Android Mobile Forensics, Recovery, & Debugging

Tutorial: From Locked Device to Raw Data – A Step-by-Step JTAG/ISP Forensics Workflow


Introduction: Unlocking the Unseen with JTAG/ISP Forensics

In mobile forensics, locked or badly damaged Android devices are a routine obstacle. Logical and file-system methods such as ADB, custom recoveries, or bootloader exploits fall short when the software is corrupted, the screen or USB port is dead, USB debugging is off, or the bootloader is locked. Hardware-level extraction through Joint Test Action Group (JTAG) and In-System Programming (ISP) sidesteps the operating system entirely and reads the device's flash memory directly. Be precise about what that buys you: you obtain the raw contents of the storage regardless of the OS state, but you do not defeat encryption; an encrypted userdata partition comes out as ciphertext and has to be dealt with separately (see Challenges and Considerations below). This tutorial walks through a complete JTAG/ISP workflow for locked Android devices, so that evidence can still be recovered when the usual avenues are exhausted.

Understanding the underlying principles matters. JTAG, standardized as IEEE 1149.1, was designed for board-level testing of integrated circuits, but the same Test Access Port gives a debug interface into the SoC: with the CPU halted, the box drives the memory controller and reads the flash through it. ISP, in the eMMC context, bypasses the SoC altogether: with the processor unpowered or held in reset, the box talks to the eMMC package directly over its SD/MMC-style bus (CMD, CLK, DAT0 and the supply rails), which is why only a handful of test points are needed. This works because eMMC contains its own flash translation layer, so what you read is a clean sequence of 512-byte logical sectors. Two caveats: raw NAND read through JTAG arrives as physical pages with spare (OOB) areas and needs ECC and wear-levelling reconstruction before any file system is visible; and UFS storage, which newer flagships use, runs over high-speed differential M-PHY lanes and is not practically reachable with ISP-style wiring, so those devices generally require chip-off with a UFS reader instead. In all cases the product is a bit-for-bit image of the non-volatile memory, which is then analysed for forensic artifacts.

Prerequisites and Essential Tools

Before embarking on JTAG/ISP extraction, ensure you have the following:

  • Technical Skills: Proficient soldering skills (micro-soldering is often required), understanding of electronics, and familiarity with mobile device architectures.
  • Hardware Tools: Soldering station (fine tip), multimeter, magnifying lamp/microscope, various wires (e.g., 30 AWG Kynar wire), and a device-specific JTAG/ISP adapter or box (e.g., RIFF Box 2, Easy JTAG Plus, UFI Box).
  • Software Tools: JTAG/ISP software suite (provided with your hardware box), hex editor, and a forensic analysis tool (e.g., UFED Physical Analyzer, Autopsy, EnCase, FTK Imager).
  • Reference Materials: Device schematics, service manuals, or known good pinouts for your target device model.

Step-by-Step JTAG/ISP Forensics Workflow

1. Device Identification and Research

The first critical step is accurate device identification. Determine the exact make, model, and variant of the Android device; board revisions of the same model can have different test point locations. This information is vital for locating the JTAG Test Access Port (TAP) pads or the eMMC ISP test points. Research online forums, manufacturer service manuals, or forensic databases for schematics and known pinouts. Incorrectly identifying points can lead to device damage.

2. Physical Access: Device Disassembly

Carefully disassemble the Android device to expose the main logic board. Document each step with photographs to ensure proper reassembly if necessary. Pay close attention to ribbon cables, screws, and adhesive to avoid damage. The goal is to gain clear, stable access to the target JTAG or ISP points on the PCB.

3. Connecting to JTAG/ISP Points

This is arguably the most delicate step. Based on your research, identify the specific JTAG Test Access Port (TAP) signals (TCK, TMS, TDO, TDI, TRST, RTCK, GND) or eMMC ISP points (CMD, CLK, DATA0, VCC, VCCQ, GND). Use a fine-tipped soldering iron and thin Kynar wire (typically 30 AWG) to solder directly to these points on the PCB, keeping the runs as short as practical: the eMMC bus is a single-ended clocked interface, and long leads are the most common cause of failed or corrupt reads. Ensure strong, clean solder joints for stable electrical connections, and before powering anything check with the multimeter that no pad is shorted to ground or to its neighbour. Remove the battery and do not connect the phone's own charger: the box supplies VCC and VCCQ to the flash, and with the device's own power removed the SoC stays inactive and cannot compete with the box for the eMMC bus (some boards additionally need the reset line held, which the pinout reference will note). Alternatively, some devices have exposed pads where pogo pins can be used for a non-destructive connection, though this is less common for ISP.

Example JTAG Pinout (Generic):

  • TCK (Test Clock)
  • TMS (Test Mode Select)
  • TDI (Test Data In)
  • TDO (Test Data Out)
  • TRST (Test Reset, optional)
  • RTCK (Return Test Clock, optional; used for adaptive clocking on some ARM cores)
  • GND (Ground)
  • VREF (Voltage Reference, optional)

Example eMMC ISP Pinout (Generic):

  • CMD (Command Line)
  • CLK (Clock Line)
  • DATA0 (Data Line 0)
  • VCC (Core Voltage, often 2.8V-3.3V)
  • VCCQ (I/O Voltage, often 1.8V-3.3V)
  • GND (Ground)

4. Connecting the JTAG/ISP Adapter

Once the wires are securely soldered to the device's PCB, connect them to the corresponding pins on your JTAG/ISP hardware box. Double-check all connections before proceeding: use the multimeter to confirm continuity from each wire to its pad and the absence of shorts between adjacent lines or to ground, because a swapped CMD/DATA0 pair or a VCC line shorted to ground is discovered the hard way once power is applied. Configure your JTAG/ISP software to recognize the connected adapter and specify the target device's power settings (VCC, VCCQ) if required; the values come from the eMMC datasheet or the pinout reference, not from guesswork. Many boxes automatically identify common eMMC chips from the CID register once the bus comes up.

5. Software Configuration and Data Acquisition

Launch your JTAG/ISP software (e.g., RIFF Box 2 JTAG Manager, Easy JTAG Plus software). The software should allow you to configure the connection speed and voltage; start with a low clock and raise it only once detection is stable. After successful chip detection, initiate the data extraction process. You will typically have options to read the entire physical memory dump (raw data) or specific partitions. Always opt for a full physical dump of the user area. Most boxes can also read the eMMC hardware boot partitions (BOOT1/BOOT2), which hold early bootloader stages on many devices; capture those as separate files as well.

A typical data acquisition sequence might look like this within the software:

  1. Connect the JTAG/ISP box to the PC via USB.
  2. Launch the JTAG/ISP software.
  3. Select the correct ‘Target Device’ or ‘Chip Type’ if prompted.
  4. Click ‘Check Connection’ or ‘Detect eMMC/UFS’. The software should report successful connection and display chip information (manufacturer, size, etc.).
  5. Select ‘Read Full Flash’ or ‘Read Physical Dump’.
  6. Specify the output file path and format (usually raw binary .bin or .img).
  7. Click ‘Start Read’.

The extraction process can take several hours depending on the storage size (e.g., 64GB, 128GB) and the stability of the connection. Monitor the progress and error logs closely. If errors occur, check solder joints, shorten the wires, and lower the clock speed. Once the read completes, compute a SHA-256 (plus whatever your lab procedure requires) over the image immediately and record it in your notes; where time allows, read the chip a second time and confirm the hashes match, since a silent bit error from a marginal connection otherwise goes unnoticed until a file system fails to parse.

6. Data Parsing and Forensic Analysis

Once the raw data dump (e.g., raw_data.bin) is acquired, the next phase is parsing and analysis. For eMMC this image is the logical sector sequence as the controller presents it, which includes file-system structures, slack and unallocated space, and therefore much deleted data. Two limits apply: sectors the OS has already discarded (TRIM) are normally returned as zeros by the controller and are not recoverable this way, and the physical NAND behind the flash translation layer is not visible at all. Work only on a read-only copy: load the image into your preferred forensic analysis tool (e.g., UFED Physical Analyzer, Autopsy, FTK Imager), or mount partitions with the ro option, and re-verify the hash when analysis is complete.

These tools will help you:

  • Reconstruct File Systems: Identify and reconstruct various file systems (e.g., EXT4, F2FS, YAFFS2) present on the device.
  • Extract User Data: Recover contacts, call logs, SMS, multimedia files, application data, browsing history, and more.
  • Perform Keyword Searches: Search for specific terms, email addresses, or phone numbers across the entire raw image.
  • Analyze Deleted Data: Scrutinize unallocated space for fragments of deleted files or artifacts.
  • Assess Encryption: A raw image does not bypass encryption. With full-disk encryption, userdata is ciphertext and the only plaintext is the crypt footer (key material, salt, KDF type). If the key was derived purely from the PIN/pattern with PBKDF2 or scrypt (Android 4.4 and earlier), offline guessing against that footer is feasible; from Android 5.0 the derivation is bound to a hardware Keymaster key and must run on the original device. With file-based encryption (Android 7.0 and later), the file-system structure is intact but file names and contents under the encrypted directories are per-user encrypted. What remains in the clear, and still carries useful artifacts, is the boot, system and vendor partitions, bootloader stages, and unencrypted metadata.

Example Command for Basic Disk Image Analysis (Linux):

# Use 'file' to determine the image type (a raw dump usually just reports 'data')
file raw_data.bin

# List partitions with 'mmls' (The Sleuth Kit) or 'fdisk -l'; both read the GPT from the image
# and report start positions in 512-byte sectors
mmls raw_data.bin
fdisk -l raw_data.bin

# Mount one partition read-only at a known start sector
mount -o ro,loop,offset=$((PARTITION_OFFSET * 512)) raw_data.bin /mnt/forensics

Replace PARTITION_OFFSET with the start sector of the desired partition as reported by mmls or fdisk; the $((...)) arithmetic multiplies it by 512 bytes per sector to produce the byte offset that mount expects. Mount read-only (ro) so the analysis host never writes journal replays or access times into the evidence image.
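To make the offset arithmetic above concrete, here is an added example (not code from the original tutorial) that parses the GPT of a raw dump directly, falls back to the backup GPT when the primary copy is unreadable, and prints the byte offset each mount command needs. The image it operates on is constructed in code; the partition names, sizes and the raw_data.bin file name are assumptions for illustration.

```python
"""Parse the GPT of a raw eMMC dump and list partitions with byte offsets.

Added example for this tutorial; the sample image is constructed in code,
not taken from a device. eMMC exposes 512-byte logical sectors, which is
the unit the GPT and the mount offset in the text are expressed in.
"""
import hashlib
import mmap
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
ENTRIES, ENTRY_SIZE = 128, 128   # layout used by the constructed sample


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def load_image(path):
    """Memory-map a multi-GB dump instead of reading it all into RAM."""
    with open(path, "rb") as f:
        return mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)


def parse_gpt(image, sector=SECTOR):
    """Return {'source': 'primary'|'backup', 'partitions': [...]}.

    The primary header is at LBA 1. If its signature or either CRC is bad,
    which a flaky ISP read can cause, fall back to the backup header in the
    last sector; it points at its own copy of the entry table.
    """
    for lba in (1, len(image) // sector - 1):
        hdr = bytes(image[lba * sector:lba * sector + 92])
        if hdr[:8] != GPT_SIGNATURE:
            continue
        hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
        # the header CRC is computed with the CRC field itself zeroed
        if crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != stored_crc:
            continue
        entries_lba, n, esize, table_crc = struct.unpack_from("<QIII", hdr, 72)
        table = bytes(image[entries_lba * sector:entries_lba * sector + n * esize])
        if crc32(table) != table_crc:
            continue
        parts = []
        for i in range(n):
            e = table[i * esize:(i + 1) * esize]
            if e[:16] == b"\0" * 16:            # unused entry
                continue
            first, last = struct.unpack_from("<QQ", e, 32)
            parts.append({
                "name": e[56:128].decode("utf-16-le").rstrip("\0"),
                "type": str(uuid.UUID(bytes_le=e[:16])),
                "offset": first * sector,        # byte offset for mount -o offset=
                "size": (last - first + 1) * sector,
            })
        return {"source": "primary" if lba == 1 else "backup", "partitions": parts}
    raise ValueError("no valid GPT header found")


def build_sample_image(n_sectors=2048, sector=SECTOR):
    """Constructed 1 MiB dump: protective MBR, primary GPT, 3 partitions, backup GPT."""
    img = bytearray(n_sectors * sector)
    img[446:462] = bytes([0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 0, 0, 0]) + struct.pack("<I", n_sectors - 1)
    img[510:512] = b"\x55\xAA"
    layout = [("boot", 34, 97), ("system", 98, 1097), ("userdata", 1098, n_sectors - 35)]
    table = bytearray(ENTRIES * ENTRY_SIZE)
    linux_data = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4").bytes_le
    for i, (name, first, last) in enumerate(layout):
        off = i * ENTRY_SIZE
        table[off:off + 16] = linux_data
        table[off + 16:off + 32] = uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le
        struct.pack_into("<QQ", table, off + 32, first, last)
        table[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    table_crc = crc32(bytes(table))

    def header(my_lba, alt_lba, entries_lba):
        h = bytearray(92)
        h[:8] = GPT_SIGNATURE
        struct.pack_into("<II", h, 8, 0x00010000, 92)                  # revision 1.0, header size
        struct.pack_into("<QQQQ", h, 24, my_lba, alt_lba, 34, n_sectors - 35)
        h[56:72] = uuid.uuid5(uuid.NAMESPACE_DNS, "disk").bytes_le
        struct.pack_into("<QIII", h, 72, entries_lba, ENTRIES, ENTRY_SIZE, table_crc)
        struct.pack_into("<I", h, 16, crc32(bytes(h)))                  # CRC field still zero here
        return bytes(h)

    img[sector:sector + 92] = header(1, n_sectors - 1, 2)               # primary: LBA 1, table at LBA 2..33
    img[2 * sector:2 * sector + len(table)] = table
    img[(n_sectors - 33) * sector:(n_sectors - 33) * sector + len(table)] = table   # backup table
    img[(n_sectors - 1) * sector:(n_sectors - 1) * sector + 92] = header(n_sectors - 1, 1, n_sectors - 33)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("sha256 of image:", hashlib.sha256(img).hexdigest())       # record before any analysis
    gpt = parse_gpt(img)
    print("GPT read from:", gpt["source"])
    for p in gpt["partitions"]:
        print(f"{p['name']:<10} offset={p['offset']:>9} size={p['size']:>9}  "
              f"mount -o ro,loop,offset={p['offset']} raw_data.bin /mnt/forensics")
    damaged = bytearray(img)
    damaged[SECTOR:SECTOR + 8] = b"\0" * 8                             # simulate an unreadable LBA 1
    print("After damaging LBA 1, GPT read from:", parse_gpt(bytes(damaged))["source"])
```

On a real dump, replace build_sample_image() with load_image("raw_data.bin"); the parser only ever slices the mapping, so a 128 GB image is handled without loading it into memory. The CRC checks are what make the backup fallback trustworthy: a half-read primary header will usually still carry the "EFI PART" signature, and without the CRC you would happily mount garbage offsets.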

7. Documentation and Reporting

Thoroughly document every step of the process, including device details, photos of connections, software settings, and any challenges encountered. Detail the findings from your analysis in a clear, concise forensic report, ensuring chain of custody and evidentiary integrity are maintained.

Challenges and Considerations

  • Device Damage: Incorrect soldering or power settings can permanently damage the device.
  • Obscure Pinouts: Finding reliable JTAG/ISP points for newer, less common devices can be extremely challenging.
  • Encryption: Full-disk encryption (FDE) and file-based encryption (FBE) on modern Android devices, with keys bound to the hardware keystore (Keymaster/KeyMint), mean that a raw image of userdata is ciphertext that cannot be decrypted off the device. Unencrypted partitions (boot, system, vendor, bootloader stages) and file-system metadata still yield useful artifacts, and the FDE crypt footer or the ext4/f2fs superblock tells you which scheme you are facing before you spend time on it.
  • Time-Consuming: The entire process, from research to analysis, is labor-intensive and requires significant time and patience.
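As an added example that ties together the encryption points in the analysis list and the Challenges list above (this is not code from the original page), the following script triages a userdata partition carved from the dump: it checks for the ext4 superblock and its encrypt feature flag (FBE), the f2fs magic, and vold's FDE crypt footer in the last 16 KiB of the partition, and reads the footer's crypt_type and kdf_type to tell whether the credential could be guessed offline. The two sample partitions are constructed in code; the footer field offsets follow the crypt_mnt_ftr struct published in AOSP's vold and should be verified against the release of the device in hand.

```python
"""Encryption triage of a userdata partition carved from a raw dump.

Added example; sample partitions are constructed below, not real device data.
Field offsets follow the ext4 superblock layout, the f2fs superblock magic,
and vold's crypt_mnt_ftr as published in AOSP; verify against your release.
"""
import math
import random
import struct
from collections import Counter

EXT4_MAGIC = 0xEF53                 # at superblock offset 0x38; superblock at partition offset 1024
EXT4_INCOMPAT_ENCRYPT = 0x10000     # s_feature_incompat bit set when FBE (fscrypt) is enabled
F2FS_MAGIC = 0xF2F52010
FDE_FOOTER_MAGIC = 0xD0B5B1C4       # vold crypt_mnt_ftr, stored in the last 16 KiB of userdata
FDE_FOOTER_SIZE = 16 * 1024
CRYPT_TYPES = {0: "password", 1: "default (no user credential)", 2: "pattern", 3: "PIN"}
KDF_TYPES = {1: "pbkdf2", 2: "scrypt", 5: "scrypt+keymaster"}   # kdf_type values from vold


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for ciphertext or random data, low for sparse/plain data."""
    counts = Counter(buf)
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_userdata(part):
    """Return what the raw bytes say about how userdata is protected."""
    r = {"filesystem": None, "fbe": None, "fde": None,
         "entropy": round(shannon_entropy(part[:65536]), 2)}
    sb = part[1024:2048]
    if struct.unpack_from("<H", sb, 0x38)[0] == EXT4_MAGIC:
        r["filesystem"] = "ext4"
        r["fbe"] = bool(struct.unpack_from("<I", sb, 0x60)[0] & EXT4_INCOMPAT_ENCRYPT)
    elif struct.unpack_from("<I", sb, 0)[0] == F2FS_MAGIC:
        r["filesystem"] = "f2fs"        # f2fs keeps its encrypt flag in its feature field; use dump.f2fs
    footer = part[-FDE_FOOTER_SIZE:]
    if struct.unpack_from("<I", footer, 0)[0] == FDE_FOOTER_MAGIC:
        # magic(4) major(2) minor(2) ftr_size(4) flags(4) keysize(4) crypt_type(4) fs_size(8)
        major, minor, _size, _flags, keysize, crypt_type, fs_size = struct.unpack_from("<HHIIIIQ", footer, 4)
        kdf = struct.unpack_from("<I", footer, 188)[0]   # kdf_type offset per AOSP crypt_mnt_ftr; verify
        r["fde"] = {
            "version": f"{major}.{minor}",
            "cipher": footer[36:100].split(b"\0", 1)[0].decode(),
            "keysize": keysize,
            "credential": CRYPT_TYPES.get(crypt_type, str(crypt_type)),
            "kdf": KDF_TYPES.get(kdf, str(kdf)),
            "fs_size_sectors": fs_size,
        }
    return r


def assess(r):
    """Turn the triage dict into the practical question: can plaintext be reached offline?"""
    if r["fde"]:
        if r["fde"]["kdf"] == "scrypt+keymaster":
            return ("FDE with a hardware-bound KDF: the master key cannot be recovered from "
                    "the image alone; credential guessing must run on the original hardware.")
        return (f"FDE with {r['fde']['kdf']}: offline guessing of the {r['fde']['credential']} "
                "against the footer's salt and encrypted master key is feasible.")
    if r["fbe"]:
        return "FBE (fscrypt) on ext4: structure is intact, file names and contents are per-user encrypted."
    if r["filesystem"] is None and r["entropy"] > 7.9:
        return "No filesystem magic and ~8 bits/byte: likely encrypted with its metadata stored elsewhere."
    return f"Unencrypted {r['filesystem']}: parse directly."


def build_samples():
    """Constructed partitions (not device data): one FBE-style ext4, one FDE-style."""
    fbe = bytearray(128 * 1024)
    struct.pack_into("<H", fbe, 1024 + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", fbe, 1024 + 0x60, 0x2C2 | EXT4_INCOMPAT_ENCRYPT)   # filetype|extents|64bit|flex_bg + encrypt
    rng = random.Random(7)
    fde = bytearray(rng.getrandbits(8) for _ in range(128 * 1024))           # stands in for ciphertext
    off = len(fde) - FDE_FOOTER_SIZE
    struct.pack_into("<IHHIIIIQI", fde, off, FDE_FOOTER_MAGIC, 1, 3, 0xC0, 0, 16, 3, off // 512, 0)
    fde[off + 36:off + 100] = b"aes-cbc-essiv:sha256".ljust(64, b"\0")
    struct.pack_into("<I", fde, off + 188, 5)                                 # kdf_type = scrypt+keymaster
    return bytes(fbe), bytes(fde)


if __name__ == "__main__":
    for label, part in zip(("fbe_sample", "fde_sample"), build_samples()):
        r = triage_userdata(part)
        print(label, r)
        print("  ->", assess(r))
```

Feed triage_userdata() the bytes between the userdata offset and offset plus size from the partition table; on devices that keep the FDE footer in a dedicated metadata partition rather than at the tail of userdata, check that partition's first 16 KiB for the same magic instead.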

Conclusion

JTAG and ISP forensics represent the pinnacle of data extraction techniques for challenging mobile devices. While demanding in terms of skill and resources, mastering these methods provides forensic professionals with an unparalleled ability to recover crucial evidence from otherwise inaccessible Android devices. By meticulously following this workflow, from careful preparation and precise physical connections to in-depth data analysis, you can unlock vital information, transforming a locked device into a trove of raw data.
