in Oxygen Forensic® Detective can even be used with updates installed after the company became aware of the vulnerabilities and took steps to amend them. Additionally, the device connection process prior to extraction became more advanced in 2021.
Huawei Device Encryption
Naturally, all Huawei devices use memory encryption. Huawei implements a file-based encryption (FBE) scheme that uses hardware keys. In addition to the encryption of standard user data, many Huawei devices offer the option to create an additional protected space titled PrivateSpace, which is encrypted in the same way as the main data but with a separate set of keys. Phone owners usually use PrivateSpace to keep sensitive data.
For different models, the manufacturer uses 4 different encryption schemes. These schemes are tied to specific processors and differ by the set of hardware keys used.
Due to the FBE encryption scheme, the final result of the extraction is not a full physical encrypted extraction. Instead, it is a decrypted full file system, including both main user and PrivateSpace data, if the latter has been activated by the owner.
It’s important to note that knowledge of the phone lock password is required for successful decryption.
If the password is unknown, it can be brute-forced. The brute-force speed depends on the date of the security update installed on the phone. In most cases, the brute-force can be performed offline or online.
For devices with a security update before 2021, offline brute-forcing is possible at the search speed of about 250 passwords per second on an average office computer. The search speed increases considerably when using a computer with a powerful GPU.
Computers with a powerful GPU:
- Intel i7-9700F 3.00GHz CPU configuration with NVIDIA GeForce RTX 2080 Ti GPU (8,000 passwords per second).
- AMD Ryzen 9 5900X CPU configuration with AMD Radeon RX 6900 XT GPU (14,000 passwords per second).
It will take one or two minutes to crack a more commonly set passcode consisting of six digits. The password is brute-forced during the import stage with the help of a built-in brute-force module.
For devices with security updates before July 2021, only online brute-force is possible, as one of the keys can be obtained only when the password is known. The password is tried on the connected smartphone at the stage of hardware key extraction by the data extraction module, and the testing speed is about 3 passwords per second. This significantly slows down the password brute-force process, since it would take almost 8 months to find a 6-digit password.
On devices with a more recent update, brute-force is not supported. The password must be disabled on the device in order to make sure the data can be decrypted. If the password is known and PrivateSpace is activated, the password cannot be disabled until PrivateSpace is deleted. This means possible partial data loss.
How to Extract Data from Huawei Devices
The device has to be connected in the Huawei USB COM 1.0 mode, which is also known as the test mode.
To enter Huawei USB COM 1.0 mode:
- Remove the back cover of the device.
- Find the contact point.
- Short it to the device body.
- Connect the device to the PC.
In many cases, to ease access to the contact points, investigators will need to remove some additional parts of the device board. Wiring diagrams vary from model to model.
Putting the device in test mode by shorting the points is not possible for devices with a security patch from July 2021. To connect these devices, investigators must use a special cable, which can be purchased online.
The extraction process consists of the following steps:
- Checking whether the Huawei USB COM 1.0 driver is installed. If it is, the software proceeds to the detection of the connected device.
- Once the device is detected, the vulnerability is exploited.
- Rebooting the device.
- Extraction of physical image.
- Counting of hashes (optional).
- Extracting keys.
- After extracting the keys of the main user, the software checks whether the protected space is activated. If it is, the software proceeds to extract its keys.
- As soon as all keys are extracted, the final extraction window opens, presenting the extraction overview.
If a screen lock password has been set on the device, all the necessary information for password brute-force is extracted along with the keys. Both passwords of the main user space and the secure space can be found.
It should be noted that, although the extraction process requires partial disassembly of the device, it does not violate the integrity of the data itself or the functionality of the device.
Challenges with Huawei Device Extraction
- Some devices with an associated Google account or databases that store basic sections data, such as calls and messages, can be additionally encrypted. So far, we do not support their decryption. Application data is not additionally encrypted in this case.
- In some cases, the password challenge scheme may be different from the ones we know. If the correct password is found by brute-force but has not been implemented yet, investigators can decrypt the device data only if the password is known.
Physical extraction from Huawei devices is one of the most popular extraction methods in Oxygen Forensic® Detective because it supports a wide range of Huawei devices.