Huawei Extraction With Oxygen Forensic Detective

Keith: Hey, this is Keith Lockhart, Director of Training at Oxygen Forensics. In this webinar, we’re going to have a look at Huawei devices, and specifically those that have a Kirin family chipset. So it’s very timely that the company had a blog recently that showed the test points for all the Huawei devices, as this is a test point operation to short the phone into a specific mode where we can do that extraction.

We’re going to want to take a look at the system on chip of Kirin, and the process of identifying those test points; working the extraction; and then the most important part is brute forcing offline the password — the secure screen password — because we’ll need that to decrypt the log after we extract it.

So that’s kind of our goal, as we look through these points; we’re going to go through the process, and I’m just going to set up a screen here where we can look at my Honor 10, and work through things and see how they turn out for us.

So I think we’re up to 134 devices at this point, with 659s, 710s, 710F, 810, 960, 970, 980, 990, and 9905G chipsets. But most importantly here, I’m turning on my Honor. And look to see that there is a PIN here. And the lock code is 123456. The whole purpose of that demonstration is to know we have one, because that is going to be imperative when it comes to demonstrating the whole, let’s offline attack that password. We’ve got to have it. That’s our key metadata, we’ve got to get in to decrypt our blob after we extract it. So that’s super important.

So this is a test point operation, which means we have to get into the phone for sure. I’ve cheated, I’ve already taken my fantastic heat gun and extricated the back of the phone. I’ve also cheated to the effect of removed some of the chassis holder pieces, I’ve already extracted the camera. Things that are going to help me get to this a little more easily. I’m surprised I didn’t have a rubber band around it.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


However, for our exercise, not only are we going to use our blog, which shows the test point we’ll need to short; I want to have the extractor open so we can navigate to this specific phone in the list. Again, this is the Honor 10, and we’ll bring up the device manager so we can see when the phone is shorted appropriately and we insert the USB cable while it’s being shorted, it is recognized in device manager as that comm port we’ll need it to be for our extraction.

So I’m going to navigate to my phone in the list inside extractor, but first we’re going to use the blog article to find that test point for the Honor 10: which point we should be shorting to get the phone into calm mode. So if I scroll down here, I can find… there it is. Now that’s the point. And it’s kind of right under where the camera would have been and the ribbon cable for the camera. So give the phone a turn, to kind of line things up, and a little bit of zoom. We can see that here’s the test point and the blog, and there’s the test point on the phone, right? And we can do a little couple of other comparisons to say, yeah, that looks like that, that cover looks the same. There’s a screw hole there. I mean, we got the right device and the right point.

I mean, I guess you could say that if you’re not sparking up some points, you’re not really trying. I can’t say that I haven’t hit this point with the wrong thing and seen a spark, but we just want to validate we’ve got the right thing, or I’m going to have to get some tweezers out and hit that point with another metal slot and get the USB cable plugged in at the same time while I’m Affecting the short so we can watch the device manager pull up that comm port that allows to extract.

So the phone’s upside down: better for the camera. There’s my USB cable. Now I’m going to get crazy and grab some tweezers. And actually, let me zoom out just a little bit here so we can see the test point short and the cable plug at the same time, because it is the magic that requires the most intricate effort. Okay.

Now let me scroll over in the list and find my phone and extractor. And we’re going to take a look at the directions for the device as extracted, how it was performed then. So it’s a two phase process, right? First we’re going to extract the data or the physical image, and then we’re going to go back after the keys and the metadata for that. And then we have to bust that password — that screen password — we saw earlier.

So, typical Oxygen fashion, got to check the box, you read the instructions, just in case you didn’t. All right. So we’ve got extractor now waiting on the phone to get into comm mode. So here’s me, tweezers in hand, cable in hand, let’s put one tweezer point on that test point and one on the frame somewhere else while I plug in… and without hearing the windows doo-doo you can watch the device manager anyway, recognize the device and come up in our Huawei comm mode. That’s what we want to see.

Okay. So on top of that, if we look down at extractor, it has also now moved on to reading the bootloader of the device. This is also what we want to see. However, this will take a second. So I’m going to go ahead and talk through and fast-forward.

[inaudible while fast-forwarding]

So, anyway, we’re just about done with the boot load process. Perfect. Okay. So now from a reconnection standpoint we’ve done what we’ve done from the bootloader. We’re going to do our fix. We’re going to restart the phone and we’re ready to extract.

There we go. So I’m just going to change the extraction location, and we’ll extract. And once again, we’ll go crazy for a long zoom to get to the end of that extraction process, because that is where the super cool — I mean, it’s all super cool — but that’s where the super, super cool stuff starts.

And go.

Okay. So if you could just disregard this ridiculous piece of reality right here, I could brag something about not only do we do what we do, we’ve increased the extraction process by 50 times with our new super cool extractor technology. You know, the beauty of Camtasia, I can extract it 50 times speed right here. Really cool. And this time I won’t do the chipmunk voice. But this will get us to the end. And the end is where after the extracted blob, the encrypted extract of the blob is sitting there, we’re literally done with the phone. I mean, we can not hook up and move on because we’re going to turn around and go back in there and determine key metadata that will help us solve our algorithm to break the password and go to town.

So this begins the search for the ingredients for our potion, essentially, as we go searching the key metadata for those keys to the kingdom, to decrypt our blob, we find that, and then comes the even super cooler part where we engage Passware to do our brute force attack on that screen lock code I showed you in the beginning.

So look, you can configure different dictionaries in Passware to run with multiple engines and go fast. We could start the thing right here. We could put a password in if we knew it, or we could modify the dictionaries we want to use for that attack. I happen to know it’s a PIN that’s four to nine digits. So I’m just going to select that and cheat, but you saw it when we started the video, literally this will happen so fast that the program doesn’t even register the fact that made an attack, but it will find it. And then I have to pause and focus on this exact frame to talk about its importance.

So at this point it knows the PIN, it’s finished. And it would have come up with this and that little window, but I’m bringing it to our attention because, folks, these are the keys to the kingdom that we just did offline, that you didn’t have to ship away for someone to do for you. So we are taking a Huawei device with one of those chips in the Kirin family, doing an extraction, turning around with our secret sauce, finding the data from the key structure we need, incorporating the password we can break, and extracting the keys to the crypto blob. That, my friends, is a new option for your toolbox.

Okay. Let’s review.

Remember this is a Kirin family exploit. So 659, 710, 710F, 810, 960, 970, 980, 990, and the 5G variant of 990, are the family of chip set we’re 134 devices into supporting right now. It is a test point operation. So the timeliness of the Oxygen blog showing all the test points just kind of let this fall right into place behind it.

And it was an operation where if you recall, in the beginning of the video, we have a PIN code on this phone. This is file-based encryption. We need that PIN code in conjunction with several other things to get what we want. We can brute force that PIN code with password in your detective suite already. That is the key.

So this just leaves me with my final graphic.

Listen, if you’ve got the phone and it’s not locked, get after it. I mean, you’re ready to go. If it is locked, do you have the code? Yes or no? Well, if you do have the code, enter it in the box and get after it. If you don’t have the code, so what? Get after it! You’ve got a process now where you don’t need external help. We want you to succeed in house, get that password gone. Get that brute force attack against that PIN. Go on and get after it.

Okay. I hope that’s been helpful. Keep on learning. We’ll speak to you later.

Leave a Comment