Scraping Memory From Android Phones With JTAG: A how-to video

This video demo shows how a hacker can scrape the memory from a stolen Android device.By grabbing the User Data and Meta Data partitions in this way it opens up the path to getting the PIN.

With this hacking demo we’re looking at JTAG ports, and how to use them to scrape memory.

What is JTAG?

The JTAG port is well defined and typically used by chip firmware developers in order to debug the code as they write it. It allows you to do things like iterate the CPU clock cycle by cycle so you can see where the code might be going wrong, but interestingly for us it also has loads of other functionality.

For this demonstration we’re going to be using its ability to extract memory. We’ll be looking at Android but before we get into that I want to compliment Apple on the security of their JTAG ports. They don’t publish the protocols used to communicate with them, and to the best of my knowledge no-one has successfully communicated with an Apple JTAG port, other than their own developers of course.

Teardowns and closeups

With a close-up camera we can see the teardown of an old iPhone 3. There are six JTAG ports on show, but they are tiny, so unless your micro soldering is extremely good you’re not going to be able to talk to those.

With Android however the JTAG ports are bigger and much easier to get to, and more importantly the protocols have been decoded and are available. Here we look at a teardown of a Samsung S4. With this close up we can see how easy those ports are to access. To talk to those we’ll need a dedicated connector with a ribbon cable.

The Google Nexus 4 shows us again how easily accessible those JTAG ports are on other Android devices.

The JTAGulator

Manufacturers really don’t want you or I communicating with their JTAG ports, so protocols are not readily available. Which is where the
JTAGulator comes in. This little device was designed and written by a guy called Joe Grand. It’ll help you start to decode some protocols and so begin talking to a JTAG interface.

The RIFF Box

The next thing we need is a RIFF Box, which is relatively cheap and easily available. They’re often used by the guys who run mobile phone repair stands, to unlock and resurrect dead phones. The primary reason we use it is because it has a big database of mobile phone model details, so it already knows about the JTAG specifications of many, many devices.

The attack

Before we get going we need the JTAG manager software running on our laptop. We’ve connected up the ribbon cable, mobile device, RIFF Box so now it’s time to try and talk to the device from my laptop. What I’m looking for is the ID which can be found in the two TAP interfaces in the JTAG Port, this is what allows us to get to the flash memory. Using a plugin in the JTAG manager software so we can read the partition tables off the device.

Because the device can be encrypted, and the MDM (Mobile Device Management solution) enforced policy has turned that encryption on, we need to decrypt it so we can read the data that we want. We’re after two partitions, User Data, as that’s where all the sensitive data is, and Meta Data, which is where all the crypto information is.

At this point you can select the Meta Data partition to check and see if there is any crypto information- so that we know it’s definitely the one we want. We then save/dump that as well as the User Data partition. This one is either going to be 8gb or 16gb. Either way the throughput on the RIFF Box is only 150kb per second so that transfer is going to take a while, but it’ll be worth it as it we’ll eventually get the PIN code!

…and we’ll show you how to brute force that PIN in our next video demo on Nexus 4 PIN Bruteforcing.

How you can prevent this happening?

The first thing is to give serious thought as to whether you should even allow Android devices to connect into your organisation. If you want them to connect to your Exchange server you’ll need an MDM solution. The problem is that the majority of MDMs only enforce policy at the local handset level, and as we’ve just shown you, local handset encryption can be compromised.

Some MDM products work differently and have a separate encryption container which works independently of the local operating system. So, when you go looking for an MDM, and you DO need one, make sure it has separate encryption containers, and isn’t just doing policy enforcement.