Difference between pages "Windows SuperFetch Format" and "JTAG and Chip-Off Tools and Equipment"

From ForensicsWiki

Windows SuperFetch Format (page content)

{{expand}}

SuperFetch is a memory management scheme that enhances the least-recently accessed approach with historical information and proactive memory management. [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx]

<b>Note that the following format specification is incomplete.</b>

== SuperFetch DB files ==

The <tt>Ag*.db</tt> files are of the SuperFetch file format. E.g.

<pre>
AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db
</pre>

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compression methods:

* Compressed SuperFetch DB - MEM file format; Windows Vista and 7
* Compressed SuperFetch DB - MAM file format; Windows 8

=== Compressed SuperFetch DB - MEM file format ===

The MEM file consists of:

* file header
* compressed blocks

==== File header ====

The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f) <br> "MEM0" (0x4d, 0x45, 0x4d, 0x30)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

Where:

* "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista and indicates the LZNT1 compression method
* "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7 and indicates the LZXPRESS Huffman compression method

==== Compressed blocks ====

The file header is followed by compressed blocks, each of which consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|}

The uncompressed block size is 65536 (0x10000) bytes, or the remaining uncompressed data size for the last block.
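The header and block framing described above can be walked without decompressing anything, which is the first thing a triage script should do before trusting a file. The following Python is an added example, not code from ForensicsWiki or from the cited partial specification. It takes the 84-byte header size and the 0x10000 block size from the text above, assumes little-endian integers (the page does not state byte order), and builds its own constructed sample file whose block payloads are filler rather than real LZNT1 or LZXPRESS Huffman data.

```python
"""Walk the block framing of a compressed SuperFetch MEM file (Ag*.db).

Added example: parses the 84-byte header and the chain of
(4-byte compressed size, compressed data) blocks, and reports which
decompressor the signature calls for. It does not decompress: LZNT1 and
LZXPRESS Huffman are not in the Python standard library. Little-endian
byte order is an assumption.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

MEM_HEADER_SIZE = 84          # header size as stated on the page; only bytes 0-7 are documented
BLOCK_UNCOMPRESSED_SIZE = 0x10000

# Signature -> compression method, as listed on the page
SIGNATURES: Dict[bytes, str] = {
    b"MEMO": "LZNT1 (Windows Vista)",
    b"MEM0": "LZXPRESS Huffman (Windows 7)",
}


@dataclass
class MemBlock:
    offset: int                 # file offset of the block's 4-byte size field
    compressed_size: int
    expected_uncompressed: int  # 0x10000, or the remainder for the last block
    data: bytes                 # still-compressed payload


@dataclass
class MemFile:
    signature: bytes
    compression: str
    uncompressed_size: int
    blocks: List[MemBlock] = field(default_factory=list)
    trailing: int = 0           # bytes left after the last block (should be 0)


def parse_mem(buf: bytes) -> MemFile:
    """Parse header and block framing; raise ValueError on anything inconsistent."""
    if len(buf) < MEM_HEADER_SIZE:
        raise ValueError("file shorter than the %d-byte header" % MEM_HEADER_SIZE)
    signature = buf[:4]
    if signature not in SIGNATURES:
        raise ValueError("unknown signature %r" % signature)
    (total,) = struct.unpack_from("<I", buf, 4)
    mem = MemFile(signature, SIGNATURES[signature], total)

    pos, remaining = MEM_HEADER_SIZE, total
    while remaining > 0:
        if pos + 4 > len(buf):
            raise ValueError("truncated block size field at offset %d" % pos)
        (csize,) = struct.unpack_from("<I", buf, pos)
        if csize == 0 or pos + 4 + csize > len(buf):
            raise ValueError("block at offset %d claims %d bytes, beyond end of file" % (pos, csize))
        # Every block but the last expands to 0x10000 bytes
        expected = min(BLOCK_UNCOMPRESSED_SIZE, remaining)
        mem.blocks.append(MemBlock(pos, csize, expected, buf[pos + 4:pos + 4 + csize]))
        pos += 4 + csize
        remaining -= expected
    mem.trailing = len(buf) - pos
    return mem


def build_sample(signature: bytes, uncompressed_size: int, payloads: List[bytes]) -> bytes:
    """Constructed test input: header padded to 84 bytes, then size-prefixed blocks.
    The payloads are opaque filler, not real compressed data."""
    header = signature + struct.pack("<I", uncompressed_size)
    header += b"\x00" * (MEM_HEADER_SIZE - len(header))
    return header + b"".join(struct.pack("<I", len(p)) + p for p in payloads)


if __name__ == "__main__":
    # 65536 + 100 uncompressed bytes -> two blocks, the second one short
    sample = build_sample(b"MEM0", 0x10000 + 100, [b"A" * 300, b"B" * 20])
    mem = parse_mem(sample)
    print(mem.compression, "total uncompressed:", mem.uncompressed_size)
    for blk in mem.blocks:
        print("block @%d: %d compressed -> %d uncompressed"
              % (blk.offset, blk.compressed_size, blk.expected_uncompressed))
```

Because only the first 8 header bytes are documented, the parser skips the remaining 76 without interpreting them. Checking that the size-prefixed blocks exactly cover the file, and that the block count matches the uncompressed total, catches truncated or carved files before a decompressor for the signalled method is ever invoked.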

=== Compressed SuperFetch DB - MAM file format ===

On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

==== File header ====

<b>TODO</b>

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
| Signature
|}

==== Compressed blocks ====

<b>TODO</b>

=== Uncompressed SuperFetch DB format ===

<b>TODO</b>

== TRX files ==

The <tt>Ag*.db.trx</tt> files are of the TRX file format. E.g.

<pre>
AgCx_SC*.db.trx
</pre>

<b>Note that the following format specification is incomplete.</b>

=== File header ===

The file header is variable in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Maximum number of records (size of the record offsets array)
|-
| 16
| 4
|
| Number of records
|-
| 20
| ...
|
| Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
|}
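The TRX header above has enough redundancy (a file size field, a record count and a fixed-size offsets array) to cross-check itself. The following Python is an added example, not ForensicsWiki code: it parses the five documented fields and the offsets array, then reports inconsistencies between them and the actual file length. Little-endian byte order and the constructed sample bytes are assumptions; the record layout itself is still undocumented, so the body is filler.

```python
"""Parse and sanity-check the header of a SuperFetch TRX file (Ag*.db.trx).

Added example following the layout tabulated above: five 32-bit fields, then
an array of `max_records` 32-bit record offsets whose unused slots are 0.
Little-endian byte order is an assumption.
"""
import struct
from dataclasses import dataclass
from typing import List

FIXED_HEADER_SIZE = 20  # offsets 0..19 as tabulated on the page


@dataclass
class TrxHeader:
    version: int                # offset 0, observed value 1; meaning unknown
    unknown: int                # offset 4
    file_size: int              # offset 8
    max_records: int            # offset 12, number of slots in the offsets array
    num_records: int            # offset 16
    record_offsets: List[int]   # every slot, including unused (0) ones

    @property
    def header_size(self) -> int:
        return FIXED_HEADER_SIZE + 4 * self.max_records

    @property
    def used_offsets(self) -> List[int]:
        return [o for o in self.record_offsets if o != 0]


def parse_trx_header(buf: bytes) -> TrxHeader:
    """Parse the fixed fields and the offsets array; raise ValueError if truncated."""
    if len(buf) < FIXED_HEADER_SIZE:
        raise ValueError("shorter than the %d-byte fixed header" % FIXED_HEADER_SIZE)
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", buf, 0)
    array_end = FIXED_HEADER_SIZE + 4 * max_records
    if array_end > len(buf):
        raise ValueError("record offsets array (%d entries) runs past end of data" % max_records)
    offsets = list(struct.unpack_from("<%dI" % max_records, buf, FIXED_HEADER_SIZE))
    return TrxHeader(version, unknown, file_size, max_records, num_records, offsets)


def validate_trx(hdr: TrxHeader, actual_size: int) -> List[str]:
    """Cross-check header fields against each other and the real file size.
    Returns a list of findings; an empty list means the header is self-consistent."""
    findings = []
    if hdr.file_size != actual_size:
        findings.append("file size field %d != actual size %d" % (hdr.file_size, actual_size))
    if hdr.num_records > hdr.max_records:
        findings.append("num_records %d exceeds max_records %d" % (hdr.num_records, hdr.max_records))
    used = hdr.used_offsets
    if len(used) != hdr.num_records:
        findings.append("%d non-zero offsets but num_records = %d" % (len(used), hdr.num_records))
    for i, off in enumerate(used):
        # A record must start after the header and inside the file
        if off < hdr.header_size or off >= actual_size:
            findings.append("record %d offset %d outside data area [%d, %d)"
                            % (i, off, hdr.header_size, actual_size))
    return findings


def build_sample(max_records: int, offsets: List[int], body_size: int) -> bytes:
    """Constructed TRX header followed by `body_size` filler bytes (record layout unknown)."""
    header_size = FIXED_HEADER_SIZE + 4 * max_records
    file_size = header_size + body_size
    slots = offsets + [0] * (max_records - len(offsets))
    fixed = struct.pack("<5I", 1, 0, file_size, max_records, len(offsets))
    return fixed + struct.pack("<%dI" % max_records, *slots) + b"\x00" * body_size


if __name__ == "__main__":
    sample = build_sample(4, [36, 60], 44)   # 36-byte header, 80-byte file
    hdr = parse_trx_header(sample)
    print("header %d bytes, %d/%d records used at %s"
          % (hdr.header_size, hdr.num_records, hdr.max_records, hdr.used_offsets))
    print("findings:", validate_trx(hdr, len(sample)) or "none")
```

Running the validator against a carved or partially overwritten file surfaces the mismatch between the stored file size and the bytes actually recovered, and a record count that disagrees with the number of non-zero offsets points at a header that should not be trusted for record boundaries.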
  
=== Record ===

<b>TODO describe</b>

== See Also ==

* [[SuperFetch]]

== External Links ==

* [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx Inside the Windows Vista Kernel: Part 2], by [[Mark Russinovich]], March 2007
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]

Revision as of 13:30, 18 April 2014 (JTAG and Chip-Off Tools and Equipment)

The following list contains equipment used for performing JTAG and chip-off analysis. Equipment used for both procedures is listed once, in the shared list, to avoid overlap and duplication. The URLs provided are for reference only; other vendors and suppliers exist for this equipment. Please search the Internet for other competitive vendors.

''Note: This equipment is not a definitive list and substitutions can be made for equivalent tools and equipment.''

'''JTAG and Chip-Off Equipment List'''

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
| Carton SPZT-50PG Microscope (optional: w/trinocular)
| http://valleymicroscope.com/shop/spz-50pg/
| $1200
|-
| Xytronic 988D Solder Rework Station
| http://www.howardelectronics.com/xytronic/988d.html
| $300
|-
| Weller WES51 Solder Station
| sourced locally (Electronics shop)
| $100
|-
| Xytronic LF-852D Hot Air Station
| http://www.howardelectronics.com/xytronic/LF-852D.html
| $225
|-
| HP Agilent U8002A Variable Power Supply
| http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng
| $400
|-
| Magnifying Desk Lamp
| http://www.amazon.com/Ultra-Efficient-LED-Magnifier-Lamp-Adjustable/dp/B001064VTE
| $100
|-
| Circuit board holder
| http://www.ibreakityoufixit.com/shop/mounting-kit
| $13
|-
| Chip Epoxy Glue Remover
| http://www.ebay.com/itm/BGA-IC-30ml-IC-BGA-CPU-Chip-Epoxy-Glue-Remover-Adhesive-Solution-Solvent-Liquid-/321012736931?pt=Digital_Camera_Accessories&hash=item4abdd9a3a3
| $10
|-
| 0.040 gauge transformer winding wire
| sourced locally (Electronics shop)
| $15
|-
| Kester 44 rosin flux solder
| sourced locally (Electronics shop)
| $50
|-
| Xcelite Hobby Knives
| sourced locally (Electronics shop)
| $15
|-
| Terra Dexterity PVC foam gloves
| sourced locally (Costco)
| $10
|-
| 8" x 8" x 3/8" steel plate
| sourced locally (Steel fabrication shop)
| free
|}

'''JTAG Specific Equipment List'''

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
| RIFF Box
| http://www.multi-com.pl/index.php/en_US,details,id_pr,7883,menu_mode,categories.html
| $120
|-
| Octoplus Box
| http://gsmserver.com/shop/gsm/octoplus_box_full_set.php
| $340
|}

'''Chip-Off Specific Equipment List'''

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
| Wagner HT1000 Heat Gun
| http://www.wagnerspraytech.com/portal/ht1000_en_spray,362096,358970.html
| $30
|-
| Heat Gun stand
| http://www.ibreakityoufixit.com/shop/air-gun-holder
| $60
|-
| UP-828 Programmer
| http://www.up48.com/english/programmer/up828.htm
| $1300 - $1700 depending on source
|-
| UP-828 SBGA152 Adapter
| BlackBerry
| $600 - $1000 depending on source
|-
| UP-828 BGA110 Adapter
|
| $600 - $1000 depending on source
|-
| UP-828 VBGA169E Adapter
| BlackBerry and Android
| $600 - $1000 depending on source
|-
| UP-828 VBGA133 Adapter
| iPhone 4
| $600 - $1000 depending on source
|}

'''Notes'''

1. The UP-828 driver is not signed and therefore doesn't work by default in Windows 7 64-bit. The programmer is identified as a Cypress Semiconductor Corp. CY7C68013. The signed Windows 7 64-bit driver can be installed by downloading and installing the Cypress EZ-USB FX2LP Development Kit, then using the CyUSB.sys driver found in '<installdir>\CY3684_EZ-USB_FX2LP_DVK\1.0\Drivers\cyusbfx1_fx2lp' for the UP-828 programmer.