Search This Blog

Saturday, November 3, 2012

JTAG and a Pattern Locked ZTE x500

The other day I was handed a pattern locked ZTE x500 Android based cell phone using the Metro PCS wireless network.  Since I have not JTAG’ed one of these devices before, I didn’t know if this device was even supported.  I reviewed my various JTAG devices and discovered this specific phone was not directly supported.  I headed over to PhoneScoop (http://www.phonescoop.com/phones/phone.php?p=3368) to learn the device specifications.  According to PhoneScoop, this device has a 600 MHz Qualcomm MSM7627 processor.  Sweet, RIFF and some other tools support this processor/controller.  Now I just need to find the Test Access Points (TAPS).

I Googled the device looking for the phone’s pinouts.  Nothing.  I have the ‘JTAG Finder’ (http://www.jtagfinder.com/x/), but I haven’t had the best luck with it. 

The next step was to take the device apart.  After removing the back cover and backing, I was presented the this.  Well at least the TAPS are easy to find.

2012-11-01_0001

Upon closer inspection of the QR code next to the TAPS, I could see the QR code sticker was covering up some writing.  I removed the QR code and couldn’t believe what I found.

2012-11-01_0003

All the TAPS are labeled!!  Well that just simplified my life.  I soldered my wires according to the labeled TAPS, hooked up my power supply, micro USB cable, selected Qualcomm MSM7xx in RIFF, and was easily able to download the NAND.

Using the Python scripts discussed in previous posts, I was able to get the swipe pattern.

So why is this note worthy???  I have never seen a phone’s TAPS labeled like this!  I wish LG would do this.  

2 comments:

  1. Can you give a little more info on this project? I have an X500 board that I would love to interface with.

    ReplyDelete
    Replies
    1. What are you trying to do? As I stated, I needed to dump the internal memory for analysis.

      Delete