The problem that has been plaguing investigators is the fact Android devices offer different mechanisms of data protection. For this reason, it is almost impossible to develop a single method of extracting and decrypting a device’s data. Of course, in many cases data extraction is possible, but often the data is still encrypted. There has been a lot of buzz about EDL from manufactures of forensic software as well as investigators. Let’s take a look at what EDL is and how it can be used in mobile forensics.
What is EDL?
SoC (System on Chip) mobile phone manufacturers usually provide special modes designed for debugging, diagnostics or recovery. In this instance, Qualcomm-based devices have an EDL (Emergency Download Mode) mode. In this built in testing interface it is possible to obtain access to low level memory read-write functions. This access applies to both ROM and RAM
Is attaching the device to a USB connector enough to start the extraction?
To place a device into EDL mode there is not a one-size fits all approach; it is often all over the place. With several ways to switch the device into emergency download (EDL) mode the investigator is often relegated to scanning the pages of the internet because of the various methods, often different for each device. There are both software approaches and hardware approaches.
- ADB (Android Debug Bridge). If the device is unlocked and adb mode is on you can issue the command “adb reboot edl” from a command line.
- Fastboot. Switch the device to fastboot mode by holding Power and Vol- at the same time (the key combination can be different for each device) and run the command “fastboot oem edl”.
Key combination method (combination depends on the device model). You need to turn the device off, plug the USB cable into the PC, but not the device. Push and hold Vol- and Vol+ at the same time and, while holding them, plug the other end of the USB cable into the device. Hold the keys for 3-5 seconds, the device should enter EDL mode. What is more, holding down the “#” button and connecting the device via USB is enough to switch many Qualcomm push-button phones to EDL mode. This method works on many KaiOS Qualcomm devices, including Jio Phone 1.
- EDL cable. Specialized cables can be used to switch the device into EDL mode. These cables are available online, or if you have an Oxygen Forensic Cable Kit they are included.
- Shorting the pins. This method, also known as “shorting test points,” requires technical experience, and often phone disassembly. To switch the phone to EDL, metal tweezers for mobile phone repair or a piece of wire are often used to short/connect the test points. This is not advised unless the investigator has electrical component assembly/disassembly experience.
It is possible to find advise on shorting test points in the Internet. To do so, type the following into the search field:
<device name>, test points, testpoint, 9008, EDL.
Will extraction start immediately after putting the device in EDL mode?
After putting the device in EDL mode a special programmer has to be uploaded to the device. Only after uploading it into the device RAM, will it be possible to start extracting data using the Firehose protocol.
Most Qualcomm-based devices check the programmer’s electronic signature. That’s why a file for another device, even if it is based on the same processor, typically will be of little use. What we know; the manufacturers themselves aren’t too eager to share any of those files with software providers. Offering the most up to date profiles in Oxygen Forensic® Detective, we are now at 500 such files for different Qualcomm devices.
If I found a programmer for model X myself, would it be of use?
The good news is that programmers depend only on the device model, and, if such a file is found, investigators can use it in any software that offers support for extraction via EDL mode. This is one of the reasons Oxygen Forensic Detective allows an investigator to upload any programmer file in using Oxygen Forensic® Detective.
Does this mean that all forensic software offers the same solution and the only difference between them is in the set of those programmers?
In most cases, when the software manufacturer claims they support EDL extraction, it means that the software can upload the corresponding programmer into the device and use it to extract physical dump and not necessarily support the unique ability to add a programmer not shipped with the software package.
What if there is no programmer available?
Some Qualcomm SoCs have a critical vulnerability in the PBL (Primary Boot Loader) that allows an unsigned programmer to be loaded into the device. Oxygen Forensic® Detective uses a specially designed exploit that is based on this vulnerability. Our software offers the ability to upload to the devices with MSM8909, MSM8916, MSM8939 and MSM8952 chipsets a corresponding generic programmer and start the extraction.
Is unique one-for-all exploit for EDL extraction possible?
Most of the solutions, claiming support or simply the possibility of it, rely on the abovementioned vulnerability. This is evidenced by the list of processors for which EDL mode is supported regardless of the presence of the programmer.
What if the phone is encrypted?
The memory of the most modern devices are encrypted, and an encrypted dump is often useless by itself.
Starting with Android 7.0, device memory is encrypted by default, using a hardware key, when SoC allows it. Qualcomm was one of the first to include hardware key encryption in its SoCs and since 2014 all Qualcomm SoCs for Android devices support it. On some devices that have not passed Google certification, an outdated encryption scheme without a hardware key can be used, but those are mainly noname devices from Chinese manufactures. Thus, the vast majority of modern Qualcomm devices are encrypted using a hardware key. To decrypt the data, a hardware key and password from the device lock screen (if one has been set) are needed.
Currently, two fundamentally different approaches are used to decrypt data from these devices. However, both approaches are based on the same vulnerability that bypasses the integrity checks when booting Qualcomm-based devices. The first option involves modification of the bootloader (function which loads the Android OS), so that the device switches on seemingly normal but with the extra communication ability (e.g., root-privileged,adb on). Since the system is fully loaded, the user partition is mounted in decrypted form as dm-0. In this instance the decryption is performed automatically by the operating system itself. This is a universal approach, but it does not work if ‘Secure startup’ mode is enabled. If this mode is on, entering the lock screen password is needed to boot the system. If it is unknown, there will be no passing through the locked screen and the system will not load. If the files do not load the files will not be decrypted and transferred.
It is worth mentioning that the initial approach covered still operates if the device is password-protected, but Secure startup mode is off. The reasoning behind this is if Secure startup is off, the phrase ‘default_password’ is used as the default password, allowing the system to fully boot and mount the dm-0 before the user password is entered. If Secure startup is on, the user-created password is used for encryption and the system does not boot unless it’s entered. Utlizing Secure startup still remains at the discretion of the user and some manufacturers for some reason hide it in the settings, and complicate the procedure of switching it on in various ways.
How does Oxygen Forensic® Detective work with encryption?
The unique approach, adopted by our company, is slightly more complicated and is based on a TrustZone modification. We know the hardware key is often used to encrypt user data, and is stored within TrustZone. Our approach exploits the vulnerability of booting the device with a modified TrustZone. By doing this we are able to execute our code within TrustZone and extract the hardware key. Then, if the Secure startup option is disabled, we immediately decrypt the dump using the default password. If Secure startup mode is on, it is possible to brute-force the password offline (involving external computing power), since the hardware key has already been extracted.
Note: in Qualcomm chips, TrustZone contains an error in the implementation of cryptography, sometimes allowing to decrypt the dump without knowing the password, but while having a hardware key. The vulnerability works in 2-4% of the cases. Thus, the dump with Secure startup mode on could still be decrypted without knowing the password.
This means support of EDL extractions of MSM8937 devices in various forensic solutions could differ?
Some solutions only extract encrypted physical dumps, which is completely useless. Some can extract data from only those device models where a programmer was found and some can decrypt the data only if Secure startup is off.
Take a look into what Oxygen Forensic Detective can do for your investigations into devices using EDL mode.