Difference between pages "Google Chrome" and "JTAG LG P930 (Nitro HD)"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Example queries)
 
(Created page with "== JTAG LG P930 (Nitro HD) == The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, pa...")
 
Line 1: Line 1:
Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.
+
== JTAG LG P930 (Nitro HD) ==
  
== Configuration ==
+
The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on a LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the pin or pattern lock decoded from it.
The Google Chrome configuration can be found in the '''Preferences''' file.
+
  
On Linux
+
For the purpose of this document, a LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.
<pre>
+
/home/$USER/.config/google-chrome/Default/Preferences
+
</pre>
+
  
On MacOS-X
+
=== Getting Started ===
<pre>
+
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
+
</pre>
+
  
On Windows XP
+
What you need to extract the lock from the device:
<pre>
+
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
+
</pre>
+
  
On Windows Vista and later
+
# A Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
<pre>
+
# Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
+
# A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
</pre>
+
# PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').
  
Or for '''Chromium'''
+
=== NAND Dump Procedure ===
  
On Linux
+
# Disassemble the phone down to the PCB.
<pre>
+
# Connect the Octoplus JTAG Box to the PC via USB.
/home/$USER/.config/chromium/Default/Preferences
+
# Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
</pre>
+
# Connect the PCB to the DC power supply.
 +
# Start the "Octoplus JTAG" software.
 +
# Power the PCB.
 +
# Dump the NAND.
  
On MacOS-X
+
Instructions for disassembly can be found on Internet but it can be summarised as follows:
<pre>
+
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
+
</pre>
+
  
On Windows XP
+
# Remove the rear cover and battery.
<pre>
+
# Remove the 9 x Phillips screws.
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
+
# Split the phone case using a case opening tool (guitar pick).
</pre>
+
  
On Windows Vista and later
+
{| border="1" cellpadding="2"
<pre>
+
|-
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
+
| [[ File:lg-p930-nitro-hd-front.png | 400px ]]
</pre>
+
| [[ File:lg-p930-nitro-hd-back.png | 400px ]]
 +
|-
 +
|}
  
=== Plugins ===
+
Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connectors. Molex sells the mating heading under the brand name "SlimStack" however sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl however based on the cost and amount of time it takes to receive said items, it can be faster to solder lead wires off this header. Note: A decent microscope is mandatory for this step as soldering these connections without one is extremely difficult.
  
Information about plugins can be found under the "plugins section" of the Preferences file.
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:lg-p930-nitro-hd-disassembled-1.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-disassembled-2.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-disassembled-3.png | 350px ]]
 +
|-
 +
|}
  
=== DNS Prefetching ===
+
With the phone now disassembled you can solder on your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications which in this case is 3.8V and 1.830A but do not apply power at this time.
  
DNS is prefetched for related sites, e.g. links on the page.
 
This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.
 
  
If enabled the Preferences file contains:
+
{| border="1" cellpadding="2"
<pre>
+
|-
  "dns_prefetching": {
+
| [[ File:lg-p930-nitro-hd-connected-via-jtag-1.png | 350px ]]
      "enabled": true,
+
| [[ File:lg-p930-nitro-hd-connected-via-jtag-2.png | 350px ]]
</pre>
+
| [[ File:lg-p930-nitro-hd-connected-via-jtag-3.png | 350px ]]
 +
|-
 +
|}
  
If disabled the Preferences file contains:
+
Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.
<pre>
+
  "dns_prefetching": {
+
      "enabled": false,
+
</pre>
+
  
== Start-up DNS queries ==
 
  
When Chrome starts it queries for several non-existing hostnames that consists of a 10 random characters, E.g.
+
{| border="1" cellpadding="2"
<pre>
+
|-
ttrgoiknff.mydomain.com
+
| [[ File:octoplus-settings.png | 600px ]]
bxjhgftsyu.mydomain.com
+
|-
yokjbjiagd.mydomain.com
+
|}
</pre>
+
  
This is used to determine if your ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en].
+
Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software, you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.
  
== Disk Cache ==
+
If you receive errors that the PCB could not be connected to, try the following:
The Google Chrome disk cache can be found in:
+
  
On Linux
+
* Confirm that the PCB is receiving power from the DC power supply.  If you can measure current draw of the PCB, you should see that the PCB is pulling about 0.04A.  If the PCB is pulling more current, it is likely already booted and the read may fail.
<pre>
+
* Power off the PCB, power it back on, and immediately connect then start the JTAG read.
/home/$USER/.config/google-chrome/Default/Application Cache/Cache/
+
* Check all of your PCB to JTAG connections under a microscope.  Inspect for shorts or incorrect connections.
</pre>
+
* Upon receiving a successful JTAG dump you can process the file with the CCL Forensics Android scripts to extract the gesture or pin lock.
  
On MacOS-X
+
==== Notes ====
<pre>
+
/Users/$USER/Caches/Google/Chrome/Default/Cache/
+
</pre>
+
  
On Windows XP
+
This exhibit gave us some issue when reading ~100MB mark and the read kept disconnecting around that memory range.  We opted to read the device with multiple reads by reading from 0MB-96MB, skipping over data, then reading from 192MB-EOF.  This captured enough data to acquire the password hash which was located around the 1.3GB range on this particular phone.
<pre>
+
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Cache\
+
</pre>
+
  
On Windows Vista and later
+
=== References ===
<pre>
+
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Cache\
+
</pre>
+
  
The Chrome Cache contains different files with the following file names:
+
* http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
* index
+
* http://forensics.spreitzenbarth.de/2012/02/
* data_#; where # contains a decimal digit.
+
* http://www.ccl-forensics.com/Software/other-software-a-scripts.html
* f_######; where # contains a hexadecimal digit.
+
 
+
For more info see Chrome developers site [http://www.chromium.org/developers/design-documents/network-stack/disk-cache].
+
 
+
== History ==
+
Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].
+
 
+
The '''History''' file can be found in same location as the '''Preferences''' file.
+
 
+
There is also '''Archived History''' that predates information in the '''History''' file.
+
Note that the '''Archived History''' only contains visits.
+
 
+
=== Timestamps ===
+
The '''History''' file uses the different timestamps.
+
 
+
==== visits.visit_time ====
+
 
+
The '''visits.visit_time''' is in (the number of) microseconds since January 1, 1601 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1601, 1, 1 )
+
            + datetime.timedelta( microseconds=timestamp )
+
</pre>
+
 
+
Note that this timestamp is not the same as a Windows filetime which is (the number of) 100 nanoseconds since January 1, 1601 UTC
+
 
+
==== downloads.start_time ====
+
 
+
The '''downloads.start_time''' is in (the number of) seconds since January 1, 1970 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1970, 1, 1 )
+
            + datetime.timedelta( seconds=timestamp )
+
</pre>
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the visited sites:
+
<pre>
+
SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
+
</pre>
+
 
+
Note that the visit_time conversion looses precision.
+
 
+
To get an overview of the downloaded files:
+
<pre>
+
SELECT datetime(downloads.start_time, "unixepoch"), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;
+
</pre>
+
 
+
How the information of the downloaded files is stored in the database can vary per version of Chrome as of version 26:
+
<pre>
+
SELECT datetime(((downloads.start_time/1000000)-11644473600), "unixepoch"), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes \
+
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
+
</pre>
+
 
+
== See Also ==
+
 
+
* [[SQLite database format]]
+
 
+
== External Links ==
+
* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
+
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
+
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
+
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum article random 10 character hostnames on startup]
+
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics] by [[Kristinn Guðjónsson]]
+
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
+
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], [[John Lehr]], February 24, 2013
+
 
+
[[Category:Applications]]
+
[[Category:Web Browsers]]
+

Revision as of 22:18, 17 August 2013

Contents

JTAG LG P930 (Nitro HD)

The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on a LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the pin or pattern lock decoded from it.

For the purpose of this document, a LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.

Getting Started

What you need to extract the lock from the device:

  1. A Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
  2. Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
  3. A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
  4. PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the Octoplus JTAG Box to the PC via USB.
  3. Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "Octoplus JTAG" software.
  6. Power the PCB.
  7. Dump the NAND.

Instructions for disassembly can be found on Internet but it can be summarised as follows:

  1. Remove the rear cover and battery.
  2. Remove the 9 x Phillips screws.
  3. Split the phone case using a case opening tool (guitar pick).
Lg-p930-nitro-hd-front.png Lg-p930-nitro-hd-back.png

Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connectors. Molex sells the mating heading under the brand name "SlimStack" however sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl however based on the cost and amount of time it takes to receive said items, it can be faster to solder lead wires off this header. Note: A decent microscope is mandatory for this step as soldering these connections without one is extremely difficult.

Lg-p930-nitro-hd-disassembled-1.png Lg-p930-nitro-hd-disassembled-2.png Lg-p930-nitro-hd-disassembled-3.png

With the phone now disassembled you can solder on your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications which in this case is 3.8V and 1.830A but do not apply power at this time.


Lg-p930-nitro-hd-connected-via-jtag-1.png Lg-p930-nitro-hd-connected-via-jtag-2.png Lg-p930-nitro-hd-connected-via-jtag-3.png

Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.


Octoplus-settings.png

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software, you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.

If you receive errors that the PCB could not be connected to, try the following:

* Confirm that the PCB is receiving power from the DC power supply.  If you can measure current draw of the PCB, you should see that the PCB is pulling about 0.04A.  If the PCB is pulling more current, it is likely already booted and the read may fail.
* Power off the PCB, power it back on, and immediately connect then start the JTAG read.
* Check all of your PCB to JTAG connections under a microscope.  Inspect for shorts or incorrect connections.
* Upon receiving a successful JTAG dump you can process the file with the CCL Forensics Android scripts to extract the gesture or pin lock.

Notes

This exhibit gave us some issue when reading ~100MB mark and the read kept disconnecting around that memory range. We opted to read the device with multiple reads by reading from 0MB-96MB, skipping over data, then reading from 192MB-EOF. This captured enough data to acquire the password hash which was located around the 1.3GB range on this particular phone.

References