Difference between pages "Upcoming events" and "JTAG Samsung Galaxy S3 (SGH-I747M)"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Scheduled Training Courses)
 
 
Line 1: Line 1:
Here is a BY DATE listing of '''upcoming conferences and training events''' that pertain to [[digital forensics]]. Some of these duplicate the generic [[conferences]], but have specific dates/locations for the upcoming conference/training event.
+
== JTAG Samsung Galaxy S3 (SGH-I747M) ==
  
<b> The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv</b>
+
The Samsung Galaxy S3 is an Android based smartphone.  At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
<b> Any requests for additions, deletions or corrections to this list should be sent by email to David Baker <i>(bakerd AT mitre.org)</i>. </b>
+
  
== Calls For Papers ==
+
For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
=== Getting Started ===
! Title
+
 
! Due Date
+
What you need to dump the NAND:
! Website
+
 
 +
# A RIFF Box [[http://www.riffbox.org/|RIFF Box]]
 +
# Soldering skills and small tip soldering iron (a JTAG jig may be available).
 +
# A DC Power supply capable of supplying 3.8V/2.1A output.  The power supply used for this was an [[http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng|Agilent U8002A DC Power Supply]].
 +
 
 +
=== NAND Dump Procedure ===
 +
 
 +
# Disassemble the phone down to the PCB.
 +
# Connect the RIFF Box to the PC via USB.
 +
# Connect the RIFF Box to the PCB via the JTAG pins.
 +
# Connect the PCB to the DC power supply.
 +
# Start the "RIFF Box JTAG Manager" software.
 +
# Enable the power on the DC power supply.
 +
# Power the phone via the power button.
 +
# Dump the NAND via the RIFF Box software.
 +
 
 +
Instructions for disassembly can be found on Internet but it can be summarized as follows:
 +
 
 +
* Remove the rear cover and battery.
 +
* Remove the 10 x Phillips screws.
 +
* Remove the rear plate using a case opening tool (guitar pick).
 +
 
 +
{| border="1" cellpadding="2"
 
|-
 
|-
|DFRWS 2007 File Carving Challenge
+
| [[File:1-samsung-s3-sgh-i747m-front.jpg | 600px]]
|Jul 09, 2007
+
| [[File:2-samsung-s3-sgh-i747m-back.jpg | 600px]]
|http://www.dfrws.org/2007/challenge/submission.html
+
 
|-
 
|-
|American Academy of Forensic Sciences 2008 Annual Meeting
+
| [[File:3-samsung-s3-sgh-i747m-disassembly-screws.jpg | 600px]]
|Aug 01, 2007
+
| [[File:4-samsung-s3-sgh-i747m-disassembly-bezel.jpg | 600px]]
|http://www.aafs.org/abstracts/your_online_presentation_submiss.htm
+
 
|-
 
|-
|Digital Forensic Forum Prague 2007
 
|Aug 31, 2007
 
|http://www.dff-prague.com/News/article/sid=17.html
 
 
|}
 
|}
  
== Conferences ==
+
* Once the phone has been disassembled, you can see the JTAG connection port located closed to the edge of the PCB near the ribbon cable.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
{| border="1" cellpadding="2"
! Title
+
! Date/Location
+
! Website
+
 
|-
 
|-
|Computer Security Institute NetSec '07
+
| [[File:5-samsung-s3-sgh-i747m-disassembly-final.jpg | 1000px]]
|Jun 11-13, Scottsdale, AZ
+
|http://www.gocsi.com/netsec/
+
 
|-
 
|-
|2007 USENIX Annual Technical Conference
+
|}
|Jun 17-22, Santa Clara, CA
+
 
|http://www.usenix.org/events/
+
* The JTAG pinouts are as follows.
 +
 
 +
{| border="1" cellpadding="2"
 
|-
 
|-
|Third Government Forum of Incident Response and Security Teams Conference
+
| [[File:6-samsung-s3-sgh-i747m-jtag-header.jpg | 1000px]]
|Jun 25-29, Orlando, FL
+
|http://www.us-cert.gov/GFIRST/index.html
+
 
|-
 
|-
|First International Workshop on Cyber-Fraud
+
|}
|Jul 01-06, San Jose, CA
+
 
|http://www.iaria.org/conferences2007/CYBERFRAUD.html
+
* Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire, connected to breadboard pins, which were inserted into the 20 pin ribbon cable supplied with the RIFF box.
|-
+
 
|Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2007
+
{| border="1" cellpadding="2"
|Jul 12-13, Lucerne, Switzerland
+
|http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/dimva/
+
|-
+
|BlackHat Briefings
+
|Jul 28-Aug 02, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|DefCon
+
|Aug 03-05, Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|16th USENIX Security Symposium
+
|Aug 06-10, Boston, MA
+
|http://www.usenix.org/events/
+
|-
+
|GMU 2007 Symposium
+
|Aug 06-10, George Mason University, Fairfax, VA
+
|http://www.rcfg.org
+
|-
+
|[[Digital Forensic Research Workshop|Digital Forensic Research Workshop 2007]]
+
|Aug 13-15, Pittsburgh, PA
+
|http://www.dfrws.org/2007/index.html
+
|-
+
|HTCIA 2007 International Training Conference & Exposition
+
|Aug 27-29, San Diego, CA
+
|http://www.htcia-sd.org/htcia2007.html
+
|-
+
|Recent Advances in Intrusion Detection (RAID) 2007
+
|Sep 05-07, Gold Coast, Queensland, Australia
+
|http://www.isi.qut.edu.au/events/conferences/raid07
+
|-
+
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
+
|Sep 10-14, Modena, Italy
+
|http://www.iciap2007.org
+
|-
+
|3rd International Conference on IT-Incident Management & IT-Forensics
+
|Sep 11-12, Stuttgart, Germany
+
|http://www.imf-conference.org/
+
|-
+
|Black and White Ball
+
|Sep 25-28, London, UK
+
|http://www.theblackandwhiteball.co.uk/
+
|-
+
|Wisconsin Association of Computer Crimes Investigators/Forensic Association of Computer Technologists
+
|Sep 26-28, Milwaukee, WI
+
|http://www.byteoutofcrime.org
+
|-
+
|BlackHat Japan - Briefings
+
|Oct 23-26, Tokyo, Japan
+
|http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
+
|-
+
|Global Conference on Economic and High-Tech Crime (NW3C Membership Required)
+
|Oct 24-26, Crystal City, VA
+
|https://conference.nw3c.org/index.cfm
+
|-
+
|Techno-Forensics Conference
+
|Oct 29 - 31, Rockville, MD
+
|http://www.techsec.com/html/TechnoForensics2007.html
+
|-
+
|DeepSec IDSC
+
|Nov 22-24, Vienna, Austria
+
|http://deepsec.net/
+
|-
+
|Digital Forensic Forum Prague 2007
+
|Nov 26-27, Prague, Czech Republic
+
|http://www.dff-prague.com/
+
 
|-
 
|-
|DoD Cyber Crime Conference 2008
+
| [[File:7-samsung-s3-sgh-i747m-jtag-solder.jpg | 500px]]
|Jan 13-18 2008, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
 
|-
 
|-
|AAFS Annual Meeting
 
|Feb 18-23 2008, Washington, DC
 
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
 
 
|}
 
|}
  
== On-going / Continuous Training ==
+
* Connect the PCB battery terminal connections to the DC power supply.  The positive (+) connection is the outermost pin (1) and the negative (-) pin is pin (3).  You can configure your power supply to match the battery specifications which in this case is 3.8V and 2.1A but do not apply power at this time.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
{| border="1" cellpadding="2"
! Title
+
! Date/Location or Venue
+
! Website
+
|-
+
|Basic Computer Examiner Course
+
|Computer Forensic Training Online
+
|http://www.cftco.com
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
 
|-
 
|-
|Evidence Recovery for the Windows XP&trade; operating system
+
| [[File:8-samsung-s3-sgh-i747m-jtag-power.jpg | 1000px]]
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
 
|-
 
|-
 
|}
 
|}
  
== Scheduled Training Courses ==
+
* Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF box. See the picture below for more detail.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
'''NOTE:''' In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.
! Title
+
 
! Date/Location
+
{| border="1" cellpadding="2"
! Website
+
! Limitation
+
|-
+
|Paraben Corporation - Handheld Forensic Course
+
|Jun 18-21, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|AccessData Windows Forensics
+
|Jun 19-21, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|SMART for Linux
+
|Jul 09-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Cyber Counterterrorism Investigations Training Program (CCITP)
+
|Jul 09-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART Windows Data Forensics
+
|Jul 16-18, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Jul 16-27, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData BootCamp
+
|Jul 17-19, Boise, ID
+
|http://www.accessdata.com/training
+
|-
+
|Paraben Corporation - Handheld Forensic Course
+
|Jul 23-26, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|AccessData Windows Forensics
+
|Jul 24-26, Albuquerque, NM
+
|http://www.accessdata.com/training
+
|-
+
|Network Forensics and Investigations Workshop
+
|Jul 25-27, Washington, DC
+
|http://www.strozllc.com/trainingcenter/
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Jul 31-Aug 02, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|Paraben Corporation - Wireless Forensics
+
|Aug 01-03, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SARC Steganography Examiner Training
+
|Aug 04-05, Fairfax, VA (RCFG/GMU Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|SMART for Linux
+
|Aug 06-09, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|Aug 06-08, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|X-Ways Forensics
+
|Aug 06-08, Seattle, WA
+
|http://www.x-ways.net/training/seattle.html
+
|-
+
|Forensics Tools and Techniques
+
|Aug 08-10, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|File Systems Revealed
+
|Aug 09-10, Seattle, WA
+
|http://www.x-ways.net/training/seattle.html
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|Aug 09-10, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Corporation - Cellular/GPS Signal Analysis
+
|Aug 13-14, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Aug 14-24, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Aug 13-15, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Network Forensics and Investigations Workshop
+
|Aug 13-15, Los Angeles, CA
+
|http://www.strozllc.com/trainingcenter/
+
|-
+
|Macintosh Forensic Survival Course
+
|Aug 13-17, Fredricksburg, VA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|AccessData Internet Forensics
+
|Aug 14-16 , Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|Helix Live Forensics and Incident Response Course
+
|Aug 28-30, Tennessee Bureau of Investigations - Nashville, TN
+
|https://www.e-fense.com/register.php
+
|-
+
|Paraben Corporation - Cellular/GPS Signal Analysis
+
|Aug 30-31, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Sep 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Corporation - Handheld Forensic Course
+
|Sep 04-07, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|AccessData BootCamp
+
|Sep 04-06, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Corporation - Advanced Cell Phone Forensics
+
|Sep 10-12, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - E-Discovery: E-mail & Mobile E-mail Devices
+
|Sep 10-14, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Sep 11-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData Applied Decryption
+
|Sep 11-13, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|Paraben Corporation - Advanced SIM Card Forensics
+
|Sep 13-14, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Enterprise Data Forensics
+
|Sep 17-19, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Corporation - Network Incident Response
+
|Sep 17-21, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - Cellular/GPS Signal Analysis
+
|Sep 20-21, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - Advanced Cell Phone Forensics
+
|Sep 24-26, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Introduction to Cyber Crime
+
|Sep 24-26, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Macintosh Forensic Survival Course
+
|Sep 24-28, Santa Ana, CA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|AccessData Applied Decryption
+
|Sep 25-27, Chicago, IL
+
|http://www.accessdata.com/training
+
|-
+
|AccessData BootCamp
+
|Sep 25-27, Solna, SE
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Sep 26-28, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Corporation - Advanced SIM Card Forensics
+
|Sep 27-28, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|Oct 29-30, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Corporation - Wireless Forensics
+
|Oct 01-03, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Oct 01-04, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Corporation - Cellular/GPS Signal Analysis
+
|Oct 04-05, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SMART Windows Data Forensics
+
|Oct 08-10, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Corporation - Handheld Forensic Course
+
|Oct 8-11, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - Handheld Forensic Course
+
|Oct 8-11, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - Advanced Cell Phone Forensics
+
|Oct 15-17, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - Advanced SIM Card Forensics
+
|Oct 18-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Corporation - E-Discovery: E-mail & Mobile E-mail Devices
+
|Oct 15-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|X-Ways Forensics
+
|Oct 22-24, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|File Systems Revealed
+
|Oct 25-26, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|SARC Steganography Examiner Training
+
|Oct 26 - 27, Gaithersburg, MD (Techno Forensics Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|Paraben Corporation - Handheld Forensic Course
+
|Nov 05-08, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Nov 05-08, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|Nov 05-07, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData BootCamp
+
|Nov 06-08, Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Nov 06-08, Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Nov 07-09, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Nov 12-14, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|AccessData BootCamp
+
|Nov 13-15, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Dec 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|Dec 03-05, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData Internet Forensics
+
|Dec 04-06 , Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Dec 05-07, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Enterprise Data Forensics
+
|Dec 10-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Corporation - Advanced Cell Phone Forensics
+
|Dec 17-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
 
|-
 
|-
|Paraben Corporation - Advanced SIM Card Forensics
+
| [[File:9-samsung-s3-sgh-i747m-jtag-manager.jpg | 1000px]]
|Dec 20-21, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
 
|-
 
|-
 
|}
 
|}
 +
 +
Apply power to the DC power supply and turn the phone on using the button on the side of the PCB.  After powering the phone on, select "READ" under the "DCC Read/Write" tab.  If all goes well the "READ" button will become the "STOP" button and the phone will begin reading...if not the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.
 +
 +
'''NOTE:''' In the event of read errors the RIFF software keeps track of where the failure occurred and gives you option to restart the read where it left off.  If this occurs, you can adjust the "JTAG TCK Speed" and lower it to 9MHz (or lower) which can stabilize the read.
 +
 +
* Once the acquisition is complete the resulting image can be saved and forensic analysis can take place using the tool of your choosing.
 +
 +
== References ==
 +
 +
* http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
 +
* http://forensics.spreitzenbarth.de/2012/02/
 +
* http://www.ccl-forensics.com/Software/other-software-a-scripts.html

Latest revision as of 17:50, 23 January 2014

Contents

JTAG Samsung Galaxy S3 (SGH-I747M)

The Samsung Galaxy S3 is an Android based smartphone. At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.

For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.

Getting Started

What you need to dump the NAND:

  1. A RIFF Box [Box]
  2. Soldering skills and small tip soldering iron (a JTAG jig may be available).
  3. A DC Power supply capable of supplying 3.8V/2.1A output. The power supply used for this was an [U8002A DC Power Supply].

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the RIFF Box to the PC via USB.
  3. Connect the RIFF Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "RIFF Box JTAG Manager" software.
  6. Enable the power on the DC power supply.
  7. Power the phone via the power button.
  8. Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on Internet but it can be summarized as follows:

  • Remove the rear cover and battery.
  • Remove the 10 x Phillips screws.
  • Remove the rear plate using a case opening tool (guitar pick).
1-samsung-s3-sgh-i747m-front.jpg 2-samsung-s3-sgh-i747m-back.jpg
3-samsung-s3-sgh-i747m-disassembly-screws.jpg 4-samsung-s3-sgh-i747m-disassembly-bezel.jpg
  • Once the phone has been disassembled, you can see the JTAG connection port located closed to the edge of the PCB near the ribbon cable.
5-samsung-s3-sgh-i747m-disassembly-final.jpg
  • The JTAG pinouts are as follows.
6-samsung-s3-sgh-i747m-jtag-header.jpg
  • Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire, connected to breadboard pins, which were inserted into the 20 pin ribbon cable supplied with the RIFF box.
7-samsung-s3-sgh-i747m-jtag-solder.jpg
  • Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outermost pin (1) and the negative (-) pin is pin (3). You can configure your power supply to match the battery specifications which in this case is 3.8V and 2.1A but do not apply power at this time.
8-samsung-s3-sgh-i747m-jtag-power.jpg
  • Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF box. See the picture below for more detail.

NOTE: In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.

9-samsung-s3-sgh-i747m-jtag-manager.jpg

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well the "READ" button will become the "STOP" button and the phone will begin reading...if not the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.

NOTE: In the event of read errors the RIFF software keeps track of where the failure occurred and gives you option to restart the read where it left off. If this occurs, you can adjust the "JTAG TCK Speed" and lower it to 9MHz (or lower) which can stabilize the read.

  • Once the acquisition is complete the resulting image can be saved and forensic analysis can take place using the tool of your choosing.

References