JTAGs: a new approach to embedded forensics

As the title says, this is about JTAGs. What are JTAGs? In layman's language: since all processor designs are prone to screwups, they keep a port for testing and debugging, which is called JTAG. These ports, I believe, are also there on… well, memory chips and the like, but unlike on mobile processors they are not accessible, relatively speaking of course.

So you say… so what, right? I have a testing and debugging port, big deal… what do I do with it? Well, Mr. Breeuwsma from the Netherlands Forensic Institute published a paper (titled: Forensic Imaging of Embedded Systems using JTAG). This paper explains how you can use this little piece of functionality to get all the data off the memory chips of your mobile.

Wait, you said memory chips' JTAGs can't be accessed. True, but the JTAG port on the processor can be, and since the memory is connected to the processor, we can work out a way to read the data from the memory through the JTAG port of the processor.

To begin with, a JTAG port has three modes of operation: Normal, Extest and Debug. I have no clue what Normal does. Extest is obviously the testing mode, and Debug is, well… the debug mode. We are interested in the Extest and Debug modes, and I will discuss each of these in future posts.

Meanwhile, why JTAGs?
1. Forensically sound: since the memory is accessed directly, the data doesn't change.
2. Bypasses any user-level passwords.
3. Works for crashed systems.
4. Desoldering a chip works only for non-volatile chips, is risky and, in my view, is simply barbaric. JTAG analysis has none of these issues.
5. Works for SDRAM as well. (SDRAM cannot be removed from the board because it loses its data as soon as it loses power.)
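To make the mechanism behind points 1 and the "read memory through the processor's JTAG port" idea concrete, here is an added example that is not from this post or from Breeuwsma's paper: a Python simulation of a processor TAP (the IEEE 1149.1 state machine) whose boundary-scan register, in the Extest mode discussed above, drives the address and write-enable pins of a memory chip and samples its data pins. The host side walks the TAP through SAMPLE/PRELOAD (to load safe pin values first), then EXTEST, then images the whole chip one byte at a time and hashes the image. The class and function names (`Target`, `scan_dr`, `read_byte`, `image_memory`), the 4-bit instruction encodings, the pin layout, bus widths and `SAMPLE_MEMORY` contents are all constructed for the demo and describe no real processor; the write counter shows why the acquisition leaves the evidence unchanged (WE_n is never driven low).

```python
# Added example, not from the post or Breeuwsma's paper: a simulation of how a
# boundary scan (EXTEST) through a processor's JTAG port reads a memory chip
# wired to its pins. The TAP state machine is the IEEE 1149.1 one; the IR codes,
# pin layout, bus widths and memory contents are constructed for this demo.
from hashlib import sha256

# TAP controller: state -> (next state on TMS=0, next state on TMS=1)
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"), "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN": ("CAPTURE_DR", "SELECT_IR_SCAN"), "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"), "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"), "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"), "SELECT_IR_SCAN": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"), "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"), "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"), "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}
ADDR_BITS, DATA_BITS = 8, 8
EXTEST, PRELOAD, BYPASS = 0b0000, 0b0001, 0b1111      # constructed 4-bit IR encodings
# Boundary-scan register cells, TDI side first: ADDR[7..0], WE_n, DATA[7..0]
SAFE_VECTOR = [0] * ADDR_BITS + [1] + [0] * DATA_BITS  # WE_n high: memory is never written


class Target:
    """Processor TAP and boundary-scan register, with a parallel memory chip on its pins."""

    def __init__(self, memory):
        self.memory, self.writes = memory, 0
        self.state, self.ir, self.ir_shift, self.bypass = "TEST_LOGIC_RESET", BYPASS, 0, 0
        self.bsr_shift = list(SAFE_VECTOR)   # shift stage between TDI and TDO
        self.bsr_update = list(SAFE_VECTOR)  # update stage; drives the pins under EXTEST

    def _capture_bsr(self):
        cells = list(self.bsr_update)        # output cells sample the value they drive
        if self.ir == EXTEST:                # pins are scan-driven, so the memory answers
            addr = int("".join(map(str, cells[:ADDR_BITS])), 2)
            if cells[ADDR_BITS] == 0:        # WE_n low would alter the evidence
                self.writes += 1
            val = self.memory[addr]
            cells[ADDR_BITS + 1:] = [(val >> (DATA_BITS - 1 - i)) & 1 for i in range(DATA_BITS)]
        return cells

    def clock(self, tms, tdi):
        """One TCK cycle: do the current state's action, then move as TMS says."""
        s, tdo, bsr = self.state, 0, self.ir in (EXTEST, PRELOAD)
        if s == "TEST_LOGIC_RESET":
            self.ir = BYPASS
        elif s == "CAPTURE_DR":
            self.bsr_shift = self._capture_bsr() if bsr else self.bsr_shift
            self.bypass = 0
        elif s == "SHIFT_DR" and bsr:
            tdo, self.bsr_shift = self.bsr_shift[-1], [tdi] + self.bsr_shift[:-1]
        elif s == "SHIFT_DR":
            tdo, self.bypass = self.bypass, tdi
        elif s == "UPDATE_DR" and bsr:
            self.bsr_update = list(self.bsr_shift)
        elif s == "CAPTURE_IR":
            self.ir_shift = 0b0001              # 1149.1: captured IR value ends in 01
        elif s == "SHIFT_IR":
            tdo, self.ir_shift = self.ir_shift & 1, (self.ir_shift >> 1) | (tdi << 3)
        elif s == "UPDATE_IR":
            self.ir = self.ir_shift
        self.state = TAP_NEXT[s][tms]
        return tdo


def reset(tap):
    for tms in (1, 1, 1, 1, 1, 0):   # five TMS=1 clocks reach Test-Logic-Reset; then Idle
        tap.clock(tms, 0)

def load_instruction(tap, code):
    for tms in (1, 1, 0, 0):         # Idle -> Select-DR -> Select-IR -> Capture-IR -> Shift-IR
        tap.clock(tms, 0)
    for i in range(4):               # LSB first; TMS=1 on the last bit exits to Exit1-IR
        tap.clock(1 if i == 3 else 0, (code >> i) & 1)
    tap.clock(1, 0)                  # Exit1-IR -> Update-IR
    tap.clock(0, 0)                  # -> Idle

def scan_dr(tap, cells):
    """Shift `cells` into the selected data register; return what Capture-DR loaded."""
    for tms in (1, 0, 0):            # Idle -> Select-DR -> Capture-DR -> Shift-DR
        tap.clock(tms, 0)
    out = [tap.clock(1 if i == len(cells) - 1 else 0, bit) for i, bit in enumerate(reversed(cells))]
    tap.clock(1, 0)                  # Exit1-DR -> Update-DR: shifted values reach the pins
    tap.clock(0, 0)                  # -> Idle
    return out[::-1]                 # TDO delivers the last cell first

def read_byte(tap, addr):
    """Present `addr` with WE_n high on the processor's pins, then sample the data pins."""
    vector = [(addr >> (ADDR_BITS - 1 - i)) & 1 for i in range(ADDR_BITS)] + [1] + [0] * DATA_BITS
    scan_dr(tap, vector)                        # Update-DR drives the address
    captured = scan_dr(tap, vector)             # Capture-DR samples the memory's reply
    return int("".join(map(str, captured[ADDR_BITS + 1:])), 2)

def image_memory(memory):
    """Acquire every byte via the scan chain; return image, SHA-256 and write cycles seen."""
    tap = Target(memory)
    reset(tap)
    load_instruction(tap, PRELOAD)              # load safe pin values before taking the pins over
    scan_dr(tap, SAFE_VECTOR)
    load_instruction(tap, EXTEST)               # scan cells now own the pins, core is isolated
    image = bytes(read_byte(tap, a) for a in range(1 << ADDR_BITS))
    return image, sha256(image).hexdigest(), tap.writes

SAMPLE_MEMORY = bytes((i * 37 + 11) & 0xFF for i in range(256))   # constructed chip contents
```

Calling `image_memory(SAMPLE_MEMORY)` returns the acquired bytes, their SHA-256 for the evidence record, and a write count of zero. Two scans per byte is deliberately unoptimised: a real acquisition pipelines them, shifting the next address in while the previous data shifts out, and uses the processor's BSDL file to learn the cell order and safe values that are hard-coded here.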

Blah blah blah… I think I have made my point. This is not foolproof, not by a long shot, but it looks extremely promising…
