Difference between pages "JTAG LG E960 (Nexus 4)" and "Compression"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Adding pictures for using the JTAG Molex adapter set to connect to the device.)
 
(Deflate/Inflate)
 
Line 1: Line 1:
== JTAG LG Nexus 4 ==
+
{{Expand}}
  
The LG Nexus 4 is an Android based smartphone.  At the time of this writing (2013Nov28), I am unaware of any method other than JTAG to acquire a physical image of the NAND on a locked LG Nexus 4.
+
== LZ-based ==
  
For the purpose of this document, a LG Nexus 4 was disassembled, read via JTAG, reassembled.
+
=== Deflate/Inflate ===
 +
Used in:
 +
* [[Gzip|gzip]]
  
=== Getting Started ===
+
=== LZNT1 ===
 +
Used in:
 +
* [[NTFS]]
 +
* [[Windows SuperFetch Format]]
  
What you need to dump the NAND:
+
=== LZXPRESS ===
 +
Used in:
 +
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
  
# A RIFF Box [http://www.riffbox.org/|RIFF Box]
+
=== LZXPRESS Huffman ===
# Soldering skills and fine tip soldering iron (a JTAG jig is available for this device).
+
Used in:
# Optional: JTAG Molex Adapter Set by MOORC.
+
* [[Windows SuperFetch Format]]
# A DC Power supply capable of supplying 3.8V/2.1A output.  The power supply used for this was an [http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng|Agilent U8002A DC Power Supply].
+
  
=== NAND Dump Procedure ===
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Lempel-Ziv Wikipedia: Lempel-Ziv]
 +
* [http://www.coderforlife.com/microsoft-compression-formats/ Microsoft Compression Formats]
  
# Disassemble the phone down to the PCB.
+
=== Deflate/Inflate ===
# Connect the RIFF JTAG Box to the PC via USB.
+
* [http://en.wikipedia.org/wiki/DEFLATE Wikipedia: DEFLATE]
# Connect the RIFF JTAG Box to the PCB via the JTAG pins.
+
* [https://tools.ietf.org/html/rfc1950 IETF: RFC1950 - ZLIB Compressed Data Format Specification]
# Connect the PCB to the DC power supply.
+
* [https://tools.ietf.org/html/rfc1951 IETF: RFC1951 - DEFLATE Compressed Data Format Specification]
# Start the "RIFF BOX JTAG" software.
+
# Enable the power on the DC power supply.
+
# Power the phone via the power button.
+
# Dump the NAND via the RIFF Box software.
+
  
Instructions for disassembly can be found on Internet and are summarized as follows:
+
=== LZ1 ===
 
+
* [http://andyh.org/LZ1.html LZ1]
* Using a Torx-5 (T5) screw driver remove the 2 screws from the bottom of the phone.
+
* Use a pry tool (guitar pick) to remove the back cover.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:1-Nexus4-Phone.jpg |500px ]]
+
| [[File:2-Nexus4-Phone1.jpg |445px]]
+
|-
+
| [[File:3-Nexus4-RemoveScrews.jpg |450px]]
+
| [[File:4-Nexus4-RemoveBackCover.jpg |450px]]
+
|-
+
|}
+
 
+
* Using a Philips (PH00) screw driver, remove the 9 screws securing the plastic shield on the backside of the phone as well as the 2 screws securing the battery connector.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:5-Nexus4-RemoveScrews.jpg | 1000px]]
+
|-
+
|}
+
 
+
* Once the plastic shield has been removed, you can see the JTAG connection port located next to the power button.  This JTAG port has a Molex connector installed and as such it is possible to use a JTAG jig to connect to the device.  However, on this phone I soldered 0.040 gauge magnet wire directly to the Molex pins as I did not have a JTAG jig available.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:6-Nexus4-JtagPort.jpg | 500px]]
+
|-
+
| [[File:7-Nexus4-JtagPortMap.jpg |500px ]]
+
| [[File:8-Nexus4-JtagPortSoldered.jpg |500px]]
+
|-
+
|}
+
 
+
''Alternatively, if you have the JTAG Molex adapter set, you can use the JTAG Molex adapter to connect the phone directly to the RIFF box sans soldering as follows.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:8.1-Nexus4-JtagPort-JTAG-molex-adapter.jpg |500px ]]
+
| [[File:8.2-Nexus4-JtagPort-JTAG-molex-adapter.jpg |500px]]
+
|-
+
|}
+
 
+
'''NOTE:''' Initially we attempted to read the phone using power supplied via the phone's battery and the USB port.  The results were inconsistent with the phone disconnecting throughout the read which resulted in read failures.  We opted to use a DC power supply which provided a much more stable connection to the device.
+
 
+
* The battery on the Nexus 4 uses a blade style connector.  In order to connect to the power supply, we used a pair of Pomona Micro Grabbers attached to an RJ45 cable inserted into an RJ45 receptacle that was connected to our DC power supply.  See the picture for more detail.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:9-Nexus4-MicroGrabber.jpg |500px ]]
+
| [[File:10-Nexus4-MicroGrabber.jpg |500px]]
+
|-
+
|}
+
 
+
* Connect the PCB battery terminal connections to the DC power supply.  The positive (+) connection is the outermost pin 1 and the negative (-) connection is pin 3.  You can configure your power supply to match the battery specifications which in this case is 3.8V and 2.1A but do not apply power at this time.  During the JTAG procedure the phone will draw about 0.4A.
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:11-Nexus4-Reading.jpg |1000px ]]
+
|-
+
|}
+
 
+
* Now we can start the RIFF JTAG software, configure it for the LG E960, and connect the phone to the RIFF box.  See the picture for more detail.
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:12-Nexus4-RIFFBox.jpg |1000px ]]
+
|-
+
|}
+
 
+
* Apply power from the DC power supply to the phone and turn the phone on using the button on the side of the PCB.  After powering the phone on, select "READ" under the "DCC Read/Write" tab.  If all goes well the "READ" button will become the "STOP" button and the phone will begin reading.  If not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.
+
 
+
'''NOTE:''' In the event of read errors the RIFF software keeps track of where the failure occurred and gives you option to restart the read where it left off.
+

Revision as of 09:56, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

LZ-based

Deflate/Inflate

Used in:

LZNT1

Used in:

LZXPRESS

Used in:

LZXPRESS Huffman

Used in:

External Links

Deflate/Inflate

LZ1