ISP means “In-System Programming”.In-System Programming (ISP) allows communication to take place with a target chip without the need to remove it. The main advantage of this method is the possibility to communicate with a target chip eMMC or eMCP bypassing the CPU. It brings higher speed for data extraction compared with JTAG but it requires great soldering skills. ISP applied to forensics, is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory contents.
eMMC and eMCP memory are the standard in today’s smartphones, and the ISP practice enables examiners to directly recover the complete data without removing the chip and destroying the device.ISP benefits the examiner who faces the challenges of tightening budgets, yet wants to expand their expertise in retrieving evidence from locked smartphones. A cost-effective technique, ISP provides examiners with the same results of a chip-off at a lower price-point.
Why do we need ISP Pinout ?
Just Like “Joint Test Action Group (JTAG)” there are specific contacts that will be of interest to the examiner. But unlike JTAG, the contacts are directly off the chip BGAs and do not go through the processor. Acquires data much faster than JTAG, enabling examiners to process more phones faster.
VCC – Voltage Supply for Core (3,3V)
VCCQ – Voltage Supply for I/O (1,8 – 3,3V)
The purpose of each signal is as follows:-
CLK : Clock signal for synchronization.Each cycle of this signal directs a one bit transfer on the command and either a one bit (1x) or a two bits transfer (2x) on all the data lines. The frequency may vary between zero and the maximum clock frequency
CMD : This signal is used to send the Host’s command and Device’s response.
Data0 : These are bidirectional data channels. The DAT signals operate in push-pull mode. Only the Device or the host is driving these signals at a time. By default, after power up or reset, only DAT0 is used for data transfer. A wider data bus can be configured for data transfer, using either DAT0-DAT3 or DAT0-DAT7, by the eMMC host controller. The eMMC Device includes internal pull-ups for data lines DAT1-DAT7. Immediately after entering the 4-bit mode, the Device disconnects the internal pull ups of lines DAT1, DAT2, and DAT3. Correspondingly, immediately after entering to the 8-bit mode the Device disconnects the internal pull-ups of lines DAT1–DAT7.
GND : VSS is the Ground for Core & VSSQ is the Ground for I/O.
Example : How to Communicate with Easy JTAG Plus Box (Full Process)
1. Disassembly the phone & Disconnect the battery.
2.Prepare ISP Pinout for Xiaomi Note 4 (you can find on our ISP Pinout Section)
3.Remove the shield plate on motherboard with cutting nipper (Hot air gun is not recommended here because the shield plate is hard to remove and high temperature might cause damage to components nearby). Be careful – there are many electrical components and if you use too much power you can rip them from the PCB.
4. Solder all contacts for ISP according to Pinout description. The soldering paste is very useful in this step because it helps easily solder 0.1mm copper wire to small soldering pads.
5.Connect all soldered wires to direct eMMC adapter
6.Now connect the eMMC box and the power supply (miniUSB) to the direct eMMC adapter.
7.Run EasyJTAG plus SW
8.Set communication and power parameters according to the picture and click the button “Check eMMC inEasyJTAG Port”
9.You should see all parameters of the eMMC chip now, including information about the memory health.In this example the memory is dead- According to SkHinex (manufacturer of memory chips for Redmi Note 4) documentation on that chips – TYPE B is MLC Cells Health Status exceeded its maximum estimated device life time – it means that device used all reserved backup cells for bad block relocation. The phone boots only into the recovery and all data are imprisoned in the eMMC.
10.Now you are able to make a eMMC memory DUMP (Read eMMC button).wait for finish
11.You can import the extracted data to Easy JTAG Plus Media Tab and make a full extraction including app analysis, deleted data extraction etc.
12.Fill all necessary fields and select required format of the output file.