Welcome to Farley Forensics

Basic Overview of JTAG, ISP, and Chip Off Extractions

First things: Huge shout out to James Sahm and Jonathan Rajewski, both of whom have taught me so much about how to perform JTAG, ISP, and Chip Off extractions (and are extremely good at performing these extractions!).

My next blog post will be a mostly complete hardware bill of materials for those who may want to start putting together a lab.

JTAG Extractions

JTAG stands for Joint Test Action Group, and was mainly used by device manufacturers to debug their devices before launching them. As forensic examiners, we can find these ports and use them to talk to the processor, which in turn talks to the memory card to access a full physical image of the device. I believe manufacturers use little devices called jigs, placed on the device, that connect to the JTAG ports and debug it that way. We most likely don’t have these jigs, so instead we solder wires to the TAPs, or Test Access Points (or use a VR Table, which I personally don’t like). Depending on the phone, you may or may not need a microscope to solder efficiently. This technique works on passcode-enabled devices, but not on encrypted devices (you’ll just get a bunch of encrypted data if you pull from an encrypted device). There are a few standard TAPs that we want to solder to; here’s the list:

  • TCK = Test Clock
  • TMS = Test Mode Select
  • TDI = Test Data In
  • TDO = Test Data Out
  • TRST = Test Reset (Optional)
  • Ground

These TAPs need to be connected to a box that knows how to access and interpret the data. Devices such as the Riff Box 2, Medusa Pro, and Easy JTAG are just some of the boxes you can use.
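To make the four signals in the list above concrete, here is an added example (not code from the original post, and not any box vendor's software) that simulates the chip side of an IEEE 1149.1 TAP controller and a host that drives TCK, TMS and TDI and reads TDO. The host resets the TAP with five TMS=1 clocks, walks the state machine to Shift-DR, and shifts out the 32-bit IDCODE register, which is the first thing any box does to confirm that the solder joints and scan chain are good. The IDCODE value and the starting TAP state are constructed for the simulation and are not a real part's ID.

```python
"""Simulated IEEE 1149.1 TAP walk-through (added example, not from the post)."""

# TAP controller state table: state -> (next state if TMS=0, next state if TMS=1)
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


class SimulatedTap:
    """Chip side: a TAP controller whose only data register is the 32-bit IDCODE."""

    def __init__(self, idcode, state="RUN_TEST_IDLE"):
        self.idcode = idcode
        self.state = state        # unknown power-on state; the host resets it first
        self.shift_reg = 0

    def clock(self, tms, tdi):
        """One TCK rising edge. Returns the TDO bit the host samples for this edge."""
        tdo = 0
        if self.state == "CAPTURE_DR":
            # Parallel-load the IDCODE (the instruction selected after Test-Logic-Reset).
            self.shift_reg = self.idcode
        elif self.state == "SHIFT_DR":
            # Shift one bit: the LSB goes out on TDO, TDI enters at the top.
            tdo = self.shift_reg & 1
            self.shift_reg = (self.shift_reg >> 1) | ((tdi & 1) << 31)
        self.state = TAP_NEXT[self.state][tms & 1]
        return tdo


def read_idcode(tap):
    """Host side: reset the TAP, walk to Shift-DR, shift out the 32 IDCODE bits."""
    for _ in range(5):                    # five TMS=1 clocks reach Test-Logic-Reset from any state
        tap.clock(tms=1, tdi=0)
    for tms in (0, 1, 0, 0):              # -> Run-Test/Idle -> Select-DR -> Capture-DR -> Shift-DR
        tap.clock(tms=tms, tdi=0)
    value = 0
    for i in range(32):
        tms = 1 if i == 31 else 0         # TMS=1 on the last bit leaves Shift-DR for Exit1-DR
        value |= tap.clock(tms=tms, tdi=0) << i   # LSB is shifted out first
    tap.clock(tms=1, tdi=0)               # Exit1-DR -> Update-DR
    tap.clock(tms=0, tdi=0)               # Update-DR -> Run-Test/Idle
    return value


def decode_idcode(idcode):
    """Split an IDCODE into (version, part number, JEDEC manufacturer id); bit 0 must be 1."""
    if idcode & 1 != 1:
        raise ValueError("bit 0 of an IDCODE is always 1; a 0 means BYPASS or a broken chain")
    return (idcode >> 28) & 0xF, (idcode >> 12) & 0xFFFF, (idcode >> 1) & 0x7FF


if __name__ == "__main__":
    # Constructed IDCODE and start state for the simulation; not a real part's ID.
    tap = SimulatedTap(0x12345ABB, state="PAUSE_IR")
    code = read_idcode(tap)
    print(f"IDCODE 0x{code:08X} -> version/part/manufacturer {decode_idcode(code)}")
```

A real box does exactly this walk, only against hardware: if TDO comes back as all ones or all zeros, the IDCODE check fails on bit 0 and the usual causes are a bad joint on TDO or TCK, a swapped TDI/TDO pair, or a TAP the manufacturer has disabled.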

Example of a JTAG’d phone


ISP Extractions

Similar to JTAG extractions, the forensic examiner has to solder wires to points on the board. This technique is useful for a few reasons: some phones don’t have accessible TAPs, or the manufacturer has disabled data access through the TAPs. To get around this, we solder wires to resistors and capacitors. The hard part is finding the pinout of the device you’re working on, which tells you which pins you need to solder to. This method is usually a bit tougher because the pins are much smaller than JTAG TAPs, which in turn usually calls for a microscope, a much finer solder tip, and a steady hand. This process also works on passcode-enabled devices, but again, not on encrypted devices. Here’s a list of the usual pins we want to solder to:

  • D0 = Data 0
  • VCC = 2.8 – 3.3 Volt (I believe this is the range)
  • VCCq = 1.8 Volt
  • CLK = Clock
  • CMD = Command
  • Ground

Like JTAG, the pins need to be connected to a box that knows how to access and interpret the data. Devices such as the Riff Box 2, Medusa Pro, and Easy JTAG are just some of the boxes you can use.
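The CMD and CLK pins in the list above carry the command traffic between the box and the eMMC, and D0 carries the data back in 1-bit mode. As an added example (not code from the post or from any box vendor), here is the 48-bit command token format from the SD/MMC specifications, with the standard CRC7 (polynomial x^7 + x^3 + 1) used to build a token and to check one captured with a logic analyzer. The two sample tokens are the well-known CMD0 and CMD8 frames; the damaged token is constructed.

```python
"""eMMC/SD command tokens on the CMD line (added example, not from the post).

A host-to-card command is 48 bits: start bit 0, transmission bit 1, a 6-bit
command index, a 32-bit argument, a 7-bit CRC, and an end bit 1.
"""


def crc7(data: bytes) -> int:
    """Bit-serial CRC7 (poly 0x09, init 0) over the bytes, MSB first."""
    crc = 0
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            msb = (crc >> 6) & 1
            crc = (crc << 1) & 0x7F
            if msb ^ bit:
                crc ^= 0x09
    return crc


def build_command(index: int, argument: int) -> bytes:
    """Encode a host-to-card command token as 6 bytes (48 bits)."""
    if not 0 <= index < 64:
        raise ValueError("command index is a 6-bit field")
    if not 0 <= argument < 2**32:
        raise ValueError("argument is a 32-bit field")
    head = bytes([0x40 | index]) + argument.to_bytes(4, "big")   # 0b01 + index, then argument
    return head + bytes([(crc7(head) << 1) | 1])                  # CRC7, then end bit


def parse_command(token: bytes):
    """Decode a captured token; returns (index, argument, crc_ok) or raises on a malformed frame."""
    if len(token) != 6:
        raise ValueError("a command token is exactly 48 bits")
    if token[0] >> 6 != 0b01:
        raise ValueError("start bit must be 0 and transmission bit 1 for a host command")
    if token[5] & 1 != 1:
        raise ValueError("end bit must be 1")
    index = token[0] & 0x3F
    argument = int.from_bytes(token[1:5], "big")
    crc_ok = (token[5] >> 1) == crc7(token[:5])
    return index, argument, crc_ok


if __name__ == "__main__":
    # CMD0 (GO_IDLE_STATE) with argument 0: the first token any reader sends.
    print(build_command(0, 0).hex())            # 400000000095
    # Constructed capture with one flipped argument bit: the CRC no longer matches.
    damaged = bytearray(build_command(8, 0x1AA))
    damaged[4] ^= 0x01
    print(parse_command(bytes(damaged)))
```

On a real ISP job the useful part is `parse_command`: if tokens sniffed on CMD fail their CRC, or the card's responses never arrive, the problem is almost always signal integrity on the tiny CMD/CLK joints (a lifted pad, a long fly wire, or the wrong VCCq level) rather than the box.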

Example of an ISP’d phone


Chip Off Extractions

Chip off extractions are performed when the above two methods are not viable. It’s definitely not a good idea to try this method first, as it’s unlikely you’ll be able to put the phone back together unless you’re really good at reballing the chip. Again, this works on passcode-enabled devices, but not encrypted devices. There are two methods of doing a chip off extraction; the first is micro milling. I have never done a micromill chip off, but you use the mill to carve out the memory card on the device. If anyone has any informative sites that go into this method in more detail, drop a comment!

Anyway, the other way to perform this extraction is to use a hot air rework station. You basically place the board on the table, heat the bottom of the board to an appropriate temperature, then turn on the hot air gun to melt the solder holding the chip down. It’s more efficient to have these two sources of heat, from the bottom and the top, but I have seen people do extractions using just a hot air gun. Once the chip’s solder has melted, an examiner can use tweezers to carefully remove the chip from the board. Depending on how carefully the chip was pulled, and the temperature at which it was pulled, you can now read the data from the chip via a specialized reader for that specific type of chip. If the chip comes off a little messy, you can clean it using a few different methods. I’ve seen people use a copper desoldering wick, flux, and a soldering iron to clean it. Another I’ve seen is to use just a chisel tip soldering iron with flux to scrape off the chip. The last method I know of, which Jon Rajewski told me about, is to use a chemical solvent called Attack to remove gunk on the chip (warning: this will cause very dangerous fumes!).

Once you have a cleaned chip, you need to have a reader for that specific model of chip. Some of these readers can be plugged into an SD card reader, and some have connectors to the boxes mentioned above in the JTAG and ISP sections.
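All three sections above make the same point: against an encrypted device, JTAG, ISP and chip off all return a dump full of ciphertext. A quick way to tell before spending time on a parser is to walk the image in fixed-size blocks and measure Shannon entropy per block. The script below is an added example (not code from the post) with a constructed sample image; the block size and thresholds are assumptions a practitioner would tune.

```python
"""Entropy triage of a pulled image (added example, not from the post).

Blocks near 8 bits/byte are encrypted or compressed, blocks near 0 are erased
flash (all 0x00 or all 0xFF), and anything in between still has structure.
"""
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096      # assumed; 4 KiB of ciphertext typically scores about 7.95 bits/byte
HIGH_ENTROPY = 7.5     # assumed threshold for "encrypted or compressed"
ERASED_MAX = 0.5       # assumed threshold for "erased"


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte of the block's byte-value distribution."""
    if not block:
        return 0.0
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_block(block: bytes) -> str:
    h = shannon_entropy(block)
    if h >= HIGH_ENTROPY:
        return "encrypted_or_compressed"
    if h <= ERASED_MAX:
        return "erased"
    return "structured"


def triage_image(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count blocks per class over the whole dump; the last partial block is included."""
    summary = Counter()
    for offset in range(0, len(image), block_size):
        summary[classify_block(image[offset:offset + block_size])] += 1
    return dict(summary)


def pseudo_ciphertext(length: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sample_image() -> bytes:
    """Constructed dump: two ciphertext blocks, one erased block, one block of plaintext records."""
    text = (b"user=alice;last_login=2020-01-01;contacts=bob,carol;" * 100)[:BLOCK_SIZE]
    return pseudo_ciphertext(2 * BLOCK_SIZE) + b"\xff" * BLOCK_SIZE + text


if __name__ == "__main__":
    print(triage_image(sample_image()))
```

Run it on a real dump with `triage_image(open(path, "rb").read())`. High entropy alone does not prove encryption, since media and compressed archives score just as high; what an examiner looks for is a dump where nearly every non-erased block is in the high class and no structured blocks (file system metadata, text, SQLite pages) appear at all.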

Example of a phone on a hot air rework station


Thanks for reading! If you have any suggestions, questions, or if I have inaccurate information please let me know!


External Resources

More Information

Teel Tech – What is JTAG, Chip-off and ISP?

The Mobile Device Examiner – Chip-Off and JTAG Nonsense

Stefanos Pappas’ Masters Thesis on the Investigation of JTAG and ISP Techniques for Forensic Procedures (Links to a PDF)

Binary Intel – JTAG Forensics

ForensicsWiki – JTAG Forensics

XJTAG – Technical Overview of JTAG

Binary Intel – ISP Forensics

Training

Teel Tech – JTAG, ISP, and Chip Off Training and Certifications

Cellebrite Advanced JTAG Extraction (CAJE) – Expert

FLETC – JTAG ChipOff for Smartphones Training Program

H-11 Digital Forensics – Advanced ISP-EDL-JTAG Cell Phone Data Recovery


One thought on “Basic Overview of JTAG, ISP, and Chip Off Extractions”

  1. Good post. Milling a chip isn’t so much carving it out – it’s more physically removing the circuit board from the chip by grinding (milling) it away – working at it from underneath. I use both mill and hot air in my lab. Milling is more useful if you’re dealing with something heat sensitive (like a UFS chip), or one of those phones that they decided to use a gallon of epoxy and glue on and you don’t want to leave the chip under heat for minutes.
