Difference between pages "Chip-Off BlackBerry Curve 9315" and "Windows SuperFetch Format"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
(MEMO file)
 
Line 1: Line 1:
The hardware used in the BlackBerry 9315's and 9320's are almost identical. The following link describes the differences between the models. http://worldwide.blackberry.com/blackberrycurve/9220-9310-9320/specifications.jsp
+
{{expand}}
  
== Tear Down ==
+
== MEMO file ==
 +
Th MEMO file consists of:
 +
* file header
 +
* compressed blocks
  
<ol start="1">
+
=== File header ===
<li>Remove the back panel.</li>
+
The file header is 84 bytes of size and consists of:
</ol>
+
{| class="wikitable"
 
+
{| border="1" cellpadding="2"
+
 
|-
 
|-
| [[File:1-bb9320-BackPanelRemoved.jpg| 300px ]]
+
! Offset
 +
! Size
 +
! Value
 +
! Description
 
|-
 
|-
|}
+
| 0
 
+
| 4
<ol start="2">
+
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
<li>Remove the SIM and SD Memory Card.</li>
+
| Signature
</ol>
+
 
+
<ol start="3">
+
<li>Using a torx-6 screw driver remove the 2 visible screws on the back of the phone.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
 
|-
 
|-
| [[File:2-bb9320-ScrewRemoval.jpg| 300px ]]
+
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 
|-
 
|-
 
|}
 
|}
  
<ol start="4">
+
=== Compressed blocks ===
<li>Remove the screen protector using a shim, guitar pick, or prying tool.</li>
+
The file header is followed by compressed blocks:
</ol>
+
{| class="wikitable"
 
+
{| border="1" cellpadding="2"
+
 
|-
 
|-
| [[File:3-bb9320-ScreenRemoval.jpg| 300px ]]
+
! Offset
 +
! Size
 +
! Value
 +
! Description
 
|-
 
|-
|}
+
| 0
 
+
| 4
<ol start="5">
+
|
<li>Remove 2 torx-5 screws.</li>
+
| Compressed data size
</ol>
+
 
+
{| border="1" cellpadding="2"
+
 
|-
 
|-
| [[File:4-bb9320-ScrewRemoval.jpg| 300px ]]
+
| 4
 +
| ...
 +
|
 +
| Compressed data
 
|-
 
|-
 
|}
 
|}
  
<ol start="6">
+
== See Also ==
<li>Use the shim to detach the outer bezel/keyboard from the device.</li>
+
* [[SuperFetch]]
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:5-bb9320-TopPlate.jpg| 300px ]]
+
| [[File:5-1-bb9320-TopPlate.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="7">
+
<li>Remove 4 additional torx-6 screws. The main board will now easily be separated from the back plate</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:6-bb9320-ScrewRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="8">
+
<li>Peel off the vendor sticker.</li>
+
</ol>
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:7-bb9320-VendorPlate.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="9">
+
<li>Remove the plastic cover protecting the track pad ribbon cable, and disconnect the track pad.</li>
+
</ol>
+
 
+
<ol start="10">
+
<li>Remove the final torx-4 screw located beneath the plastic protector, to remove the plastic keyboard overlay.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:8-bb9320-ScrewRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="11">
+
<li>Disconnect the ribbon cable connected to the LCD. Then using a pick separate the display from the main board.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:9-bb9320-ScreenRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="12">
+
<li>The tear down is now complete</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:9-1-bb9320-TearDownComplete.jpg| 300px ]]
+
|-
+
|}
+
 
+
eMMC Removal
+
 
+
<ol start="1">
+
<li>The eMMC is located beneath the heat shield directly above the Micro SD card slot.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:10-bb9320-EMMC-Location.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="2">
+
<li>Place the main board in a stand or holder and position it approximately 2 1/2" - 3" inches away from a heat gun or device the blows super hot air.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:11-bb9320-HeatShield.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="3">
+
<li>Monitoring the temperature the heat shield will come off easily between 190-200 Centigrade.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:12-bb9320-HeatShield.jpg| 300px ]]
+
| [[File:13-bb9320-HeatShieldRemoved.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="4">
+
<li>Continue working under the high heat. With the 9315/9320's I've worked on the eMMC has been ready to lift off of the main board using tweezers immediately after removing the heat shield.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:14-bb9320-EMMC-Removed.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="5">
+
<li>Using liquid flux, or flux paste and a soldering iron clean the pads on the eMMC in preparation for a read</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:15-bb9320-EMMC-Cleanup.jpg| 300px ]]
+
| [[File:16-bb9320-EMMC-Clean.jpg| 300px ]]
+
|-
+
|}
+
  
<ol start="6">
+
== External Links ==
<li>The eMMC is now ready to read using the appropriate adapter/programmer and software.</li>
+
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
</ol>
+
  
At the time of this writing (2013OCT29) the eMMC that was removed in this example was read using an UP828 programmer via the "VBGA169E" adapter and using the "eNAND_H9DP4GG4JJACGR-4EM/459MB" device settings. The resulting image was then parsed via the CelleBrite Physical Analyzer (V. 3.8.5.108).
+
[[Category:File Formats]]

Revision as of 12:37, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Contents

MEMO file

Th MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

See Also

External Links