Difference between pages "Blackberry Forensics" and "JTAG Samsung Galaxy S3 (SGH-I747M)"

From Forensics Wiki

= Blackberry Forensics =

== Warning for BlackBerry Forensics ==
[[BlackBerry]] devices come with password protection. The owner can protect all data on the phone with a password, and may also specify the number of attempts allowed for entering the password before all data is wiped from the device.

[[Image:Image1.jpg]]

If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.

[[Image:Image2.jpg]]

The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that is not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

== Acquiring BlackBerry Backup File (.ipd) ==

1. Open Blackberry’s Desktop Manager
2. Click “Options” then “Connection Settings”
[[Image:4.JPG]]
4. Select “USB-PIN: 2016CC12” for connection
[[Image:1.JPG]]
5. Click “Detect”; it should then show a dialog box saying it found the device
6. Click "OK" to return to the main menu
7. Double click “Backup and Restore”
[[Image:2.JPG]]
8. Click "Backup"
[[Image:5.JPG]]
9. Save the .ipd file
[[Image:3.JPG]]

== Opening Blackberry Backup Files (.ipd) ==
1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html], or download the trial version.

2. Use File | Open and point the program to the BlackBerry backup file (.ipd).

3. Navigate to the appropriate content by using the navigator icons on the left.

== Blackberry Simulator ==

This is a step by step guide to downloading and using a Blackberry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477 Blackberry website]. Click ''Next''.

2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your proper user credentials and click ''Next'' to continue.

4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*

5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*

6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.
* If you disagree at any of these points, you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).

8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.

Below is an example of a 7510 simulator. These simulators ARE capable of connecting to Blackberry Desktop Manager.

[[Image:Image3.jpg]]

== Acquisition with Paraben's Device Seizure ==

As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback is that this method takes significantly more time to acquire than using Amber Blackberry Converter.

1. Create a new case in Device Seizure with File | New.

2. Give the case a name and fill in any desired information about the case on the next two screens. Nothing is actually required to be entered. The third screen is a summary of the data entered. If all data is correct, click Next and then Finish.

3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.

4. You are prompted for the supported manufacturer. Select RIM Blackberry (Physical).

5. Leave supported models at the default selection of autodetect.

6. Connection type should be set to USB.

7. For data type selection select Memory Image.

NOT COMPLETE YET

== Blackberry Protocol ==
http://www.off.net/cassis/protocol-description.html

Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article goes into great detail on packet sniffing and the protocol as it relates to data transfer across a USB port.

= JTAG Samsung Galaxy S3 (SGH-I747M) =

Latest revision as of 17:50, 23 January 2014

== JTAG Samsung Galaxy S3 (SGH-I747M) ==

The Samsung Galaxy S3 is an Android based smartphone. At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.

For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.

=== Getting Started ===

What you need to dump the NAND:

# A [http://www.riffbox.org/ RIFF Box].
# Soldering skills and a small tip soldering iron (a JTAG jig may be available).
# A DC power supply capable of supplying 3.8V/2.1A output. The power supply used for this was an [http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng Agilent U8002A DC Power Supply].

=== NAND Dump Procedure ===

# Disassemble the phone down to the PCB.
# Connect the RIFF Box to the PC via USB.
# Connect the RIFF Box to the PCB via the JTAG pins.
# Connect the PCB to the DC power supply.
# Start the "RIFF Box JTAG Manager" software.
# Enable the power on the DC power supply.
# Power the phone via the power button.
# Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on the Internet, but they can be summarized as follows:

* Remove the rear cover and battery.
* Remove the 10 x Phillips screws.
* Remove the rear plate using a case opening tool (guitar pick).

{| border="1" cellpadding="2"
|-
| [[File:1-samsung-s3-sgh-i747m-front.jpg | 600px]]
| [[File:2-samsung-s3-sgh-i747m-back.jpg | 600px]]
|-
| [[File:3-samsung-s3-sgh-i747m-disassembly-screws.jpg | 600px]]
| [[File:4-samsung-s3-sgh-i747m-disassembly-bezel.jpg | 600px]]
|-
|}

* Once the phone has been disassembled, you can see the JTAG connection port located close to the edge of the PCB near the ribbon cable.

{| border="1" cellpadding="2"
|-
| [[File:5-samsung-s3-sgh-i747m-disassembly-final.jpg | 1000px]]
|-
|}

* The JTAG pinouts are as follows.

{| border="1" cellpadding="2"
|-
| [[File:6-samsung-s3-sgh-i747m-jtag-header.jpg | 1000px]]
|-
|}

* Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire, connected to breadboard pins, which were inserted into the 20 pin ribbon cable supplied with the RIFF Box.

{| border="1" cellpadding="2"
|-
| [[File:7-samsung-s3-sgh-i747m-jtag-solder.jpg | 500px]]
|-
|}

* Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outermost pin (1) and the negative (-) pin is pin (3). You can configure your power supply to match the battery specifications, which in this case are 3.8V and 2.1A, but do not apply power at this time.

{| border="1" cellpadding="2"
|-
| [[File:8-samsung-s3-sgh-i747m-jtag-power.jpg | 1000px]]
|-
|}

* Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF Box. See the picture below for more detail.

'''NOTE:''' In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in an attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.

{| border="1" cellpadding="2"
|-
| [[File:9-samsung-s3-sgh-i747m-jtag-manager.jpg | 1000px]]
|-
|}

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well, the "READ" button will become the "STOP" button and the phone will begin reading; if not, the RIFF software provides troubleshooting steps to help diagnose some of the issues you may experience.

'''NOTE:''' In the event of read errors, the RIFF software keeps track of where the failure occurred and gives you the option to restart the read where it left off. If this occurs, you can lower the "JTAG TCK Speed" to 9MHz (or lower), which can stabilize the read.

* Once the acquisition is complete, the resulting image can be saved and forensic analysis can take place using the tool of your choosing.

== References ==

* http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
* http://forensics.spreitzenbarth.de/2012/02/
* http://www.ccl-forensics.com/Software/other-software-a-scripts.html
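A saved JTAG read is only as good as the read that produced it, and the NAND Dump Procedure above notes that the RIFF software may resume a read after a mid-read disconnect. The following Python is an added example, not code from the wiki page or from RIFF: it hashes a raw image, counts all-0xFF (erased flash) and all-0x00 blocks so a dump made largely of filler is noticed before analysis, and compares two reads of the same device block by block, which is the check to run when a resumed read is verified against a second, uninterrupted read. The 4 KiB reporting block and the two sample images are assumptions constructed here; a real image would be read from the file the RIFF software saved.

```python
import hashlib
import random

BLOCK = 4096  # assumed reporting granularity, not a property of the device


def dump_summary(image: bytes, block: int = BLOCK) -> dict:
    """Size, SHA-256 and filler statistics for a raw flash image.

    Blocks that are entirely 0xFF usually mean erased flash; blocks that are
    entirely 0x00 can be unused space or a read that returned nothing.
    """
    erased = zero = 0
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if chunk == b"\xff" * len(chunk):
            erased += 1
        elif chunk == b"\x00" * len(chunk):
            zero += 1
    return {
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "blocks": (len(image) + block - 1) // block,
        "erased_blocks": erased,
        "zero_blocks": zero,
    }


def diff_dumps(first: bytes, second: bytes, block: int = BLOCK) -> list:
    """Compare two reads of the same device; return [(offset, length), ...] for ranges that differ.

    A length mismatch also shows up, because the missing tail compares unequal
    to an empty slice.
    """
    ranges = []
    start = None
    end = max(len(first), len(second))
    for off in range(0, end, block):
        same = first[off:off + block] == second[off:off + block]
        if not same and start is None:
            start = off
        elif same and start is not None:
            ranges.append((start, off - start))
            start = None
    if start is not None:
        ranges.append((start, end - start))
    return ranges


def build_sample_dumps() -> tuple:
    """Constructed sample, not real device data: a 64 KiB pseudo-random image with one
    erased and one zero block, plus a second read whose block 9 is corrupted (XOR 0xFF)
    to stand in for data damaged around a disconnect."""
    rng = random.Random(1747)  # fixed seed so the sample is reproducible
    first = bytearray(rng.getrandbits(8) for _ in range(16 * BLOCK))
    first[3 * BLOCK:4 * BLOCK] = b"\xff" * BLOCK
    first[4 * BLOCK:5 * BLOCK] = b"\x00" * BLOCK
    second = bytearray(first)
    second[9 * BLOCK:10 * BLOCK] = bytes(b ^ 0xFF for b in first[9 * BLOCK:10 * BLOCK])
    return bytes(first), bytes(second)


if __name__ == "__main__":
    a, b = build_sample_dumps()
    print(dump_summary(a))
    print("differing ranges:", diff_dumps(a, b))
```

Record the hash from `dump_summary` alongside the image at acquisition time; any later copy that fails to reproduce it, or any non-empty result from `diff_dumps` between two reads, means the image should be re-acquired before analysis rather than explained away.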
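For the two BlackBerry sections above that acquire and open .ipd backup files, here is an added Python example (not code from the wiki page, from Amber BlackBerry Converter, or from RIM) that parses the backup container directly, which is useful when the commercial viewer is unavailable or when you want to verify what it shows. The container layout it implements (header string, version byte, big-endian database count, NUL-terminated database name table, then records of database index, length, handle, unique id and length-prefixed fields) is stated from memory of publicly documented third-party IPD parsers and is an assumption to confirm against a real backup; the field type codes and record contents in the sample are constructed for the demonstration, not real device data.

```python
import struct

# Header string of an .ipd backup (assumption: as documented by third-party IPD parsers).
IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"


def parse_record(db_name: str, body: bytes) -> dict:
    """Parse one record body: 1-byte db version, 2-byte LE handle, 4-byte LE unique id,
    then fields of (2-byte LE length, 1-byte type, data) until the body is consumed."""
    if len(body) < 7:
        raise ValueError("record body shorter than its fixed 7-byte prefix")
    db_version = body[0]
    handle, uid = struct.unpack_from("<HI", body, 1)
    fields = []
    pos = 7
    while pos < len(body):
        if len(body) - pos < 3:
            raise ValueError("truncated field header in record %#x" % uid)
        (flen,) = struct.unpack_from("<H", body, pos)
        ftype = body[pos + 2]
        pos += 3
        fdata = body[pos:pos + flen]
        if len(fdata) != flen:
            raise ValueError("truncated field data in record %#x" % uid)
        pos += flen
        fields.append((ftype, fdata))
    return {"database": db_name, "db_version": db_version,
            "handle": handle, "uid": uid, "fields": fields}


def parse_ipd(data: bytes) -> dict:
    """Parse a whole .ipd image into its database name table and records.
    Every length is bounds-checked so a truncated or malformed file raises
    ValueError instead of silently yielding garbage."""
    if not data.startswith(IPD_MAGIC):
        raise ValueError("not an IPD file: header string missing")
    pos = len(IPD_MAGIC)
    if len(data) < pos + 4:
        raise ValueError("truncated IPD header")
    version = data[pos]
    (db_count,) = struct.unpack_from(">H", data, pos + 1)   # database count is big-endian
    if data[pos + 3] != 0:
        raise ValueError("expected 0x00 separator after database count")
    pos += 4
    names = []
    for _ in range(db_count):
        if len(data) - pos < 2:
            raise ValueError("truncated database name table")
        (nlen,) = struct.unpack_from("<H", data, pos)       # length includes the NUL
        pos += 2
        raw = data[pos:pos + nlen]
        if len(raw) != nlen:
            raise ValueError("truncated database name")
        pos += nlen
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    records = []
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated record header at offset %d" % pos)
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        if db_id >= db_count:
            raise ValueError("record references unknown database %d" % db_id)
        body = data[pos:pos + rec_len]
        if len(body) != rec_len:
            raise ValueError("truncated record body at offset %d" % pos)
        pos += rec_len
        records.append(parse_record(names[db_id], body))
    return {"version": version, "databases": names, "records": records}


def records_per_database(parsed: dict) -> dict:
    """Count records by database name: a quick triage view of what a backup holds."""
    counts = {}
    for rec in parsed["records"]:
        counts[rec["database"]] = counts.get(rec["database"], 0) + 1
    return counts


def build_sample_ipd() -> bytes:
    """Constructed sample backup with two databases and one record each.
    Field type codes (0x20, 0x21, 0x01) and contents are invented for the demo."""
    names = [b"Address Book", b"SMS Messages"]
    out = bytearray(IPD_MAGIC)
    out.append(2)                               # format version
    out += struct.pack(">H", len(names))        # database count, big-endian
    out.append(0)                               # separator
    for name in names:
        out += struct.pack("<H", len(name) + 1) + name + b"\x00"

    def record(db_id, handle, uid, fields):
        body = bytearray([0])                   # database version
        body += struct.pack("<HI", handle, uid)
        for ftype, fdata in fields:
            body += struct.pack("<H", len(fdata)) + bytes([ftype]) + fdata
        return struct.pack("<HI", db_id, len(body)) + bytes(body)

    out += record(0, 1, 0x1001, [(0x20, b"Alice Example\x00"), (0x21, b"+15550100\x00")])
    out += record(1, 2, 0x2002, [(0x01, b"constructed sample message\x00")])
    return bytes(out)


if __name__ == "__main__":
    parsed = parse_ipd(build_sample_ipd())
    print(parsed["databases"], records_per_database(parsed))
```

The bounds checks matter more than they look: a backup file is attacker-influenced input if it came off a device you do not control, so the parser refuses anything whose declared lengths run past the buffer rather than reading whatever happens to follow.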
