Introduction to chip-off and JTAG
The chip-off technique describes the practice of removing a memory chip, or any chip, from a circuit board and reading it. The chips are often tested and programmed with the “JTAG” method. The term JTAG (Joint Test Action Group) is the original acronym and name of an IEEE group that set the standards for what would become the 1149.1 Standard Test Access Port and Boundary-Scan Architecture. In plain English, the group established a universally accepted means for testing wire-line interconnects on printed circuit boards. Today, the ports are used for testing integrated circuits, and they are the common test and debug interface for mobile devices and digital products.
These are not new concepts by themselves, and have in fact been in practice for several years in the integrated circuit (IC) programming and testing fields. However, a byproduct of both of these low-level access techniques is the ability to acquire raw data from the memory chip. For the mobile-device examiner, these practices offer another way to access and acquire the raw data from the memory chip.
Prior to engaging in the practice of chip-off or JTAG efforts for mobile-device forensics, a solid understanding of key characteristics of the mobile device’s structure is necessary to properly and successfully pursue these techniques. Particularly, the examiner must have a familiarity with modern mobile-devices’ configurations, the memory types, how they manage data internally, where memory chips are located, and how to identify JTAG connectors on the motherboard of a mobile device. Building this solid foundation of knowledge of where and how data is stored (and erased) is essential for the examiner heading down the chip-off or JTAG roads.
Additionally, a solid command of the skills for repair, dismantling, and chip removal is crucial to properly pursue these techniques.
In our mobile-device repair and chip-off and JTAG classes, our partners at Wild PCS teach students how to properly identify the components of a mobile device, disassemble and reassemble components, as well as how to properly remove and prepare the memory chips for reading. This is in addition to the education on how to repair a broken device to make it operational and examinable with today’s forensic tools. These hands-on skills are essential to anyone who is looking to recover data using chip-off or JTAG techniques.
Chip-off and JTAG are as far from push-button forensics as one can get, and examiners intent on pursuing these practices have to be educated, prepared, and very patient.
While not covered in this article, readers are strongly encouraged to learn and understand the following concepts:
- NAND Memory (TSOP and BGA)
- NOR Memory
- Volatile RAM
- Flash Translation Layer—Controller Chips
- Wear Leveling—Garbage Collection