Difference between pages "Chip-Off BlackBerry Curve 9320" and "JTAG Forensics"

From ForensicsWiki
(Difference between pages)
 
m (Procedures)
 
Line 1: Line 1:
The hardware used in the BlackBerry 9315's and 9320's are almost identical. The following link describes the differences between the models. http://worldwide.blackberry.com/blackberrycurve/9220-9310-9320/specifications.jsp
+
== Definition ==
 +
=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group ]): ===
  
== Tear Down ==
+
Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.
  
<ol start="1">
+
=== Forensic Application ===
<li>Remove the back panel.</li>
+
</ol>
+
  
{| border="1" cellpadding="2"
+
JTAG forensics is an acquisition procedure which involves connecting to the Standard Test Access Port (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. Jtagging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means.
|-
+
| [[File:1-bb9320-BackPanelRemoved.jpg| 300px ]]
+
|-
+
|}
+
  
<ol start="2">
+
== Tools and Equipment ==
<li>Remove the SIM and SD Memory Card.</li>
+
</ol>
+
  
<ol start="3">
+
* [[JTAG and Chip-Off Tools and Equipment]]
<li>Using a torx-6 screw driver remove the 2 visible screws on the back of the phone.</li>
+
</ol>
+
  
{| border="1" cellpadding="2"
+
== Procedures ==
|-
+
| [[File:2-bb9320-ScrewRemoval.jpg| 300px ]]
+
|-
+
|}
+
  
<ol start="4">
+
* [[JTAG HTC Wildfire S]]
<li>Remove the screen protector using a shim, guitar pick, or prying tool.</li>
+
* [[JTAG Huawei TracFone M865C]]
</ol>
+
* [[JTAG Huawei TracFone H866C]]
 
+
* [[JTAG Huawei U8655]]
{| border="1" cellpadding="2"
+
* [[JTAG Huawei Y301-A1 Valiant]]
|-
+
* [[JTAG LG L45C TracFone]]
| [[File:3-bb9320-ScreenRemoval.jpg| 300px ]]
+
* [[JTAG LG P930 (Nitro HD)]]
|-
+
* [[JTAG LG E960 (Nexus 4)]]
|}
+
* [[JTAG Samsung Galaxy Centura (SCH-S738C)]]
 
+
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]
<ol start="5">
+
<li>Remove 2 torx-5 screws.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:4-bb9320-ScrewRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="6">
+
<li>Use the shim to detach the outer bezel/keyboard from the device.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:5-bb9320-TopPlate.jpg| 300px ]]  
+
| [[File:5-1-bb9320-TopPlate.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="7">
+
<li>Remove 4 additional torx-6 screws. The main board will now easily be separated from the back plate</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:6-bb9320-ScrewRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="8">
+
<li>Peel off the vendor sticker.</li>
+
</ol>
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:7-bb9320-VendorPlate.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="9">
+
<li>Remove the plastic cover protecting the track pad ribbon cable, and disconnect the track pad.</li>
+
</ol>
+
 
+
<ol start="10">
+
<li>Remove the final torx-4 screw located beneath the plastic protector, to remove the plastic keyboard overlay.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:8-bb9320-ScrewRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="11">
+
<li>Disconnect the ribbon cable connected to the LCD. Then using a pick separate the display from the main board.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:9-bb9320-ScreenRemoval.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="12">
+
<li>The tear down is now complete</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:9-1-bb9320-TearDownComplete.jpg| 300px ]]
+
|-
+
|}
+
 
+
eMMC Removal
+
 
+
<ol start="1">
+
<li>The eMMC is located beneath the heat shield directly above the Micro SD card slot.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:10-bb9320-EMMC-Location.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="2">
+
<li>Place the main board in a stand or holder and position it approximately 2 1/2" - 3" inches away from a heat gun or device the blows super hot air.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:11-bb9320-HeatShield.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="3">
+
<li>Monitoring the temperature the heat shield will come off easily between 190-200 Centigrade.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:12-bb9320-HeatShield.jpg| 300px ]]
+
| [[File:13-bb9320-HeatShieldRemoved.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="4">
+
<li>Continue working under the high heat. With the 9315/9320's I've worked on the eMMC has been ready to lift off of the main board using tweezers immediately after removing the heat shield.</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:14-bb9320-EMMC-Removed.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="5">
+
<li>Using liquid flux, or flux paste and a soldering iron clean the pads on the eMMC in preparation for a read</li>
+
</ol>
+
 
+
{| border="1" cellpadding="2"
+
|-
+
| [[File:15-bb9320-EMMC-Cleanup.jpg| 300px ]]  
+
| [[File:16-bb9320-EMMC-Clean.jpg| 300px ]]
+
|-
+
|}
+
 
+
<ol start="6">
+
<li>The eMMC is now ready to read using the appropriate adapter/programmer and software.</li>
+
</ol>
+
 
+
At the time of this writing (2013OCT29) the eMMC that was removed in this example was read using an UP828 programmer via the "VBGA169E" adapter. The resulting image was then parsed via the CelleBrite Physical Analyzer (V. 3.8.5.108).
+
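Review bot: the added Forensic Application paragraph reads "the Standard Test Access Port (TAPs)", pairing a singular noun with a plural abbreviation; suggest "the Test Access Ports (TAPs)". In the same revision, the "From Wikipedia" heading repeats the URL as both link target and label, so a short label would read better, and the added Procedures list puts "JTAG LG E960 (Nexus 4)" after "JTAG LG P930 (Nitro HD)", which breaks the otherwise alphabetical order.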

Revision as of 18:35, 23 December 2013

Definition

From Wikipedia (http://en.wikipedia.org/wiki/Joint_Test_Action_Group):

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

Forensic Application

JTAG forensics is an acquisition procedure that involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. JTAGging supported phones can be an extremely effective technique for extracting a full physical image from devices that cannot be acquired by other means.

Tools and Equipment

Procedures