Overview
I always thought JTAG was hard, then I tried it, and realized it was actually very easy (most of the time). Pretty much anyone can learn to do this in 8 hours of soldering practice. Really, it's dead simple. Don't let anyone fool you by trying to convince you it's not.
I said "most of the time" because there will be instances where one of the following prevents you from JTAGing a phone:
- Phone not supported by popular tools - Let's face it. For the majority of analysts, if the tool doesn't work, they don't work. That's just life, so we might as well accept that fact and list it first. Sooner or later you will get a phone that isn't supported and you likely won't be able to analyze it. The barrier to entry for writing support for unsupported chips is going to be too high for most people. That's fine. That's life. Analyze the other 95%+ of phones that come through your door and outsource the remaining 5%.
- JTAG taps are unknown and you need to figure them out on your own. This takes time and more skill. Again, see the first bullet (outsource the 5%).
- Microcontroller (MCU) does not support JTAG, requiring ISP/ICSP or chip-off. This may or may not be possible in your environment. I would suggest additional training for chip-off. Also, for ISP you will be soldering some crazy small wires. It's very doable; you will just need practice (eBay).
- Encryption - Think new iPhones and new Samsung devices. This quite possibly spells the end of JTAG.
NOTE: I do not do this in my day job. I purchased damaged phones off eBay and played around with them. This is even more proof that anyone can learn how to do this.
What is JTAG?
First, let's define what JTAG is so we can better understand it going forward.
Joint Test Action Group (JTAG) is the group of companies that came together in 1985 to define a standard for boundary-scan testing of integrated circuits.
In 1990, the specification resulted in IEEE 1149.1, Standard Test Access Port and Boundary-Scan Architecture. Its main purpose is to allow engineers to perform debugging and diagnostics of a system or device.
JTAG Interface Signals
UPDATED 10/02/2016 - Removed this section. This senr.io write up explains JTAG much better. No reason to repeat it.
Tools for JTAGing Phones
I use the following tools and have NO issues with JTAGing phones. You can buy better equipment if you want, but below is proof you do not need the best equipment.
I will assume you already have forensic software to process the data we will dump from the phone. If not, you can get a lot of good content with X-Ways, NetAnalysis, Bulk Extractor, carving tools and Autopsy before diving into some of the more expensive commercial mobile forensic solutions (IEF, Cellebrite, EnCase, etc.). But again, I will assume you have this already, and if you're in law enforcement you likely already have at least Cellebrite and something like EnCase.
- RIFF Box - $150
- Z3X Easy JTAG box - $250
- Hakko FX888D solder Iron - $98
- AmScope SE400-Z Stereo Microscope - $185
- Multimeter - I use Extech EX330 - $50
- Bench Power Supply - Tekpower - $75
- Flux - $10 - $12
- Solder - $25 - $35 (Lasts a long time) - Smaller the better.
- 20, 30 and 40 AWG magnet wire - $10 - $15
- Other wire as necessary (smaller the better) - $10 - $15 - Adjust the size as necessary.
- Alligator Clip Test Leads - $6 - $12
- Hakko CHP 3-SA Stainless Steel Non-Magnetic Precision Tweezers - $5
- Cell Phone Repair Tools $15 - $50
- Faber-Castell Perfection Eraser Pencil with Brush - $5 - Used to clean JTAG taps before soldering
- A Tooth Brush - $1 - Cleaning PCB/Taps
- Rubbing Alcohol - $2 - Cleaning PCB/Taps
- Kapton Tape - $10 - $15 - For those without steady hands, this can help cover surrounding components from getting solder on them.
- Hakko FA400-04 Fume Extractor - $68 - Or make one with a CPU fan and a Carbon filter for $20
- JPIN JTAG Molex Flex Kit - $60
- Hakko T18-BR02 - T18 Series Soldering Tip - $5
- Kohree 110V LED Digital 858D SMD Hot Air Rework Station Solder - $60 - Not needed for JTAG, but nice to have on your desk in case any JTAG taps are covered in epoxy
Total: For under $1,400 you can JTAG most phones, from what research I have done. If you are in law enforcement and not doing this, you are missing out. It is very simple.
There is another tool called the JTAGulator - $159 - that can help brute-force JTAG tap layouts. This tool can be useful when you do not know what the layout of the taps is.
It's not necessary, as most of the popular phones are supported and documented. I have used it and it worked on some phones, but not on others. It seems to be hit or miss. The Z3X also has a JTAG tap identification tool built into it, so I recommend starting with the Z3X before shelling out another $159 for the JTAGulator.
If you do not want to invest in gear, but want something JTAG'd I can help you. Just ask.
Nokia Lumia 521
I decided on this phone after someone posted on the SANS mailing list asking how to acquire data from it.
I purchased two phones off eBay. $15 each + shipping for a grand total of $40.69. The condition of the phone doesn't matter for JTAG if it powers on. So if you can confirm power (multimeter), a broken screen doesn't matter, and that will save you some money buying test phones.
Phone Research
- Phone Scoop - Nokia Lumia 521
- Internal Photos Per FCC ID
- GSM Forum via Google Search
- Google Image Search: "Nokia Lumia 521 JTAG" - Looking for JTAG pinout images
What we know
- 1 GHz Qualcomm Snapdragon S4 MSM8270
- Windows Version 8
- 8GB
- Labeled JTAG Pinouts
- JTAG Box Support
JTAG Box Verification
As we can see here, the Z3X supports the Nokia Lumia 521.
And here we can see the JTAG pinouts provided by the Z3X JTAG box.
Phone Disassembly
Now that we have confirmed that at least one of our tools supports our Nokia Lumia 521, let's move forward with phone disassembly.
Prep and Clean the Taps
First, our taps are under a heat shield. I use my SMD rework station (hot air) to remove the shield. Be careful not to burn up the board. Use a swiping motion with the hot air gun so as not to apply direct heat to the board for too long.
In this step we want to make sure our JTAG taps are clean. I do this by scratching away the layer to expose the copper taps. If we leave the layer of coating on (I'm not sure of the name), it will not take solder and you will not be able to solder to it.
After scratching them off I cleaned them with a Q-tip and some alcohol. After you do this, blow on the board to dry the alcohol (happens quickly).
Soldering our JTAG Taps
These are some shots under my microscope. It's too small to see without the microscope, so I do all of the soldering this way. Some people will use magnifying glasses (think dentist). I like the microscope.
Here are some completed taps that I have applied solder to. At this stage I need to scratch off a few more taps, and then solder them as well.
Wiring the Phone
After all of the solder was placed on the taps I moved forward with wiring up the phone per the wiring diagram above.
I have connected it to the Z3X JTAG box. The device in the middle between the phone and the Z3X is a custom connector I created via OSH Park. It's just an easy medium that allows me to interface with the JTAG box more easily. If you want the schematics, let me know and I can send them. It's about $4 - $5 per device in parts. It is not necessary. The Z3X and RIFF box will come with a small PCB to interface with.
Dumping Phone Contents
Here is a copy/paste from the console log.
CPU IDCODE: 0x4F1F0F0F
Mfg: 0x787
Part: 0xf1f0
CPU Manufacturer: Samsung
CPU Name: ARM7GEN
JTAG device: MSM8227
CPU IDCODE: 0x207D00E1
Mfg.: 0x070
Part: 0x07d0
CPU Manufacturer: QUALCOMM
CPU Name: MSM8227
EMMC 0:
ID: 0x004A0090
Name: H8G2d
Size: 7.2 G
Blocks: 15155200
EMMC 1
ID: 0x004A0090
Name: H8G2d
Size: 2.0 M
Blocks: 4096
eMMC Flash Device(s) found:
Device ID: 0x0090004a
The dump is being read from EMMC address 0x000000000000 -> 0x000200000000 and being saved to the following location:
C:\Users\sysforensics\Desktop\NOKIA_LUMIA_521_0x00000000_0x200000000.bin
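As an added example (not from the original post or the Z3X software), here is how the two IDCODE values in that log break down into their IEEE 1149.1 fields, and a sanity check that the eMMC geometry the tool reported matches the address range it dumped. The 512-byte block size is an assumption, but it is consistent with both "7.2 G" and "2.0 M" in the log.

```python
import re

# Excerpt of the Z3X console log quoted in the post (copied, not constructed).
CONSOLE_LOG = """\
CPU IDCODE: 0x4F1F0F0F
Mfg: 0x787
Part: 0xf1f0
CPU IDCODE: 0x207D00E1
Mfg.: 0x070
Part: 0x07d0
EMMC 0:
Size: 7.2 G
Blocks: 15155200
"""


def decode_idcode(idcode: int) -> dict:
    """Split a 32-bit JTAG IDCODE into its IEEE 1149.1 fields.

    bit 0      : always 1 (a BYPASS register shifts out 0, so a clear LSB
                 means no IDCODE-capable TAP answered on that chain position)
    bits 1-11  : 11-bit JEDEC manufacturer code (what the tool prints as Mfg)
    bits 12-27 : 16-bit part number (printed as Part)
    bits 28-31 : 4-bit version
    """
    if idcode & 1 == 0:
        raise ValueError(f"0x{idcode:08X}: LSB clear, not a valid IDCODE")
    return {
        "mfg": (idcode >> 1) & 0x7FF,
        "part": (idcode >> 12) & 0xFFFF,
        "version": (idcode >> 28) & 0xF,
    }


def parse_idcodes(log: str) -> list:
    """Pull every 'CPU IDCODE: 0x...' value out of a console log, in order."""
    return [int(m, 16) for m in re.findall(r"CPU IDCODE:\s*0x([0-9A-Fa-f]{8})", log)]


def emmc_bytes(blocks: int, block_size: int = 512) -> int:
    """eMMC capacity in bytes; 512-byte blocks is an assumption (see lead-in)."""
    return blocks * block_size


def dump_covers_device(start: int, end: int, blocks: int) -> bool:
    """True when the address range the tool read spans the whole reported device."""
    return start == 0 and (end - start) >= emmc_bytes(blocks)


if __name__ == "__main__":
    for code in parse_idcodes(CONSOLE_LOG):
        f = decode_idcode(code)
        print(f"0x{code:08X}: mfg=0x{f['mfg']:03X} part=0x{f['part']:04X} ver={f['version']}")
    print("eMMC 0 bytes:", emmc_bytes(15155200))
    print("dump range covers eMMC 0:", dump_covers_device(0x0, 0x200000000, 15155200))
```

Comparing the decoded fields with the Mfg/Part lines the tool printed is a quick way to confirm you are talking to the TAP you expect before committing to a two-day dump.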
The dumping process can take 2+ days with an 8GB phone. It's not something you can turn around to your department in an afternoon.
Now that we have the dump here:
NOKIA_LUMIA_521_0x00000000_0x200000000.bin
Let's begin analysis.
Analysis
You will have a single bin file. Simply load it up in your analysis tool of choice and have at it. In this example I loaded it up in X-Ways and started carving for photos.
Analysis Results
There were a few boob pictures, multiple selfie pictures, some porn, family birthday party and my favorite a selfie with the couple smoking a joint and holding a bag of pot.
Yes.... Some people really are that stupid.
Finding Help
So you read the blog and you are still stuck. Here are a few sites that have some good information.
- GSM Hosting Forum
- Google and Google Images
- Baidu (Chinese Google)
- Unlock Forum
- GSM India
- Phone Scoop
- FCC ID Search
- The RIFF and Z3X boxes themselves - They have pictures of JTAG taps, etc.
- I'm sure you have internal police mailing lists. Ask around for supported devices.
Summary
I hope you learned how to JTAG. Assuming the phones are supported by the tools, it's dead simple. Don't let the soldering iron and wires scare you away. You really can do this. If you can't, or don't want to, let me know. I would be happy to help.