

HEX DUMPING PRIMER

Part I

Michael Harrington, CFCE, EnCE

Cell (or Mobile as it’s known outside the US) Phone Forensics has become a red hot topic in the last year or so. Among the issues that examiners often face are the lack of support for specific models and manufacturers and the quixotic and proprietary file systems that are on the handsets. Adding to this mix are the expensive hardware and software ‘solutions’ that have flooded the forensic community, solutions that can run into the hundreds, thousands and even tens of thousands of dollars.

Imagine a solution that was not only inexpensive, required only a hex editor and ASCII table to interpret data AND was able to obtain the Holy Grail of Cell Phone Forensics - the acquisition of the physical memory of the phone.

Impossible you say? Doubt no more! Enter the world of Hex Dumps or ‘Flashing’ as it’s more commonly known.

FLASHING A PHONE - WHAT IS IT?

Flashing a phone is usually interpreted as a dump of the phone’s memory into a binary image, which the examiner then reads in hexadecimal (for an Absolute or true physical acquisition). Strictly, in the repair trade ‘flashing’ means writing firmware to the handset; what the examiner wants is the read direction, the dump, and the distinction matters because the same box and software do both. The aim of the practitioner then is to get a snapshot of the complete memory contents of the phone in order to uncover hidden and deleted data. Concomitant to this is the hope that this method will eliminate the problems caused by the more “traditional” methods of using AT commands to query the handset, which change the phone’s memory as a side effect of the query. In essence we are striving to get as close as possible to the forensic image which is the bread and butter of conventional electronic evidence forensics and thereby have a best evidence exhibit as defined by the legal courts.

Why is obtaining this forensic image or hex dump so important? I believe it is of utmost importance for the examiner to try to get the data from the phone in this way because most of the so-called forensic phone applications are in reality variations of backup software that concentrate on the user data and rely on the phone being up and running in order to get at the data (again using something like AT commands). The examiner needs to look beyond the general user data of contacts, call registers and text messages. Using a hex dump the examiner can plumb the memory for such things as previously inserted SIM cards, previous calls that the traditional tools have lost, MAC addresses and more.
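The hex-editor-and-ASCII-table work described above, scripted, as an added example that is not part of the primer. It renders a dump as the familiar hex/ASCII listing, carves printable ASCII runs (model strings, names), and decodes nibble-swapped BCD digit strings, the packing GSM uses for the ICCID on a SIM and for numbers in SMS PDUs, which is how a previously inserted SIM can leave a recognisable trace in raw memory. SAMPLE is a constructed byte string, not a dump from any handset, and the function names are this example’s own.

```python
"""Added example, not code from the primer: hex listing plus two simple
carvers (printable ASCII, nibble-swapped BCD) over a raw memory dump.
SAMPLE below is constructed for illustration, not read from a phone."""
from __future__ import annotations
import string

# Bytes rendered as themselves in the ASCII column; control whitespace is a dot.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Classic 'offset  hex bytes  |ascii|' listing, one string per line."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{ascii_part}|")
    return lines


def carve_ascii(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Runs of printable ASCII at least min_len long, as (offset, text)."""
    found, start = [], None
    for i, b in enumerate(data + b"\x00"):          # sentinel flushes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def decode_swapped_bcd(raw: bytes) -> str:
    """Nibble-swapped BCD: byte 0x21 -> '12'. A 0xF nibble pads an odd-length
    value and ends the field; any nibble above 9 ends it too."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):              # low nibble holds the first digit
            if nib > 9:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def carve_bcd_numbers(data: bytes, min_digits: int = 10) -> list[tuple[int, str]]:
    """Scan for byte runs whose nibbles are all decimal, optionally closed by a
    0xF-padded byte, and decode each as swapped BCD. Short runs and runs of
    zeros (padding) are dropped; surviving hits still need confirming in the
    hex view, because ASCII text and digits are valid BCD nibbles too."""
    def is_bcd(b: int) -> bool:
        lo, hi = b & 0x0F, b >> 4
        return lo <= 9 and (hi <= 9 or hi == 0xF)

    found, start = [], None
    for i, b in enumerate(data + b"\xaa"):          # 0xAA is not BCD: sentinel
        if is_bcd(b):
            if start is None:
                start = i
            if b >> 4 != 0xF:
                continue
            end = i + 1                             # 0xFn terminator closes the run
        else:
            end = i
        if start is not None:
            digits = decode_swapped_bcd(data[start:end])
            if len(digits) >= min_digits and set(digits) != {"0"}:
                found.append((start, digits))
            start = None
    return found


# Constructed sample: erased flash (0xFF), a model string, a record marker
# byte, a 19-digit ICCID-style value in swapped BCD, another marker, a
# 10-digit number in swapped BCD, and more erased flash.
SAMPLE = (
    b"\xff" * 8
    + b"Nokia\x00"
    + b"\xaa"
    + bytes.fromhex("98 19 12 00 00 21 43 65 87 f9")   # '8991210000123456789'
    + b"\xbb"
    + bytes.fromhex("21 43 65 87 09")                  # '1234567890'
    + b"\xff" * 4
)

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print("ascii:", carve_ascii(SAMPLE))
    print("bcd:  ", carve_bcd_numbers(SAMPLE))
```

The BCD carver deliberately reports the "ia\x00" tail of "Nokia" as nothing (six digits, below the threshold) but would happily report a long run of ASCII digits as a number; that ambiguity is exactly why the primer insists on the examiner reading the hex view rather than trusting a tool’s summary.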


Add to this the myriad of handsets, each with differences in how data is stored, software and hardware revisions, and the exorbitant costs of hardware and software solutions, and the examiner must look beyond the traditional.

Hex dumps can and have been obtained from handsets that wouldn’t otherwise power up, were broken or had no battery or SIM. This goes well beyond what a traditional logical examination is capable of, since that generally requires a handset that powers up with battery and SIM in place.

Obtaining a hex dump is not without caveats though. One has to be cognizant of the fact that the boxes and the software used are not “officially” sanctioned by the handset manufacturers (but then neither are the traditional tools used by the practitioner). The software is complex to use, there is a dearth of information on how to use it (what is out there is often in a language foreign to the user), and if the wrong button is pressed you can turn your evidence into a “brick”. Every box that can read the phone can also write to it, so the examiner must know which functions read and which write before an exhibit is ever connected.

Commercially, the devices used to obtain hex dumps are used by cell phone retailers to repair, customize and unlock phones (free the phone from its provider for use with different providers).

EQUIPMENT

So we have defined what a hex dump or a flash of the phone is and we have hinted that there is some device that is needed to obtain the dump. So what exactly is required?

Common terminology used in this subset of the wireless industry for these devices is ‘box’ or ‘clip’. They are small aluminium boxes with USB and RJ-45 ports.

It can be overwhelming to look at the amount of ‘boxes’ or ‘clips’ available on sites and wonder if one is better than the other or if they even work. Listed below are some of the choices.

UFS3 Tornado

Furious Gold

Smart Clip

GTS

Unibox

JAF

N-box

Vygis

Typically GSM oriented, these boxes support a variety of cell phone manufacturers from Nokia to Motorola to Sony Ericsson. Some cables for CDMA handsets can also be found.


It is best to select a box that has the widest support for the manufacturers your department or force sees.

Some of the websites you can find these boxes on (and that the author has used with great success) are the following:

GSM Server

One Stop Factory

Fone Fun Shop (UK)

Tech GSM

This paper is going to focus on the UFS3™ (Tornado) box because it is a popular and very inclusive solution, though the concepts described throughout the paper are applicable to the gamut of products on the market for obtaining hex dumps.

UFS3™

The terminology of this box can be confusing at times because the Universal Flashing Software and the box itself are both referred to by the same name. This can be further compounded by the software sometimes being referred to as ‘Tornado’. For all intents and purposes the software is the same and only differs by name (later versions also include upgrades for new models etc).

Depending on where the box is purchased, the examiner can get a variety of cables to go with the various supported models of phones.

In general, the UFSx series supports the following manufacturers/models.

Nokia DCT3: 3610 (NAM-1), 2100 (NAM-2), 3410 (NHM-2), 6250 (NHM-3), 3310 (NHM-5), 3330 (NHM-6), 3350 (NHM-9), 3390 (NBP-1), 6210 (NPE-3), 5510 (NPM-5), 5190 (NSB-1), 6190 (NSB-3), 8890 (NSB-6), 8290 (NSB-7), 5110 (NSE-1), 5110i (NSE-2), 6110 (NSE-3), 7110 (NSE-5), 8810 (NSE-6), 3210 (NSE-8), 5130 (NSK-1), 5130 (NSK-3), 6150 (NSM-1), 8850 (NSM-2), 8210 (NSM-3), 8250 (NSM-3D), 8855 (NSM-4), 5210 (NSM-5), 9110 (RAE-2), 6090 (NME-3)

Nokia DCT4: D211 (DTE-1), 3300 (NEM-1), 3300b (NEM-2), 7210 (NHL-4), 7250 (NHL-4J), 7250i (NHL-4JX), 6610 (NHL-4U), 6800 (NHL-6), 6820a (NHL-9), 6650 (NHM-1), 8910 (NHM-4), 8910i (NHM-4NX), 8310 (NHM-7), 3510 (NHM-8), 1220 (NKC-1), 1260/1 (NKW-1), 7600 (NHM-3), 3320 (NPC-1), 6310 (NPE-4), 6310i (NPL-1), 6100 (NPL-2), 6200 (NPL-3), 5100 (NPM-6), 5100a (NPM-6X), 3590 (NPM-8), 6510 (NPM-9), 3595 (NPM-10), 3360 (NPW-1), 6360 (NPW-2), 8390 (NSB-8), 6800a (NSB-9), 6590 (NSM-9), 6108 (RH-4), 3108 (RH-6), 3510i (RH-9), 6340i (RH-13), 3560/20 (RH-14), 1100 (RH-18), 3100 (RH-19), 6220 (RH-20), 6560 (RH-25), 3200 (RH-30), 3200b (RH-31), 1100b (RH-36), 1100a (RH-38), 2260/1 (RH39+41), 2220/1 (RH40+42), 3586i (RH-44), 3100b (RH-50), 2300 (RM-4), 2300a (RM-5)


Nokia DCT-L: 9290 (RAB-3), 9210 (RAE-3), 9210i (RAE-5)

Sony Ericsson: R520, T39, T65, T68, T68i, T200, T202, T230, T238, T300, T306, T310, T312, T610, T616, T630, T628, P800, P802, P900, P908, Z600, Z608, A3618, T100, R600, T66, T600, Z200

Samsung: A2xx, A800, N1xx, N2xx, N300, N400, N500, N600, N611, N620, N625, N628, R200, R201, R208, R210, R220, R225, T100, T108, T400, T410, T500, E400, E710, E715, P100, P400, Q100, Q105, Q200, Q300, Q400, Q605, S100, S105, S108, S200, S208, S300, S300m, S308, V100, V200, V205, V208, X400, X430, A100, A110, A188, A300, A400, M100, E100, E105, E700, E708, S500, S508, X100, X600, A500 E-Gold, C100 SkyWorks, C108 SkyWorks

Siemens: C30, S40, C35, C35 NEW, M35, M35 NEW, S35, S35 NEW, A35, A36, A40, A50, A52, A55, A60, 1168, C45, 2118, C55, 2128, C60, C60 boot, S45, S55, SX1, ME45, M55, M55 boot, SL42, SL45, SL55, 6688, MT50, M50, 3118

Cables and Connections

The cables that come with the UFS3™ box look like standard data cables but end in an RJ-45 connector. Included in the kit is usually a DKU-5, FBUS and DKU-2 cable.

The connection between the box and the handset directly accesses the manufacturer’s service interface: either the Joint Test Action Group (JTAG) test port or, as with the UFS3 and the Nokia platforms covered here, the MBUS/FBUS serial service bus.

These connections can be located underneath the battery of the handset as shown in the below graphic of a Nokia 3310.

Picture taken from http://www.embedtronics.com

They can also be accessed through ports located on the bottom of the phone, as is shown in this picture of the FBUS connector on a Nokia 3220.


The UFS3™ uses a variety of specialist cables like the one shown below.

Of note on the cable are the connecting points (for accessing the logic board) and the RJ-45 connector. The latter hooks directly into a like port on the UFS3™ box as is shown below.

SarasSoft’s Tornado™ Software


Having discussed what a hex dump is and why it is necessary, as well as the equipment needed, we can now move on to the software required to obtain the hex dump.

Installation

Installation of the software is straightforward. You should install the software before connecting the UFS3™ box to the computer. In most circumstances you will want to accept the defaults that the software presents to you.

Once the software is installed, you should connect the box to the computer via the provided USB cable. When prompted to install drivers for the box, you should manually navigate to the SarasSoft folder where you installed the suite of tools to find the driver to install. This is located on my forensic machine at C:\Program Files\SarasSoft\UFS\UFS_USB_Driver, though your actual location may differ.

After the installation of the driver you can launch the UFS software for the type of phone you wish to acquire the hex dump from. A note of caution is required at this point: be very sure you understand what you are doing from this point on, as one wrong button pressed could mean that you turn your phone into a “brick”. In fact, I would recommend that the first few times you use this software you do so with a test phone, to get familiar with the interface and how it functions.

I am going to be concentrating on the UFS_DCTxBB5 toolset for the remainder of our discussion of the software. The other tools work similarly.

UFS_DCTxBB5 Interface

Shown below are graphics and numbered keys taken from the UFS3 manual that describe the interface of the UFS DCT software.


List of Functions by Numerical Key

1. Check - To check the flash mode

2. Info - To check the functionality of M/F Bus (Use to confirm a good connection)

3. Flash -To be used for manual flashing mode

4. UI Setting - User interface setting

5. Phone Mode - (Local mode, Test mode, Normal mode)

6. Restart - Restart the phone

7. Phone Type - (Choose between the different platforms, DCT3/4, DCT-L or WD-2)

8. BT HW - Manually choose the Bluetooth hardware (using auto is recommended)

9. Write the User Setting back... - Phone book, etc…

10. Aux Option - (Read/Write PM-UEM, Erase flash, Format user area)

11. Progress bar - (Box serial code, counter, progress bar)

12. UI Option - (Resets, simlock, security code, factory defaults, software upgrade defaults)

13. Flash file browser - Choose your flash files

14. Start/Stop button - Execute/Terminate selected jobs


15. Special Setting - Relock function, manual flashing, language update only, etc...

16. Connection bus & Flashing speed - Adjust the flashing speed and choose the bus

17. Pre-Setting - Choose the job to be done

18. Progress windows - (Phone details, Box status, Work status and other useful information)

19. Calculator - To calculate network unlock code (Only apply on DCTx_UFSx 1.3b)

20. Support - For product support and website information (www.ufsxsupport.com)

QUICK BUTTONS

This section also from the UFS3 manual describes the quick buttons found along the top of the software interface.


CONNECT/DISCONNECT - You have to press the connect button to connect the software module with the UFSx box hardware. Without this connection you cannot use any software module with the UFSx box.

CHECK - You can test the Flash mode with this button.

INFO - You can test the communication Bus (F-bus or M-bus) and read info from your phone. It is recommended to use this to check the cables and establish a good connection.

FLASH - The flash button can be used for manual flashing, for example, if the phone is dead.

UI SETTING - Manual option to execute predefined user interface settings.

[?] - This drop down box lets you manually choose between normal mode, test mode or local mode on the phone.

AUTO DETECT - Use this option if you are not sure what kind of phone it is, it will auto detect it for you.

AUTO CLEAR RESULT WINDOW - Will clear all results displayed in the main window before commencing each function; you can manually clear this by double clicking inside the window.

AUTO SCROLL RESULT WINDOW - Will scroll all results displayed in the window when/after commencing each function.

USE INI SETTING - You should use this option if you have already prepared a specific INI file for the desired type of phone. It is the fastest way if you have many phones with the same type of job to do.

IMPORT SIMLOCKS - Import simlock from file when doing the simlock.

FLASH PPM ONLY - This option flashes only the PPM (language pack). It is a fast way to change the available languages; however, take care that you are using the PPM version which matches the MCU version currently in the phone. Otherwise you will get “Contact Service” or some other unexpected fault, in which case you will need to full-flash the phone.

NOTE: If you want to flash only the PPM, first check the software version of the phone, or connect it to the UFSx and click INFO to get the version. Then choose the same version of PPM and flash the phone to avoid any fault in the phone.

INTERFACE - Communication bus setting: use F-Bus for all DCT-4 and WD-2 phones; M-Bus is the other option.

SPEED - (Flashing speed) You can keep the default setting of FAST, but if you get errors you should choose NORMAL or SLOW, since not all flash types support FAST flashing.

START/STOP BUTTON - To start or stop the job that you do.


ACTION WINDOW FOR DCT-4

We will be concentrating on the DCT-4 window as it covers a majority of phones that the examiner may encounter. Other windows have similar functionality. Again, the below graphic and explanations are taken from the UFS3™ manual by SarasSoft™.

PRODUCT - Choose your phone model, for example 3200 RH-30, 6610 NHL-4u, 6610i RM-37

MCU - Choose the MCU flash file (Main phone firmware to be flash)

PPM - Choose the PPM flash file (Language pack firmware. Must match with MCU version)

CNT - Choose the CNT flash file (CNT = Content Pack). This allows you to flash the standard factory wallpapers, ring tones, games and other applications supplied as standard in the handset.

PM - PM (Permanent Memory). This is the DCT-4 equivalent of an “EPROM” but cannot be changed and reset easily. (DO NOT PLAY WITH THIS; YOU MAY DAMAGE YOUR PHONE!) Note: If you know what you are doing then you can work with the PM. For the examiner the PM is the area of interest: the Aux read of the PM, never a write, is what produces the .PM file discussed later in this paper.

ENABLE BT FLASHING - Flash the Bluetooth firmware (BT=Bluetooth)

BT HW - You can choose AUTO, OLD or NEW. The default is AUTO; however, in some cases such as the 7650 it is necessary to use the OLD option if the BT function does not work correctly.

UI OPTION - You can double click these items to execute each one individually and immediately.


SAVE USER SETTING - You can backup / save the main user settings before starting any job with the phone.

FULL UI DEFAULTS - Set the user setting back to defaults (Phone setting etc...)

FULL FACTORY DEFAULTS - Set the phone to the factory defaults settings, including resetting the wakeup graphics, security code, phone book etc.

SOFTWARE UPGRADE DEFAULTS - This should be done when you have upgraded to newer Software version.

INIT SIM LOCK - Unlock SP-Lock / Network lock

RESET USER LOCK - Set the user lock (Security Code) to the factory default “12345”

REBOOT IN NORMAL MODE - You can insert the SIM card and, after processing, the phone will reboot into normal operating mode. Use this to check normal operation. Please note that many USB ports cannot supply enough power for the phone to transmit, so the phone may shut down when trying to register with the network when using this feature. It is mainly to confirm the phone will power on, accept the SIM card, etc. For evidential work note that booting the handset into normal mode with a SIM in place lets it register on the network and alter its own memory, so this is not a step to take on an exhibit.

USER SETTING ITEMS

Phone Book - Save phone book

UI Setting - Save UI setting

Ringing Tones - Save ring tones

Graphic logos - Save logo and graphics

Write User Settings - Write back saved data

AUX FUNCTION

Read UEM - Create an *.ASK file

Write UEM - Write a *.RPL file

Write PM - Write a PM file

REMEMBER WITH THIS FUNCTION, YOU MAY DAMAGE YOUR PHONE. IF YOU KNOW WHAT YOU ARE DOING THEN YOU CAN PLAY WITH THIS PM. PLAY AT YOUR OWN RISK

Erase Flash - Erase the entire flash! Note: All flash will be erased, including the PM area. You may damage your phone!


Create INI file - Create the ini file to be used with “UI Options”. Creating ini files is made easy for you. After you choose the settings (MCU, PPM, UI), click CREATE INI. The next time you want to flash the selected model you have an already created ini file; you don’t need to select the MCU, PPM, etc., merely click FLASH or START. For a DEAD phone click FLASH, and for a normal phone click START.

FLASHING DCT-4 PHONES

The steps in this section write firmware to the handset; they are described here because the same interface serves the read, not because any of them belongs in an evidential acquisition. To flash a working DCT-4 phone: connect the cable and power on the phone. Select the correct model’s MCU and PPM (both must be of the same version), check the UI settings that you wish to apply and press START.

To flash only the PPM, choose the PPM version that matches the MCU version in the phone.

If you don't know the phone’s version, it is better before doing anything to power on the phone and press *#0000# to view the phone version, or with SarasSoft just click the INFO button. You will get the MCU and PPM version of the phone; select the matching PPM version and select Flash.

If the phone is DEAD, after selecting the MCU and PPM, uncheck Auto Detect and click the START button.

CNT = Content Pack. If you have this, it will flash the CNT to your phone.

CNT is the file which installs the original ring tones, wallpapers, graphics, etc. If you have failed to extract the CNT, your phone will not have wallpapers, ring tones, etc.

OBTAINING A HEX DUMP

The following screen captures show various points in obtaining a .PM file from a Nokia 7210. The .PM file and the PM Absolute will be covered in the second part of the primer.


The above picture shows the selection of the first record for the software to read.


This picture shows the selection of the last record (I chose 999999 to ensure all available records are read).

This last picture shows the file dump in progress. Once the read completes, hash the resulting file straight away and record the hash together with the box serial number and software version shown in the progress window; a dump that cannot be tied to the tool and session that produced it is hard to defend later.
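The checks an examiner would run on the dump file once the box reports the read complete, as an added example that is not part of the primer. It records the image hashes, maps which blocks still hold the erased state of NOR flash (every byte 0xFF), and diffs a second read of the same handset against the first, so that a flaky cable or an over-fast bus speed shows up as changed offsets instead of going unnoticed. READ_1 and READ_2 are constructed byte strings, not real acquisitions, and the 256-byte block size is chosen only to fit the sample; real images would use the chip’s sector size.

```python
"""Added example, not part of the primer: post-acquisition checks on a
flash dump (hashes, erased-block map, repeat-read comparison). The two
reads below are constructed, not captured from a handset."""
from __future__ import annotations
import hashlib

ERASED = 0xFF   # erased NOR flash reads back as all ones


def image_hashes(data: bytes) -> dict:
    """Digests to write in the notes next to the box serial and software
    version, so the file can later be tied to the session that produced it."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def erased_blocks(data: bytes, block: int = 4096) -> list[tuple[int, int]]:
    """(offset, length) of each run of whole blocks that read as all 0xFF."""
    runs, run_start = [], None
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        blank = chunk.count(ERASED) == len(chunk)
        if blank and run_start is None:
            run_start = off
        elif not blank and run_start is not None:
            runs.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, len(data) - run_start))
    return runs


def fill_ratio(data: bytes, block: int = 4096) -> float:
    """Fraction of the image that is not erased. Near 0.0 on a phone that was
    in use means the read did not return what the chip holds."""
    if not data:
        return 0.0
    blank = sum(length for _, length in erased_blocks(data, block))
    return 1.0 - blank / len(data)


def compare_reads(first: bytes, second: bytes) -> list[int] | None:
    """Offsets at which two reads of the same phone differ, or None when the
    lengths differ (an aborted or truncated read). A dump worth relying on
    reads the same twice; any difference is a reason to reseat the cable,
    drop the speed from FAST to NORMAL or SLOW, and read again before
    drawing conclusions from either file."""
    if len(first) != len(second):
        return None
    return [i for i, (a, b) in enumerate(zip(first, second)) if a != b]


def verify_dump(first: bytes, second: bytes, block: int = 4096) -> dict:
    """One-shot summary suitable for pasting into the acquisition notes."""
    diffs = compare_reads(first, second)
    return {
        "size": len(first),
        "hashes": image_hashes(first),
        "erased_runs": erased_blocks(first, block),
        "fill_ratio": fill_ratio(first, block),
        "reread_consistent": diffs == [],
        "differing_offsets": diffs,
    }


BLOCK = 256   # sample block size only; use the chip's sector size on real images
# Constructed first read: two erased blocks, one block of data, one erased block.
READ_1 = b"\xff" * 512 + b"\x00\x11\x22\x33" * 64 + b"\xff" * 256
# Constructed second read of the "same phone" with one bit flipped at offset 600.
READ_2 = bytearray(READ_1)
READ_2[600] ^= 0x01
READ_2 = bytes(READ_2)

if __name__ == "__main__":
    for key, value in verify_dump(READ_1, READ_2, BLOCK).items():
        print(f"{key}: {value}")
```

Two consistent reads do not prove the image is complete (a box can consistently read the wrong range), but a single inconsistent read is enough to stop and fix the transfer path before any interpretation starts.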

CONCLUSION

Part One of this Primer covered the whys and wherefores of hex dumping a phone. The second part of the Primer will cover how to interpret the hex dump once you have it. Discussed in the second part will be the difference between a PM and an Absolute PM and some tricks and tips regarding how to conduct forensic research on phones using the hex data.

ACKNOWLEDGEMENTS

I would like to thank Det. Brian Roach of the Kansas City Police Department for his invaluable advice and keen editorial eye in preparing this paper.

I’d also like to thank the folks at Phone Forensics for their mentorship and help. You are a very important part of the community and thanks for all that you do. Nil illegitimi carborundum.