Difference between pages "RAR" and "JTAG Samsung Galaxy S3 (SGH-I747M)"

From ForensicsWiki

= RAR =

RAR Archives ('''R'''oshal '''AR'''chive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.

==Format==

The file has the magic number of:

<pre>0x 52 61 72 21 1A 07 00</pre>

which breaks down (16-bit fields are stored little-endian) into the fields of a block header, here the marker block:

:* 0x6152 - HEAD_CRC
:* 0x72 - HEAD_TYPE
:* 0x1A21 - HEAD_FLAGS
:* 0x0007 - HEAD_SIZE

----

===RAR File Format===

Each block has the following fields:

{| class="wikitable"
|+ Block Fields
! Name
! Size (bytes)
! Description
|-
| HEAD_CRC
| 2
| CRC of total block or block part
|-
| HEAD_TYPE
| 1
| Block type
|-
| HEAD_FLAGS
| 2
| Block flags
|-
| HEAD_SIZE
| 2
| Block size
|-
| ADD_SIZE
| 4
| Optional field - added block size
|}

The field ADD_SIZE is present only if (HEAD_FLAGS & 0x8000) != 0.

The total block size is HEAD_SIZE if (HEAD_FLAGS & 0x8000) == 0, and HEAD_SIZE+ADD_SIZE if the field ADD_SIZE is present, that is, when (HEAD_FLAGS & 0x8000) != 0.

In each block the following bits in HEAD_FLAGS have the same meaning:

*0x4000 - if set, older RAR versions will ignore the block and remove it when the archive is updated. If clear, the block is copied to the new archive file when the archive is updated;
*0x8000 - if set, the ADD_SIZE field is present and the full block size is HEAD_SIZE+ADD_SIZE.

----

There are certain block types:

{| class="wikitable"
|+ Block Types
! Head Type Signifier
! Description
|-
| HEAD_TYPE=0x72
| marker block
|-
| HEAD_TYPE=0x73
| archive header
|-
| HEAD_TYPE=0x74
| file header
|-
| HEAD_TYPE=0x75
| old style comment header
|-
| HEAD_TYPE=0x76
| old style authenticity information
|-
| HEAD_TYPE=0x77
| old style subblock
|-
| HEAD_TYPE=0x78
| old style recovery record
|-
| HEAD_TYPE=0x79
| old style authenticity information
|-
| HEAD_TYPE=0x7a
| subblock
|}

----

===Block Formats===

There are several block formats contained within a RAR file. They are the Marker Block, the Archive Header, and the File Header.

----

====Marker Block (MARK_HEAD)====

{| class="wikitable"
|+ MARK_HEAD
! Field Name
! Size (bytes)
! Possibilities
|-
| HEAD_CRC
| 2
| Always 0x6152
|-
| HEAD_TYPE
| 1
| Header type: 0x72
|-
| HEAD_FLAGS
| 2
| Always 0x1A21
|-
| HEAD_SIZE
| 2
| Block size = 0x0007
|}

* Note: the marker block is considered a fixed byte sequence (AKA magic number) of: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (which is seen as the ASCII string 'Rar!' followed by the three non-printable bytes 0x1A 0x07 0x00).

----

====Archive Header (MAIN_HEAD)====

{| class="wikitable"
|+ MAIN_HEAD
! Field Name
! Size (bytes)
! Description
|-
| HEAD_CRC
| 2
| CRC of fields HEAD_TYPE to RESERVED2
|-
| HEAD_TYPE
| 1
| Header Type: 0x73
|-
| HEAD_FLAGS
| 2
| Bit Flags (Please see the 'Bit Flags for MAIN_HEAD' table for all possibilities).
|-
| HEAD_SIZE
| 2
| Archive header total size including archive comments
|-
| RESERVED1
| 2
| RESERVED
|-
| RESERVED2
| 4
| RESERVED
|}

{| class="wikitable"
|+ Bit Flags for MAIN_HEAD
! Flag (0x)
! Description
|-
| 0001
| Volume attribute (archive volume)
|-
| 0002
| Archive comment present. RAR 3.x uses the separate comment block and does not set this flag.
|-
| 0004
| Archive lock attribute
|-
| 0008
| Solid attribute (solid archive)
|-
| 0010
| New volume naming scheme ('volname.partN.rar')
|-
| 0020
| Authenticity information present. RAR 3.x does not set this flag.
|-
| 0040
| Recovery record present
|-
| 0080
| Block headers are encrypted
|-
| 0100
| First volume (set only by RAR 3.0 and later)
|}

* Other bits in HEAD_FLAGS are reserved for internal use.

----

====File Header (File in Archive)====

{| class="wikitable"
|+ File Header
! Field Name
! Size (bytes)
! Description
|-
| HEAD_CRC
| 2
| CRC of fields from HEAD_TYPE to FILEATTR and file name
|-
| HEAD_TYPE
| 1
| Header Type: 0x74
|-
| HEAD_FLAGS
| 2
| Bit Flags (Please see the 'Bit Flags for Files in Archive' table for all possibilities)
|-
| HEAD_SIZE
| 2
| File header full size including file name and comments
|-
| PACK_SIZE
| 4
| Compressed file size
|-
| UNP_SIZE
| 4
| Uncompressed file size
|-
| HOST_OS
| 1
| Operating system used for archiving (See the 'Operating System Indicators' table for the values used)
|-
| FILE_CRC
| 4
| File CRC
|-
| FTIME
| 4
| Date and time in standard MS DOS format
|-
| UNP_VER
| 1
| RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)
|-
| METHOD
| 1
| Packing method (Please see the 'Packing Method' table for all possibilities)
|-
| NAME_SIZE
| 2
| File name size
|-
| ATTR
| 4
| File attributes
|-
| HIGH_PACK_SIZE
| 4
| High 4 bytes of the 64-bit compressed file size. Optional value, present only if bit 0x100 in HEAD_FLAGS is set.
|-
| HIGH_UNP_SIZE
| 4
| High 4 bytes of the 64-bit uncompressed file size. Optional value, present only if bit 0x100 in HEAD_FLAGS is set.
|-
| FILE_NAME
| NAME_SIZE bytes
| File name - string of NAME_SIZE bytes
|-
| SALT
| 8
| present if (HEAD_FLAGS & 0x400) != 0
|-
| EXT_TIME
| variable size
| present if (HEAD_FLAGS & 0x1000) != 0
|}

* Other new fields may appear here.

{| class="wikitable"
|+ Bit Flags for Files in Archive
! Flag (0x)
! Description
|-
| 01
| File continued from previous volume
|-
| 02
| File continued in next volume
|-
| 04
| File encrypted with password
|-
| 08
| File comment present. RAR 3.x uses the separate comment block and does not set this flag.
|-
| 10
| Information from previous files is used (solid flag) (for RAR 2.0 and later)
|-
| Dictionary bits 7 6 5 (for RAR 2.0 and later)
| Please see the 'Dictionary Bits' table for their descriptions
|-
| 100
| HIGH_PACK_SIZE and HIGH_UNP_SIZE fields are present. These fields are used to archive only very large files (larger than 2Gb); for smaller files these fields are absent.
|-
| 200
| FILE_NAME contains both the usual and the encoded Unicode name separated by a zero byte. In this case the NAME_SIZE field is equal to the length of the usual name plus the encoded Unicode name plus 1. If this flag is present but FILE_NAME does not contain zero bytes, it means that the file name is encoded using UTF-8.
|-
| 400
| The header contains an additional 8 bytes after the file name, which are required to increase encryption security (the so-called 'salt').
|-
| 800
| Version flag. It is an old file version; a version number is appended to the file name as ';n'.
|-
| 1000
| Extended time field present.
|-
| 8000
| This bit is always set, so the complete block size is HEAD_SIZE + PACK_SIZE (plus HIGH_PACK_SIZE, if bit 0x100 is set)
|}

{| class="wikitable"
|+ Dictionary Bits
! Bits (7 6 5)
! Description
! Size (KB)
|-
| 0 0 0
| Dictionary Size
| 64
|-
| 0 0 1
| Dictionary Size
| 128
|-
| 0 1 0
| Dictionary Size
| 256
|-
| 0 1 1
| Dictionary Size
| 512
|-
| 1 0 0
| Dictionary Size
| 1024
|-
| 1 0 1
| Dictionary Size
| 2048
|-
| 1 1 0
| Dictionary Size
| 4096
|-
| 1 1 1
| file is a directory
| N/A
|}

{| class="wikitable"
|+ Operating System Indicators
! Byte Indicator
! Operating System
|-
| 0
| MS DOS
|-
| 1
| OS/2
|-
| 2
| Windows
|-
| 3
| Unix
|-
| 4
| Mac OS
|-
| 5
| BeOS
|}
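As an added example (not code from the wiki page), the following Python walks a RAR 2.x/3.x block chain using the HEAD_SIZE/ADD_SIZE rule and the 0x8000 flag described in the Block Fields section, refuses truncated or non-advancing blocks so a forensic tool cannot be stalled or pushed past the buffer by a malformed header, and decodes the dictionary bits from the file-header flags table. The CRC convention (low 16 bits of CRC32 over HEAD_TYPE to the end of the header) and the sample archive bytes are assumptions, not taken from the page.

```python
import struct
import zlib
# Added example (not from the wiki page); sample bytes are constructed inline.
MAGIC = b"Rar!\x1a\x07\x00"              # marker block: 52 61 72 21 1A 07 00
BLOCK_TYPES = {0x72: "marker block", 0x73: "archive header", 0x74: "file header",
               0x75: "old style comment header", 0x7A: "subblock"}

def head_crc(body):
    # Assumption: HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE..end of header.
    return zlib.crc32(body) & 0xFFFF

def dictionary_size_kb(head_flags):
    """Bits 7 6 5 of a file header's HEAD_FLAGS: 64 KB << n, or None for a directory."""
    n = (head_flags >> 5) & 0b111
    return None if n == 0b111 else 64 << n

def parse_block(buf, off):
    """Parse one block header at `off`; return (info, offset of the next block)."""
    if off + 7 > len(buf):
        raise ValueError("truncated block header at offset %d" % off)
    crc, btype, flags, hsize = struct.unpack_from("<HBHH", buf, off)
    if hsize < 7:                          # a zero/short HEAD_SIZE would never advance
        raise ValueError("HEAD_SIZE %d too small at offset %d" % (hsize, off))
    add_size = 0
    if flags & 0x8000:                     # ADD_SIZE is present only when bit 0x8000 is set
        if off + 11 > len(buf):
            raise ValueError("truncated ADD_SIZE at offset %d" % off)
        add_size = struct.unpack_from("<I", buf, off + 7)[0]
    if off + hsize + add_size > len(buf):
        raise ValueError("block at offset %d runs past end of data" % off)
    crc_ok = btype == 0x72 or head_crc(buf[off + 2:off + hsize]) == crc
    info = {"type": BLOCK_TYPES.get(btype, "unknown 0x%02x" % btype), "flags": flags,
            "head_size": hsize, "add_size": add_size, "crc_ok": crc_ok}
    return info, off + hsize + add_size

def walk_blocks(buf):
    if not buf.startswith(MAGIC):
        raise ValueError("not a RAR 2.x/3.x archive (marker block missing)")
    blocks, off = [], 0
    while off < len(buf):
        info, off = parse_block(buf, off)
        blocks.append(info)
    return blocks

def build_sample():
    """Constructed sample: marker + MAIN_HEAD + one stored (METHOD 0x30) file."""
    def block(body):                       # prepend HEAD_CRC to a body starting at HEAD_TYPE
        return struct.pack("<H", head_crc(body)) + body
    main = block(struct.pack("<BHHHI", 0x73, 0x0000, 13, 0, 0))
    name, data = b"hello.txt", b"hello"
    # HEAD_FLAGS 0x8000 (PACK_SIZE acts as ADD_SIZE) | 0x20 (dictionary bits 001 = 128 KB)
    fhead = struct.pack("<BHHIIBIIBBHI", 0x74, 0x8020, 32 + len(name), len(data),
                        len(data), 2, zlib.crc32(data), 0, 29, 0x30, len(name), 0x20) + name
    return MAGIC + main + block(fhead) + data
```

Running `walk_blocks(build_sample())` yields three blocks (marker, archive header, file header) with the file block spanning HEAD_SIZE 41 plus ADD_SIZE 5; cutting one byte off the buffer or presenting a HEAD_SIZE of 0 raises instead of looping or over-reading.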
----

==Metadata==

==Sub-formats==

The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:

:* 1.3 (Does not have the RAR! signature)
:** There is difficulty finding information regarding this sub-format. Please update if you know something.
:* 1.5
:** Utilizes a proprietary compression method that is not available to the public.
:** Considered the root model of subsequent formats.
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
:* 2.0
:** Utilizes a proprietary compression method that is not available to the public.
:** Based on version 1.5 of the RAR file format.
:* 3.0
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)] algorithms.
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
:** Based on version 1.5 of the RAR file format.

==Software==

The only way to create a RAR file is using the [http://www.rarlab.com/ WinRAR software]. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:

;unrarLib
:* RAR file unarchiver written in C
:* Easy implementation with a header file and the source code file
:* [http://www.unrarlib.org/ Information Link]

;WinRAR
:* Only software that can create and open a RAR file
:* Distributed under a proprietary license
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]

;UnRAR
:* Created by Eugene Roshal for opening RAR files only
:* May not be used to reverse engineer the RAR file format and create RAR files
:* Source code provided for people to implement/integrate methods of opening RAR files
:* Additionally, implementations of UnRAR are available for a plethora of operating systems
:* [http://www.rarlab.com/rar_add.htm Download Link]

;The Unarchiver
:* Utility made for Mac OSX to open a multitude of files, including RAR files
:* Very handy for dealing with multiple file types
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
:* [http://unarchiver.c3.cx/ Information Website]

;7-Zip
:* Utility made for Windows to open a multitude of files, including RAR files
:* [http://www.7-zip.org/download.html Download Link]

There is a lot more software that opens RAR files, but it has been omitted here as redundant.

==See Also==

* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
* [http://acritum.com/winrar/rar-format RAR File Format Information]
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]

[[Category:File Formats]]

Revision as of 18:13, 23 January 2014

= JTAG Samsung Galaxy S3 (SGH-I747M) =

The Samsung Galaxy S3 is an Android based smartphone. At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.

For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.

== Getting Started ==

What you need to dump the NAND:

# A [http://www.riffbox.org/ RIFF Box].
# Soldering skills and a small-tip soldering iron (a JTAG jig may be available).
# A DC power supply capable of supplying 3.8V/2.1A output. The power supply used for this was an [http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng Agilent U8002A DC Power Supply].

== NAND Dump Procedure ==

# Disassemble the phone down to the PCB.
# Connect the RIFF Box to the PC via USB.
# Connect the RIFF Box to the PCB via the JTAG pins.
# Connect the PCB to the DC power supply.
# Start the "RIFF Box JTAG Manager" software.
# Enable the power on the DC power supply.
# Power the phone via the power button.
# Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on the Internet, but they can be summarized as follows:

* Remove the rear cover and battery.
* Remove the 10 x Phillips screws.
* Remove the rear plate using a case opening tool (guitar pick).

{| border="1" cellpadding="2"
|-
| [[File:1-samsung-s3-sgh-i747m-front.jpg | 600px]]
| [[File:2-samsung-s3-sgh-i747m-back.jpg | 600px]]
|-
| [[File:3-samsung-s3-sgh-i747m-disassembly-screws.jpg | 600px]]
| [[File:4-samsung-s3-sgh-i747m-disassembly-bezel.jpg | 600px]]
|}

* Once the phone has been disassembled, you can see the JTAG connection port located right above the power button.

[[File:5-samsung-s3-sgh-i747m-disassembly-final.jpg | 1000px]]

* The JTAG pinouts are as follows.

[[File:6-samsung-s3-sgh-i747m-jtag-header.jpg | 1000px]]

* Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire to connect an adapter that was inserted into the 20 pin ribbon cable supplied with the RIFF box.

[[File:7-samsung-s3-sgh-i747m-jtag-solder.jpg | 500px]]

* Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outermost pin (1) and the negative (-) pin is the outermost pin (3). You can configure your power supply to match the battery specifications, which in this case are 3.8V and 2.1A, but do not apply power at this time.

[[File:8-samsung-s3-sgh-i747m-jtag-power.jpg | 1000px]]

* Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF box. See the picture below for more detail.

'''NOTE:''' In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in an attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.

[[File:9-samsung-s3-sgh-i747m-jtag-manager.jpg | 1000px]]

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well, the "READ" button will become the "STOP" button and the phone will begin reading. If not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.

'''NOTE:''' In the event of read errors, the RIFF software keeps track of where the failure occurred and gives you the option to restart the read where it left off. If this occurs, you can adjust the "JTAG TCK Speed" and lower it to 9MHz (or lower), which can stabilize the read.

* Once the acquisition is complete, the resulting image can be saved and forensic analysis can take place using the tool of your choosing.