Blog

So, What is this "JTAG Forensics" anyway?

Though we use the word JTAG often as a verb or a noun to describe the mobile forensic method of extracting data from a phone, the term is really an acronym for the Joint Test Action Group.

JTAG was created to standardize the testing of circuit boards without needing to physically access the memory chip of a device.

When forensic examiners use the term JTAG, they are referring to one of the more advanced methods for extracting data off a mobile device when more traditional methods like bootloader exploits aren’t working.

Unlike it’s cousin method - the Chip Off which actually removes the memory chip from the circuit board to be read by an external programmer - JTAG doesn’t require the outlay of tens of thousands of dollars in specialized equipment to start and maintain.

JTAG is also safer than the Chip Off method which is often irreversible and therefore used as the final resort in extracting data.

JTAG also requires less upkeep in terms of practice and continuing financial commitment as I mentioned earlier.

What JTAG is Not

Before we go further with our discussion of the JTAG method and the equipment that one needs to perform JTAG mobile forensic extractions, it is important to keep in mind what the JTAG method is not.

The JTAG extraction method is not the Holy Grail. There may or may not support for the model of phone to extract data in this way. This by the way is true of the Chip Off method as well.

The JTAG method is not easy. Don’t expect to be able to push the “Find evidence” button and have everything handed to you. This method requires training, practice, creativity and commitment.

The JTAG method is not without its dangers - chief of which is the potential that you could accidentally write to the NAND memory chip instead of reading it. The extraction hardware we will be talking about can be used to both read AND write to the memory of the device. Always make sure of your actions!

The JTAG Method

Now that we have talked a little about the generalities of the JTAG method, let’s get a little more specific.

We can split this method into five distinctive phases or steps.

  • 1. The research phase
  • 2. The Teardown/Disassembly phase
  • 3. The soldering phase
  • 4. The extraction phase
  • 5. The Cleanup phase - desoldering, reassembly and testing

There are of course two additional phases - the analysis and reporting phases. However, as these phases are in line with other digital forensic disciplines they fall outside of the JTAG method.

Now that we have defined the JTAG method in a little more detail, let’s look briefly at the first phase of the method.

The JTAG Forensic Method - Research Phase
We mentioned that the JTAG method is not a silver bullet. This is why it is important to do due diligence in researching JTAG support for phone makes and models. A nice side effect of such research is that the research can lead you to other ways of extracting data from the device if JTAG is not the way to go.

So in researching a phone your goals are:

  • 1) Identify all possible ways of extracting data from the device
  • 2) Identify ways of safely disassembling the device
  • 3) Locate the Test Access Ports (TAPS) for JTAG connections

Unfortunately, there is no central location to find forensic information for all possible mobile devices. On the other hand there are lots of free sources on the Internet that an examiner can access. Finding the information you need on a phone therefore requires both patience and out of the box thinking.

Just as we have suggested an order to the JTAG Methodology, we suggest the following search methodology in order to eliminate time suck as much as possible.

Google

The starting point of any extraction research is the almighty Google. Many many answers to tech/IT/programming problems can be successfully resolved by turning to the powerful algorithms and database index of Google.

The tricky thing with Google is to build the right keyword search string to find and filter results effectively. At a minimum when searching on Google the researcher should build a keyword string that contains keywords for

Manufacturer
Phone model/number
JTAG
The JTAG box you are using, e.g.RIFF

Here we have an example of the query string : samsung galaxy 5 JTAG RIFF

The results included:

  • Images
  • Videos of JTAG/disassembly
  • Article entries on forensic sites

These results give us some really solid clues that it might be possible to perform a JTAG extraction on this phone. As good as Google is at serving up results based on your keywords it might not return all the relevant information - for instance if the information was located in a forum that does not allow indexing - and it is useful to also conduct searches on specific websites as well.

Some final points on Google searches

  • Make sure you also check a few levels down in the search results.
  • Don't forget to try alternative search terms that Google may suggest.
  • Bring up your searching skills, take the Google Course on power searching.

SPECIFIC JTAG RESEARCH SITES

Phone Scoop Phone Scoop has tons of information mobile devices. They technical specifications, processors, phone features and links to FCC information about the device (this latter piece can be especially handy in locating pictures of the device and TAPS.

A visit to phone scoop should always be on your list of must-dos to insure completeness.

As you can see from the below screen capture Phone Scoop has lot of useful information on the device (Samsung Prevail 2) including the processor, OS version and FCC ID (even with a handy link to the FCC site).

Though this search was performed on the name of the device you can also search by model number which will sometimes help eliminate confusion if there were several iterations of the device.

GSM Arena

It’s not generally talked about but most support for JTAG extraction exists for GSM networked devices. As such it is useful to search as site such as GSM Arena which is very similar to Phone Scoop but may have additional data (it isn’t exclusive to GSM devices however). It also a good way to double check the correctness of Phone Scoop.

PDADB.NET

Though more geared toward Android phones -and let’s be honest you are probably using JTAG more on Android devices - the site offers an amazing amount of details about devices.

One totally amazeballs feature is the ability to browse other devices with the same Android version and CPU type.

One trick of the trade is to use a profile of a different phone on a similar phone with the same processor/chipset/Android version. I like to call this “profile forcing” and is useful not only in JTAG specific situations but also with commercial tools such as XRY or Oxygen Forensic Suite.

YouTube

Many people don’t know that Youtube is considered the second largest search engine in the world. As such it is an excellent place to search for videos on device tear-downs and JTAG soldering tips and extractions and how-tos.

Search for terms like teardown, disassembly, repair and append the manufacturer and model number.

You can also find videos on JTAG if you use that term and the manufacturer and model number.

As an aside Youtube is also a great place to search for video how-tos on rooting various Android versions on devices.

IFixit

Another great site to search for teardowns and repairs is iFixit.

The site has step by step guides on tearing down and reassembling devices with high resolution photos.

There are even suggestions on tools and links to troubleshoot and interact with the iFixit community for help.

IFixit also has handy apps for your tablet or phone so you aren’t strapped to your desktop as you work.

XDA Developers Forum

The XDA Developers forum is an awesome resource where you can find tons of information on hacking Android phones. Just a simple search for the word JTAG produced the below result.

The XDA developers forum is a must stop for examiners doing research on everything from rooting to repair.

Note: Sometimes it can be annoying to have to sift through all the forum posts to find your answer. Also you need to be a member of the forum to download code listed in the forums.

FCC ID

Any device that generates a radio signal must be registered and approved by the Federal Communications Commission(FCC). Cell Phones and other mobile devices that have radios for connecting to a cellular or WiFi network fall within this definition.

When a manufacturer registers a device with the FCC they must submit technical information and may even include photos of the device. This type of information is gold for the examiner researching a device for JTAG extraction.

The FCC is located on the web at: https://www.fcc.gov/general/fcc-id-search-page. The FCC ID is listed on the label of the device behind the battery.

You can also find the FCC ID - and possibly a link to the appropriate FCC page - on phone scope or similar site or from a Google search.

The FCC ID search form requires that the ID be entered in as a “Grantee Code” and a “Product Code”. The FCC permanently assigns the grantee code to the manufacturer when they are applying for approval. The grantee code is between three to five alphanumeric characters. The remainder of the FCC ID is the product code.

After pressing search the site will return results if there are any. The results will contain links to documents and pictures. Click on the “detail” link to find the “internal pictures”.

Pro Tip: If the FCC ID search does not work with a grantee code three characters in length try again with the first five characters.

Once you have the internal pictures you can locate the TAPS for the phone.

Pro Tip: FCC IDs can also be found searching via Google. Use the keywords “FCC ID YOUR_ Manufacturer YOUR_Model” replacing the “YOUR_Manufacturer and YOUR_Model with the ones your are researching.

One last note about FCC photos - some aren’t the best quality and it can be hard to identify exactly where the TAPs are located but they can help you determine chances of success without disassembling the device.

JTAG Forensics Wiki

Created off of www.forensicswiki.org, the JTAG specific forensics wiki - www.forensicswiki.org/wiki/JTAG_Forensics — is another useful site for general JTAG forensic information as well as some specific how-tos on a limited number of phones.

GSM Hosting Forum

This forum located at forum.gsmhosting.com, is a phone hacking and repair forum that can be useful to investigators when researching extraction techniques.

The forum is often a springboard for further research or methods for phones that are unsupported.

This forum has many subforums dedicated to flasher box and JTAG tools.

There are many such forums on the Net but be careful in using or interacting with them as they may be concealing malicious actors. Very often however the information is useful and safe.

Wikipedia

The plain old vanilla Wikipedia site can be very useful in finding out information about JTAG, phone makes and models and chipsets.

JTAG Box Manufacturers

Lastly don't forget to look at the box manufacturer pages such as the RIFF Box -www.riffbox.org-for information about specific support for phones.

Pro Tip: Use the syntax “site:your_web_site your_search_terms” replacing “your_web_site” and “your_search_terms” with your specific site and query to quickly get specific results. For instance “samsung galaxy 4s site:www.riffbox.org” yielded 87 results specific to www.riffbox.org.


We have now looked at the JTAG method and some ways of procuring information and research on the viability of performing a JTAG examination on a given device.

We looked at various websites including the FCC website and the XDA developers forum.

As you can see while JTAG is a useful method to employ on devices with limited or no support with traditional commercial forensic tools, it still is a method that requires commitment time and effort.

In the next article, I am going to discuss the hardware needed to perform a JTAG examination - its costs and where to obtain the hardware with the least amount of hassle and cost.

Until then, all the best in your forensic endeavors.

Michael Harrington is a former Detective Sergeant with over 16 years of experience in the digital forensic industry. He has taught mobile forensics throughout the world to hundreds of students.

He is the author of Google Earth Forensics: Using Google Earth Geo-Location in Digital Forensic Investigations, and is the JTAG training consultant at Wild PCS Mobile Forensics.