Thursday, May 24, 2012

JTAG and a PIN locked Samsung SPH-M820

In this post I will talk about my experience with a PIN-locked Samsung SPH-M820 (AKA: Samsung Galaxy Prevail / Precedent) on the Boost Mobile wireless network.  According to Phone Scoop (www.phonescoop.com), this cell phone is also available from TracFone.  Per the User Manual, this phone supports a numeric 4 to 16 digit personal identification number (PIN) code.

Ok, the device wants me to enter a PIN.  I don’t have it.  I connected the device to a computer and typed ‘adb devices’ in a terminal window.  The computer did not recognize the phone: either USB Debugging is not turned on or the manufacturer has disabled the USB port.  If the field below ‘List of devices attached’ shows all question marks (??????????????) where the device’s serial number should be, you have a driver issue that needs to be corrected.  In my case, however, the ‘List of devices attached’ field was blank.  No question marks.  Nothing.  Since the computer could not communicate with the cell phone, USB Debugging is not turned on.  One trick I learned: when I plug the USB cable into the phone (with the other end of the cable already plugged into the computer), I watch the Status Bar at the top of the phone’s screen.  If USB Debugging is turned on, a message will usually flash in the Status Bar saying so.  If no USB Debugging message is displayed, there is a good chance USB Debugging is turned off, which is the default setting.
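As an added check (example code of my own, not something from the original post), here is a small parser over the output of ‘adb devices’ that sorts the three outcomes described above: nothing listed, a row of question marks where the serial should be, or a real serial with its state. The three sample outputs are constructed for the demo and were not captured from this phone.

```python
import subprocess
from typing import List, Tuple

# Constructed sample outputs of `adb devices` for the three cases described
# in the post. They are illustrative, not captures from the SPH-M820.
OUTPUT_USB_DEBUG_OFF = "List of devices attached\n\n"
OUTPUT_DRIVER_ISSUE = "List of devices attached\n??????????????\tno permissions\n\n"
OUTPUT_OK = "List of devices attached\n0123456789ABCDEF\tdevice\n\n"


def parse_adb_devices(output: str) -> List[Tuple[str, str]]:
    """Return (serial, state) pairs from `adb devices` output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # Skip the header, blank lines and the daemon start-up chatter
        # ("* daemon not running ...") that adb sometimes prints first.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1]))
    return entries


def diagnose_adb(output: str) -> str:
    """Map the parsed list onto the three situations the post describes."""
    entries = parse_adb_devices(output)
    if not entries:
        return "no device: USB Debugging is off or the USB port is disabled"
    serial, state = entries[0]
    if set(serial) == {"?"}:
        return "driver issue: adb sees the device but cannot read its serial"
    if state == "device":
        return f"device {serial} is ready for adb"
    return f"device {serial} reports state '{state}'"


def diagnose_live_adb(adb_path: str = "adb") -> str:
    """Run the real command on this machine and diagnose its output."""
    result = subprocess.run([adb_path, "devices"], capture_output=True,
                            text=True, check=False)
    return diagnose_adb(result.stdout)


if __name__ == "__main__":
    for sample in (OUTPUT_USB_DEBUG_OFF, OUTPUT_DRIVER_ISSUE, OUTPUT_OK):
        print(diagnose_adb(sample))
```

The live variant simply runs whatever ‘adb’ is on the PATH; the diagnosis strings are the same, so the blank-list case is the one that points at USB Debugging rather than at the computer.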

Since the Samsung SPH-M820 is supported by my RIFF Box, I decided I would attempt to JTAG the device, download the NAND, and run the Recover Android Pin python3 script from CCL Forensics against the NAND dump.

I disassembled the phone and located the JTAG Test Access Port (TAP).  I used a fiberglass pen (http://www.amazon.com/Scratch-Brush-Fiberglass-Colors-vary/dp/B0019V18D2/ref=sr_1_1?ie=UTF8&qid=1337799235&sr=8-1) to clean off any accumulated residue off the TAP.

[Photo: the cleaned JTAG TAP]

If you read my previous post, you saw first hand that my soldering skillz need some work.  A good friend offered the following JTAG TAP soldering tips: bring the soldering iron to its highest heat; use a fine solder tip; place the iron tip on the TAP and hold it for 3-4 seconds; bring the solder wire to the TAP and brush it up to the iron tip; let it melt and ball up; remove the solder wire; remove the iron; you should be left with a nice ball of solder on the TAP; now add a little solder to the end of the wire; now when you solder the wire on, you are just trying to melt the solder ball on the TAP and the little bit of solder on the end of the wire, not heat the TAP itself.  Excellent advice.

[Photo: solder balls on the JTAG TAP]

Once I located the pinout for this phone, I was able to solder the correct wires to the TAP.  Since I prepped the TAP earlier, the actual wire soldering process took less than a half hour.

I connected the JTAG wires to my RIFF Box.  Next, I connected the USB cable from the RIFF Box to the phone’s printed circuit board (PCB).  I applied power to the PCB using my power supply; connected the RIFF Box to the computer via USB; then launched the JTAG Management software.

I was having a heck of a time getting the software to connect to the phone.  When I powered on the phone, the power supply’s amp meter readout started at 0.06 amps, then quickly climbed to 0.15 amps.  The phone and the software never connected while the amp meter read 0.15 amps.  After several attempts, I was able to get the software to communicate with the phone: I had to time it just right, starting the connection when the amp meter read 0.06 amps.  At any other reading, the phone and the software would not communicate with each other.

Once the memory dump process began, it took about an hour to complete.

[Screenshot: RIFF Box JTAG Manager during the memory dump]

I ran the Recover Android Pin python3 script against my NAND dump.

The recovered PIN is 0805. 
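To show why the script can turn a NAND dump into the PIN so quickly, here is an added example of my own (not the CCL Forensics script and not code from the original post). It reproduces the lock-screen hash as I understand it from LockPatternUtils on Android releases before 4.4: the PIN concatenated with the salt’s hex string (Java’s Long.toHexString of lockscreen.password_salt from settings.db), hashed with SHA-1 and MD5, both written as uppercase hex into password.key. The salt and PIN below are constructed for the demo, and the search is limited to the numeric PIN space the User Manual specifies; with a fast unsalted-per-guess hash like this, the whole 4-digit space is only 10,000 candidates.

```python
import hashlib
import itertools
from typing import Optional, Tuple

# Constructed values for the demo: a 64-bit salt of the kind Android 2.x stores
# in settings.db as lockscreen.password_salt, and the PIN we will hide under it.
SAMPLE_SALT = 0x1D2E3F4A5B6C7D8E
SAMPLE_PIN = "0805"


def salt_string(salt: int) -> str:
    """Java's Long.toHexString: two's-complement, lowercase, no zero padding."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")


def password_to_hash(pin: str, salt: int) -> str:
    """SHA-1 and MD5 of (pin + salt string), concatenated as uppercase hex."""
    salted = (pin + salt_string(salt)).encode("ascii")
    return (hashlib.sha1(salted).hexdigest()
            + hashlib.md5(salted).hexdigest()).upper()


def make_password_key(pin: str, salt: int) -> bytes:
    """Build the 72-byte contents of /data/system/password.key for the demo."""
    return password_to_hash(pin, salt).encode("ascii")


def parse_password_key(data: bytes) -> Tuple[str, str]:
    """Split password.key into its SHA-1 (40 hex) and MD5 (32 hex) halves."""
    text = data.decode("ascii").strip()
    if len(text) != 72 or any(c not in "0123456789ABCDEF" for c in text):
        raise ValueError("not a pre-4.4 password.key (expected 72 uppercase hex chars)")
    return text[:40], text[40:]


def verify_pin(pin: str, salt: int, key: bytes) -> bool:
    """Check one candidate PIN the way the lock screen does."""
    sha1_hex, md5_hex = parse_password_key(key)
    return password_to_hash(pin, salt) == sha1_hex + md5_hex


def search_numeric_pins(key: bytes, salt: int, min_len: int = 4,
                        max_len: int = 4) -> Tuple[Optional[str], int]:
    """Enumerate numeric PINs of the given lengths; return (pin, guesses tried)."""
    sha1_hex, md5_hex = parse_password_key(key)
    target = sha1_hex + md5_hex
    tried = 0
    for length in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            candidate = "".join(digits)
            tried += 1
            if password_to_hash(candidate, salt) == target:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    key = make_password_key(SAMPLE_PIN, SAMPLE_SALT)
    print("password.key:", key.decode())
    print("search result:", search_numeric_pins(key, SAMPLE_SALT))
```

The point for anyone setting a lock on a device of this generation: the salt only stops precomputed tables, it does nothing against enumeration, so the length of the PIN (the manual allows up to 16 digits) is the only thing that makes this search expensive.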

I put the phone back together, cleaning up my solder mess.  It looks almost like new…

I powered up the phone and typed in the recovered PIN.

SWEET!!  Now I just need to turn on USB Debugging and Stay Awake.  After that, I can use whatever cell phone forensic software is available (commercial or open source) to download the contents of this phone.

Questions, comments, soldering recommendations????

6 comments:

  1. Hello can you provide please the M820 (Prevail) JTAG pinout ?
  2. This comment has been removed by the author.
  3. This comment has been removed by the author.
  4. Hello.
    I cannot get the M820 to communicate with the Box.
    I don't have a professional power supply, so I'm using a USB cable and the battery.
    Do you have any solutions?
    By the way, I cannot see where exactly you've soldered the GND wire from the RIFF.
  5. Can you provide the pinout for the SPH-M820?
  6. HERE is the JTAG pinout:
    http://imgur.com/W6GEwKn