Difference between pages "JTAG Huawei TracFone M865C" and "Memory Imaging"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Created page with "== JTAG Huawei TracFone M865C (Ascend II) == This phone is supported by the Cricket Network and Tracfone. This uses a Qualcomm 7627 600 MHz (S1) Processo and comes standard...")
 
 
Line 1: Line 1:
== JTAG Huawei TracFone M865C (Ascend II) ==
+
{{expand}}
  
 +
Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].
  
 +
For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O
  
This phone is supported by the Cricket Network and Tracfone. This uses a Qualcomm 7627 600 MHz (S1) Processo and comes standard with Android version 2.3. This phone is unsupported by RIFF Box for the JTAG process for resurrector.  
+
The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]].
 +
Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.
  
 +
== Methods ==
  
{| border="1" cellpadding="2"
+
=== Reading from the Physical Memory Object ===
|-
+
In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used the access physical memory. Since Windows 2003 SP1 user-mode access to this device-object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device-object.
| [[ File:huawei-tracfone-m865c-front.png | 400px ]]
+
| [[ File:huawei-tracfone-m865c-back.png | 400px ]]
+
|-
+
|}
+
  
 +
=== MmMapIoSpace ===
  
 +
The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].
  
=== Getting Started ===
+
== Memory Imaging Techniques ==
  
 +
; Crash Dumps
 +
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
 +
; LiveKd Dumps
 +
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
 +
; Hibernation Files
 +
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
 +
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
 +
; Firewire
 +
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
 +
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
 +
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
 +
: The [http://digitalfire.ucd.ie/?page_id=430 Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
 +
; Cold and Warm reboots
 +
: Typical RAM-modules retain memory during reboots as long as power is provided. The modules typically support a self-refresh. Whether the data is retained depend on BIOS-es that do or do not clear the RAM during their initialisation of the motherboards. Warm reboots refer to reboot methods in which power is never removed from the memory module. Tools like [http://mcgrewsecurity.com/oldsite/projects/msramdmp.1.html msramdump] or [http://www.sei.cmu.edu/digitalintelligence/tools/afterlife/ afterlife] act like minimal OS-es with a memory footprint around a few 100k that can save memory to disk (Nowadays often only upto 4G afaik). When the RAM is cleared by the standard BIOS, [https://ohm2013.org/wiki/Village:Garrison#Lecture:_RAM_Memory_acquisition_using_live-BIOS_modification replacing the bios] can be an option. Depending on the motherboard this method works fine. [http://en.wikipedia.org/wiki/Cold_boot_attack Cold boot] refers to the cooling of RAM te increase the time the RAM module will retain data without power. Opinions on how practical cold boot is are discussed in "[http://www1.cs.fau.de/filepool/projects/coldboot/fares_coldboot.pdf On the Practicability of Cold Boot Attacks]".
 +
; Virtual Machine Imaging
 +
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
  
What you need:
+
== Also see ==
 +
* [[Memory analysis]]
 +
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]
  
 +
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
 +
* [http://web.archive.org/web/20101210223853/http://blogs.23.nu/RedTeam/0000/00/antville-5201 RedTeam: FireWire round-up]
 +
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], by [[Antonio Martin]], 2007
 +
* [http://forensic.belkasoft.com/en/live-ram-forensics Catching the ghost: how to discover ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, May 2013
 +
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
 +
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
 +
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgen]] [[Michael Cohen]], May 2014
  
# Riff Box
+
[[Category:Memory Analysis]]
 
+
# USB to Micro USB cord
+
 
+
 
+
 
+
=== NAND Dump Procedure ===
+
 
+
# Disassemble the phone down to the PCB.
+
# Connect the RIFF box to the PC via USB.
+
# Connect the RIFF box to the PCB via the JTAG pins.
+
# Connect the PCB to a Micro USB cord and power via a power supply.
+
# Start the "RIFF box" software.
+
# Power the PCB.
+
# Dump the NAND.
+
 
+
The TAPS are located under the battery, behind the Huawei phone label.  The phone will be powered by a Micro USB cord from an AC battery charger.
+
 
+
The TAPS order is as follows:
+
 
+
# 1=Not Used
+
# 2=TCK
+
# 3=GND
+
# 4=TMS
+
# 5=TDI
+
# 6=TDO
+
# 7=RTCK
+
# 8=TRST
+
# 9=NRST
+
 
+
 
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[ File:huawei-tracfone-m865c-taps.png | 400px ]]
+
|-
+
|}
+
 
+
 
+
 
+
For the TAPs, the Huawei-8650 was utilized, pictured above. The TAPS on the M865C are located in the same location as the 8650. See below for TAPS locations.
+
 
+
 
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[ File:huawei-tracfone-m865c-soldered-taps.png | 400px ]]
+
|-
+
|}
+
 
+
 
+
 
+
After the wires are connected to the board, the phone is powered by the USB connection. Plug the Micro USB into the USB connection on the device and then plug the phone into a wall outlet. The phone should respond with the vibrator switch activating for less than a second.
+
 
+
Launch the Riff Box JTAG Manager and use the following settings:
+
 
+
* JTAG TCK Speed = RTCK
+
* Resurrector Settings= Huawei U8650
+
* Auto FullFlash size
+
 
+
 
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[ File:huawei-tracfone-m865c-riff-settings.png | 400px ]]
+
|-
+
|}
+
 
+
 
+
 
+
Advanced Settings:
+
 
+
* Ignore Target IDCODE during Resurrection and DCC Loader operations
+
 
+
 
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[ File:huawei-tracfone-m865c-riff-advanced-settings.png | 400px ]]
+
|-
+
|}
+
 
+
 
+
 
+
Then connect and get the ID, you should receive the dead body signal. Then read the memory.  JTAG complete.
+
 
+
 
+
=== Notes ===
+
 
+
 
+
 
+
The phone has a 512 MB NAND flash memory chip which should take approximately 30 minutes to download.
+

Revision as of 14:51, 1 July 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to Disk Imaging.

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O

The resulting copy is stored in a Forensics image format. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

Methods

Reading from the Physical Memory Object

In Windows the Physical Memory Object, \\Device\PhysicalMemory, can be used the access physical memory. Since Windows 2003 SP1 user-mode access to this device-object is no longer permitted [1]. A kernel-mode process is still allowed to read from this device-object.

MmMapIoSpace

The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [2].

Memory Imaging Techniques

Crash Dumps
When configured to create a full memory dump, Windows operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. Andreas Schuster has a blog post describing this technique.
LiveKd Dumps
The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
Hibernation Files
Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the system drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image. Once hiberfil.sys has been obtained, Sandman can be used to convert it to a dd image.
Mac OS X very kindly creates a file called /var/vm/sleepimage on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on File Vault and enables Secure Virtual Memory. [3].
Firewire
It is possible for Firewire or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.
This technique has been turned into a tool that you can download from: http://www.storm.net.nz/projects/16
The Goldfish tool automates this exploit for investigators needing to analyze the memory of a Mac.
Cold and Warm reboots
Typical RAM-modules retain memory during reboots as long as power is provided. The modules typically support a self-refresh. Whether the data is retained depend on BIOS-es that do or do not clear the RAM during their initialisation of the motherboards. Warm reboots refer to reboot methods in which power is never removed from the memory module. Tools like msramdump or afterlife act like minimal OS-es with a memory footprint around a few 100k that can save memory to disk (Nowadays often only upto 4G afaik). When the RAM is cleared by the standard BIOS, replacing the bios can be an option. Depending on the motherboard this method works fine. Cold boot refers to the cooling of RAM te increase the time the RAM module will retain data without power. Opinions on how practical cold boot is are discussed in "On the Practicability of Cold Boot Attacks".
Virtual Machine Imaging
There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. Qemu supports the pmemsave function, Xen has the xm dump-core command.

Also see

External Links