10/11 - Chip-Off & JTAG Flashcards

1
Q

What are the drawbacks of flasher tools?

A

Since the tool developer is not concerned about digital forensics, some of the features one would expect in a forensic examination tool, such as an audit trail or hashing function, are not included.

2
Q

Name a common flasher tool?

A

Advanced Turbo Flasher

3
Q

What are the benefits of engineering ports?

A

Some flasher tools require connectivity via an engineering port. The benefit of using an engineering port is that it is usually protected from daily wear and tear, exposure and damage in comparison to the regular data port. However, connection via an engineering port often requires a proprietary cable or proprietary pinout.

4
Q

What are boot loaders?

A

Boot loaders provide an option to unlock and acquire certain mobile devices' memory by booting them into a custom recovery mode which replaces the standard Android recovery partition. This is particularly applicable to a range of Android devices, depending on the model, chipset, vendor, and even network carrier.

5
Q

Name two custom recovery developers?

A
  • ClockworkMod Recovery
  • Team Win Recovery Project (TWRP)
6
Q

What does FRP stand for?

A

Factory Reset Protection

FRP is a security method that was designed to make sure someone can’t just wipe and factory reset your phone if you’ve lost it or it was stolen.

7
Q

Explain the Qualcomm EDL Mode?

A

A special boot mode can be enabled to allow direct memory access. This involves forcing the mobile device into a special state called emergency download or EDL mode. It is also known as deep flash, or 9008 mode.

The EDL mode implements the Sahara protocol, which allows an original equipment manufacturer or OEM to accept a digitally signed programmer over USB. The OEM vendor's programmer uses a protocol known as Firehose to interact with Qualcomm chips.

8
Q

What does ISP stand for?

A

In-System Programming (ISP), more commonly known as direct eMMC, involves interfacing directly with the flash memory chip in a mobile device.

9
Q

What is Chip Off Forensics?

A

Chip-off forensics is a technique which involves the removal of the flash memory chip from the mobile device's printed circuit board and the reading and imaging of its content via some form of memory reading device.

10
Q

What is the Popcorn effect?

A

Prior to removing a memory chip, some considerations need to take place. For example, is there any likelihood that moisture has been trapped inside the memory chip? If this is a possibility, then the board should be dried in an oven for a number of hours to ensure any moisture has evaporated. Failure to do this could potentially cause the memory chip to be damaged. This is commonly known as the popcorn effect: when heat is applied as part of the chip removal technique, moisture trapped inside the chip package rapidly expands due to the increase in heat.

11
Q

What is JEDEC?

A

Solid State Technology Association

12
Q

What does JTAG stand for?

A

Joint Test Action Group

JTAG uses a serial communications interface to probe the key components on a printed circuit board in order to validate their correct operation.

13
Q

What is the TAP?

A

The connection interface used for JTAG is known as the test access port or TAP. Connection points for the TAP are located on a mobile device's printed circuit board.

14
Q

Explain the following JTAG TAP pins:

  1. TCK
  2. TDI
  3. TDO
  4. TRST
  5. NRST
  6. RTCK
A
  1. TCK - Test Clock.
    Synchronize the internal machine operation state.
  2. TDI - Test Data In.
    For data input.
  3. TDO - Test Data Out.
    For data output.
  4. TRST - Test Reset.
    To force controller into a known state.
  5. NRST - Normal Reset.
    Set device into unknown state.
  6. RTCK - Return Clock.
    Control maximum clock speed.
15
Q

Name a few JTAG tools?

A
  • Rift-to-box
  • Advanced Turbo Flasher
  • Z3-X