First things first: a huge shout-out to James Sahm and Jonathan Rajewski, both of whom have taught me so much about how to perform JTAG, ISP, and chip-off extractions (and who are extremely good at performing these extractions!).
My next blog post will be a mostly complete hardware bill of materials for those who may want to start putting together a lab.
JTAG Extractions
JTAG stands for Joint Test Action Group, and the interface was mainly intended for device manufacturers to debug their devices before launching them. As forensic examiners, we can find these ports and use them to talk to the processor, which in turn talks to the memory card, giving us a full physical image of the device. I believe manufacturers use little devices called jigs that are placed on the device, connect to the JTAG ports, and debug it that way. We most likely don't have these jigs, so instead we solder wires to the TAPs, or Test Access Points (or use a VR Table, which I personally don't like). Depending on the phone, you may or may not need a microscope to solder efficiently. This technique works on passcode-enabled devices, but not on encrypted devices (you'll just get a bunch of encrypted data if you pull from an encrypted device). There are a few standard TAPs that we want to solder to; here's the list:
- TCK = Test Clock
- TMS = Test Mode Select
- TDI = Test Data In
- TDO = Test Data Out
- TRST = Test Reset (Optional)
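To show what those four mandatory signals actually do once the wires are on, here is an added example (not code from the original post): a software model of the IEEE 1149.1 TAP state machine that TCK and TMS walk, with a constructed stand-in device whose ID register is shifted out over TDO. The device, its IDCODE value 0x1A2B3C4D, and the abbreviated state names are all assumptions made for the example, not any real phone processor.

```python
# Next state indexed by TMS (0 or 1), sampled on each rising edge of TCK. TLR =
# Test-Logic-Reset, RTI = Run-Test/Idle; the rest are the DR and IR column states.
TAP_NEXT = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SelDR"),
    "SelDR": ("CapDR", "SelIR"), "CapDR": ("ShDR", "Ex1DR"), "ShDR": ("ShDR", "Ex1DR"),
    "Ex1DR": ("PauDR", "UpDR"), "PauDR": ("PauDR", "Ex2DR"), "Ex2DR": ("ShDR", "UpDR"),
    "UpDR": ("RTI", "SelDR"), "SelIR": ("CapIR", "TLR"), "CapIR": ("ShIR", "Ex1IR"),
    "ShIR": ("ShIR", "Ex1IR"), "Ex1IR": ("PauIR", "UpIR"), "PauIR": ("PauIR", "Ex2IR"),
    "Ex2IR": ("ShIR", "UpIR"), "UpIR": ("RTI", "SelDR"),
}

class SimulatedTap:
    """Constructed one-device chain whose ID register holds a made-up IDCODE."""
    IDCODE = 0x1A2B3C4D  # constructed value; bit 0 is always 1 in a real IDCODE

    def __init__(self):
        self.state = "TLR"  # the state every TAP is in after reset
        self.shift = 0      # 32-bit shift register sitting between TDI and TDO

    def clock(self, tms, tdi):
        """One TCK cycle: apply TMS/TDI, return the TDO bit, advance the state."""
        if self.state == "CapDR":  # ID register loads IDCODE during Capture-DR
            self.shift = self.IDCODE
        tdo = 0
        if self.state in ("ShDR", "ShIR"):  # LSB leaves on TDO, TDI enters at the MSB
            tdo = self.shift & 1
            self.shift = (self.shift >> 1) | ((tdi & 1) << 31)
        self.state = TAP_NEXT[self.state][tms & 1]
        return tdo

def walk(tap, tms_bits):
    """Clock a TMS sequence with TDI held low; return the state reached."""
    for bit in tms_bits:
        tap.clock(bit, 0)
    return tap.state

def read_idcode(tap):
    """Reset the TAP, then scan the 32-bit ID register out, LSB first."""
    walk(tap, [1] * 5)          # five TMS=1 clocks reach TLR from any state
    walk(tap, [0, 1, 0, 0])     # TLR -> RTI -> SelDR -> CapDR -> ShDR
    value = 0
    for i in range(32):         # TMS=1 on the last bit shifts it and exits ShDR
        value |= tap.clock(1 if i == 31 else 0, 0) << i
    walk(tap, [1, 0])           # Ex1DR -> UpDR -> RTI
    return value

def decode_idcode(idcode):
    """Split an IDCODE into its version, part number and manufacturer fields."""
    return {"version": idcode >> 28, "part": (idcode >> 12) & 0xFFFF,
            "manufacturer": (idcode >> 1) & 0x7FF, "valid": bool(idcode & 1)}
```

Reading the IDCODE this way is the usual first sanity check that the TCK/TMS/TDI/TDO wires are on the right pads before attempting a memory read.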
ISP Extractions
In-System Programming (ISP) extractions are similar to JTAG extractions in that the forensic examiner has to solder wires to places on the board. This technique is useful for a couple of reasons: some phones don't have accessible TAPs, or the manufacturer has disabled data access through the TAPs. To get around this, we solder wires to resistors and capacitors instead. The hard part is finding the pinout for the device you're working on, which tells you which pins you need to solder to. This method is usually more difficult because the pins are much smaller than JTAG TAPs, which in turn usually calls for a microscope, a much finer soldering tip, and a steady hand. This process also works on passcode-enabled devices, but again, not on encrypted devices. Here's a list of the usual pins we want to solder to:
- D0 = Data 0
- VCC = 2.8–3.3 V (I believe this is the range)
- VCCq = 1.8 V
- CLK = Clock
- CMD = Command
Chip Off Extractions
Chip-off extractions are performed when the above two methods are not viable. It's definitely not a good idea to try this method first, as it's unlikely you'll be able to put the phone back together unless you're really good at reballing the chip. Again, it works on passcode-enabled devices, but not on encrypted devices. There are two ways to go about a chip-off extraction; the first is micro milling. I have never done a micro-mill chip-off, but as I understand it, you use the mill to carve out the memory card on the device. If anyone has any informative sites that go into this method in more detail, drop a comment!
Anyway, the other way to perform this extraction is to use a hot air rework station. You place the board on the table, heat the bottom of the board to an appropriate temperature, then turn on the hot air gun to melt the solder holding the chip down. It's more efficient to have these two sources of heat, from the bottom and from the top, but I have seen people do extractions using just a hot air gun. Once the chip's solder has melted, an examiner can use tweezers to carefully remove the chip from the board. Depending on how carefully the chip was pulled, and the temperature at which it was pulled, you can then read the data from the chip using a specialized reader for that specific type of chip. If the chip comes off a little messy, you can clean it using a few different methods. I've seen people use copper desoldering wick, flux, and a soldering iron to clean it. Another I've seen is to use just a chisel-tip soldering iron with flux to scrape the chip clean. The last method I know of, which Jon Rajewski told me about, is to use a chemical solvent called Attack to remove gunk from the chip (warning: this produces very dangerous fumes!).
Once you have a cleaned chip, you need a reader for that specific model of chip. Some of these readers plug into an SD card reader, and some have connectors for the boxes mentioned above in the JTAG and ISP sections.
Thanks for reading! If you have any suggestions, questions, or if I have inaccurate information please let me know!