When a forensically sound image cannot be produced with flasher tools, a second option is to use a JTAG test access port of an embedded device. A JTAG test access port is normally used to test or debug embedded systems but can also be used to access flash memory.
Test modes for forensic imaging of flash memory
Extest and Debug mode are used for forensic imaging of flash memory in the following information.
JTAG enabled boards have extra test pads, usually not directly reachable for the user. The second part of this section describes a method to find this JTAG test access port on an embedded system with unknown layout. 1) How to access flash memory using JTAG: Flash memory chips are not JTAG enabled. But, as shown in an example embedded system in figure 6, flash memory chips are usually connected to other chips like a processor. This processor can be used to gain access to flash memory if the processor is JTAG enabled. Most JTAG enabled processors offer an extest mode or debug mode. Note that extest or debug mode may not be available on all processors and some processors offer both modes. The next two paragraphs explain how to use these two modes for forensic imaging of flash memory.
a) Extest mode: In extest mode, all processor pins are controlled by a JTAG controller while the processor core is
disabled. Test vectors are loaded or read using a, usually, long shift register. An external flash memory can be read by loading and reading a series of test vectors. An example in figure 7 shows how to access a NOR flash memory using extest mode and a series of two test vectors.
1)The first test vector contains an address of a NOR flash memorylocationandalsocontrol-signals(ce,r/w)witha
readcommand.This test vectoris activated after loading. See step 1 in figure 7.
2)After an access time, the flash memory chip responds with the requested data on the data bus and is captured
in a second test vector. See step 2 in figure 7.
3)This secondtest vector isread by a PC and thedata from the data bus is stored in a file. See step 3 in figure 7. An
image of a NOR flash memory chip can be produced by repeating these three steps for all memory locations.
Also NAND flash memory chips can be imaged using extest mode. However this will be slower because it takes a higher number of test vectors to read a byte or word of data from a NAND flash memory. Especially an address latch cycle takes more test vectors compared to a NOR flash memory.
b) Debug mode: Debug circuitry build in a processor can eusedtodebugembeddedsoftwarerunningonthisprocessor.
JTAG circuitry in the processor has extra registers to stop and start execution, read status registers or to write and read data from external memory chips. This last option can be used for producing an image of NOR flash memory. A commercially available debugger like JTAGjet from Sygnum systems can be used for this task. Producing an image of NAND flash memory cannot be done or is difficult using a commercially available debugger.
2) How to find a JTAG test access port: Before an image of flash memory can be produced the JTAG test access port
has to be found in an embedded system. On some PCB’s the test pads of the JTAG test access port are located in a
row and clearly marked, but usually they look similar to other test pads and may even be spread over both sides of the PCB, making it difficult to find them between all other test pads.
When a manufacturer of an embedded system cannot or does not want to give information about its JTAG test access port, a forensic examiner could try to find the JTAG test access port. This section explains some methods to find a JTAG test access port.
1)Modern embedded systems use a processor chip build in a micro BGA casing. A way to find the JTAG test access port is to de-solder the processor chip of a reference embedded system. Traces on the PCB can be measured with a multi-meter to find the JTAG test access port. This method needs the availability of a reference embedded system with an equal PCB layout and usually leads to the destruction of this reference embedded system.
2)Most embedded systems use a multi-layer PCB.Amulti-layer PCB can be viewed with an X-ray machine. The traces can be followed by focusing on the right layer. However, parallel running tracks in different layers and components on both sides of the PCB mostly thwart the attempts to follow the interesting connections.
3)Measure all test pads on the PCB. Because JTAG inputs and output have special properties it is possible to find
the JTAG test access port between all other test pads. First a simple measurement has to be done on all test
pads of a reference embedded system. This first step eliminates most test pads and can be done relatively fast, although the number of test pads can be high (>100) on some embedded systems. This measurement leads to a limited number of candidate test pads (test pads belonging to the JTAG test access port). The test access port can be found with a second measurement by testing all possible input / output combinations with an exhaustive search algorithm until a valid signal is received. Figure 8 shows an example of a JTAG test access port on a SGH-D500 from manufacturer Samsung. This is an example where the test pads of the JTAG test access port are located in a row.
3) JTAG advantages and disadvantages:
* The risk of changing data is minimized. It can be guaranteed that no data is written in extest or debug mode.
However there is always at least a short period between power-up and the time when debug or extest mode is
entered. In this period the system itself can interact with flash memory
* Flash memory can be imaged without de-soldering of flash memory chips.
* A complete forensic image can be produced (all data, inclusive spare area, bad blocks etc).
* A disadvantage is that communication in extest mode is slow. Debug mode can be faster however.
* A JTAG test access point can be difficult to find.
* Not all embedded systems are JTAG enabled.
Fig. 6. An example of an embedded system
Fig. 7. Using extest mode for accessing memory
Fig. 8. JTAG test access port of a Samsung SGH-D500
Data recovery Salon welcomes your comments and share with us your ideas, suggestions and experience. Data recovery salon is dedicated in sharing the most useful data recovery information with our users and only if you are good at data recovery or related knowledge, please kindly drop us an email and we will publish your article here. We need to make data recovery Salon to be the most professional and free data recovery E-book online.