JTAGing Mobile Phones

Overview

I always thought JTAG was hard, then I tried it, and realized it was actually very easy (most of the time). Pretty much anyone can learn to do this in 8 hours of soldering practice. Really, it's dead simple. Don't let anyone fool you by trying to convince you it's not.

I said "most of the time" because there are going to be instances where one of the following happens and prevents some people from being able to JTAG a phone:

  1. Phone not supported by popular tools - Let's face it. For the majority of analysts, if the tool doesn't work, they don't work. That's just life, so we might as well accept that fact and list it first. Sooner or later you will get a phone that isn't supported and you likely won't be able to analyze it. The barrier to entry for writing support for unsupported chips is going to be too high for most people. That's fine. That's life. Analyze the other 95%+ of phones that come through your door and outsource the remaining 5%.
  2. JTAG taps are unknown and you need to figure them out on your own. This can take time and more skill. Again, see the first bullet (outsource the 5%).
  3. Microcontroller (MCU) does not support JTAG, requiring ISP/ICSP or chip-off. This may or may not be possible in your environment. I would suggest additional training for chip-off. Also, for ISP you will be soldering some crazy small wires. It's very doable, you will just need practice (eBay).
  4. Encryption - Think new iPhones and new Samsung devices. This quite possibly spells the end of JTAG.

NOTE: I do not do this in my day job. I purchased damaged phones off eBay and played around with them. This is even more proof that anyone can learn how to do this.

What is JTAG?

First, let's define what JTAG is so we can better understand it going forward.

Joint Test Action Group (JTAG) is the group of companies that came together in 1985 to define a standard for boundary-scan testing of integrated circuits.

In 1990, the specification resulted in IEEE 1149.1, Standard Test Access Port and Boundary-Scan Architecture. Its main purpose is to allow engineers to perform debugging and diagnostics of the system/device.

JTAG Interface Signals

UPDATED 10/02/2016 - Removed this section. This senr.io write up explains JTAG much better. No reason to repeat it.


Tools for JTAGing Phones

I use the following tools and have NO issues with JTAGing phones. You can buy better equipment if you want, but below is proof you do not need the best equipment.

I will assume you already have forensic software to process the data we will dump from the phone. If not, you can get a lot of good content with X-Ways, NetAnalysis, Bulk Extractor, carving tools and Autopsy before diving into some of the more expensive commercial mobile forensic solutions (IEF, Cellebrite, EnCase, etc.). But again, I will assume you have this already, and if you're in law enforcement you likely already have at least Cellebrite and something like EnCase.

Total: For < $1,400 you can JTAG most phones from what research I have done. If you are in law enforcement and not doing this you are missing out. It is very simple.

There is another tool called JTAGulator ($159) that can help brute-force JTAG tap layouts. It can be useful when you do not know the layout of the taps.

It's not necessary as most of the popular phones are supported and documented. I have used it and it worked on some phones, but not on others. It seems to be hit or miss. The Z3X also has a JTAG tap identification tool built into it so I recommend starting with the Z3X before shelling out another $159 for the JTAGulator.

If you do not want to invest in gear, but want something JTAG'd I can help you. Just ask.


Nokia Lumia 521

I decided on this phone after someone posted on the SANS mailing list asking how to acquire data from it.

I purchased two phones off eBay: $15 each plus shipping, for a grand total of $40.69. The condition of the phone doesn't matter for JTAG as long as it powers on. So if you can confirm power (multimeter), the broken screen doesn't matter, and that will save you some money when buying test phones.

Phone Research
What we know
  • 1 GHz Qualcomm Snapdragon S4 MSM8270
  • Windows Version 8
  • 8GB
  • Labeled JTAG Pinouts
  • JTAG Box Support
JTAG Box Verification

As we can see here, the Z3X supports the Nokia Lumia 521.

Z3X Support

And here we can see the JTAG pinouts provided by the Z3X JTAG box.

JTAG Taps

Phone Disassembly

Now that we have confirmed that at least one of our tools supports our Nokia Lumia 521, let's move forward with phone disassembly.

Phone

Phone2

Prep and Clean the Taps

First, our taps are under a heat shield. I use my SMD rework station (hot air) to remove the shield. Be careful not to burn up the board. Use a swiping motion with the rework hot air gun so as not to apply direct heat to the board for too long.

Rework

In this step we want to make sure our JTAG taps are clean. I do this by scratching away the surface layer to expose the copper taps. If we leave that layer of coating (not sure of the name) in place, the solder will not stick to it and you will not be able to solder the tap.

Tap Scratch

After scratching them off I cleaned them with a Q-tip and some alcohol. After you do this blow on the board to dry the alcohol (happens quickly).

Q-Tip

Soldering our JTAG Taps

These are some shots under my microscope. The work is too small to see without the microscope, so I do all of the soldering this way. Some people will use medical loupes (think dentist). I like the microscope.

Solder1

Here are some completed taps that I have applied solder to. At this stage I need to scratch off a few more taps, and then solder them as well.

Solder2

Wiring the Phone

After all of the solder was placed on the taps I moved forward with wiring up the phone per the wiring diagram above.

I have connected it to the Z3X JTAG box. The device in the middle between the phone and the Z3X is a custom connector I created via OSH Park. It's just an easy medium that lets me interface with the JTAG box more easily. If you want the schematics, let me know and I can send them. It's about $4 - $5 per device in parts. It is not necessary; the Z3X and Riff box will come with a small PCB to interface with.

JTAGed

Dumping Phone Contents

Z3X_Log

Here is a copy/paste from the console log.

CPU IDCODE: 0x4F1F0F0F  
Mfg: 0x787  
Part: 0xf1f0  
CPU Manufacturer: Samsung  
CPU Name: ARM7GEN  
JTAG device: MSM8227  
CPU IDCODE: 0x207D00E1  
Mfg.: 0x070  
Part: 0x07d0  
CPU Manufacturer: QUALCOMM  
CPU Name: MSM8227  
EMMC 0:  
ID: 0x004A0090  
Name: H8G2d  
Size: 7.2 G  
Blocks: 15155200

EMMC 1  
ID: 0x004A0090  
Name: H8G2d  
Size: 2.0 M  
Blocks: 4096  
eMMC Flash Device(s) found:  
Device ID: 0x0090004a  

The dump is being read from EMMC address 0x000000000000 -> 0x000200000000 and being saved to the following location:

C:\Users\sysforensics\Desktop\NOKIA_LUMIA_521_0x00000000_0x200000000.bin  

The dumping process can take 2+ days with an 8GB phone. It's not something you can turn around to your department in an afternoon.
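Before spending two days analyzing a dump it is worth confirming the box's own log is self-consistent. The script below is an added example, not part of the original post or the Z3X software: it decodes the two IDCODEs from the console log above into their IEEE 1149.1 fields and checks them against the Mfg/Part values the box printed, converts the reported eMMC block counts to bytes (assuming 512-byte sectors, which is what the 7.2 G / 2.0 M figures imply), and compares the expected dump size from the address range with the size of the .bin on disk.

```python
import os
import re

def decode_idcode(idcode: int) -> dict:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields:
    bits 31:28 version, 27:12 part number, 11:1 JEP106 manufacturer, bit 0 must be 1."""
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "mfg": (idcode >> 1) & 0x7FF,
        "valid": (idcode & 1) == 1,
    }

# Constructed copy of the relevant lines from the Z3X console log quoted in the post.
Z3X_LOG = """CPU IDCODE: 0x4F1F0F0F
Mfg: 0x787
Part: 0xf1f0
CPU Manufacturer: Samsung
CPU Name: ARM7GEN
JTAG device: MSM8227
CPU IDCODE: 0x207D00E1
Mfg.: 0x070
Part: 0x07d0
CPU Manufacturer: QUALCOMM
EMMC 0:
Blocks: 15155200
EMMC 1
Blocks: 4096
"""

def check_log(log: str) -> list:
    """For every IDCODE/Mfg/Part triple in the log, return (idcode, agrees_with_tool)."""
    triples = re.findall(
        r"CPU IDCODE: (0x[0-9A-Fa-f]+)\s+Mfg\.?: (0x[0-9A-Fa-f]+)\s+Part: (0x[0-9A-Fa-f]+)", log)
    results = []
    for idc, mfg, part in triples:
        d = decode_idcode(int(idc, 16))
        ok = d["valid"] and d["mfg"] == int(mfg, 16) and d["part"] == int(part, 16)
        results.append((int(idc, 16), ok))
    return results

def emmc_bytes(blocks: int, block_size: int = 512) -> int:
    """eMMC capacity in bytes from the block count the box reports (512-byte sectors assumed)."""
    return blocks * block_size

def expected_dump_bytes(start: int, end: int) -> int:
    """Size a dump of the address range [start, end) must have once it finishes."""
    return end - start

def dump_size_ok(path: str, start: int, end: int) -> bool:
    """True if the .bin on disk is exactly as large as the address range that was read."""
    return os.path.getsize(path) == expected_dump_bytes(start, end)
```

For the Lumia dump the range is 0x0 to 0x200000000, so `dump_size_ok(r"C:\Users\sysforensics\Desktop\NOKIA_LUMIA_521_0x00000000_0x200000000.bin", 0x0, 0x200000000)` should return True; a shorter file means the read was interrupted.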

Now that we have the dump here:

NOKIA_LUMIA_521_0x00000000_0x200000000.bin  

Let's begin analysis.

Analysis

You will have a single bin file. Simply load it up in your analysis tool of choice and have at it. In this example I loaded it up in X-Ways and started carving for photos.

X-Ways

Analysis Results

There were a few boob pictures, multiple selfie pictures, some porn, family birthday party and my favorite a selfie with the couple smoking a joint and holding a bag of pot.

Yes.... Some people really are that stupid.


Finding Help

So you read the blog and you are still stuck. Here are a few sites that have some good information.

Summary

I hope you learned how to JTAG. Assuming the phones are supported by the tools, it's dead simple. Don't let the soldering iron and wires scare you away. You really can do this. If you can't, or don't want to, let me know. I would be happy to help.