JTAG and Chip-Off Acquisition
JTAG and chip-off acquisition are hardware-level forensic extraction techniques used when software methods cannot access a mobile device's storage. JTAG taps the device's test access ports to stream raw memory content, while chip-off physically removes and reads storage chips directly, both requiring specialist equipment and carrying a risk of permanent device damage.
JTAG and chip-off acquisition are hardware-level techniques that extract raw memory content from mobile devices when software-based methods cannot gain access. JTAG connects to a device's test access port (TAP), a set of contacts built into virtually every modern circuit board under the IEEE 1149.1 standard, and uses boundary-scan instructions to read memory directly without invoking the operating system. Chip-off goes further: the storage chip is physically removed from the board and read by a standalone chip reader. Both methods require specialist equipment, board-level knowledge, and careful procedure. Both carry a genuine risk of destroying the evidence they are trying to recover. They are used because, in many locked, damaged, or encrypted device scenarios, they are the only path to the data.
Mobile devices increasingly use full-disk or file-based encryption tied to hardware security modules, making logical and file-system extractions useless once a passcode is unknown. Physical acquisition via bootloader exploits, once reliable, has become far harder as manufacturers patch vulnerabilities and ship dedicated secure enclaves. JTAG and chip-off fill the gap that these trends create: they access the raw NAND flash or eMMC storage layer below the encryption controller, giving the examiner a binary image that can then be processed with decryption keys recovered through other means, or analysed directly if the data was stored unencrypted.
The IEEE 1149.1 boundary-scan standard was designed for manufacturing quality control, not forensics. Forensic practitioners adapted it for extraction purposes in the mid-2000s as encrypted smartphones began defeating software-only tools. Tool vendors such as Cellebrite, MSAB, and third-party hardware providers (RIFF Box, Easy-JTAG, Medusa PRO) have built device databases that map TAP pin assignments for thousands of handset models, making JTAG acquisition faster and more accessible than the early years, though it still demands board-level competence that most examiners acquire only through specialist training.
By the end of this topic you will be able to:
- Explain how the IEEE 1149.1 boundary-scan standard enables JTAG acquisition and identify the TAP signals required for a successful connection.
- Describe the JTAG acquisition workflow from pinout identification through image verification, including common failure points.
- Explain how chip-off acquisition is performed, distinguishing heat-based from chemical desoldering and describing the reader configuration steps.
- Compare JTAG and chip-off on the dimensions of destructiveness, equipment complexity, and suitability for different device conditions.
- Identify the scenarios where JTAG or chip-off is the only viable acquisition method and apply the principle of least-destructive method first.
- JTAG (Joint Test Action Group): The industry group that produced IEEE standard 1149.1, which defines the test access port and boundary-scan architecture built into most modern integrated circuits. In forensics, 'JTAG' refers to the technique of using this port to read device memory directly.
- Test access port (TAP): The set of four or five contact pads (TDI, TDO, TCK, TMS, and optionally TRST) on a circuit board that implement the IEEE 1149.1 boundary-scan interface. These are the connection points for JTAG acquisition hardware.
- eMMC (embedded MultiMediaCard): A package that combines NAND flash memory and a flash controller in a single soldered chip, used as the primary storage in most Android devices. eMMC chips are the target of both JTAG-initiated reads and direct chip-off extraction.
- Chip-off acquisition: A forensic technique in which the storage chip (eMMC or NAND flash) is physically removed from the device's circuit board using heat or chemicals and then read by a standalone chip programmer. It is the most destructive acquisition method and is considered a last resort.
- Pinout: A diagram or database entry that maps each physical contact on a device's circuit board to its signal function. For JTAG acquisition, a device-specific pinout is needed to identify TDI, TDO, TCK, TMS, and ground before connecting any hardware.
- ISP (In-System Programming): A variant of direct chip access that connects to the eMMC command and data pins while the chip is still on the board, bypassing the processor. ISP sits between JTAG and chip-off in terms of invasiveness and is sometimes used when TAP contacts are unavailable but the eMMC pads are accessible.
The IEEE 1149.1 standard and the JTAG acquisition principle
IEEE 1149.1 was published in 1990 to solve a manufacturing problem: as circuit boards became more densely packed, physical test probes could no longer reach every solder joint. The standard defines a serial shift-register chain connecting every pin of every chip on the board. A controller can shift data into and out of this chain through four TAP signals: TDI (data in), TDO (data out), TCK (clock), and TMS (mode select). A fifth pin, TRST, resets the TAP controller and is present on many but not all devices.
For forensic purposes, the boundary-scan chain can be used to read the contents of the device's memory. The JTAG interface box sends instructions that place the processor in a debug or direct-access state, then issues read commands that cause the processor to output memory content through TDO. The output is captured by the forensic hardware and assembled into a raw binary image. The process does not require the device to boot its operating system; the processor executes instructions fed directly through the TAP. This is why JTAG works on devices with corrupted operating systems, unknown passcodes, and damaged displays or touchscreens.
The TAP contacts on a mobile device are small pads, often unlabelled, located near the processor or on a dedicated test point strip. The examiner must identify them from a pinout reference before connecting anything. Tool databases (JTAG WORLD, Easy-JTAG's device library, Cellebrite's hardware resources) contain pinouts for thousands of handset models identified by device model and PCB revision. When a pinout is unavailable, the examiner must locate the TAP pads using a multimeter and continuity testing against known ground and power rails, a process that requires both patience and electronics knowledge.
JTAG acquisition workflow
A JTAG acquisition follows a defined sequence. Skipping or rushing any step increases the probability of a failed or corrupted extraction. The device should be photographed at each stage and the chain of custody documented before the board is touched.
- Device disassembly. The phone is opened to expose the circuit board. The battery is disconnected (some JTAG procedures require the battery, or a bench power supply, to remain connected during the read; the device specification determines this). Photographs document the board state before any wires are attached.
- Pinout identification. The correct TAP contacts are identified from a pinout database or by manual probing. The voltage level of the TAP (1.8 V or 3.3 V is most common) is confirmed so the JTAG box is set to the correct logic level.
- Physical connection. Wires or a pogo-pin jig are soldered or pressed onto the TAP pads. Ground is connected first. The JTAG interface box (RIFF Box, Easy-JTAG, Medusa PRO, or similar) is connected to the wires on one side and a forensic workstation via USB on the other.
- Software configuration. The acquisition software is configured with the device model, processor type, memory map, and read parameters. The software attempts to detect the JTAG chain and identify the chips in it. A successful detection lists the chips and their JEDEC identifiers.
- Memory read. The software reads the full contents of the eMMC or NAND flash to a raw binary image file (.bin). Read speed depends on the JTAG interface and processor speed, typically 2 to 8 MB/s, meaning a 32 GB storage chip takes one to four hours.
- Hash verification. A SHA-256 hash of the image is computed immediately after acquisition and documented. If a second read is possible, the hashes are compared to confirm read consistency. The image is then processed in a forensic tool (Cellebrite Physical Analyser, Oxygen Forensic Detective, or similar).
Common failure points include incorrect TAP voltage (damaging the controller), a missing ground connection (producing corrupt output), a wrong chip configuration in the software (causing the read to address the wrong memory region), and solder bridging between adjacent pads (shorting signals). Each of these typically produces either no output or a binary image that hashes differently on re-read. If re-reading is not possible, the image may still be partially usable but its integrity cannot be confirmed.
Chip-off acquisition: procedure and risks
Chip-off is the most physically invasive acquisition method available. The storage chip is removed from the board and read independently of the device's processor and operating system. It is used when TAP contacts are absent, damaged, or when the JTAG approach has failed and no less-destructive alternative exists.
Two desoldering approaches are used. Hot-air rework: a controlled-temperature hot-air gun or rework station heats the chip's solder balls or pads until they reflow, allowing the chip to be lifted cleanly from the board. Temperature profiles vary by chip package (BGA packages for eMMC typically reflow around 220 to 240 degrees Celsius); exceeding this by a significant margin damages the memory cells. Chemical desoldering: certain chip packages can be freed using acid-based chemicals (fuming nitric acid is sometimes used in professional settings) that dissolve the substrate while leaving the memory die intact. Chemical methods are slower, require specialist handling and ventilation, and are used mainly when the chip package is damaged or when heat application risks adjacent components.
| Criterion | Hot-air rework | Chemical desoldering |
|---|---|---|
| Speed | 20 to 60 minutes per chip | Several hours per chip |
| Temperature risk | High if profile is wrong | Low (no heat applied) |
| Chemical hazard | None | High (acid, fumes, PPE required) |
| Package suitability | BGA, LGA, QFP | Encapsulated or resin-potted packages |
| Success rate on intact boards | High with correct profile | Moderate |
| Reversibility | None | None |
After removal, the chip is cleaned of residual solder and flux, inspected under magnification for physical damage, and placed in a chip programmer or reader. The reader must be configured for the chip's exact interface (eMMC 4.5, eMMC 5.1, raw NAND, NOR flash), bus width (x8 or x16 for eMMC), and voltage. An incorrect configuration produces a read of all zeros, all ones, or random garbage. The raw binary image produced is processed identically to a JTAG image.
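The hash-verification step of the JTAG workflow and the all-zeros/all-ones signature of a mis-configured chip reader can both be checked on the raw image before it goes into an analysis platform. The following is an added example, not code from the page or from any tool vendor; it assumes a 4 KiB comparison block and uses constructed byte strings in place of real dumps.

```python
import hashlib
import math
import random
from collections import Counter

BLOCK = 4096  # assumed comparison granularity; real work would use the chip's sector size


def sha256_of(data: bytes) -> str:
    """SHA-256 of a whole image, as documented immediately after acquisition."""
    return hashlib.sha256(data).hexdigest()


def differing_blocks(read1: bytes, read2: bytes, block: int = BLOCK) -> list[int]:
    """Offsets of blocks that differ between two reads of the same chip.
    A non-empty list means the reads are inconsistent (bad ground, wrong
    TAP voltage, wrong memory map), so the image's integrity is unconfirmed."""
    n = max(len(read1), len(read2))
    return [off for off in range(0, n, block)
            if read1[off:off + block] != read2[off:off + block]]


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0 = single byte value, ~8 = random or encrypted)."""
    counts = Counter(chunk)
    return -sum(c / len(chunk) * math.log2(c / len(chunk)) for c in counts.values())


def classify_read(image: bytes, block: int = BLOCK) -> str:
    """Coarse sanity check on a fresh raw image.
    'blank-0x00' / 'blank-0xff': every block is one byte value, the classic
    result of a wrong bus width, interface type or voltage on the reader.
    'high-entropy': nearly everything looks random; plausible for encrypted
    userdata, but also for garbage from a mis-configured read.
    'structured': mixed content, as an image holding a bootloader, partition
    table and file systems would look."""
    blocks = [image[i:i + block] for i in range(0, len(image), block)]
    if all(b.count(0x00) == len(b) for b in blocks):
        return "blank-0x00"
    if all(b.count(0xFF) == len(b) for b in blocks):
        return "blank-0xff"
    high = sum(entropy(b) > 7.5 for b in blocks)
    return "high-entropy" if high / len(blocks) > 0.95 else "structured"


# Constructed sample "images" (not real device dumps); seeded so results are repeatable.
_rng = random.Random(7)
GOOD = b"\x00" * BLOCK + b"EFI PART" + b"\x00" * (BLOCK - 8) + _rng.randbytes(BLOCK * 2)
BLANK_FF = b"\xff" * (BLOCK * 4)
ENCRYPTED_LIKE = _rng.randbytes(BLOCK * 4)
SECOND_READ = bytearray(GOOD)
SECOND_READ[BLOCK + 100] ^= 0x01  # a single flipped bit in the second read

if __name__ == "__main__":
    print(classify_read(GOOD), classify_read(BLANK_FF), classify_read(ENCRYPTED_LIKE))
    print("first read :", sha256_of(GOOD))
    print("second read:", sha256_of(bytes(SECOND_READ)))
    print("blocks that differ:", differing_blocks(GOOD, bytes(SECOND_READ)))
```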
ISP: the middle option between JTAG and chip-off
In-system programming (ISP) connects directly to the eMMC command (CMD), clock (CLK), and data (DAT) lines on the circuit board while the chip remains soldered. Unlike JTAG, ISP bypasses the device processor entirely and communicates directly with the eMMC controller using the MultiMediaCard protocol. Unlike chip-off, the chip is not removed, so the risk of physical damage during extraction is much lower.
ISP is applicable when the processor is damaged or completely unresponsive (making JTAG impossible) but the eMMC chip is physically intact. It requires identifying the eMMC CMD, CLK, and DAT0 to DAT7 pads on the board, connecting an eMMC-capable adapter, and using software that speaks the eMMC protocol directly. Several commercial tools support ISP: Easy-JTAG Plus, Medusa PRO II, and UFi Box are among the most widely used. The read speed for ISP is often faster than JTAG, typically 5 to 20 MB/s, because the eMMC interface is higher bandwidth than the JTAG boundary-scan chain.
The acquisition hierarchy for a locked or damaged device is therefore: logical extraction first, then file-system extraction, then physical extraction via bootloader exploit, then JTAG, then ISP, then chip-off. Each step down the hierarchy increases the potential for damage and the complexity of analysis. The examiner should document the reason for moving to each successive method and confirm that less-destructive options have been exhausted.
When JTAG and chip-off are the only option
Several device conditions make hardware-level acquisition the only practical path to stored data.
- Unknown passcode with no exploit available. If a device is locked, full-disk encrypted, and no software-level exploit exists for its firmware version, neither logical nor file-system extraction yields decrypted content. JTAG or chip-off can image the raw encrypted storage, which may be decryptable if the encryption key material is recovered separately (for example, through cloud backup analysis or a device-specific key extraction technique).
- Damaged or unbootable device. A device with a shattered display, damaged charging port, failed touchscreen, or a corrupt bootloader that prevents normal startup can still be read via JTAG if the processor and memory chip are electrically intact. The operating system does not need to run for JTAG acquisition to succeed.
- Water or impact damage. Liquid damage often affects surface components while leaving the memory chip functional. If the circuit board can be cleaned and stabilised, chip-off or ISP can recover data from a device that will not power on.
- Device wiped or in bootloop. A remote wipe command erases partition tables and file system structures but may leave the underlying NAND flash cells containing recoverable remnants. Raw chip-off images can be analysed with NAND flash reconstruction tools to attempt recovery of data from cells that the erase command did not fully overwrite.
Across jurisdictions, hardware-level acquisition evidence is generally admissible when the examiner can demonstrate that standard acquisition methods were tried and failed, that the hardware method was applied following documented procedures, and that the resulting image was hashed and preserved in its original state. In India, the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872) accepts electronic records produced under documented forensic procedures. United States federal courts assess admissibility under Federal Rule of Evidence 702 and the Daubert framework, which require the method to be grounded in accepted scientific practice. The UK's Police and Criminal Evidence Act 1984 codes of practice and the EU's member-state digital evidence rules follow similar competence and documentation requirements.
Processing the raw image: from binary to evidence
A raw binary image from JTAG or chip-off contains everything on the storage chip: the bootloader, partition table, all file system partitions, and any unallocated space. Unlike a logical extraction, which provides only files accessible through the file system, a raw image can be analysed at the sector level. This makes it possible to recover deleted files, reconstruct partially overwritten data, and identify areas of the storage that were never mounted as a file system.
Processing follows these steps. The partition table (GPT for most modern Android devices) is parsed to identify partitions and their boundaries. Each partition is carved out of the image and mounted or analysed individually. The userdata partition, which holds the bulk of user-generated content, is typically formatted as ext4 (Android) or APFS (iOS). If the data is encrypted, the encryption type must be identified (Android Full Disk Encryption uses dm-crypt/LUKS; Android File-Based Encryption uses individual file keys derived from the user's passcode and hardware-backed keys). Forensic platforms such as Cellebrite Physical Analyser and Oxygen Forensic Detective include parsers for both partition formats and common encryption schemes. Evidence found at this level is consistent with what physical acquisition methods yield and can be cross-referenced against logical extraction results from cloud backups, as described in the Data Persistence and Evidence Locations topic.
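The first processing step above, parsing the GPT and carving partitions out of the raw image, looks like this in code. This is an added example written for this page, not part of any forensic platform; it assumes 512-byte logical blocks and builds a small constructed image with a two-entry GPT so that the parser can be exercised offline.

```python
import struct
import uuid
import zlib

SECTOR = 512       # assumed logical block size; eMMC images normally use 512 or 4096
ENTRY_SIZE = 128   # GPT partition entry size


def parse_gpt(image: bytes, sector: int = SECTOR) -> list[dict]:
    """Parse the primary GPT header at LBA 1 and return the defined partitions.
    A bad signature or CRC on a hardware-level image usually means the reader
    was mis-configured or the read was corrupt, so we refuse rather than guess."""
    hdr = image[sector:sector * 2]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    zeroed = hdr[:16] + b"\x00\x00\x00\x00" + hdr[20:hdr_size]  # CRC field zeroed
    if zlib.crc32(zeroed) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * sector
    table = image[start:start + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT partition table CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        if e[:16] == b"\x00" * 16:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"name": name, "first_lba": first, "last_lba": last,
                      "size": (last - first + 1) * sector})
    return parts


def carve(image: bytes, part: dict, sector: int = SECTOR) -> bytes:
    """Slice one partition out of the raw image for separate analysis."""
    return image[part["first_lba"] * sector:(part["last_lba"] + 1) * sector]


def build_sample_image(sector: int = SECTOR) -> bytes:
    """Constructed 64-sector image (not a real dump): GPT at LBA 1, entries at LBA 2,
    a 'boot' partition and a 'userdata' partition filled with the byte 'U'."""
    layout = [("boot", 34, 37), ("userdata", 38, 57)]
    table = b"".join(struct.pack("<16s16sQQQ72s", uuid.uuid4().bytes, uuid.uuid4().bytes,
                                 first, last, 0, name.encode("utf-16-le"))
                     for name, first, last in layout)
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x00010000, 92, 0, 0,
                      1, 63, 34, 57, uuid.uuid4().bytes, 2, len(layout), ENTRY_SIZE,
                      zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # fill header CRC
    img = bytearray(64 * sector)
    img[sector:sector + len(hdr)] = hdr
    img[2 * sector:2 * sector + len(table)] = table
    img[38 * sector:58 * sector] = b"U" * (20 * sector)
    return bytes(img)
```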
For chip-off images specifically, an additional step is sometimes required: raw NAND flash chips use error-correcting codes (ECC) and may use proprietary bad-block management and interleaving. The raw chip output must be ECC-decoded and de-interleaved before the binary image matches what the eMMC controller would have presented to the operating system. Some forensic tools (JTAG WORLD's PhysicalAnalyzer module, commercial chip programmer software) perform this automatically for known chip models; for unknown configurations the examiner must reconstruct the ECC parameters manually, which is a specialised skill.
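To make the spare-area and interleaving point concrete, here is an added example (not from the page or any chip-programmer software) that takes a raw NAND dump, separates each page's data from its spare/OOB bytes, drops factory-marked bad blocks, and re-creates the logical page order from a two-plane dump. The NAND geometry, the bad-block marker position, and the round-robin plane mapping are all assumptions for the constructed sample; real ECC decoding is chip-specific and is not attempted here.

```python
PAGE_DATA = 2048     # assumed geometry for the sample: 2 KiB data + 64-byte spare per page
PAGE_SPARE = 64
PAGES_PER_BLOCK = 4  # tiny block for the sample; real chips use 64 to 256 pages per block
PAGE = PAGE_DATA + PAGE_SPARE


def split_pages(dump: bytes) -> list[tuple[bytes, bytes]]:
    """Split a raw dump into (data, spare) pairs; the spare area carries ECC and bad-block marks."""
    return [(dump[i:i + PAGE_DATA], dump[i + PAGE_DATA:i + PAGE]) for i in range(0, len(dump), PAGE)]


def is_bad_block(block: list[tuple[bytes, bytes]]) -> bool:
    """Common factory convention (assumed here): first spare byte of the block's first page != 0xFF."""
    return block[0][1][0] != 0xFF


def good_data_pages(dump: bytes) -> list[bytes]:
    """Strip spare areas and drop whole blocks that are marked bad, keeping physical page order."""
    pages = split_pages(dump)
    out = []
    for b in range(0, len(pages), PAGES_PER_BLOCK):
        block = pages[b:b + PAGES_PER_BLOCK]
        if not is_bad_block(block):
            out.extend(data for data, _ in block)
    return out


def deinterleave(plane_dumps: list[bytes]) -> bytes:
    """Assumption for the sample: the controller wrote logical page k to plane k % n and the
    chip was dumped one plane at a time, so the logical image is one page from each plane in turn."""
    planes = [good_data_pages(d) for d in plane_dumps]
    if len({len(p) for p in planes}) != 1:
        raise ValueError("planes have different good-page counts; bad-block remapping needed")
    return b"".join(planes[j][i] for i in range(len(planes[0])) for j in range(len(planes)))


def make_page(tag: bytes, bad: bool = False) -> bytes:
    """Constructed page: data starts with a tag; spare is all 0xFF, or carries a 0x00 bad mark."""
    spare = bytes([0x00 if bad else 0xFF]) + b"\xff" * (PAGE_SPARE - 1)
    return tag.ljust(PAGE_DATA, b"\x00") + spare


def build_two_plane_dump(logical_pages: int, bad_block_in_plane1: bool = False) -> list[bytes]:
    """Lay logical pages L000.. out round-robin over two planes, then 'dump' plane by plane.
    Optionally append a factory-bad block to plane 1, as a real chip might carry."""
    planes = [bytearray(), bytearray()]
    for k in range(logical_pages):
        planes[k % 2] += make_page(b"L%03d" % k)
    if bad_block_in_plane1:
        planes[1] += b"".join(make_page(b"BAD", bad=(i == 0)) for i in range(PAGES_PER_BLOCK))
    return [bytes(p) for p in planes]
```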
Key Takeaways
- JTAG acquisition uses the IEEE 1149.1 boundary-scan port built into mobile device circuit boards to read raw memory content without booting the operating system, making it viable for locked, damaged, or unbootable devices.
- Chip-off physically removes the storage chip from the board and reads it with a standalone programmer. It is the most invasive method, irreversible once started, and is reserved for situations where all less-destructive approaches have failed.
- ISP (in-system programming) sits between JTAG and chip-off: it communicates directly with the eMMC interface while the chip remains soldered, bypassing the processor, and is applicable when the processor is damaged but the memory chip is intact.
- The acquisition hierarchy (logical, file-system, physical exploit, JTAG, ISP, chip-off) is ordered from least to most destructive. Each step requires documented justification that the previous method was tried and failed.
- Raw images from chip-off of bare NAND flash require ECC decoding and de-interleaving before the binary content matches what the eMMC controller would have presented to the operating system. Skipping this step produces an unreadable or misleading image.