
JTAGing Mobile Phones - j_s
https://sysforensics.org/2016/08/jtaging-mobile-phones/
======
q3k
Too bad most of the tools targeting mobile phones come only as shady,
Windows-only, closed-source, DRM-laden (requires unnecessarily expensive
adapter) solutions.

That's capitalism for you - every vendor wants their piece of the cake by
keeping their reverse-engineering efforts secret. Nothing else is preventing
an open-source and open-hardware ecosystem from thriving by reusing existing
tools (e.g. OpenOCD and any FT2232-based adapter clone).

~~~
jtl999
Indeed. I wish someone would reverse engineer some of them.

Also some of the JTAG tools allow disabling the network lock and IMEI
changing, which could be interesting.

------
nom
Somewhat offtopic, but this article reminded me of the old times when every
mobile phone came with a serial port and you could just talk to them directly.
The Nokia and Siemens devices always supported it by default and it was easy
to access everything from address book, to call lists, to ringtones and the
"provider logo".

Unfortunately, it was also used by the police to make a copy of everything you
had on it...

~~~
roywiggins
At least with a front-door you know it's there, I guess!

~~~
nom
Most people were not aware of it at that time.

It's comforting to know that devices like the Nokia 3310 had the serial port,
called "F-Bus" or "M-Bus", located _below_ the battery. It made it impossible
to connect a cable without entering the PIN again.

------
jdalgetty
If it wasn't so expensive to get started with this, I'd be all over it.

~~~
j_s
Agreed. This is the first list I've seen of _everything_ used. $1400 is a big
initial investment, though people who already solder may not need to spend
that much.

~~~
Declanomous
Additionally, I think you could do the job with much cheaper tools. For one
thing, I definitely don't need a dissection scope to solder JTAG pins, nor do
I need a hot-air reflow gun. I don't know enough about the particular JTAG
bits and bobs he is using, but I've had success using the $5 JTAG programmers
from Aliexpress. You need to know the pinout to use them though, which seems
like one of the huge benefits of the options he listed. The solder fume
extractor is pretty unnecessary as well.

I think if you went with the bare minimum required to tinker with JTAG on
phones, you'd probably be looking at $100 (inexpensive soldering iron, cheapo
JTAG, salvaged wall wart for power, kester solder/flux) to $250 (upgrade to
temperature-controlled iron, cheap bench supply).

~~~
Thrillington
Gonna disagree on the fume hood. Especially if you're working with older
electronics that likely have leaded solder.

You don't have to buy one, but you should build one with a fan and a filter as
suggested, anything so you don't inhale the fumes.

~~~
Declanomous
From what I understand, there is little to no lead in soldering fumes. The
fumes are almost entirely from the flux. If you are working in a well
ventilated space you should be able to protect yourself by setting up a small
fan to blow the smoke away.

I think a filter is overkill for someone who is just starting out. They should
at least figure out if they enjoy the hobby before they spend $60 on a filter.
That being said, even if they don't contain lead, the fumes from soldering are
not good for your health. If you do continue soldering, some form of fume
extraction is in order.

There is a pretty good discussion on stack exchange about this topic:
[http://electronics.stackexchange.com/questions/1904/are-sold...](http://electronics.stackexchange.com/questions/1904/are-solder-fumes-bad-for-me)

------
2bluesc
The image of the test point pads covered with soldermask is quite interesting.

If they are modifying the PCB to put soldermask over the pads for production,
why not just remove the pads? Are they still in the design for field recovery
or work?

Does anyone know? Curious to learn some tricks.

[0] [https://res.cloudinary.com/sysforensics/image/upload/c_scale...](https://res.cloudinary.com/sysforensics/image/upload/c_scale,w_400/v1458082960/clean_taps_pkiiig.png)

------
pulverize
Remember when you were motivated to take a screwdriver, pliers, hammer,
blowtorch and strong magnet to your decommissioned spinning platter HDD cases,
before tossing your old desktop PC components in the trash?

Yeah, same goes for smartphones now, too.

------
k2enemy
A great tool for exploring JTAG and other protocols is the bus pirate:
[http://dangerousprototypes.com/docs/Bus_Pirate](http://dangerousprototypes.com/docs/Bus_Pirate)

It isn't great for what the article mentions (lack of pre-existing tools for
common mobile phone tasks) but it is cheap and versatile.

~~~
fapjacks
I can't recommend the Bus Pirate enough! An old coworker introduced me to
these things and they are _so_ helpful!

------
hrrsn
It seems to me that most flagships would now be incompatible with this sort of
hacking due to full disk encryption?

~~~
voltagex_
Depends what your target is. If you somehow managed to connect JTAG while the
phone was on and unlocked you could dump the phone's RAM completely,
potentially with the encryption keys as well.

------
KiDD
Good Article!

