Difference between pages "JTAG LG E960 (Nexus 4)" and "Libsmraw"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Adding pictures for using the JTAG Molex adapter set to connect to the device.)
 
 
Line 1: Line 1:
== JTAG LG Nexus 4 ==
+
{{Infobox_Software |
 +
  name = libsmraw |
 +
  maintainer = [[Joachim Metz]] |
 +
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
 +
  genre = {{Disk imaging}} |
 +
  license = {{LGPL}} |
 +
  website = [https://code.google.com/p/libsmraw/ code.google.com/p/libsmraw/] |
 +
}}
  
The LG Nexus 4 is an Android based smartphone. At the time of this writing (2013Nov28), I am unaware of any method other than JTAG to acquire a physical image of the NAND on a locked LG Nexus 4.
+
The '''libsmraw''' package contains a library and applications to read and write (split) RAW storage media bitstream copies.
 +
Libsmraw contains supports for multiple (split) RAW naming schemes.
  
For the purpose of this document, a LG Nexus 4 was disassembled, read via JTAG, reassembled.
+
== History ==
  
=== Getting Started ===
+
Libsmraw was created by [[Joachim Metz]] in 2010, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].
 +
Libsmraw is a rewrite of earlier work for the proof-of-concept multi-threaded imager: GNOME Forensic Imager.
  
What you need to dump the NAND:
+
== Tools ==
 +
The '''libsmraw''' package contains the following tools:
 +
* '''smrawmount''', which FUSE mounts (split) RAW image files.
  
# A RIFF Box [http://www.riffbox.org/|RIFF Box]
+
The '''libsmraw''' package also contains the following bindings:
# Soldering skills and fine tip soldering iron (a JTAG jig is available for this device).
+
* '''pysmraw''', bindings for Python.
# Optional: JTAG Molex Adapter Set by MOORC.
+
# A DC Power supply capable of supplying 3.8V/2.1A output.  The power supply used for this was an [http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng|Agilent U8002A DC Power Supply].
+
  
=== NAND Dump Procedure ===
+
== Examples ==  
  
# Disassemble the phone down to the PCB.
+
FUSE mounting a split RAW image (libsmraw 20110916 or later)
# Connect the RIFF JTAG Box to the PC via USB.
+
<pre>
# Connect the RIFF JTAG Box to the PCB via the JTAG pins.
+
smrawmount image.raw.000 mount_point
# Connect the PCB to the DC power supply.
+
</pre>
# Start the "RIFF BOX JTAG" software.
+
# Enable the power on the DC power supply.
+
# Power the phone via the power button.
+
# Dump the NAND via the RIFF Box software.
+
  
Instructions for disassembly can be found on Internet and are summarized as follows:
+
Or:
 +
<pre>
 +
smrawmount image.raw.??? mount_point
 +
</pre>
  
* Using a Torx-5 (T5) screw driver remove the 2 screws from the bottom of the phone.
+
== Also See ==
* Use a pry tool (guitar pick) to remove the back cover.
+
[[Raw_Image_Format | RAW Image format]]
  
{| border="1" cellpadding="2"
+
== External Links ==
|-
+
| [[File:1-Nexus4-Phone.jpg |500px ]]
+
| [[File:2-Nexus4-Phone1.jpg |445px]]
+
|-
+
| [[File:3-Nexus4-RemoveScrews.jpg |450px]]
+
| [[File:4-Nexus4-RemoveBackCover.jpg |450px]]
+
|-
+
|}
+
  
* Using a Philips (PH00) screw driver, remove the 9 screws securing the plastic shield on the backside of the phone as well as the 2 screws securing the battery connector.
+
* [https://code.google.com/p/libsmraw/ Project site]
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:5-Nexus4-RemoveScrews.jpg | 1000px]]
+
|-
+
|}
+
 
+
* Once the plastic shield has been removed, you can see the JTAG connection port located next to the power button. This JTAG port has a Molex connector installed and as such it is possible to use a JTAG jig to connect to the device.  However, on this phone I soldered 0.040 gauge magnet wire directly to the Molex pins as I did not have a JTAG jig available.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:6-Nexus4-JtagPort.jpg | 500px]]
+
|-
+
| [[File:7-Nexus4-JtagPortMap.jpg |500px ]]
+
| [[File:8-Nexus4-JtagPortSoldered.jpg |500px]]
+
|-
+
|}
+
 
+
''Alternatively, if you have the JTAG Molex adapter set, you can use the JTAG Molex adapter to connect the phone directly to the RIFF box sans soldering as follows.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:8.1-Nexus4-JtagPort-JTAG-molex-adapter.jpg |500px ]]
+
| [[File:8.2-Nexus4-JtagPort-JTAG-molex-adapter.jpg |500px]]
+
|-
+
|}
+
 
+
'''NOTE:''' Initially we attempted to read the phone using power supplied via the phone's battery and the USB port.  The results were inconsistent with the phone disconnecting throughout the read which resulted in read failures.  We opted to use a DC power supply which provided a much more stable connection to the device.
+
 
+
* The battery on the Nexus 4 uses a blade style connector.  In order to connect to the power supply, we used a pair of Pomona Micro Grabbers attached to an RJ45 cable inserted into an RJ45 receptacle that was connected to our DC power supply.  See the picture for more detail.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:9-Nexus4-MicroGrabber.jpg |500px ]]
+
| [[File:10-Nexus4-MicroGrabber.jpg |500px]]
+
|-
+
|}
+
 
+
* Connect the PCB battery terminal connections to the DC power supply.  The positive (+) connection is the outermost pin 1 and the negative (-) connection is pin 3.  You can configure your power supply to match the battery specifications which in this case is 3.8V and 2.1A but do not apply power at this time.  During the JTAG procedure the phone will draw about 0.4A.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:11-Nexus4-Reading.jpg |1000px ]]
+
|-
+
|}
+
 
+
* Now we can start the RIFF JTAG software, configure it for the LG E960, and connect the phone to the RIFF box.  See the picture for more detail.
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:12-Nexus4-RIFFBox.jpg |1000px ]]
+
|-
+
|}
+
 
+
* Apply power from the DC power supply to the phone and turn the phone on using the button on the side of the PCB.  After powering the phone on, select "READ" under the "DCC Read/Write" tab.  If all goes well the "READ" button will become the "STOP" button and the phone will begin reading.  If not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.
+
 
+
'''NOTE:''' In the event of read errors the RIFF software keeps track of where the failure occurred and gives you option to restart the read where it left off.
+

Revision as of 08:45, 21 June 2014

libsmraw
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libsmraw/

The libsmraw package contains a library and applications to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes.

History

Libsmraw was created by Joachim Metz in 2010, while working for Hoffmann Investigations. Libsmraw is a rewrite of earlier work for the proof-of-concept multi-threaded imager: GNOME Forensic Imager.

Tools

The libsmraw package contains the following tools:

  • smrawmount, which FUSE mounts (split) RAW image files.

The libsmraw package also contains the following bindings:

  • pysmraw, bindings for Python.

Examples

FUSE mounting a split RAW image (libsmraw 20110916 or later)

smrawmount image.raw.000 mount_point

Or:

smrawmount image.raw.??? mount_point

Also See

RAW Image format

External Links