Burners and BackDoors

Throughout the evolution of mobile device examinations there have always been obstacles imposed by the carriers, from locking a device’s USB port to removing the ability of software to use development-level protocols. This is not a new tactic for carriers and has been going on for some time. By limiting access to the device, carriers can lower the cost of the device and then impose fees for the transfer or backup of the data to a designated server, or utilize a custom firmware full of bloatware to recoup some of the device cost. The aim of this method is not to eliminate an examiner’s ability to obtain the device data, but to save and make money.

Back while working as a LE examiner I had to constantly deal with Cricket-branded Kyocera devices that could not even be recognized by any software, so an SPC code had to be utilized that allowed access to the underlying file system. Then along came Trac and Virgin Mobile, who introduced a few devices that also had this limitation. Most of these devices have hidden menus that allow the service providers to gain access and make updates when needed. The problem: finding hidden menus for these devices can be a lot of work! They do, however, exist. Legacy Trac phones like to use the ##7764726290 code to enter the service menu, which happens to spell out ##PROGRAMAZ0. Virgin Mobile legacy devices generally use 0000000, then selecting option, and then ##847446, which conveniently spells VIRGIN! Of course, running into these legacy devices is not typical with our world swiftly moving to smart devices. So what about some of these smart devices?

In today’s mobile device walmartization, anyone can get a smart device for under $30 USD. That means these carriers need to lock these devices down in order to keep the price down. Again, the ports are locked, but with Android devices there are also some things an examiner can look for to obtain access.
NOTE: Of course, there are many variables, but this example has been used on several cheap Verizon Android devices.
The LG G2 VS980 is one of the tested devices. The examiner first realizes there may be a problem when the device is plugged into the computer or mobile solution and is not recognized. This is baffling to the examiner because it occurs even after going into the settings and turning on ADB! This creates a problem, since the device must be recognized as an ADB device in order for communication to occur via a USB cable solution. At this point most examiners believe there is one of two solutions: JTAG or chip-off. However, before going down that road an examiner should look for a hidden menu.

Some Android devices, when plugged in, display a menu with several options: Charging, Media Sync and Internet. This menu is much different from what is shown by a device that has not been subsidized; typically such devices display only MTP or PTP choices. With this modified menu, selecting Internet brings up another menu showing Modem and Ethernet. Selecting Modem releases the restriction on ADB, since the device must use ADB to allow tethering to the attached computer. Once ADB is visible, any mobile solution that is capable of processing Android devices will have success.
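As an added example (not part of the original post), the shell functions below classify the output of `adb devices -l` so an examiner can record whether the handset became visible to ADB after selecting Internet and then Modem. The function names, the serial number and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Reads an `adb devices -l` listing on stdin; prints "<serial> <state>" per device.
adb_states() {
    awk '
        /^List of devices attached/ { next }   # header line
        /^\*/                       { next }   # "* daemon started" notices
        NF >= 2                     { print $1, $2 }
    '
}

# Reads the same listing on stdin; prints a one-word verdict for the case notes.
adb_verdict() {
    adb_states | awk '
        $2 == "device"       { ready++ }    # usable by the acquisition tool
        $2 == "unauthorized" { unauth++ }   # debugging prompt on handset not accepted
        $2 == "offline"      { offline++ }
        $2 == "no"           { noperm++ }   # "no permissions": host-side USB access
        END {
            if (ready)
                print "ready"
            else if (unauth)
                print "unauthorized"
            else if (noperm)
                print "no-permissions"
            else if (offline)
                print "offline"
            else
                print "not-enumerated"
        }'
}

# Takes the listing text captured before and after the menu change.
adb_transition() {
    before=$(printf '%s\n' "$1" | adb_verdict)
    after=$(printf '%s\n' "$2" | adb_verdict)
    echo "$before -> $after"
}

# Constructed sample listings (serial and fields are made up).
SAMPLE_BEFORE='List of devices attached'
SAMPLE_AFTER=$(printf 'List of devices attached\n0123456789ABCDEF\tdevice product:example model:EXAMPLE device:example transport_id:1')

adb_transition "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
# Live use on the examination workstation: adb devices -l | adb_verdict
```

A verdict of `not-enumerated` matches the locked-port condition described above, while `unauthorized` means the handset is enumerated but the USB debugging prompt on its screen still has to be accepted.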

Looking for the hidden menus on these devices can give an examiner who may not have access to JTAG or chip-off skills or training the ability to process the device with a USB cable and their solution of choice. Good luck!

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department
