Any JTAG Experts on Here?

Jared

Administrator
Staff member
I'm just curious if anyone on here is an expert when it comes to using JTAG for reading memory from phones, tablets, etc. I've got a few questions as I'm looking at possibly getting into this more.
 

pc3000

Member
I do not think I'm called an expert, but I do it.
I prefer to work with a broken smartphone than a smartphone that works
 

Jared

Administrator
Staff member
pc3000 said:
> I do not think I'm called an expert, but I do it.
> I prefer to work with a broken smartphone than a smartphone that works

So just a few questions.

What JTAG boxes have you found to be most effective? (Medusa Pro, Riff box, Easy-Jtag, other)

How often are you able to actually read the memory via jtag?

When you dump memory via JTAG, is it in a linear format or is it like dumping a NAND?

I usually have avoided phone recoveries because most people aren't willing to pay a reasonable rate, but perhaps jtag could make this easy enough to do it for a lower rate than actually removing/dumping the memory chip.

jol said:
> What type of OS are you talking about?

Android phones/tablets mainly, maybe some older iOS/BlackBerry devices. Obviously the newer stuff is all encrypted so it'll be useless there. Though in the case of encrypted devices, an entire re-write of the memory from a broken device to a new device might result in a working phone with transferred memory.
 

pc3000

Member
I have GPG eMMC, GPG JTAG, Octoplus + Medusa Pro. Octoplus-Medusa is good, and Easy-JTAG too,
because they have updates (for Samsung & LG, the phones that I usually work with). If it turns out to be profitable I'll add more boxes to my collection, but not for now.
In most cases, customers do not pay like in HDD.
In the chip off / broken device case, you do not have to worry about the customer's device being damaged during work.
Actually you work harder, not for more money,
just to keep the customer's cell, so it usually is unprofitable.
Except if you're dealing with a forensic case (forensic tools cost extra money..)

Chip off:
Win Mobile = linear format, could be encrypted
iPhone - ? Should be encrypted, but I have no experience with those phones
Android = linear format but not exactly. For example there is a problem finding a video in raw, and this depends on a couple of parameters, like version, encryption, etc.
Newer Android does not have the usual eMMC chip; there is a reader that can read this chip - https://multi-com.eu/,details,id_pr,217 ... u,gsm.html
 

Jared

Administrator
Staff member
Right, I've got all the equipment for chip off recovery of pretty much any eMMC or NAND. I'm more wondering about whether JTAG is any easier for data recovery than chip off. Or, if it can be used to extract data from phones that are still functional, but have some sort of glitch preventing access.

For example, I had a Motorola phone a while back that was essentially bricked by a firmware update that would allow the phone to boot to the OS but never would load the login screen. A factory reset could probably fix the phone but would lose all data in the process. So for a case like that, perhaps JTAG could have been the magic bullet to read the data w/o destroying the phone.

Had another case more recently that was a Verizon branded Samsung phone with a deleted video the customer was willing to pay to have recovered. However, the Verizon model was the only one where a root solution hasn't been found yet. So w/o root my only option would be to remove the eMMC and direct read it. Unfortunately, the customer wasn't willing to both lose the phone and pay for recovery, and I wasn't about to make any promises that the phone would still work after I remove/re-ball the eMMC. So again, maybe JTAG could offer a solution to read it w/o destroying the phone.
 

pc3000

Member
Every phone is different, but this can help in some cases.
Jared said:
> So w/o root my only option would be to remove the eMMC and direct read it.
You can read the whole memory without removing the chip by ISP, just find the right pinout.

[Image: Galaxy 5 from the last case.]
 

Arcain

New member
@pc3000, I might be reviving an old thread, but in general JTAG is an old thing, no longer supported in most modern phones (locked) and very, very slow. I used to work with RIFF and Easy-JTAG. Both worked fine, but data transfer speeds were at about 50-150 kB/s. The dump was just a plain, raw disk image, but dumping an 8GB chip took about 2 days and the connection wasn't quite stable. I even once managed to read data out of a 32GB chip (Xperia S) - it took a week. It is still usable, but only for older devices and if there's no other option.
Modern phones (with eMMC) can be connected by ISP (like in the picture above) and you'll get speeds up to 2MB/s with a 1-bit connection. With chip-off and an 8-bit connection you're getting around 20MB/s depending on the chip you're reading. If the customer wants the data but doesn't care about the phone, this can still be profitable, and extracting the memory chip then is rather easy.
I don't think you can use ISP with UFS-based phones - well, maybe you can, but UFS uses a different protocol and there's currently no box/reader capable of reading it like that, so only chip-off and using programmers like NuProg.
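Added example, not from any poster in this thread: Jared asks whether a JTAG dump is "linear", and pc3000 and Arcain answer that eMMC/JTAG dumps are plain raw disk images. A quick way to confirm that on a dump you have just pulled is to parse its GPT and check the header and entry-array CRCs, which only line up when the image really is a byte-for-byte block-device copy. The script below builds a tiny constructed GPT image as a stand-in for such a dump (partition names, sizes and GUIDs are made up here, not taken from any device) and parses it back.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header layout, little-endian

def build_gpt_image(parts, total_lbas=128):
    """Constructed stand-in for a linear eMMC dump: protective MBR, GPT header, 128 entries."""
    img = bytearray(SECTOR * total_lbas)
    img[510:512] = b"\x55\xaa"                       # MBR boot signature at LBA 0
    entries = bytearray()
    for first, last, name in parts:
        entries += uuid.uuid4().bytes + uuid.uuid4().bytes   # type GUID, unique GUID (made up)
        entries += struct.pack("<QQQ", first, last, 0)       # first LBA, last LBA, attributes
        entries += name.encode("utf-16-le").ljust(72, b"\0")
    entries = entries.ljust(128 * 128, b"\0")        # 128 entries of 128 bytes, stored at LBA 2
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    hdr = bytearray(struct.pack(HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0,
                                1, total_lbas - 1, 34, total_lbas - 34,
                                uuid.uuid4().bytes, 2, 128, 128, zlib.crc32(entries)))
    hdr[16:20] = struct.pack("<I", zlib.crc32(hdr))  # header CRC is computed with this field zeroed
    img[SECTOR:SECTOR + len(hdr)] = hdr
    return bytes(img)

def parse_gpt(img):
    """Parse the primary GPT of a linear image into [(name, first_lba, last_lba)]; bad CRCs raise."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at LBA 0")
    hsize = struct.unpack_from("<I", img, SECTOR + 12)[0]
    if hsize < 92:
        raise ValueError("GPT header too short")
    hdr = img[SECTOR:SECTOR + hsize]
    (sig, _rev, _hsize, hcrc, _res, _cur, _backup, _first, _last,
     _guid, ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, hdr[:92])
    if sig != GPT_SIG:
        raise ValueError("no GPT header at LBA 1")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch: damaged or not a linear dump")
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        e = table[i * ent_size:(i + 1) * ent_size]
        if e[:16] != b"\0" * 16:                     # all-zero type GUID marks an unused slot
            first, last = struct.unpack_from("<QQ", e, 32)
            parts.append((e[56:128].decode("utf-16-le").rstrip("\0"), first, last))
    return parts
```

On a real dump you would open the image file and pass its bytes to parse_gpt; a CRC failure on an otherwise readable dump usually means the read was not linear or was unstable, which is the situation Arcain describes with slow JTAG reads.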
 