Basic Overview of JTAG, ISP, and Chip Off Extractions
First things: Huge shout out to James Sahm and Jonathan Rajewski, both of which have taught me so much about how to perform JTAG, ISP, and Chip Off extractions (and are extremely good at performing these extractions!).
My next blog post will be a mostly complete hardware bill of materials for those who may want to start putting together a lab.
JTAG Extractions
JTAG stands for Joint Test Action Group, and was mainly used by device manufacturers to debug their devices before launching them. As forensic examiners, we can find these ports and use them to talk to the processor, which in turn talks to the memory card, giving us a full physical image of the device. I believe manufacturers use little devices called jigs that sit on the device, connect to the JTAG ports, and debug it that way. We most likely don’t have these jigs, so instead we solder wires to the TAPs, or Test Access Points (or use a VR Table, which I personally don’t like). Depending on the phone, you may or may not need a microscope to solder efficiently. This technique works on passcode-enabled devices, but not on encrypted devices (you’ll just get a bunch of encrypted data if you pull from an encrypted device). There are a few standard TAPs that we want to solder to; here’s the list:
- TCK = Test Clock
- TMS = Test Mode Select
- TDI = Test Data In
- TDO = Test Data Out
- TRST = Test Reset (Optional)
- Ground
These TAPs need to be connected to a box that knows how to access and interpret the data. Devices such as the Riff Box 2, Medusa Pro, and Easy JTAG are just some of the boxes you can use.
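To show what a box like those named above actually does with the four signal wires once they are soldered, here is an added example (not code from this post or from any of those products): a small software model of the IEEE 1149.1 TAP controller, the state machine that every JTAG-capable chip implements. TMS steers it between states on each TCK edge, and while it sits in the Shift-DR or Shift-IR state, bits go in on TDI and come out on TDO. The opcode values, the 4-bit instruction register length, and the sample IDCODE are assumptions for illustration; the real values are chip-specific.

```python
# Added example, not code from the blog post: a model of the IEEE 1149.1 TAP
# controller driven over TCK/TMS/TDI/TDO.  IR_LEN, the opcodes and the sample
# IDCODE are assumed illustration values, not any particular phone's.

# state -> (next state when TMS=0, next state when TMS=1), on each TCK edge
TRANSITIONS = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}

IR_LEN = 4
IDCODE_INSTR = 0b1110  # assumed opcode; the real one is chip-specific
BYPASS_INSTR = 0b1111  # all ones is BYPASS in every 1149.1 device


class TapController:
    """One TAP: the state machine plus the instruction and data shift registers."""

    def __init__(self, idcode: int):
        self.idcode = idcode
        self.state = "TEST_LOGIC_RESET"
        self.ir = IDCODE_INSTR  # Test-Logic-Reset selects IDCODE
        self.ir_shift = 0
        self.dr_shift = 0
        self.dr_len = 32

    def clock(self, tms: int, tdi: int = 0) -> int:
        """One TCK rising edge with TMS and TDI sampled; returns the TDO bit."""
        tdo = 0
        if self.state == "CAPTURE_DR":
            if self.ir == BYPASS_INSTR:
                self.dr_len, self.dr_shift = 1, 0  # 1-bit bypass register loads 0
            else:
                self.dr_len, self.dr_shift = 32, self.idcode  # other opcodes modelled as IDCODE
        elif self.state == "SHIFT_DR":
            tdo = self.dr_shift & 1  # least significant bit leaves first
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif self.state == "CAPTURE_IR":
            self.ir_shift = 0b01  # the standard's fixed capture pattern
        elif self.state == "SHIFT_IR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (IR_LEN - 1))
        elif self.state == "UPDATE_IR":
            self.ir = self.ir_shift  # the shifted-in opcode takes effect
        self.state = TRANSITIONS[self.state][tms]
        if self.state == "TEST_LOGIC_RESET":
            self.ir = IDCODE_INSTR
        return tdo


def reset(tap: TapController) -> None:
    """Five clocks with TMS high reach Test-Logic-Reset from any state."""
    for _ in range(5):
        tap.clock(1)


def scan(tap: TapController, nbits: int, value: int, ir: bool = False) -> int:
    """From Run-Test/Idle, shift `value` through the IR or DR and return what
    came out on TDO; finishes back in Run-Test/Idle."""
    for tms in ((1, 1, 0, 0) if ir else (1, 0, 0)):  # walk to Shift-IR / Shift-DR
        tap.clock(tms)
    out = 0
    for i in range(nbits):
        tms = 1 if i == nbits - 1 else 0  # TMS=1 on the last bit exits to Exit1
        out |= tap.clock(tms, (value >> i) & 1) << i
    tap.clock(1)  # Exit1 -> Update
    tap.clock(0)  # Update -> Run-Test/Idle
    return out


def read_idcode(tap: TapController) -> int:
    """The first thing a box does: reset the TAP and clock out the 32-bit IDCODE."""
    reset(tap)
    tap.clock(0)  # Test-Logic-Reset -> Run-Test/Idle
    return scan(tap, 32, 0)


def decode_idcode(idcode: int) -> dict:
    """Split an IDCODE into its 1149.1 fields."""
    return {
        "version": idcode >> 28,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,  # JEDEC JEP106 code
        "valid": idcode & 1 == 1,  # bit 0 is always 1 in a real IDCODE
    }


def bypass_check(tap: TapController, pattern: int) -> int:
    """Load BYPASS and shift 8 bits through; a healthy chain returns the
    pattern delayed by exactly one bit."""
    reset(tap)
    tap.clock(0)
    scan(tap, IR_LEN, BYPASS_INSTR, ir=True)
    return scan(tap, 8, pattern)
```

Running `read_idcode(TapController(0x4BA00477))` returns that sample IDCODE, and `decode_idcode` on it gives manufacturer code 0x23B (ARM's JEDEC code); `bypass_check(tap, 0b10110001)` returns 0x62, the input shifted by one bit, which is the sanity check a box can use to confirm the chain is wired correctly before reading any memory.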

ISP Extractions
Similar to JTAG extractions, the forensic examiner has to solder wires to points on the board. This technique is useful for a few reasons: one, some phones don’t have accessible TAPs, or two, the manufacturer has disabled data access through the TAPs. To get around this, we solder wires to resistors and capacitors. The hard part is finding the pinout for the device you’re working on, which tells you which pins you need to solder to. This method is usually a bit tougher because the pins are much smaller than JTAG TAPs, which in turn usually calls for a microscope, a much finer solder tip, and a steady hand. This process also works on passcode-enabled devices, but again, not on encrypted devices. Here’s a list of the usual pins we want to solder to:
- D0 = Data 0
- VCC = 2.8 – 3.3 Volt (I believe this is the range)
- VCCq = 1.8 Volt
- CLK = Clock
- CMD = Command
- Ground
Like JTAG, the pins need to be connected to a box that knows how to access and interpret the data. Devices such as the Riff Box 2, Medusa Pro, and Easy JTAG are just some of the boxes you can use.
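The CMD, CLK and D0 points in that list are the eMMC/SD bus the box talks over: commands and responses travel on the CMD wire as 48-bit tokens, each protected by a 7-bit CRC, and data comes back on D0 (the bus can run in 1-bit mode, which is why a single data line is enough). The following is an added example, not code from this post or from any of the boxes named: it builds and checks those command tokens, which is also handy for reading a logic analyser capture of the CMD line. The command indices and arguments used are constructed inputs.

```python
# Added example, not code from the blog post: framing and CRC7 checking of the
# 48-bit tokens that travel over the CMD wire of an eMMC/SD bus.  Command
# indices and arguments below are constructed inputs for illustration.

CRC7_POLY = 0x09  # x^7 + x^3 + 1, the MMC/SD command CRC polynomial


def crc7(data: bytes) -> int:
    """Bitwise CRC7 over `data`, most significant bit first, initial value 0."""
    crc = 0
    for byte in data:
        for i in range(8):
            bit = (byte >> (7 - i)) & 1
            top = (crc >> 6) & 1
            crc = (crc << 1) & 0x7F
            if top ^ bit:
                crc ^= CRC7_POLY
    return crc


def build_command(index: int, arg: int) -> bytes:
    """48-bit host->card token: start bit 0, transmission bit 1, 6-bit command
    index, 32-bit argument, CRC7, end bit 1."""
    if not 0 <= index < 64 or not 0 <= arg < 2**32:
        raise ValueError("index must fit in 6 bits and arg in 32 bits")
    head = bytes([0x40 | index]) + arg.to_bytes(4, "big")
    return head + bytes([(crc7(head) << 1) | 1])


def parse_token(token: bytes) -> dict:
    """Decode a 48-bit token seen on CMD and report whether its CRC7 checks
    out.  Card->host responses have the transmission bit clear and carry the
    card status (or other response payload) in the 32-bit field."""
    if len(token) != 6 or token[0] & 0x80 or not token[5] & 1:
        raise ValueError("not a well-formed 48-bit token")
    return {
        "from_host": bool(token[0] & 0x40),
        "index": token[0] & 0x3F,
        "field": int.from_bytes(token[1:5], "big"),
        "crc_ok": token[5] >> 1 == crc7(token[:5]),
    }
```

`build_command(0, 0)` yields the bytes `40 00 00 00 00 95` (CMD0, GO_IDLE_STATE) and `build_command(8, 0x1AA)` yields `48 00 00 01 AA 87`, the two fixed tokens that appear at the start of every SD/eMMC initialisation, so they make a quick self-check for the CRC routine. A single flipped bit in a captured token shows up as `crc_ok: False`, which is usually the first sign that a soldered CMD wire has a bad joint or the clock is running too fast for the length of the leads.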

Chip Off Extractions
Chip off extractions are performed when the above two methods are not viable. It’s definitely not a good idea to try this method first, as it’s unlikely you’ll be able to put the phone back together unless you’re really good at reballing the chip. Again, this works on passcode-enabled devices, but not encrypted devices. There are two methods for doing a chip off extraction; the first is micro milling. I have never done a micro-mill chip off, but you use the mill to carve out the memory card on the device. If anyone has any informative sites that go into this method in more detail, drop a comment!
Anyway, the other way to perform this extraction is to use a hot air rework station. You basically place the board on the table, heat the bottom of the board to an appropriate temperature, then turn on the hot air gun to melt the solder holding the chip down. It’s more efficient to have these two points of heat, from the bottom and the top, but I have seen people do extractions using just a hot air gun. Once the chip’s solder has melted, an examiner can use tweezers to carefully remove the chip from the board. Depending on how carefully someone pulled the chip, and the temperature at which it was pulled, you can now read the data from the chip via specialized readers for that specific type of chip. If the chip comes off a little messy, you can clean the chip by using a few different methods. I’ve seen people use a copper desoldering wick, flux, and a soldering iron to clean it. Another I’ve seen is to use just a chisel tip soldering iron with flux to scrape off the chip. The last method I know of, which Jon Rajewski told me about, is to use a chemical solvent called Attack to remove gunk on the chip (warning: this will cause very dangerous fumes!).
Once you have a cleaned chip, you need a reader for that specific model of chip. Some of these readers can be plugged into an SD card reader, and some have connectors to the boxes mentioned above in the JTAG and ISP sections.

Thanks for reading! If you have any suggestions, questions, or if I have inaccurate information please let me know!
External Resources
More Information
Teel Tech – What is JTAG, Chip-off and ISP?
The Mobile Device Examiner – Chip-Off and JTAG Nonsense
Stefanos Pappas’ Masters Thesis on the Investigation of JTAG and ISP Techniques for Forensic Procedures (Links to a PDF)
ForensicsWiki – JTAG Forensics
XJTAG – Technical Overview of JTAG
Training
Teel Tech – JTAG, ISP, and Chip Off Training and Certifications
Cellebrite Advanced JTAG Extraction (CAJE) – Expert
FLETC – JTAG ChipOff for Smartphones Training Program
H-11 Digital Forensics – Advanced ISP-EDL-JTAG Cell Phone Data Recovery
Good post. Milling a chip isn’t so much carving it out – it’s more physically removing the circuit board from the chip by grinding (milling) it away – working at it from underneath. I use both mill and hot air in my lab. Milling is more useful if you’re dealing with something heat sensitive (like a UFS chip), or one of those phones that they decided to use a gallon of epoxy and glue on and you don’t want to leave the chip under heat for minutes.