Difference between pages "Mozilla Firefox" and "JTAG Samsung Galaxy S3 (SGH-I747M)"

From ForensicsWiki

Mozilla Firefox
{{expand}}

Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.

It can be extended with many [http://addons.mozilla.org add-ons] which give it extra capabilities.

== Anonymous Browsing ==
Mozilla Firefox can be used for anonymous browsing (see [[The Onion Router]]). However, Firefox is known to reveal the computer's uptime in TLS (SSL) "Client Hello" packets, which allows an investigator to correlate anonymous and non-anonymous traffic coming from the same machine [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].

This bug affects Firefox 2 (all versions) and Firefox 3 Beta 3.

== History ==
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].

'''places.sqlite''' can be found in the following locations:

On Linux
<pre>
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
</pre>

On Windows Vista, 7
<pre>
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
</pre>

=== Timestamps ===
places.sqlite uses the following timestamps.

'''moz_historyvisits.visit_date''' is (the number of) microseconds since January 1, 1970 UTC (Mozilla's PRTime format).

Some Python code to do the conversion into human readable format:
<pre>
import datetime

# timestamp is the raw visit_date value, in microseconds since the Unix epoch
date_string = (datetime.datetime(1970, 1, 1)
               + datetime.timedelta(microseconds=timestamp))
</pre>

=== Example queries ===
Some example queries:

To get an overview of the visited sites:
<pre>
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
</pre>

Note that the 'localtime' modifier converts to the time zone of the machine running the query, not the time zone of the system the profile came from; leave it out to keep the values in UTC.
== Downloads ==
Firefox 3 stores the history of downloaded files in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].

'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.

'''Note: it appears that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks, in moz_bookmarks and moz_annos in places.sqlite, instead.'''

=== Timestamps ===
downloads.sqlite uses the following timestamps.

'''moz_downloads.startTime''' and '''moz_downloads.endTime''' are (the number of) microseconds since January 1, 1970 UTC.

=== Example queries ===
Some example queries:

To get an overview of the downloaded files:
<pre>
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
</pre>

A row whose currBytes is smaller than maxBytes is a download that did not complete.
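The history and download queries above, together with the microsecond timestamp conversion, as one worked example. This is added here and is not code from the ForensicsWiki page: it builds in-memory stand-ins for places.sqlite and downloads.sqlite that carry only the columns the page's queries use, fills them with constructed sample rows (times around 2014-01-23 18:00 UTC), and reports visits newest first and downloads with a completed/incomplete flag. To examine a real profile, open copies of the two files with sqlite3.connect() instead of the constructed databases.

```python
# Added example (not code from the ForensicsWiki page): query Firefox 3 history
# (places.sqlite) and download records (downloads.sqlite) and convert their
# microsecond timestamps. Both databases are constructed in memory with only
# the columns the page's queries use, so this runs offline.
import datetime
import sqlite3

EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def prtime_to_datetime(microseconds):
    """Convert a Firefox timestamp (microseconds since 1970-01-01 UTC) to an
    aware UTC datetime. Returns None for 0 or NULL (timestamp not set)."""
    if not microseconds:
        return None
    return EPOCH + datetime.timedelta(microseconds=microseconds)


def history_visits(places):
    """(visit time, URL) for every recorded visit, newest first. Joins
    moz_historyvisits to moz_places exactly as the page's query does."""
    rows = places.execute(
        "SELECT moz_historyvisits.visit_date, moz_places.url "
        "FROM moz_places JOIN moz_historyvisits "
        "ON moz_places.id = moz_historyvisits.place_id "
        "ORDER BY moz_historyvisits.visit_date DESC")
    return [(prtime_to_datetime(visit_date), url) for visit_date, url in rows]


def download_records(downloads):
    """(start, end, source URL, completed) for every download. A row whose
    currBytes is below maxBytes never finished; an unset endTime becomes None."""
    rows = downloads.execute(
        "SELECT startTime, endTime, source, currBytes, maxBytes FROM moz_downloads")
    return [(prtime_to_datetime(start), prtime_to_datetime(end), source,
             cur_bytes >= max_bytes)
            for start, end, source, cur_bytes, max_bytes in rows]


def build_sample_databases():
    """Constructed sample data standing in for places.sqlite and downloads.sqlite.
    Timestamps are 2014-01-23 18:00:00 UTC and a few seconds/minutes after it."""
    places = sqlite3.connect(":memory:")
    places.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://www.forensicswiki.org/');
        INSERT INTO moz_places VALUES (2, 'http://www.mozilla.com/firefox/');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1390500000000000);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1390500060000000);
    """)
    downloads = sqlite3.connect(":memory:")
    downloads.executescript("""
        CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, source TEXT,
                                    startTime INTEGER, endTime INTEGER,
                                    currBytes INTEGER, maxBytes INTEGER);
        INSERT INTO moz_downloads VALUES
            (1, 'http://example.test/tool.zip', 1390500120000000, 1390500125000000, 4096, 4096);
        INSERT INTO moz_downloads VALUES
            (2, 'http://example.test/big.iso', 1390500200000000, 0, 1024, 8192);
    """)
    return places, downloads


if __name__ == "__main__":
    places, downloads = build_sample_databases()
    for when, url in history_visits(places):
        print(when.isoformat(), url)
    for start, end, source, done in download_records(downloads):
        print(start.isoformat(), end.isoformat() if end else "-", source,
              "complete" if done else "incomplete")
```

The conversion is done in Python rather than with SQLite's datetime() so the result is an aware UTC value that does not depend on the examination machine's time zone.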
== Cache ==
The disk cache can be found in the following locations:

On Linux
<pre>
/home/$USER/.mozilla/firefox/$PROFILE.default/Cache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
</pre>

On Windows Vista, 7
<pre>
C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
</pre>

== See Also ==

* [[Mozilla Suite]]
* [[Mozilla Firefox History File Format]]
* [[SQLite database format]]

== External Links ==

* [http://www.mozilla.com/firefox/ Official website]
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]
* [http://download.cdn.mozilla.net/pub/firefox/releases/ Mozilla Firefox Releases]

[[Category:Applications]]
[[Category:Web Browsers]]

Revision as of 17:37, 23 January 2014

JTAG Samsung Galaxy S3 (SGH-I747M)

The Samsung Galaxy S3 is an Android based smartphone. At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.

For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.

Getting Started

What you need to dump the NAND:

  1. A RIFF Box (http://www.riffbox.org/).
  2. Soldering skills and a small-tip soldering iron (a JTAG jig may be available).
  3. A DC power supply capable of supplying 3.8V/2.1A output. The power supply used for this was an Agilent U8002A DC Power Supply (http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng).

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the RIFF Box to the PC via USB.
  3. Connect the RIFF Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "RIFF Box JTAG Manager" software.
  6. Enable the output on the DC power supply.
  7. Power the phone on via the power button.
  8. Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on the Internet, but they can be summarized as follows:

  • Remove the rear cover and battery.
  • Remove the 10 Phillips screws.
  • Remove the rear plate using a case opening tool (guitar pick).

[Images: 1-samsung-s3-sgh-i747m-front.jpg, 2-samsung-s3-sgh-i747m-back.jpg, 3-samsung-s3-sgh-i747m-disassembly-screws.jpg, 4-samsung-s3-sgh-i747m-disassembly-bezel.jpg]

  • Once the phone has been disassembled, you can see the JTAG connection port located right above the power button.

[Image: 5-samsung-s3-sgh-i747m-disassembly-final.jpg]

  • The JTAG pinouts are as follows.

[Image: 6-samsung-s3-sgh-i747m-jtag-header.jpg]

  • Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire to connect an adapter that was inserted into the 20 pin ribbon cable supplied with the RIFF Box.

[Image: 7-samsung-s3-sgh-i747m-jtag-solder.jpg]

  • Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outer pin on one side (pin 1) and the negative (-) connection is the outer pin on the other side (pin 3). Configure your power supply to match the battery specifications, in this case 3.8V with a 2.1A current limit, but do not apply power at this time.

[Image: 8-samsung-s3-sgh-i747m-jtag-power.jpg]

  • Now start the RIFF JTAG software, configure it, and connect the phone to the RIFF Box. See the picture below for more detail.

NOTE: In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in an attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.

[Image: 9-samsung-s3-sgh-i747m-jtag-manager.jpg]

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well the "READ" button will become the "STOP" button and the phone will begin reading. If not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.

NOTE: In the event of read errors, the RIFF software keeps track of where the failure occurred and gives you the option to restart the read where it left off. If this occurs, you can lower the "JTAG TCK Speed" to 9MHz (or lower), which can stabilize the read.
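Once the read has finished, the image the RIFF Box wrote should be hashed and checked for completeness before analysis, because a read that stopped early, or one that was resumed after a mid-read disconnect as described above, can leave a dump that is shorter than the flash it came from. The following is an added example, not part of the ForensicsWiki page or of the RIFF Box software, and it makes two assumptions the page does not state: the dump is a raw sector image with 512-byte sectors, and the flash carries a GPT partition table at LBA 1. It verifies the GPT header and partition-array CRCs, lists the named partitions, and flags any partition or the backup GPT whose location lies past the end of the file. The image it checks is constructed in memory with two partitions ("boot" and "userdata"); on a real case, pass the bytes of the dump file to check_dump() instead.

```python
# Added example (not part of the ForensicsWiki page or of the RIFF Box software):
# sanity-check a raw flash dump after a JTAG read. Assumed, not stated on the page:
# raw image, 512-byte sectors, GPT at LBA 1. The sample image is constructed.
# Real case: check_dump(open(path, "rb").read())
import hashlib
import struct
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # UEFI GPT header, 92 bytes
GPT_ENTRY_FMT = "<16s16sQQQ"           # type GUID, unique GUID, first/last LBA, attrs


def _crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt(image):
    """Parse the primary GPT header (LBA 1) and its partition array.
    Raises ValueError when the 'EFI PART' signature is missing."""
    header = image[SECTOR:2 * SECTOR]
    if header[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    (_sig, _rev, hdr_size, hdr_crc, _rsv, _cur, alt_lba, _first, _last, _guid,
     entries_lba, n_entries, entry_size, table_crc) = struct.unpack_from(
        GPT_HEADER_FMT, header, 0)
    zeroed = bytearray(header[:hdr_size])
    zeroed[16:20] = b"\0\0\0\0"  # header CRC is computed with its own field zeroed
    table = image[entries_lba * SECTOR:entries_lba * SECTOR + n_entries * entry_size]
    partitions = []
    for i in range(n_entries):
        entry = table[i * entry_size:(i + 1) * entry_size]
        if len(entry) < entry_size:
            break  # partition array cut off: image too short
        type_guid, _uniq, first, last, _attrs = struct.unpack_from(GPT_ENTRY_FMT, entry, 0)
        if type_guid == b"\0" * 16:
            continue  # unused slot
        name = entry[56:128].decode("utf-16-le").split("\0", 1)[0]
        partitions.append({"name": name, "first_lba": first, "last_lba": last,
                           "size": (last - first + 1) * SECTOR})
    return {"header_crc_ok": _crc32(bytes(zeroed)) == hdr_crc,
            "table_crc_ok": _crc32(table) == table_crc,
            "alternate_lba": alt_lba, "partitions": partitions}


def check_dump(image):
    """Hash the dump and list everything suggesting it is not a complete, intact
    image: bad CRCs, or partitions / the backup GPT lying past the end of the file."""
    sectors = len(image) // SECTOR
    problems, partitions = [], []
    if len(image) % SECTOR:
        problems.append("size is not a whole number of %d-byte sectors" % SECTOR)
    try:
        gpt = parse_gpt(image)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        partitions = gpt["partitions"]
        if not gpt["header_crc_ok"]:
            problems.append("GPT header CRC mismatch")
        if not gpt["table_crc_ok"]:
            problems.append("GPT partition array CRC mismatch")
        if gpt["alternate_lba"] >= sectors:
            problems.append("backup GPT at LBA %d lies past end of image (truncated read?)"
                            % gpt["alternate_lba"])
        for part in partitions:
            if part["last_lba"] >= sectors:
                problems.append("partition %r ends at LBA %d, past end of image"
                                % (part["name"], part["last_lba"]))
    return {"size": len(image), "sectors": sectors,
            "sha256": hashlib.sha256(image).hexdigest(),
            "partitions": partitions, "problems": problems}


def build_sample_image(total_sectors=4096):
    """Constructed 2 MiB stand-in for a dump: protective MBR, primary GPT with two
    partitions ('boot', 'userdata'), remaining sectors zero-filled."""
    n_entries, entry_size, entries_lba = 128, 128, 2
    first_usable = entries_lba + n_entries * entry_size // SECTOR  # 34
    last_usable = total_sectors - first_usable  # leaves room for the backup GPT
    table = bytearray(n_entries * entry_size)
    for i, (name, first, last) in enumerate([("boot", first_usable, first_usable + 1023),
                                             ("userdata", first_usable + 1024, last_usable)]):
        off = i * entry_size
        struct.pack_into(GPT_ENTRY_FMT, table, off, bytes([0x11 + i]) * 16,
                         bytes([0x22 + i]) * 16, first, last, 0)
        table[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\0")
    header = bytearray(SECTOR)
    struct.pack_into(GPT_HEADER_FMT, header, 0, GPT_SIGNATURE, 0x00010000, 92, 0, 0, 1,
                     total_sectors - 1, first_usable, last_usable, b"\x33" * 16,
                     entries_lba, n_entries, entry_size, _crc32(bytes(table)))
    struct.pack_into("<I", header, 16, _crc32(bytes(header[:92])))
    image = bytearray(total_sectors * SECTOR)
    struct.pack_into("<BBBBBBBBII", image, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF,
                     1, total_sectors - 1)  # protective MBR entry (type 0xEE)
    image[510:512] = b"\x55\xAA"
    image[SECTOR:2 * SECTOR] = header
    image[entries_lba * SECTOR:entries_lba * SECTOR + len(table)] = table
    return bytes(image)
```

Running check_dump(build_sample_image()) reports two partitions and no problems; running it on the first 3000 sectors of that image, which stands in for a read that stopped early, reports that the backup GPT and the "userdata" partition lie past the end of the file. Record the SHA-256 from the complete image alongside the dump so later copies can be verified against it.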