MediaTek Inc. is one of the largest smartphone chipmakers in the world. Recognizing this, Oxygen Forensic Detective offers data extraction for Android devices based on MTK chipsets. The extraction method relies on a low-level proprietary protocol designed for firmware updates and recovery of MTK-based devices; because it operates below the Android OS, it permits extraction from password-locked devices. Oxygen Forensic Detective currently supports more than 100 variants of MTK chipsets.
How It Works
The device must be put into BOOT ROM (BROM) mode before extraction begins. In this mode the MTK device exchanges data with the PC over the proprietary protocol. The window is short: if the device receives no response from the PC within 1 second, it turns off and switches back to USB charging mode.
For this mode to work reliably, we recommend installing the MTK driver included with the product. If the driver is installed correctly, the extraction proceeds. Otherwise, reinstall the driver or obtain the correct driver for the device and repeat the process. Some devices do not work with the standard driver and require a special driver from the manufacturer.
In BROM mode, basic information about the hardware of the MTK device under investigation can be acquired. To read the memory dump, a special loader (a Download Agent, or DA file) is loaded into RAM, which puts the MTK device into Download Agent (DA) mode. This operation does not modify the device firmware and is therefore safe for the device and for data preservation.
DA mode provides a higher-level device interaction API with commands for reading the physical dump of the device. To support devices that do not work with the standard DA file, a third-party DA file can be loaded in Oxygen Forensic Detective.
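The BROM entry described above, shown as a host/device exchange. This is an added example, not Oxygen Forensic code or any MediaTek source: the handshake bytes (A0 0A 50 05, each answered by the device with its bitwise complement) and the GET_HW_CODE command (0xFD, echoed and followed by a 16-bit hardware code and 16-bit status) are the publicly documented BROM protocol as implemented by open-source tools such as mtkclient; the 1-second window is the behaviour the page describes. The device is a simulated test double with an injectable clock, so the exchange runs offline; the MT6797 hardware code 0x6797 is used for the sample device.

```python
"""Host side of the MTK BROM handshake against a simulated device."""
import struct
from typing import Callable, Optional

BROM_HANDSHAKE = b"\xa0\x0a\x50\x05"   # host -> device, one byte at a time
CMD_GET_HW_CODE = 0xFD                # first BROM command most tools issue
BROM_WINDOW_SEC = 1.0                 # device waits this long for the PC (per page)


class SimulatedBromDevice:
    """Test double for a phone in BROM mode: complement-echo handshake, then GET_HW_CODE."""

    def __init__(self, hw_code: int, clock: Callable[[], float], powered_on_at: float):
        self.hw_code = hw_code
        self.clock = clock
        self.window_end = powered_on_at + BROM_WINDOW_SEC
        self.handshake_pos = 0
        self.in_brom = False      # handshake completed
        self.charging = False     # fell back to USB charging; port is gone
        self._tx = bytearray()    # bytes queued for the host to read

    def write(self, data: bytes) -> None:
        for b in data:
            if self.charging:
                return
            # Nothing heard from the PC inside the window: drop to charging mode.
            if not self.in_brom and self.clock() > self.window_end:
                self.charging = True
                return
            if not self.in_brom:
                if b == BROM_HANDSHAKE[self.handshake_pos]:
                    self.handshake_pos += 1
                    self._tx.append(b ^ 0xFF)      # BROM answers with the complement
                    self.in_brom = self.handshake_pos == len(BROM_HANDSHAKE)
                else:
                    self.handshake_pos = 0         # out of sync: start over
                continue
            if b == CMD_GET_HW_CODE:
                self._tx.append(b)                 # command byte is echoed first
                self._tx += struct.pack(">HH", self.hw_code, 0x0000)  # hw_code, status

    def read(self, n: int) -> bytes:
        out = bytes(self._tx[:n])
        del self._tx[:n]
        return out


def brom_handshake(dev) -> bool:
    """Send the handshake byte by byte; each byte must come back complemented."""
    for b in BROM_HANDSHAKE:
        dev.write(bytes([b]))
        if dev.read(1) != bytes([b ^ 0xFF]):
            return False
    return True


def get_hw_code(dev) -> Optional[int]:
    """GET_HW_CODE: expect the echoed 0xFD, then big-endian hw_code and status."""
    dev.write(bytes([CMD_GET_HW_CODE]))
    if dev.read(1) != bytes([CMD_GET_HW_CODE]):
        return None
    payload = dev.read(4)
    if len(payload) != 4:
        return None
    hw_code, status = struct.unpack(">HH", payload)
    return hw_code if status == 0 else None


def connect(dev) -> Optional[int]:
    """Full BROM entry: handshake, then read the chipset's hardware code."""
    return get_hw_code(dev) if brom_handshake(dev) else None


def demo(host_delay_sec: float) -> Optional[int]:
    """Power on a simulated MT6797 (hw_code 0x6797) and let the host react after host_delay_sec."""
    now = [0.0]
    dev = SimulatedBromDevice(0x6797, clock=lambda: now[0], powered_on_at=0.0)
    now[0] = host_delay_sec          # time the PC needed to open the COM port
    return connect(dev)


if __name__ == "__main__":
    print("host ready in 0.2 s:", hex(demo(0.2) or 0))   # handshake succeeds
    print("host ready in 1.5 s:", demo(1.5))             # device already charging
```

Against real hardware the same write/read calls go to the serial port the driver exposes, and they have to happen inside the 1-second window, which is why the extraction tool keeps polling for the port to appear rather than waiting for the user to click.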
Full Disk Encryption
Android offers full encryption of the device's storage, and it is commonly enabled. MTK-based devices generally use the mechanism known as Full Disk Encryption (FDE), with encryption performed using hardware support.
If the memory of an MTK device is encrypted, the extracted physical dump is encrypted as well, and the user has to enter or recover the password to decrypt the data. If Secure Startup is disabled in the OS settings, the system uses the default password (default_password), which is standard Android behavior, so no user secret is needed for that step.
It is worth noting that the cheaper MTK chips lack a number of the hardware cryptography modules. The ability to encrypt memory is therefore removed from the firmware of these highly affordable MTK devices, so the probability of encountering a device with unencrypted memory is high.
Starting with Android 5.0, the full-disk encryption (FDE) scheme changed significantly. In particular, the hardware-bound key prevents password recovery based only on the information stored in the extracted physical dump. At the same time, some Android 5.0+ MTK devices do not implement hardware key storage. These devices use the old software-only encryption scheme, and their password can be brute-forced offline using the Passware module in Oxygen Forensic Detective. Currently, only the Helio line of MTK chipsets, starting with the Helio X20 (MT6797), has a full implementation of hardware key storage.
Extracting Hardware Encryption Keys
For some devices with hardware-backed encryption there is a solution: our software incorporates a special exploit that extracts the hardware encryption key, after which the data can be decrypted.
The General Process:
- Connect the device in MTK mode; information about the chipset is available upon connection
- Extract physical dump
- Check whether the dump is encrypted
- Check the dump encryption type
- If hardware-backed key encryption is used and the chipset is vulnerable, extract the hardware-backed key
- Brute-force or enter the password if Secure Startup mode is activated
- Let the software build the dump decryption key from the extracted encryption keys and the password, then decrypt the dump.
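The key-building step above, and the reason given under Full Disk Encryption that a hardware-bound key rules out password recovery from the dump alone, worked through in code. This is an added example, not Oxygen Forensic, Passware or Android code. It follows the derivation Android's vold uses for FDE: scrypt(password, salt) yields the intermediate key; on Android 5.0+ devices with hardware key storage (footer kdf_type KDF_SCRYPT_KEYMASTER) that value is signed by the device's keymaster key and scrypt'ed again; the password is verified by comparing scrypt(intermediate key) with the footer's scrypted_intermediate_key field. Two things are assumptions made so the example runs offline with the standard library: the footer is a Python dict holding only the crypt_mnt_ftr fields used here, and the keymaster RSA-2048 signature is replaced by an HMAC keyed with a per-device secret. The constructed footers use small scrypt factors; shipping footers use n_factor 15.

```python
"""Android FDE password check: software-only versus hardware-bound footers."""
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

KDF_SCRYPT = 2             # software-only scrypt (no hardware key storage)
KDF_SCRYPT_KEYMASTER = 5   # scrypt -> keymaster signature -> scrypt (Android 5.0+)
DEFAULT_PASSWORD = "default_password"   # what Android uses when Secure Startup is off
IKEY_LEN = 32              # 16-byte AES-128 key + 16-byte IV that unwrap the master key

Signer = Callable[[bytes], bytes]


def _scrypt(data: bytes, footer: dict) -> bytes:
    n, r, p = (1 << footer[k] for k in ("n_factor", "r_factor", "p_factor"))
    # Real footers (n_factor 15, r_factor 3, p_factor 1) need ~32 MiB, above OpenSSL's
    # default limit, so size maxmem from the parameters instead of relying on it.
    return hashlib.scrypt(data, salt=footer["salt"], n=n, r=r, p=p,
                          maxmem=256 * r * (n + p + 2), dklen=IKEY_LEN)


def derive_intermediate_key(password: str, footer: dict,
                            hw_sign: Optional[Signer] = None) -> bytes:
    """Key material that unwraps the footer's encrypted master key."""
    ikey = _scrypt(password.encode(), footer)
    if footer["kdf_type"] == KDF_SCRYPT:
        return ikey
    if footer["kdf_type"] == KDF_SCRYPT_KEYMASTER:
        if hw_sign is None:
            # The dump alone is not enough: the device key is part of the KDF.
            raise LookupError("hardware-bound footer: device key required")
        return _scrypt(hw_sign(ikey), footer)
    raise ValueError("unsupported kdf_type %d" % footer["kdf_type"])


def password_matches(password: str, footer: dict, hw_sign: Optional[Signer] = None) -> bool:
    """vold's check: scrypt(intermediate key) must equal scrypted_intermediate_key."""
    ikey = derive_intermediate_key(password, footer, hw_sign)
    return hmac.compare_digest(_scrypt(ikey, footer), footer["scrypted_intermediate_key"])


def brute_force(footer: dict, candidates: Iterable[str],
                hw_sign: Optional[Signer] = None) -> Optional[str]:
    """Return the first candidate that verifies, or None."""
    for cand in candidates:
        if password_matches(cand, footer, hw_sign):
            return cand
    return None


def make_footer(password: str, kdf_type: int, hw_sign: Optional[Signer] = None) -> dict:
    """Constructed footer (assumption: dict, not the binary crypt_mnt_ftr layout)."""
    footer = {"kdf_type": kdf_type, "salt": os.urandom(16),
              "n_factor": 8, "r_factor": 3, "p_factor": 1,   # small for a fast demo
              "scrypted_intermediate_key": b""}
    footer["scrypted_intermediate_key"] = _scrypt(
        derive_intermediate_key(password, footer, hw_sign), footer)
    return footer


def device_signer(device_secret: bytes) -> Signer:
    """Stand-in for the keymaster RSA-2048 signature bound to the SoC (assumption)."""
    return lambda data: hmac.new(device_secret, data, hashlib.sha256).digest()


def pin_space() -> Iterable[str]:
    return ("%04d" % i for i in range(10000))        # full 4-digit PIN space


def demo() -> dict:
    results = {}
    # Software-only footer: everything needed is in the dump, offline brute force works.
    sw = make_footer("0137", KDF_SCRYPT)
    results["software_pin"] = brute_force(sw, pin_space())
    # Hardware-bound footer: the same attack cannot even start without the device key...
    secret = os.urandom(32)          # what the BROM-mode exploit would have to extract
    hw = make_footer("0137", KDF_SCRYPT_KEYMASTER, device_signer(secret))
    try:
        brute_force(hw, pin_space())
        results["offline_without_key"] = True
    except LookupError:
        results["offline_without_key"] = False
    # ...and succeeds once the extracted key is supplied alongside the dump.
    results["hardware_pin"] = brute_force(hw, pin_space(), device_signer(secret))
    # Secure Startup off: Android used default_password, so no user secret is needed.
    ds = make_footer(DEFAULT_PASSWORD, KDF_SCRYPT_KEYMASTER, device_signer(secret))
    results["default_password_ok"] = password_matches(DEFAULT_PASSWORD, ds, device_signer(secret))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the code makes is structural rather than cryptographic: with KDF_SCRYPT every input to the check is in the footer, so the candidate loop runs on any machine; with KDF_SCRYPT_KEYMASTER one input lives only in the SoC, and the loop is impossible until that key is read out of the device, which is exactly the step the exploit supplies.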
For some MTK chipsets there are two protection methods, which can be used together or separately:
- Signed DA file
- Valid .auth file
Protection using the .auth file works as follows:
- The manufacturer stores a secret key in the device
- The device requests a special .auth file before it allows login to BROM
- The device validates the .auth file using the secret key mentioned above
- Access to BROM is allowed only if the .auth file is valid
Thus, on protected devices a signed DA file and/or a valid .auth file are needed to log in to BROM.
The purpose of this protection is to restrict ordinary users' access to the firmware service mode or recovery. As a consequence, it also prevents forensic software from accessing the data. Devices with BROM protection enabled account for approximately 20% of devices on the market. Unfortunately, these 20% include the most popular devices from well-known manufacturers such as Meizu, Huawei, and Asus. If the manufacturer has enabled BROM protection on the device, our software will not be able to extract data. Models released before 2014 usually lack BROM protection.
Some manufacturers block BROM mode entirely, making it impossible to read the device with this method. To determine whether BROM mode is blocked on a particular phone, open Device Manager and connect the MTK device. If the device appears in Device Manager, BROM mode is not blocked; if it does not appear, the mode is blocked. Make sure the MTK driver is installed before performing this check, since without it the device will not appear in Device Manager in any case.
Instructions for MTK Android Dump
1. Select the MTK Android Dump method in Oxygen Forensic Extractor and follow the displayed instructions. The software will search for the connected device.
2. Connect the device to the PC with a USB cable. Once connected, the device opens its COM port for about 1 second and waits for a command from the PC. Make sure the corresponding drivers are installed.
3. The physical dump extraction of the device's memory will begin. If the device's memory is encrypted with hardware-backed keys, a screen will appear describing the data decryption process. Disconnect the device from the PC before starting the exploit.
4. The software will search for the connected device, read the encryption keys, and start the password check.
5. Reconnect the device to the PC with a USB cable, wait for the exploit to finish, and click Next.
6. If Secure Startup mode is activated, enter the user password if it is known. If no user password is available, the password must be brute-forced with Passware Kit Mobile to decrypt the data.
7. The decryption key is generated from the password and the acquired encryption keys.
8. Data extraction from the Android physical image then begins.