Difference between pages "Tools:Visualization" and "JTAG LG P930 (Nitro HD)"

From ForensicsWiki
(Difference between pages)
Line 1: Line 1:
Although not strictly for forensic purposes, '''visualization tools''' such as the ones discussed here can be very useful for visualizing large data sets. As forensic practitioners need to process more and more data, it is likely that some of the techniques implemented by these tools will need to be adopted.
+
== JTAG LG P930 (Nitro HD) ==
  
==Programming Languages and Developer Toolkits==
+
The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on a LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the pin or pattern lock decoded from it.
If you are building forensic tools, you probably want to start with one of these:
+
; Java and Swing
+
: Advantage: Portable and lots of good documentation out there.
+
: Disadvantage: Programs are a bit verbose, and only offers about 1/2 the performance of C
+
  
; Python with tkinter
+
For the purpose of this document, a LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.
: Advantage: Portable
+
: Disadvantage: Python is one of the slowest modern languages around.
+
  
; Python with wxWidgets
+
=== Getting Started ===
: Advantage: Portable and a better development environment than tkiner
+
: Disadvantage: wxWidgets is not installed by default, so you'll need to get it installed. Not as well documented as Tkinter
+
  
; [http://processing.org processing.org]
+
What you need to extract the lock from the device:
: Advantage: Programming language specifically developed for visualization; compiles to java byte code
+
: Disadvantage: Very oddball
+
  
; JavaFX - Java's version of Flash
+
# A Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
 +
# Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
 +
# A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
 +
# PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').
  
; Flash
+
=== NAND Dump Procedure ===
  
== Open Source ==
+
# Disassemble the phone down to the PCB.
===Graph Drawing Applications===
+
# Connect the Octoplus JTAG Box to the PC via USB.
* [http://www.graphviz.org/ Graphviz] - Originally developed by the [http://public.research.att.com/areas/visualization/ AT&T Information Visualization Gorup], designed for drawing connected graphs of nodes and edges. Neato is a similar system but does layout based on a spring model. Can produce output as [[PostScript]], [[PNG]], [[GIF]], or as an annotated graph file with the locations of all of the objects — ideal for drawing in a GUI. Runs from the command line on [[Unix]], [[Windows]] and [[Mac]], although there is also a [http://www.pixelglow.com/graphviz/ MacOS GUI version].
+
# Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
* [http://graphexploration.cond.org/ Guess: The Graph Exploration System] - Originally developed at HP, this is a large Jython/Java-based system that you can use for building your own applications. Distributed under GPL.
+
# Connect the PCB to the DC power supply.
* [http://sourceforge.net/projects/ivc/ InfoVis Cyberinfrastructure] - Another graph drawing system written in Java.
+
# Start the "Octoplus JTAG" software.
* [http://jung.sourceforge.net/ Java Universal Network/Graph Framework (JUNG)] - Graphing, [[data mining]], [[social network]] analysis, and other stuff.
+
# Power the PCB.
* [http://www.andrew.cmu.edu/user/krack/krackplot.shtml Krackplot] - "KrackPlot is a program for network visualization designed for social network analysts."
+
# Dump the NAND.
* [http://bioinformatics.icmb.utexas.edu/lgl/ Large Graph Layout (LGL)] - A bioinformatics system from University of Texas. They really mean Large.
+
* [http://www.sfu.ca/~richards/Multinet/Pages/multinet.htm MultiNet] - A data analysis package for drawing conventional data and graph data.
+
* [http://www.analytictech.com/netdraw.htm NetDraw] - "a free program written by Steve Borgatti for visualizing both 1-mode and 2-mode social network data."
+
* [http://web.mit.edu/bshi/Public/nv2d/ NetVis 2D] - Another graph visualization and layout tool written in Java.
+
* [http://www.opendx.org/ OpenDX] - Based on [[IBM]]'s Visualization Data Explorer, runs on [[Unix]]/X11/Motif.
+
* [http://vlado.fmf.uni-lj.si/pub/networks/pajek/ Pajek] - Windows program for drawing large networks.
+
* [http://sourceforge.net/projects/sonia/ Social Network Image Animator (SoNIA)] - Originally developed at Stanford. Written in Java. Makes movies.
+
* [http://www.informatik.uni-bremen.de/uDrawGraph/en/uDrawGraph/uDrawGraph.html uDrawGraph]
+
* [http://wilma.sourceforge.net/ WilmaScope] - Real-time animations of dynamic graph structures. Written in Java. Sophisticated force model with strings and attraction.
+
* [http://www.caida.org/tools/visualization/walrus/ Walrus] - A 3-d graph network exploration tool. Employs 3D hyperbolic displays and layout based on a user-supplied spanning tree.
+
=== Visualization Toolkits and Libraries ===
+
====C/C++====
+
* [http://public.kitware.com/VTK/ The Visualization Toolkit] - C++ multi-platform with interfaces available for Tcl/Tk, Java and Python. Professional support provided by [http://www.kitware.com/ Kitware].
+
* [http://kdirstat.sourceforge.net/ KDirStat], an open source implementation of [http://www.cs.umd.edu/hcil/treemap-history/index.shtml Treemaps] written in C. (Treemaps are a visualization technique developed at the University of Maryland for visualizing large amounts of multi-dimensional data.)  You can find a copy of it in [http://www.derlien.com/ Disk Inventory X] and
+
====Java====
+
* [http://csbi.sourceforge.net/index.html Graph Interface Library (GINY)] - Java
+
* [http://hypergraph.sourceforge.net/ HyperGraph] - Hyperbolic trees, in Java. Check out the home page. Try clicking on the logo...
+
* [http://ivtk.sourceforge.net/ InfoViz Toolkit] - Java, originally developed at [[INRA]].
+
* [https://jdigraph.dev.java.net/ Jdigrah] - Java Directed Graphs.
+
* [http://jgrapht.sourceforge.net/ JGraphT] - A Java visualization kit designed to be simple and extensible.  
+
* [http://prefuse.sourceforge.net/ Perfuse] - A Java-based toolkit for building interactive information visualization applications
+
* [http://www.ssec.wisc.edu/~billh/visad.html#intro VisAD] - A Java component library for interactive and collaborative visualization.
+
* [http://www.softwaresecretweapons.com/jspwiki/Wiki.jsp?page=LinguineMaps Linguine Maps] - An open-source Java-based system for visualizing software call maps.
+
* [http://zvtm.sourceforge.net/index.html Zoomable Visual Transformation Machine] - Java. Originally started at Xerox Research Europe.
+
  
====Unclassified====
+
Instructions for disassembly can be found on Internet but it can be summarised as follows:
* [http://www.gravisto.org/ Gravisto: Graph Visualization Toolkit] - An editor and toolkit for developing graph visualization algorithms.
+
* [http://www.gnu.frb.br:8080/rox Rox Graph Theory Framework] - An open-source plug-in framework for graph theory visualization.
+
* [http://touchgraph.sourceforge.net/ TouchGraph] - Library for building graph-based interfaces.
+
  
 +
# Remove the rear cover and battery.
 +
# Remove the 9 x Phillips screws.
 +
# Split the phone case using a case opening tool (guitar pick).
  
== Geographical Drawing Programs ==
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:lg-p930-nitro-hd-front.png | 400px ]]
 +
| [[ File:lg-p930-nitro-hd-back.png | 400px ]]
 +
|-
 +
|}
  
* [http://openmap.bbn.com/ OpenMap] -- From [[BBN]].
+
Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connectors. Molex sells the mating heading under the brand name "SlimStack" however sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl however based on the cost and amount of time it takes to receive said items, it can be faster to solder lead wires off this header. Note: A decent microscope is mandatory for this step as soldering these connections without one is extremely difficult.
  
== Commercial Tools ==
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:lg-p930-nitro-hd-disassembled-1.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-disassembled-2.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-disassembled-3.png | 350px ]]
 +
|-
 +
|}
  
* [http://www.aisee.com/ aiSee Graph Layout Software] - Supports 15 layout algorithms, recursive graph nesting, and easy printing. Runs on [[Windows]], [[Linux]], [[Solaris]], [[NetBSD]], and [[MacOS]]. 30-day trial and free registered versions available. Academic pricing available.
+
With the phone now disassembled you can solder on your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications which in this case is 3.8V and 1.830A but do not apply power at this time.
*  [http://www.geomantics.com/ Geomantics] - Geographical, Visualization and Graphics software. Runs on [[Windows]].
+
* [http://www.kylebank.com/ Graphis 2D and 3D graphing software] - Runs on [[Windows]]. Free 30-day evaluation copy available.
+
* [http://www.openviz.com/ OpenViz] and [http://www.powerviz.com/ PowerViz] - Both from Advanced Visual Systems, super high-end visualization toolkits. $$$$
+
* [http://www.tomsawyer.com/ Tom Sawyer Software] Analysis, Visualizaiton, and Layout programs. - Heavy support for drawing graphs. Beautiful gallery. ActiveX, Java, C++ and .NET editions.
+
* [http://www.netminer.com/ NetMiner] - "One of the most comprehensive and usable software tools for Social Network Analysis in the world." Runs on Windows, with a Linux version under development. $35 for "Express" student version, $250 for "Professional" student version, $950 for "Normal" "Professional" version.
+
* [http://www.analytictech.com/ucinet.htm UCINET] - A comprehensive package for the analysis of social network data as well as other 1-mode and 2-mode data.
+
  
= Other Resources =
+
 
==Journals and Conferences==
+
{| border="1" cellpadding="2"
* [http://www.palgrave-journals.com/ivs/index.html Information Visualization Journal]
+
|-
* [http://rw4.cs.uni-sb.de/~diehl/softvis/seminar/index.php?goto=seminar ACM Symposium on Software Visualization]
+
| [[ File:lg-p930-nitro-hd-connected-via-jtag-1.png | 350px ]]
==Link Farms==
+
| [[ File:lg-p930-nitro-hd-connected-via-jtag-2.png | 350px ]]
* [http://www-static.cc.gatech.edu/gvu/ii/resources/infovis.html GVU's Information Visualization Resources link farm]
+
| [[ File:lg-p930-nitro-hd-connected-via-jtag-3.png | 350px ]]
* [http://directory.google.com/Top/Science/Math/Combinatorics/Software/Graph_Drawing/ Google Directory of Graph Drawing Software]
+
|-
* [http://directory.fsf.org/science/visual/ GNU Free Software directory of scientific visualization software]
+
|}
* [http://www.manageability.org/blog/stuff/open-source-graph-network-visualization-in-java/view Open Source Graph Network Visualization in Java]
+
 
* [http://www.insna.org/INSNA/soft_inf.html INSNA's web page of Computer Programs for Social Network Analysis]
+
Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.
==Research Groups==
+
 
===Berkeley===
+
 
* [http://bailando.sims.berkeley.edu/infovis.html Bailando Visualization]
+
{| border="1" cellpadding="2"
* [http://vis.berkeley.edu/ Berkeley Visualization Lab]
+
|-
===Brown===
+
| [[ File:octoplus-settings.png | 600px ]]
* [http://www.cs.brown.edu/people/rt/gd.html Roberto Tamassia's resources on Graph Drawing]
+
|-
===Stanford===
+
|}
* [http://window.stanford.edu/projects/rivet/ Rivet Project] (Visualization complex systems)
+
 
===UNM===
+
Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software, you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.
* [http://www.msi.umn.edu/user_support/scivis/scivis-list.html Scientific Visualization at the Supercomputing Institute]
+
 
 +
If you receive errors that the PCB could not be connected to, try the following:
 +
 
 +
* Confirm that the PCB is receiving power from the DC power supply. If you can measure current draw of the PCB, you should see that the PCB is pulling about 0.04A. If the PCB is pulling more current, it is likely already booted and the read may fail.
 +
* Power off the PCB, power it back on, and immediately connect then start the JTAG read.
 +
* Check all of your PCB to JTAG connections under a microscope.  Inspect for shorts or incorrect connections.
 +
* Upon receiving a successful JTAG dump you can process the file with the CCL Forensics Android scripts to extract the gesture or pin lock.
 +
 
 +
==== Notes ====
 +
 
 +
This exhibit gave us some issue when reading ~100MB mark and the read kept disconnecting around that memory range. We opted to read the device with multiple reads by reading from 0MB-96MB, skipping over data, then reading from 192MB-EOF. This captured enough data to acquire the password hash which was located around the 1.3GB range on this particular phone.
 +
 
 +
== References ==
 +
 
 +
* http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
 +
* http://forensics.spreitzenbarth.de/2012/02/
 +
* http://www.ccl-forensics.com/Software/other-software-a-scripts.html

Latest revision as of 09:32, 18 August 2013

JTAG LG P930 (Nitro HD)

The LG P930 (Nitro HD) is an Android-based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on an LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the PIN or pattern lock decoded from it.

For the purpose of this document, an LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.

Getting Started

What you need to extract the lock from the device:

  1. An Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
  2. Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
  3. A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
  4. PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the Octoplus JTAG Box to the PC via USB.
  3. Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "Octoplus JTAG" software.
  6. Power the PCB.
  7. Dump the NAND.

Instructions for disassembly can be found on the Internet, but the process can be summarised as follows:

  1. Remove the rear cover and battery.
  2. Remove the 9 x Phillips screws.
  3. Split the phone case using a case opening tool (guitar pick).

[Images: Lg-p930-nitro-hd-front.png, Lg-p930-nitro-hd-back.png]

Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connector. Molex sells the mating header under the brand name "SlimStack"; however, sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl; however, based on the cost and the amount of time it takes to receive said items, it can be faster to solder lead wires off this header. Note: A decent microscope is mandatory for this step, as soldering these connections without one is extremely difficult.

[Images: Lg-p930-nitro-hd-disassembled-1.png, Lg-p930-nitro-hd-disassembled-2.png, Lg-p930-nitro-hd-disassembled-3.png]

With the phone now disassembled, you can solder your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications, which in this case are 3.8V and 1.830A, but do not apply power at this time.


[Images: Lg-p930-nitro-hd-connected-via-jtag-1.png, Lg-p930-nitro-hd-connected-via-jtag-2.png, Lg-p930-nitro-hd-connected-via-jtag-3.png]

Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.


[Image: Octoplus-settings.png]

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software; you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.

If you receive errors that the PCB could not be connected to, try the following:

  • Confirm that the PCB is receiving power from the DC power supply. If you can measure the current draw of the PCB, you should see that the PCB is pulling about 0.04A. If the PCB is pulling more current, it is likely already booted and the read may fail.
  • Power off the PCB, power it back on, and immediately connect, then start the JTAG read.
  • Check all of your PCB to JTAG connections under a microscope. Inspect for shorts or incorrect connections.
  • Upon receiving a successful JTAG dump, you can process the file with the CCL Forensics Android scripts to extract the gesture or PIN lock.

Notes

This exhibit gave us some issues when reading around the ~100MB mark, and the read kept disconnecting around that memory range. We opted to read the device with multiple reads by reading from 0MB-96MB, skipping over data, then reading from 192MB-EOF. This captured enough data to acquire the password hash, which was located around the 1.3GB range on this particular phone.
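
The multi-read approach described in the Notes leaves several partial files and an unread region in between. The following is an added example (not part of the original page, the Octoplus software, or the CCL Forensics scripts) that places each partial read at its original offset in one image, hashes every segment, and reports the gaps. It assumes the hex values in the file name are byte offsets with an exclusive end; the sample file names and contents are constructed.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Assumed naming convention, modelled on the file name used on this page:
# <label>-x<START>_x<END>.bin, START/END as hex byte offsets, END exclusive.
SEGMENT_NAME = re.compile(r"-x([0-9A-Fa-f]+)_x([0-9A-Fa-f]+)\.bin$")

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_range(path):
    """Return the (start, end) byte offsets encoded in a segment file name."""
    m = SEGMENT_NAME.search(Path(path).name)
    if not m:
        raise ValueError(f"no address range in file name: {path}")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end <= start:
        raise ValueError(f"empty or reversed range: {path}")
    return start, end

def assemble(segment_paths, out_path):
    """Write each partial read at its offset; return segment hashes and gaps."""
    segments = sorted(parse_range(p) + (Path(p),) for p in segment_paths)
    report = {"segments": [], "gaps": []}
    cursor = 0
    with open(out_path, "wb") as out:
        for start, end, path in segments:
            if path.stat().st_size != end - start:
                raise ValueError(f"{path.name}: file size does not match its range")
            if start < cursor:
                raise ValueError(f"{path.name}: overlaps the previous segment")
            if start > cursor:  # region that was skipped during acquisition
                report["gaps"].append((cursor, start))
                out.seek(start)  # skipped bytes read back as zeros
            with open(path, "rb") as src:
                shutil.copyfileobj(src, out)
            report["segments"].append((path.name, sha256_file(path)))
            cursor = end
    report["image_sha256"] = sha256_file(out_path)
    return report

def demo():
    """Constructed sample: two tiny 'reads' with a skipped region between them."""
    tmp = Path(tempfile.mkdtemp())
    a = tmp / "sample-jtag-x0000000_x0000010.bin"
    b = tmp / "sample-jtag-x0000020_x0000030.bin"
    a.write_bytes(b"A" * 0x10)
    b.write_bytes(b"B" * 0x10)
    out = tmp / "sample-assembled.bin"
    return assemble([b, a], out), out.read_bytes()
```

Keep the reported gap list with the case notes: zero-filled regions in the assembled image are unread areas, not evidence that the flash held zeros there.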

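References

  • http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
  • http://forensics.spreitzenbarth.de/2012/02/
  • http://www.ccl-forensics.com/Software/other-software-a-scripts.html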