Difference between pages "JTAG Samsung Galaxy S4 (SGH-I337)" and "Malware"

From ForensicsWiki
== JTAG Samsung Galaxy S4 ==

The Samsung Galaxy S4 is an Android-based smartphone. At the time of this writing (2013JUL24), I am unaware of any method other than JTAG to acquire a physical image of the NAND on a Samsung Galaxy S4.

For the purpose of this document, a Samsung Galaxy S4 was disassembled, read via JTAG, and reassembled.

=== Getting Started ===

What you need to dump the NAND:

# A RIFF Box ([http://www.riffbox.org/ RIFF Box]).
# Soldering skills and an ultra-fine tip soldering iron (a JTAG jig may be available).
# A DC power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an [http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng Agilent U8002A DC Power Supply].

=== NAND Dump Procedure ===

# Disassemble the phone down to the PCB.
# Connect the RIFF JTAG Box to the PC via USB.
# Connect the RIFF JTAG Box to the PCB via the JTAG pins.
# Connect the PCB to the DC power supply.
# Start the "RIFF BOX JTAG" software.
# Enable the power on the DC power supply.
# Power the phone via the power button.
# Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on the Internet, but they can be summarized as follows:

* Remove the rear cover and battery.
* Remove the 9 x Phillips screws.
* Split the phone case using a case opening tool (guitar pick).

{| border="1" cellpadding="2"
|-
| [[File:1-S4-Phone.jpg|350px]]
| [[File:2-S4-BackCoverRemoved.jpg|550px]]
|-
| [[File:3-S4-RemoveScrews.jpg|450px]]
| [[File:4-S4-RemoveBackPlate.jpg|450px]]
|-
|}

* Once the phone has been disassembled, you can see the JTAG connection port located right about the power button. This JTAG port is in a great spot, which makes it handy for soldering.

{| border="1" cellpadding="2"
|-
| [[File:5-S4-BackPlateRemoved.jpg|1000px]]
|-
|}

* Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire to connect an adapter that was inserted into the 20-pin ribbon cable supplied with the RIFF box.

{| border="1" cellpadding="2"
|-
| [[File:6-S4-JTAGpinouts.jpg|500px]]
| [[File:7-S4-Soldered.jpg|500px]]
|-
|}

* Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outermost pin (1) and the negative (-) connection is the outermost pin on the opposite side (3). You can configure your power supply to match the battery specifications, which in this case are 3.8V and 1.80A, but do not apply power at this time.

'''NOTE:''' Attempts to connect to and read this phone using power supplied via the battery and USB port gave inconsistent results. This is why we opted to use the DC power supply.

{| border="1" cellpadding="2"
|-
| [[File:8-S4-NANDdump.jpg|1000px]]
|-
|}

* Now we can start the RIFF JTAG software and configure it, and connect the phone to the RIFF box. See the picture for more detail.

{| border="1" cellpadding="2"
|-
| [[File:9-S4-RiffBox.jpg|1000px]]
|-
|}

* Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well, the "READ" button will change to "STOP" and the phone will begin reading; if not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing the issues you may experience.

'''NOTE:''' In the event of read errors, the RIFF software keeps track of where the failure occurred and gives you the option to restart the read where it left off.

* Once the acquisition is complete, the resulting image can be saved and forensic analysis can take place using the tool of your choosing.

== Malware ==

'''Malware''' is short for '''malicious software'''.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets on the affected device. It is illegal to knowingly distribute malware.

=== Virus ===

A computer program that can automatically copy itself and infect a computer.

=== Worm ===

A self-replicating computer program that can automatically infect computers on a network.

=== Trojan horse ===

A computer program that appears to perform a certain action but actually runs many other forms of code.

=== Spyware ===

A computer program that can automatically intercept, or take partial control over, the user's interaction.

=== Exploit Kit ===

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. It often relies on a drive-by-download.

==== Drive-by-download ====

Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].

=== See Also ===

=== External Links ===

* [http://en.wikipedia.org/wiki/Malware Wikipedia entry on malware]
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia entry on drive-by-download]
* [http://www.viruslist.com/ Viruslist.com]
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware

==== Exploit Kit ====

* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013

[[Category:Malware]]

Revision as of 01:05, 21 October 2013
