
HEX DUMPING PRIMER

Part I
Michael Harrington, CFCE, EnCE

Cell (or Mobile, as it’s known outside the US) Phone Forensics has become a red-hot topic
in the last year or so. Among the issues examiners often face are the lack of support for
specific models and manufacturers and the quixotic, proprietary file systems found on the
handsets. Adding to this mix are the expensive hardware and software ‘solutions’ that have
flooded the forensic community: solutions that can run into the hundreds, thousands and
even tens of thousands of dollars.

Imagine a solution that was not only inexpensive and required only a hex editor and an
ASCII table to interpret data, but was also able to obtain the Holy Grail of Cell Phone
Forensics: the acquisition of the physical memory of the phone.

Impossible you say? Doubt no more! Enter the world of Hex Dumps or ‘Flashing’ as it’s
more commonly known.

FLASHING A PHONE - WHAT IS IT?

Flashing a phone is usually understood as a dump of the phone’s memory into either a
hexadecimal or a binary format (the latter for an Absolute, or true physical, acquisition).
The aim of the practitioner is to get a snapshot of the complete memory contents of the
phone in order to uncover hidden and deleted data. The accompanying hope is that this
method avoids the problems caused by the more “traditional” method of querying the
handset with AT commands, which itself creates changes in the phone’s memory. In essence
we are striving to get as close as possible to the forensic image that is the bread and butter
of conventional electronic evidence forensics, and thereby to have a best-evidence exhibit
as defined by the courts.

Why is obtaining this forensic image or hex dump so important? I believe it is of utmost
importance for the examiner to try to get the data from the phone in this way, because most
of the so-called forensic phone applications are in reality variations of backup software that
concentrate on the user data and rely on the phone being up and running in order to get at
that data (again using something like AT commands). The examiner needs to look beyond
the general user data of contacts, call registers and text messages. Using a hex dump the
examiner can plumb the memory for such things as previously inserted SIM cards, previous
calls (lost to the traditional tools), MAC addresses and more.
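The “hex editor and ASCII table” interpretation the paper relies on can be reproduced with a few lines of code. The following is an added example, not code from the paper or from SarasSoft: it renders a memory image the way a hex editor does (offset, hex bytes, ASCII column), carves runs of printable ASCII out of it, locates a known byte pattern, and hashes the image so the examiner can show the dump was not altered after acquisition. The `SAMPLE_DUMP` bytes are constructed for the demonstration and stand in for a real phone dump; the function and variable names are the author’s own choices.

```python
import hashlib
import re

# Constructed sample "memory image": filler bytes with a few embedded ASCII
# artefacts (a model string, a phone number, a version string). This is a
# stand-in for a real dump, not data taken from any handset.
SAMPLE_DUMP = (
    b"\xff" * 16                # erased-flash filler
    + b"Nokia 7210\x00"         # model string, NUL terminated
    + b"\x00" * 5               # padding
    + b"+15555550123\x00"       # a dialled number as stored in plain ASCII
    + b"\xde\xad\xbe\xef" * 3   # non-printable binary data
    + b"v5.26\x00"              # firmware version string
)


def hexdump(data, width=16):
    """Render data as hex-editor style lines: offset, hex bytes, ASCII column.

    Bytes outside printable ASCII (0x20-0x7e) are shown as '.' exactly as a
    hex editor would, so the examiner reads the same view the paper describes.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|")
    return lines


def carve_strings(data, min_len=4):
    """Return (offset, text) for every run of printable ASCII of min_len+ bytes.

    This is the manual 'look for readable text in the ASCII column' step
    automated; deleted records often survive only as such fragments.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_all(data, needle):
    """Return every offset at which the byte pattern `needle` occurs."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def image_hash(data):
    """SHA-256 of the whole image, recorded at acquisition to prove integrity."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("SHA-256:", image_hash(SAMPLE_DUMP))
    for line in hexdump(SAMPLE_DUMP):
        print(line)
    for off, text in carve_strings(SAMPLE_DUMP):
        print(f"string @ 0x{off:04x}: {text!r}")
    print("'7210' found at offsets:", find_all(SAMPLE_DUMP, b"7210"))
```

Run it against a real dump by replacing `SAMPLE_DUMP` with `open(path, "rb").read()`. Hash the image before any analysis and again afterwards; the two values must match for the dump to stand as the unaltered exhibit the paper has in mind.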

Add to this the myriad of handsets, each differing in how data is stored and in software
and hardware revisions, and the exorbitant cost of hardware and software solutions, and
the examiner must look beyond the traditional.

Hex dumps can be, and have been, obtained from handsets that wouldn’t otherwise power up,
were broken, or had no battery or SIM. This goes well beyond what is possible with a
traditional logical examination, which generally requires a working, powered handset.

Obtaining a hex dump is not without caveats though. One has to be cognizant of the fact
that the boxes and the software used are not “officially” sanctioned by the handset
manufacturers (but then neither are the traditional tools used by the practitioner). The
software is often overly complex to use, there is a dearth of information on how to use it
(what is out there is often in a language foreign to the user), and if the wrong button is
pressed you can turn your evidence into a “brick”.

Commercially, the devices used to obtain hex dumps of phones are used by cell phone
retailers to repair, customize and unlock handsets (free the phone from its provider so it
can be used with a different provider).

EQUIPMENT

So we have defined what a hex dump or a flash of the phone is and we have hinted that
there is some device that is needed to obtain the dump. So what exactly is required?

The common terminology for these devices in this subset of the wireless industry is ‘box’
or ‘clip’. They are small aluminum units with USB and RJ-45 ports.

It can be overwhelming to look at the amount of ‘boxes’ or ‘clips’ available on sites and
wonder if one is better than the other or if they even work. Listed below are some of the
choices.

UFS3 Tornado
Furious Gold
Smart Clip
GTS
Unibox
JAF
N-box
Vygis

Typically GSM oriented these boxes support a variety of cell phone manufacturers from
Nokia to Motorola to Sony-Ericsson. Some cables for CDMA handsets can also be found.

It is best to select a box that has the widest support for the manufacturers your department
or force sees.

Some of the websites you can find these boxes on (and that the author has used with great
success) are the following:

GSM Server
One Stop Factory
Fone Fun Shop (UK)
Tech GSM

This paper is going to focus on the UFS3™ (Tornado) box because it is a popular and very
inclusive solution, though the concepts described throughout the paper are applicable to the
gamut of products on the market for obtaining hex dumps.

UFS3™

The terminology of this box can be confusing at times because the Universal Flashing
Software and the box itself are both referred to by the same name. This can be further
compounded by the software sometimes being referred to as ‘Tornado’. For all intents and
purposes the software is the same and only differs by name (later versions also include
upgrades for new models etc).

Depending on where the box is purchased, the examiner can get a variety of cables to go
with the various supported models of phones.

In general, the UFSx series supports the following manufacturers/models.

Nokia DCT3: 3610 (NAM-1), 2100 (NAM-2), 3410 (NHM-2), 6250 (NHM-3), 3310
(NHM-5), 3330 (NHM-6), 3350 (NHM-9), 3390 (NBP-1), 6210 (NPE-3), 5510 (NPM-5),
5190 (NSB-1), 6190 (NSB-3), 8890 (NSB-6), 8290 (NSB-7), 5110 (NSE-1), 5110i (NSE-2),
6110 (NSE-3), 7110 (NSE-5), 8810 (NSE-6), 3210 (NSE-8), 5130 (NSK-1), 5130
(NSK-3), 6150 (NSM-1), 8850 (NSM-2), 8210 (NSM-3), 8250 (NSM-3D), 8855 (NSM-4),
5210 (NSM-5), 9110 (RAE-2), 6090 (NME-3)

Nokia DCT4: D211 (DTE-1), 3300 (NEM-1), 3300b (NEM-2), 7210 (NHL-4), 7250
(NHL-4J), 7250i (NHL-4JX), 6610 (NHL-4U), 6800 (NHL-6), 6820a (NHL-9), 6650
(NHM-1), 8910 (NHM-4), 8910i (NHM-4NX), 8310 (NHM-7), 3510 (NHM-8), 1220
(NKC-1), 1260/1 (NKW-1), 7600 (NHM-3), 3320 (NPC-1), 6310 (NPE-4), 6310i (NPL-1),
6100 (NPL-2), 6200 (NPL-3), 5100 (NPM-6), 5100a (NPM-6X), 3590 (NPM-8), 6510
(NPM-9), 3595 (NPM-10), 3360 (NPW-1), 6360 (NPW-2), 8390 (NSB-8), 6800a (NSB-9),
6590 (NSM-9), 6108 (RH-4), 3108 (RH-6), 3510i (RH-9), 6340i (RH-13), 3560/20 (RH-14),
1100 (RH-18), 3100 (RH-19), 6220 (RH-20), 6560 (RH-25), 3200 (RH-30), 3200b
(RH-31), 1100b (RH-36), 1100a (RH-38), 2260/1 (RH39+41), 2220/1 (RH40+42), 3586i
(RH-44), 3100b (RH-50), 2300 (RM-4), 2300a (RM-5)

Nokia DCT-L: 9290 (RAB-3), 9210 (RAE-3), 9210i (RAE-5)

Sony Ericsson: R520, T39, T65, T68, T68i, T200, T202, T230, T238, T300, T306, T310,
T312, T610, T616, T630, T628, P800, P802, P900, P908, Z600, Z608, A3618, T100,
R600, T66, T600, Z200

Samsung: A2xx, A800, N1xx, N2xx, N300, N400, N500, N600, N611, N620, N625,
N628, R200, R201, R208, R210, R220, R225, T100, T108, T400, T410, T500, E400, E710,
E715, P100, P400, Q100, Q105, Q200, Q300, Q400, Q605, S100, S105, S108, S200, S208,
S300, S300m, S308, V100, V200, V205, V208, X400, X430, A100, A110, A188, A300,
A400, M100, E100, E105, E700, E708, S500, S508, X100, X600, A500 E-Gold, C100
SkyWorks, C108 SkyWorks

Siemens: C30, S40, C35, C35 NEW, M35, M35 NEW, S35, S35 NEW, A35, A36, A40,
A50, A52, A55, A60, 1168, C45, 2118, C55, 2128, C60, C60 boot, S45, S55, SX1, ME45,
M55, M55 boot, SL42, SL45, SL55, 6688, MT50, M50, 3118

Cables and Connections

The cables that come with the UFS3™ box appear like standard data cables but end in an
RJ-45 connector. Included in the kit is usually a DKU/5, FBUS and DKU/2 cable.

The connection between the box and the handset directly accesses the manufacturer’s service
ports, typically through the Joint Test Action Group (JTAG) connections or the MBus/FBus
connections.

These connections can be located underneath the battery of the handset as shown in the
below graphic of a Nokia 3310.

Picture taken from http://www.embedtronics.com

They can also be accessed through ports located on the bottom of the phone as is shown in
this picture of the fbus connector on a Nokia 3220.

The UFS3™ uses a variety of specialist cables like the one shown below.

Of note on the cable are the connecting points (for accessing the logic board) and the RJ-45
connector. The latter hooks directly into a like port on the UFS3™ box as is shown below.

SarasSoft’s Tornado™ Software

Having discussed what a hex dump is and why it is necessary as well as the equipment for
such, we can now move onto the software required to obtain the hex dump.

Installation

Installation of the software is straightforward. You should install the software before
hooking the UFS3™ box to the computer. In most circumstances you will want to take the
defaults that the software presents to you.

Once the software is installed, you should connect the box to the computer via the provided
USB cable. When prompted to install drivers for the box, you should manually navigate to
the SarasSoft folder where you installed the suite of tools to find the driver to install. This
is located on my forensic machine at C:\Program Files\SarasSoft\UFS\UFS_USB_Driver,
though your actual location may differ.

After the installation of the driver you can launch the UFS software for the type of phone
you wish to acquire the hex dump from. A note of caution is required at this point: be very
sure you understand what you are doing from this point on, as one wrong button pressed
could turn your phone into a “brick”. In fact, I would recommend that the first few times
you use this software you do so with a test phone, to get familiar with the interface and
how it functions.

I am going to be concentrating on the UFS_DCTxBB5 toolset for the remainder of our
discussion of the software. The other tools work similarly.

UFS_DCTxBB5 Interface

Shown below are graphics and number keys taken from the UFS3 Manual that describe the
interfaces for the UFS DCT software.

List of Functions by Numerical Key
1. Check - To check the flash mode
2. Info - To check the functionality of M/F Bus (Use to confirm a good connection)
3. Flash - To be used for manual flashing mode
4. UI Setting - User interface setting
5. Phone Mode - (Local mode, Test mode, Normal mode)
6. Restart - Restart the phone
7. Phone Type - (Choose between the different platforms, DCT3/4, DCT-L or WD-2)
8. BT HW - Manually choose the Bluetooth hardware (using auto is recommended)
9. Write the User Setting back... - Phone book, etc…
10. Aux Option - (Read/Write PM-UEM, Erase flash, Format user area)
11. Progress bar - (Box serial code, counter, progress bar)
12. UI Option - (Resets, simlock, security code, factory defaults, software upgrade defaults)
13. Flash file browser - Choose your flash files
14. Start/Stop button - Execute/Terminate selected jobs

15. Special Setting - Relock function, manual flashing, language update only, etc...
16. Connection bus & Flashing speed - Adjust the flashing speed and choose the bus
17. Pre-Setting - Choose the job to be done
18. Progress windows - (Phone details, Box status, Work status and other useful information)

19. Calculator - To calculate network unlock code (Only apply on DCTx_UFSx 1.3b)
20. Support - For product support and website information (www.ufsxsupport.com)

QUICK BUTTONS

This section also from the UFS3 manual describes the quick buttons found along the top of the
software interface.

CONNECT/DISCONNECT- You have to press connect button to connect software module with
the UFSx box hardware. Without this connection you cannot use any software module with UFSx
box.

CHECK - You can test the Flash mode with this button.

INFO - You can test the communication Bus (F-bus or M-bus) and read info from your phone. It is
recommended to use this to check the cables and establish a good connection.

FLASH - The flash button can be used for manual flashing, for example, if the phone is dead.

UI SETTING - Manual option to execute predefined user interface settings.

[?] - This drop down box lets you manually choose between normal mode, test mode or local mode
on the phone.

AUTO DETECT - Use this option if you are not sure what kind of phone it is, it will auto detect it
for you.

AUTO CLEAR RESULT WINDOW - Will clear all results displayed in the main window before
commencing each function; you can manually clear this by double clicking inside the window.

AUTO SCROLL RESULT WINDOW - Will scroll all result displayed in window when/after
commencing each function.

USE INI SETTING - You should use this option if you have already prepared a specific INI file
for desire type of phone. It is the fastest way if you have many phones with the same type of job to
do.

IMPORT SIMLOCKS - Import simlock from file when doing the simlock.

FLASH PPM ONLY - This option is to flash only the PPM (language pact). It is a fast way to
change the available language, however take care that you are using the ppm version which
matches with MCU version currently in the phone. Otherwise you will get “Contact Service” or
some unexpected fault in which case you will need to full-flash the phone.
NOTE: If you want to flash only PPM, first check the software version of the phone or connect it to
the UFSx & click INFO to get the version. Then choose the same version of PPM and flash the
phone to avoid any fault in the phone.

INTERFACE - Communication settings: you should use F-Bus for ALL DCT-4 and WD-2 phones
(the other option is M-Bus).

SPEED - (Flashing speed) you can keep default setting of FAST but if you get errors, you should
choose NORMAL or SLOW since not all flash type support FAST Flashing.

START/STOP BUTTON - To start or stop the job that you do.

ACTION WINDOW FOR DCT-4
We will be concentrating on the DCT-4 window as it covers a majority of phones that the examiner
may encounter. Other windows have similar functionality. Again, the below graphic and
explanations are taken from the UFS3™ manual by SarasSoft™.

PRODUCT - Choose your phone model, for example 3200 RH-30, 6610 NHL-4u, 6610i RM-37

MCU - Choose the MCU flash file (Main phone firmware to be flash)

PPM - Choose the PPM flash file (Language pack firmware. Must match with MCU version)

CNT - Choose the CNT flash file (CNT = Content Pack) . This allows you to flash the standard
factory wallpapers, ring tones, games and others applications supplied as standard in the hand set.

PM - PM (Permanent Memory) This is the DCT-4 version of "EPROM" but cannot be changed and
reset easily. (DO NOT PLAY WITH THIS; YOU MAY DAMAGE YOUR PHONE!)
Note: If you know what you are doing then you can play with the PM.

ENABLE BT FLASHING - Flash the Bluetooth firmware (BT=Bluetooth)

BT HW - You can choose AUTO, OLD or NEW. Defaults is AUTO, however in some cases such
as 7650, it is necessary to use OLD option if the BT function does not work correctly.

UI OPTION - You can double click these items to execute each one individually and immediately.

SAVE USER SETTING - You can backup / save the main user settings before starting any job
with the phone.

FULL UI DEFAULTS - Set the user setting back to defaults (Phone setting etc...)

FULL FACTORY DEFAULTS - Set the phone to the factory defaults settings, including resetting
the wakeup graphics, security code, phone book etc.

SOFTWARE UPGRADE DEFAULTS - This should be done when you have upgraded to newer
Software version.

INIT SIM LOCK - Unlock SP-Lock / Network lock

RESET USER LOCK - Set the user lock (Security Code) to factory defaults "12345"

REBOOT IN NORMAL MODE - You can insert SIM card and after processing, the phone will
reboot into normal operating mode. Use this to check normal operation. Please note that many
USB ports cannot supply enough power to phone to transmit, so the phone may shut down when
trying to register with the network when using this feature. It is mainly to confirm the phone will
power on, accept the SIM card, etc.

USER SETTING ITEMS

Phone Book - Save phone book

UI Setting - Save UI setting

Ringing Tones - Save ring tones

Graphic logos - Save logo and graphics

Write User Settings - Write back saved data

AUX FUNCTION

Read UEM - Create an *.ASK file

Write UEM - Write a *.RPL file

Write PM - Write a PM file

REMEMBER WITH THIS FUNCTION, YOU MAY DAMAGE YOUR PHONE. IF YOU KNOW
WHAT YOU ARE DOING THEN YOU CAN PLAY WITH THIS PM. PLAY AT YOUR OWN
RISK.

Erase Flash - Erase the entire flash!

Note: All flash will be erased, including the PM area. You may damage your phone!

Create INI file - Create the ini file to be used with "UI Options". Creating ini files is made easy for
you. After you choose the setting, MCU, PPM and UI, click CREATE INI. The next time you want to
flash the selected model, you have an already created ini file. You don’t need to select the
MCU, PPM, etc.; merely click FLASH or START. For a DEAD phone, click FLASH, and for a
normal phone, click START.

FLASHING DCT-4 PHONES

To flash a DCT-4 ‘Working Phone’: connect the cable and power on the phone. Select the correct
model’s MCU & PPM (both must be of the same version), check the UI settings that you wish to
apply and press START.

To Flash Only PPM, choose the PPM version that matches the MCU version of the phone.

If you don't know the phone version, it is better, before doing anything, to power on the phone and
press *#0000# to view the phone version, or with SarasSoft just click the INFO button. You will get
the MCU and PPM version of the phone; select the PPM version and select Flash.

If the Phone is DEAD, after selecting the MCU & PPM, uncheck Auto Detect and click the START
button.

CNT = Content Pack. If you have this, it will flash the CNT to your phone.

CNT is the file which will install the Original Ring tone, Wallpapers, Graphics, etc. If you have
failed to extract the CNT, your phone will not have wallpaper, ring tones, etc.

OBTAINING A HEX DUMP

The following screen captures show various points in obtaining a .PM file from a Nokia 7210. The
.PM file and the PM Absolute will be covered in the second part of the primer.

The above picture shows the selection of the first record for the software to read.

This picture shows the selection of the last record (I chose 999 to ensure all available records are
read).

This last picture shows the file dump in progress.

CONCLUSION
Part One of this Primer covered the whys and wherefores of Hex Dumping a phone. The second
part of the Primer will cover how to interpret the hex dump once you have the dump of the phone.
Discussed in the second part will be the difference between a PM and an Absolute PM, and some
tricks and tips regarding how to conduct forensic research on phones using the hex data.

ACKNOWLEDGEMENTS

I would like to thank Det. Brian Roach of the Kansas City Police Department for his
invaluable advice and keen editorial eye in preparing this paper.

I’d also like to thank the folks at Phone Forensics for their mentorship and help. You are a
very important part of the community and thanks for all that you do. Nil illegitimi
carborundum.
