
Saturday, November 3, 2012

JTAG and a Pattern Locked ZTE x500

The other day I was handed a pattern-locked ZTE x500 Android cell phone on the Metro PCS wireless network.  Since I had not JTAG'ed one of these devices before, I didn't know if it was even supported.  I reviewed my various JTAG devices and discovered this specific phone was not directly supported.  I headed over to PhoneScoop (http://www.phonescoop.com/phones/phone.php?p=3368) to learn the device specifications.  According to PhoneScoop, this device has a 600 MHz Qualcomm MSM7627 processor.  Sweet, RIFF and some other tools support this processor, so the JTAG protocol side is covered.  Now I just need to find the JTAG test access port (TAP) pads on the board.

I Googled the device looking for the phone’s pinouts.  Nothing.  I have the ‘JTAG Finder’ (http://www.jtagfinder.com/x/), but I haven’t had the best luck with it. 

The next step was to take the device apart.  After removing the back cover and backing, I was presented with this.  Well, at least the TAP pads are easy to find.

[Image: 2012-11-01_0001]

Upon closer inspection of the QR code next to the TAP pads, I could see the QR code sticker was covering up some writing.  I removed the QR code sticker and couldn't believe what I found.

[Image: 2012-11-01_0003]

All the TAP pads are labeled!!  Well, that just simplified my life.  I soldered my wires according to the labels, hooked up my power supply and micro USB cable, selected Qualcomm MSM7xx in RIFF, and was easily able to download the NAND.

Using the Python scripts discussed in previous posts, I was able to get the swipe pattern.

So why is this noteworthy???  I have never seen a phone's TAP pads labeled like this!  I wish LG would do this.

Thursday, May 24, 2012

JTAG and a PIN locked Samsung SPH-M820

In this post I will talk about my experience with a PIN-locked Samsung SPH-M820 (AKA: Samsung Galaxy Prevail / Precedent) on the Boost Mobile wireless network.  According to Phone Scoop (www.phonescoop.com), this cell phone is also available from TracFone.  Per the User Manual, this phone supports a numeric 4 to 16 digit personal identification number (PIN).

[Image: P5191109]

Ok, the device wants me to enter a PIN.  I don't have it.  I connected the device to a computer and typed 'adb devices' in a terminal window.  The computer did not recognize the phone.  Either USB Debugging is not turned on or the manufacturer has disabled the USB port.  If the field below 'List of devices attached' is all question marks (??????????????) where the device's serial number should be listed, you have a driver issue that needs to be corrected.  However, in my case, the 'List of devices attached' field was blank.  No question marks.  Nothing.  Since the computer could not communicate with the cell phone at all, USB Debugging is almost certainly not turned on.  One trick I learned: when I plug the USB cable into the phone (with the other end already plugged into the computer) I watch the top Status Bar on the phone.  If USB Debugging is turned on, a message will usually flash in the Status Bar indicating USB Debugging is connected.  If no USB Debugging message is displayed, there is a good chance USB Debugging is turned off, which is the default setting.
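The 'adb devices' triage above, written out as an added Python example (this is not code from the original post).  The sample outputs are constructed to mirror the three cases described: a blank list, a serial made of question marks, and a working connection.  run_adb_devices() assumes the adb binary is on PATH; the 'unauthorized' state is an assumption about later Android builds than the one in this post.

```python
# Added example (not from the original post): encode the `adb devices` triage
# described above so it can be run against the real tool or against saved output.
# The sample outputs are constructed; run_adb_devices() assumes adb is on PATH.
import shutil
import subprocess

# Constructed samples of what `adb devices` prints in each situation.
SAMPLE_NO_DEVICE = "List of devices attached\n\n"
SAMPLE_DRIVER_ISSUE = "List of devices attached\n??????????????\tno permissions\n"
SAMPLE_OFFLINE = "List of devices attached\nHT0CPHL12345\toffline\n"
SAMPLE_OK = ("* daemon not running. starting it now on port 5037 *\n"
             "* daemon started successfully *\n"
             "List of devices attached\n"
             "HT0CPHL12345\tdevice\n")

def classify_adb_devices(output: str) -> str:
    """Map raw `adb devices` output to a triage verdict.

    'no-device'     nothing listed: USB debugging is almost certainly off (or the port is disabled)
    'driver-issue'  serial shows as '????' or 'no permissions': host-side driver/udev problem
    'offline'       the phone is enumerated but adbd is not answering (cable, reboot)
    'unauthorized'  assumption: newer Android builds that show an RSA key prompt on the phone
    'ok'            adb can talk to the phone
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # skip blanks, the header line and the daemon start-up chatter
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        entries.append(line)
    if not entries:
        return "no-device"
    # adb separates serial and state with a tab; split on any whitespace to be safe
    parts = entries[0].split()
    serial, state = parts[0], " ".join(parts[1:])
    if set(serial) == {"?"} or state.startswith("no permissions"):
        return "driver-issue"
    return {"device": "ok", "offline": "offline", "unauthorized": "unauthorized"}.get(
        state, f"unknown:{state}")

def run_adb_devices(adb: str = "adb") -> str:
    """Run the real `adb devices` and return its raw stdout (adb assumed on PATH)."""
    if shutil.which(adb) is None:
        raise FileNotFoundError(f"{adb} not found on PATH")
    return subprocess.run([adb, "devices"], capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    for name, sample in [("blank", SAMPLE_NO_DEVICE), ("????", SAMPLE_DRIVER_ISSUE),
                         ("offline", SAMPLE_OFFLINE), ("device", SAMPLE_OK)]:
        print(f"{name:>8}: {classify_adb_devices(sample)}")
```

In the field you would call classify_adb_devices(run_adb_devices()); a 'no-device' verdict is the point at which the JTAG route described in the rest of this post becomes the option of choice.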

Since the Samsung SPH-M820 phone is supported by my RIFF box, I decided I would attempt to JTAG the device, download the NAND, and run the Recover Android Pin python3 script from CCL Forensics against the NAND dump.

I disassembled the phone and located the JTAG Test Access Port (TAP).  I used a fiberglass pen (http://www.amazon.com/Scratch-Brush-Fiberglass-Colors-vary/dp/B0019V18D2/ref=sr_1_1?ie=UTF8&qid=1337799235&sr=8-1) to clean off any accumulated residue off the TAP.

[Image: cleanedjtag-tap]

If you read my previous post, you saw first hand that my soldering skillz need some work.  A good friend offered the following JTAG TAP soldering tips: bring the solder iron to highest heat; use a fine solder tip; place the solder iron tip on the TAP and hold for 3-4 secs; bring solder wire to the TAP and brush up to the solder tip; let it melt and ball up; remove the solder wire; remove the solder iron; you should be left with a nice ball of solder on the TAP; now add a little solder to the end of the wire; now when you solder, you are just trying to melt the solder ball on the TAP and the little bit of solder on the end of the wire, not the TAP itself.  Excellent advice.

[Image: solderjtag-tap]

Once I located the pinout for this phone, I was able to solder the correct wires to the TAP.  Since I prepped the TAP earlier, the actual wire soldering process took less than a half hour.

[Image]

I connected the JTAG wires to my RIFF Box.  Next, I connected the USB cable from the RIFF Box to the phone’s printed circuit board (PCB).  I applied power to the PCB using my power supply; connected the RIFF Box to the computer via USB; then launched the JTAG Management software.

[Image: IMG_20120520_101034]

I was having a heck of a time getting the software to connect to the phone.  When I  powered on the phone, the power supply Amp meter readout started at 0.06 amps, then quickly climbed to 0.15 amps.  The phone / software never connected when the Amp meter read 0.15 amps.  After several attempts, I was able to get the software to communicate to the phone.  I had to time it just right, when the Amp meter read 0.06 amps.  Any other amp meter reading and the phone / software would not communicate with each other.

[Image: IMG_20120520_101108]

Once the memory dump process began, it took about an hour to complete.

[Image: RIFFBox]

I ran the Recover Android Pin python3 script against my NAND dump.

[Image]

The recovered PIN is 0805. 
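For readers who want to see what the recovery step is actually doing, here is an added Python example; it is not the CCL Forensics script used in the post, and it works from two files rather than from a raw NAND dump.  It assumes the Android 2.x to 4.x lock-screen scheme: /data/system/password.key holds the upper-case hex SHA-1 of (PIN + salt) followed by the upper-case hex MD5 of the same string, and the salt is the signed 64-bit integer stored in settings.db as lockscreen.password_salt, rendered with Java's Long.toHexString().  The salt value and the password.key contents in the block are constructed for the example.

```python
# Added example (not the CCL Forensics script from the post): recover a numeric
# lock-screen PIN from password.key plus the salt from settings.db.
# Assumptions: Android 2.x-4.x LockPatternUtils.passwordToHash() scheme, i.e.
# upper-case hex SHA-1(pin+salt) || MD5(pin+salt), salt rendered like Java's
# Long.toHexString(). The salt and password.key below are constructed.
import hashlib
import itertools

def android_salt_string(salt: int) -> str:
    """Java Long.toHexString(): unsigned 64-bit two's complement, lower-case, no leading zeros."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")

def android_password_hash(pin: str, salt: int) -> str:
    """Reproduce passwordToHash(): upper-case hex SHA-1 followed by MD5 of (pin + salt)."""
    salted = (pin + android_salt_string(salt)).encode("ascii")
    return (hashlib.sha1(salted).hexdigest() + hashlib.md5(salted).hexdigest()).upper()

def recover_pin(password_key: str, salt: int, min_len: int = 4, max_len: int = 6):
    """Brute-force numeric PINs of min_len..max_len digits against password.key.

    Only the SHA-1 half is compared inside the loop (one hash per candidate); the
    MD5 half is checked once on the matching candidate. Returns the PIN or None.
    Exhaustive search is only practical for short PINs; the 16-digit ceiling the
    manual allows is far out of reach for a loop like this.
    """
    key = password_key.strip().upper()
    if len(key) != 72:
        raise ValueError("password.key should be 40 hex chars of SHA-1 + 32 of MD5")
    salt_str = android_salt_string(salt)
    target_sha1 = key[:40]
    for length in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            pin = "".join(digits)
            if hashlib.sha1((pin + salt_str).encode("ascii")).hexdigest().upper() == target_sha1:
                if android_password_hash(pin, salt) == key:
                    return pin
    return None

# Constructed test data: a negative salt exercises the two's-complement rendering,
# and password.key is generated by this script itself for the PIN from the post.
SAMPLE_SALT = -0x3A1F9C2B7E4D6581
SAMPLE_PASSWORD_KEY = android_password_hash("0805", SAMPLE_SALT)

if __name__ == "__main__":
    print("salt string :", android_salt_string(SAMPLE_SALT))
    print("password.key:", SAMPLE_PASSWORD_KEY)
    print("recovered   :", recover_pin(SAMPLE_PASSWORD_KEY, SAMPLE_SALT))
```

The practical consequence is the same one the post demonstrates: with the salt in hand, a 4-digit PIN falls to ten thousand hash computations, so the hard part of the job is getting the two files off the device, not the cryptography.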

I put the phone back together, cleaning up my solder mess.  It looks almost like new…

[Image]

I powered up the phone and typed in the recovered PIN.

[Image: P5191110]

SWEET!!  Now I just need to turn on USB Debugging and Stay Awake.  After that, I can use whatever cell phone forensic software is available (commercial or open source) to download the contents of this phone.

Questions, comments, soldering recommendations????

Saturday, May 19, 2012

JTAG and HTC EVO 4G

I came across a cell phone the other day that had the Android pattern lock.  This was a HTC EVO 4G, which is using the Sprint wireless network.

In order to gain access to the pattern-locked device, I thought I would root the device.  I checked to see if USB debugging was turned on by attempting to connect to the device using adb.exe.  It wasn't... damn.  Not too many options available at this point.

I had been reading up on the JTAG process from various posts.  The actual soldering / JTAG process seemed to be the most difficult part of the process.  I was only able to successfully complete this task after a good friend helped me get a clear picture of the overall process.

I bought my RIFF Box and assorted jigs from GSM Server.  Yes, the parts came from Hong Kong.   http://gsmserver.com/shop/gsm/riff_box_jtag.php

I purchased additional cell phone disassembly tools from Amazon.com and soldering equipment from my local MarVac Electronics store.  I am ready to do this!!..so I thought.

Prior to soldering the wires to the HTC's printed circuit board (PCB) test access port (TAP), I took apart other junk cell phones and attempted to hone my soldering skills.  After ruining a couple of junk cell phone PCBs, along with some successful soldering attempts, I decided 'I got this'.

My next course of self instruction was to watch a couple of HTC EVO 4G disassembly videos on YouTube.  After watching about two or three 5 minute disassembly videos, I thought this is going to be a piece of cake!!

I was able to successfully disassemble the HTC EVO 4G down to the PCB.

[Image: P5111108]

If your soldering skillz need some work (like mine), this can be a long process.  You need to connect/solder specific wires from the RIFF Box to the HTC's JTAG TAP.  This requires you to obtain documentation of the HTC's JTAG pinout.  Luckily, since RIFF Box supports the HTC EVO 4G (AKA: HTC Supersonic), the pinout diagram is included in the RIFF JTAG Management software.  After a couple of hours, I was done soldering.  YES!!

[Image: DSC_1052]

Now to connect all the parts so I can dump the HTC PCB's NAND.  I provided power to the HTC PCB using a Mastech Single-Output DC Power Supply, model# HY3003D.  I connected my JTAG wiring from the HTC PCB to the RIFF Box.  I next connected a USB cable from the computer to the microUSB slot on the HTC PCB.  I connected the RIFF Box to the computer via USB and launched my RIFF JTAG software manager.  I next turned on the HTC PCB.  I knew the device was running because the Amp meter on my power supply registered about a 0.10 amp draw.

With the RIFF JTAG software manager up and running, I selected the HTC Supersonic phone from the supported phone drop-down menu.  Next I selected the DCC Read/Write tab, then selected 'Read Memory'.  For all my hard work, I was presented with an error message that basically said the software was not talking to the phone.  To make a long story short, after about an hour of trying to figure out what I did wrong, I discovered I had soldered a wire to the wrong HTC PCB JTAG TAP.  I attempted to de-solder the one wire.  In the process, I de-soldered two adjacent wires.  Great!!!!  Another hour passed before I once again had all the wires soldered in their correct locations.  This time I was able to connect to the device and download the NAND.  The one gigabyte download took over an hour to complete.  Yeah, the download crashed once or twice... Ok, a total of five times.  But I was able to continue each time from where the process previously left off.

Using the Python3 GenerateAndroidGestureRainbowTable.py script from CCL Forensics (http://www.ccl-forensics.com/), I created the SHA1 table of hash values for pattern locks from 3 to 9 positions.  Strictly speaking this is a full lookup table (every pattern's hash stored next to the pattern) rather than a true rainbow table with reduction chains, but the name has stuck.  It works at all because the Android gesture hash of this era is an unsalted SHA1 over the sequence of cell indices, so one precomputed table serves every phone.  The python script stores the SHA1 hash values in a SQLite database.  This might be a great time to take a break while the database is being created.  The process took about 30 minutes to complete.

[Image]

Once the script was finished, I was left with a SQLite database called ‘AndroidLockScreenRainbow.sqlite’. The SQLite database should be around  130MB in size.

My next step was to use the Android_GestureFinder.py python script from CCL Forensics.  Basically this script will parse my HTC EVO NAND dump for the SHA1 pattern lock hash value.  Once a hash value is located, the script will compare this hash value with the hash values stored in the AndroidLockScreenRainbow.sqlite database.  When a SHA1 hash value match is located, the script will present you with the offset where the hash value was located within the NAND dump, the actual SHA1 hash value, and the pattern associated with the hash value.  NOTE TO SELF:  Make sure the Android_GestureFinder.py and the AndroidLockScreenRainbow.sqlite are in the same directory.  If all goes well, you should get something like this…   

[Image]
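Both of the CCL scripts above, the table generator and the finder, can be shown in one added Python example.  This is not the CCL Forensics code from the post; it is written here to make the mechanism visible.  It assumes that gesture.key is the raw 20-byte SHA1 of the visited cell indices (row * 3 + column, one byte each, unsalted) and that a stroke may not jump over an unvisited cell, the rule the Android pattern view enforces.  The table is built for 3 to 9 positions to mirror the post, although Android itself refuses patterns shorter than 4, so 3-cell entries never match a real device.  The "NAND dump" is constructed, with the hash planted at a known offset.

```python
# Added example (not the CCL Forensics scripts from the post): build the lookup
# table of every pattern the Android 2.x-4.x lock screen accepts and scan a dump
# for a matching gesture.key. Assumptions: gesture.key is the raw SHA-1 of the
# cell indices (row*3+col as bytes, unsalted); a stroke may not skip an unvisited
# cell. The dump below is constructed with the hash planted at offset 0x200.
import hashlib
import random
from functools import lru_cache

def midpoint(a: int, b: int):
    """Cell lying exactly between a and b on the 3x3 grid, or None (e.g. knight moves)."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    m = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None if m in (a, b) else m

def is_valid_pattern(pattern, min_len=3, max_len=9) -> bool:
    """Check one pattern against the rules valid_patterns() enumerates with."""
    if not min_len <= len(pattern) <= max_len or len(set(pattern)) != len(pattern):
        return False
    if any(not 0 <= c <= 8 for c in pattern):
        return False
    seen = set()
    for i, cell in enumerate(pattern):
        if i:
            mid = midpoint(pattern[i - 1], cell)
            if mid is not None and mid not in seen:
                return False            # Android would have selected the skipped cell first
        seen.add(cell)
    return True

def valid_patterns(min_len=3, max_len=9):
    """Yield every accepted pattern as a tuple of cell indices."""
    def extend(path, used):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if used[nxt]:
                continue
            mid = midpoint(path[-1], nxt)
            if mid is not None and not used[mid]:
                continue
            used[nxt] = True
            path.append(nxt)
            yield from extend(path, used)
            path.pop()
            used[nxt] = False
    for start in range(9):
        used = [False] * 9
        used[start] = True
        yield from extend([start], used)

def gesture_hash(pattern) -> bytes:
    """gesture.key contents for a pattern: SHA-1 over the cell indices as bytes."""
    return hashlib.sha1(bytes(pattern)).digest()

@lru_cache(maxsize=None)
def build_table(min_len=3, max_len=9):
    """hash -> pattern for every valid pattern (389,112 of them have 4 to 9 cells)."""
    return {gesture_hash(p): p for p in valid_patterns(min_len, max_len)}

def find_gesture_hashes(dump: bytes, min_len=3, max_len=9):
    """Slide a 20-byte window over the dump; return (offset, pattern) for each table hit."""
    table = build_table(min_len, max_len)
    return [(off, table[dump[off:off + 20]])
            for off in range(len(dump) - 19) if dump[off:off + 20] in table]

# Constructed dump: pseudo-random filler with the post's pattern hash planted at 0x200.
_rng = random.Random(2012)
_filler = bytes(_rng.getrandbits(8) for _ in range(0x400))
SAMPLE_PATTERN = (0, 3, 4, 1, 6)
SAMPLE_DUMP = _filler[:0x200] + gesture_hash(SAMPLE_PATTERN) + _filler[0x200:]

if __name__ == "__main__":
    for off, pat in find_gesture_hashes(SAMPLE_DUMP):
        print(f"offset 0x{off:x}: pattern {','.join(map(str, pat))}")
```

The byte-at-a-time window is fine for a small carved file but far too slow in pure Python for a one gigabyte NAND image; against a full dump you would first carve /data/system/gesture.key out of the filesystem, or run the same window search in a compiled scanner.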

Ok, so the pattern lock is 0, 3, 4, 1, 6.  What does that mean?

Picture it this way, with the nine cells numbered the way Android stores them (row * 3 + column):

0 1 2
3 4 5
6 7 8

Start at 0 (top left), drag down to 3, across to 4, up to 1, and finally down to 6.  That last stroke from 1 to 6 is a "knight move", so no cell lies on its path and none gets added on the way.

[Image: pattern]

I re-assembled the cell phone after de-soldering all my little wires.  The device powered up and presented me with the ‘Draw pattern to unlock’.  Drawing the above pattern, I was able to unlock the HTC EVO 4G.  I immediately went into the Development settings and turned on USB Debugging, and Stay Awake.

From here, I can use whatever cell phone forensic software I have to download (physical or logical) the contents of the cell phone.

Hmmm.  My next project just arrived.  A PIN locked Samsung SPH-M820 cell phone on the Boost Mobile network…..  

Wednesday, May 16, 2012

Me and Windows FE (Forensic Environment) Part 1

Wow…It has been a long time since my last post…

I was asked to present a 'Creating a Windows FE boot disk' segment to our local HTCIA chapter.  In Part 1, I will go through the steps I used to create a Windows FE bootable CD.  With luck, and maybe not so large a gap, Part 2 will document the use of certain applications within your newly created Windows FE environment.

First some background on Windows FE.  An excellent source on the beginnings of Windows FE and build tutorials can be found on Brett Shavers blog: http://winfe.wordpress.com/2010/05/28/windows-fe/.  I also highly recommend downloading (and reading) Brett’s Users Guide to WinFE.  During your read, you will be directed to http://reboot.pro for current tools to create your Windows FE bootable CD.

For my project/presentation, I downloaded the following items:
1. WinBuilder (version 082) http://reboot.pro/files/file/4-winbuilder/
2. The WinFE script v2.2 (Public Release) for WinBuilder.  I used v2.2 because I am familiar with this script, but as you can see by the link, public release v3.0 is available. http://reboot.pro/files/file/113-winfe-win7pe-sex64x86-v3-publicreleasescript/
2a. After I completed the training but before I was able to complete this post, and still wanting to make the Ultimate WinFE build, I added an additional script.  I have included Colin’s Write Protect Script (wp.script).  It can be downloaded here: https://www.box.com/s/065664cc60bd6bd51464
3. FTK Imager from AccessData http://accessdata.com/support/adownloads.  I actually didn’t download it, I had version FTK Imager 3.0.0.1443 already installed on my machine.
4. VMWare Player, version 4.0.2. http://www.vmware.com/. Once installed, I launched VMWare Player to get all the first-time pop-up screens out of the way.
5. ProDiscoverBasic edition (U3 install package) http://www.techpathways.com/DesktopDefault.aspx?tabindex=7&tabid=14  

You will also need a Windows 7 install DVD.  A Win7 Recovery DVD might work, but I wouldn't count on it.  Either the x86 or x64 version will do.

I downloaded WinBuilder.exe, moved it to the root of my c:\ drive, and launched the application.  I first had to select a project to download (bottom center pane) before the left pane populated with options.  I selected the project: win7pe.winbuilder.net/SE.  When the left pane populated, I expanded the Tweaks folder and selected (green check marked) BGInfo.script.  I like to know if the computer is connected to a network, and if it is, what is the device’s IP address and other available computer information.  I next unchecked Languages, keeping the default English.  These are the only changes I made.  As you become more experienced with this product, you can design it the way YOU want.  When I finished with my ‘fine tuning’, I clicked on the ‘Download’ button.

[Image: winbuilder01]

After about 10 minutes, WinBuilder finished downloading the various scripts and launched.  A Windows pop-up informed me WinBuilder was not a trusted application.  I chose to run the application and was presented with this screen.  What you didn't see was that WinBuilder also created a Projects folder on the root of the C drive.

[Image]

We next need to do some behind-the-scenes work and copy the expanded ProDiscoverBasic folder (it was downloaded as a zip file) to our C:\Projects\Win7PE_SE\Apps\Portable\Pstart folder.  We will configure the ProDiscover Basic setup later.

Now we need to manually add the WinFE script v2.2 (Public Release) and the wp.script to WinBuilder.  Navigate to your downloaded scripts and copy them to your C:\Projects\Win7PE_SE\Tweaks folder.  After the copy process is finished, re-launch WinBuilder.exe and expand the 'Tweaks' folder in the left pane.  You should now see, already green-checked, the WinFE (Forensic Environment) and Write Protect scripts.  As of this writing, it is important that the write protect script is listed last (per the script's installation instructions).

[Image: winbuilder02]

Ok, now that our WinFE script and Write Protect script are seen by WinBuilder, we need to configure the overall environment.  The first item is to select the Boot Manager.  If you have read my recommended reading, you know we need to change the Boot Manager option in the Main Configuration to 'Standard'.

[Image]

The next change is on the Image Configuration tab.  Since I am NOT using files from the Windows Automated Installation Kit (AIK), I need to instruct WinBuilder to use the WIMMount driver to extract the files from the Windows 7 installation DVD.

[Image: winbuilder03]

Next, expand the ‘Tweaks’ folder.  I checked BGInfo because I want to see various system information displayed on the desktop.  If you didn’t check this when downloading your initial project, you will need to be connected to the Internet when you create your WinFE ISO.  The BGInfo installation files will need to be downloaded from the Internet at the time of compiling.

Clicking on ‘WinFE (Forensic Environment)’ on the left pane populates the right pane with options.  Check ‘Copy Installed FTK Imager from Host Machine’ and navigate to the FTK Imager folder using the ‘Open Folder’ icon.  On my 32-bit Windows Operating System, FTK Imager.exe is located at the following location: C:\Program Files\AccessData\FTK Imager\.  If you are using a 64-bit OS, FTK Imager.exe is located here: C:\Program Files (x86)\AccessData\FTK Imager\.  No other changes are required.

[Image]

You can click on the ‘WinFE Write Protect Tool’ if you want, but there is nothing to be done here, nor can you make any changes.

Check and Expand ‘Apps’ on the left pane.  Expand ‘Portable’, Check and select ‘PStart and Papps’  We are going to add the ProDiscoverBasic tools to our WinFE project.  On the right pane:  
Add ‘ProDiscoverBasic\Data’ (without the quotes) to the Directory of Apps field.
Add ‘ProDiscoverBasic.exe’ to the Name of exe field.
Check the Start menu box.
Add ‘Forensics’ to the Start menu folder field.
Add ‘ProDiscoverBasic’ to the Name of shortcut field.
Check the ‘Desktop’ box
What you just did was put a ProDiscoverBasic shortcut on the windows desktop in your WinFE environment.

A word of caution.  If you are going to be using a Windows 7 x64-bit install DVD, DO NOT add ProDiscoverBasic to this environment, it will not work in x64-bit builds.

The last thing is to check and expand ‘Virtual Test’ and check VMware Emulation.  This will boot the newly created WinFE ISO in VMWare Player.  This just checks to make sure your build will work.
If you are going to be using a Windows 7 x64-bit install DVD, you will need to make a few more changes to the VMware Emulation configuration settings to make your VMWare session x64 compatible.  Click on the VM ‘More Options’ button. Change the ‘Number of processors’ button to ‘automatic, read from system’.

[Image]

We are FINALLY getting close to creating our WinFE ISO image.  Now we need to point WinBuilder to our Windows 7 install DVD.  Select the 'Source' button.

[Image: winbuilder05]

In the Source Directory area, navigate to your Windows 7 install DVD.  If you haven’t put the Win7 install DVD in yet, now would be a good time.  Once that information has been added, click on ‘Play’

[Image: winbuilder06]

If all goes well with your initial settings, you should get something similar to this display.  The process has begun, but this is only half the battle.  For now, just sit back and let the script do its work.  It will take close to 15 minutes to complete.

[Image: winbuilder07]

This next window will pop up.  Don’t let the (Not Responding) fool you.  The program has not crashed.  Just let it run!

[Image]

Damn…Got an error message.  When I clicked ‘OK’ the process terminated.  Now what?  You need to fix the cause of the error message.  Review the log file to see what caused the error message.

[Image: winbuilder08]

After fixing your error issue, go back to the ‘Main Configuration’ option on the left pane. Click on the ‘Script’ button, right pane in upper left.  Now we need to clear the temporary files.  Click the ‘Clear Temporary Files’ to perform this task.
 
[Image: winbuilder09]

Now you’re ready to try it again.   Click the ‘Play’ button once again and cross your fingers.  If you are presented with a VMWare Player window like this….

[Image]

CONGRATULATIONS!!!   It works.  You see before you the Write Protect script telling you the 2GB VMware-created hard drive is read only.  If you were using this on a regular computer, all storage media should be listed as read-only.  If a drive is not listed, there might be a driver issue or hardware problem.  Keep in mind that this protection is a software control applied by the boot environment, not a hardware write blocker; verify on each new hardware platform that every attached disk shows up as read-only before you touch evidence.  When you click 'Close', the FE environment will continue to boot up.  Windows drivers will continue to load.  If you get an error at this point, it will be a driver issue.  It's not uncommon on newer machines to get a network device error.  This just means the default drivers within Windows do not support this device.  No problem, unless you need network connectivity.  If you need a working network device, or need to add a specific driver for a piece of hardware you will be using, read the documentation; it discusses how to add additional drivers to the WinBuilder WinFE creation process.  When the system has finished booting, you will be presented with your normal Windows GUI desktop.

Ok, now I want to burn my WinFE ISO image to a CD/DVD.  Your newly created ISO image is located in your C:\ISO folder.  Depending on the OS version, you will have a Win7PE_x86.ISO or Win7PE_x64.ISO (or both) in this folder.  Using your favorite ISO burning software, these are the ISO image files you need to create your Win7 bootable CD/DVD.

I recommend you immediately rename the ISO to Win7FE_x86.ISO (or x64) and move it to a different directory.  If you were to create an additional WinFE ISO image using the same Windows 7 install DVD, the newly created ISO file overwrites the old ISO file (without asking permission).

That's it for now... Enjoy your new WinFE boot disk.

Don’t forget to do some experimentation and add additional portable apps to your WinFE environment.