Flash Extraction

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search

Flash mediawiki banner.png

Table

Introduction

Basics explanation of embedded and smart devices and their ways of storing code in modern electronics. Techniques and data shared regarding the extraction process can be find here.


Purpose of data extraction

  • Security audits
  • Industrial hardware repair
  • Recovery in mission critical failure mode (back-up a day keeps the Dr away)

Physical locations

  • Chip Internal ROM (embedded inside the microcontroller)
  • Chip external ROM (an external part on the PCB)

Types of Memory

  • Various types of EEPROMs
  • Serial EEPROM
  • Parallel EEPROM
  • Flash Memory -> Bigger, faster and cheaper but less reliable (less write cycles)
  • NAND/NOR Flash
  • FeRAM

Chip interfaces

  • I2C
  • SPI
  • Parallel Interface
  • Microwire
  • QSPI
  • One-Wire

Extraction Methods [ >> hot topic << ]

External ROM
  • In-circuit programming
  • Out-of-circuit programming
Internal ROM
  • 1. Decapsulation
- Nitric Acid and Microscopes. Decapsulating IC's.
  • 2. Bootloader hacking
- Great resources on reserve engineering
  • 3. Fault injection & Glitching Attacks
- VCC glitching
- Clock glitching
- EMFI (Electromagnetic Fault Injection)
  • 4. Scanning Electron Microscopy (SEM)
- An expensive method.
  • Public Fault Injection Toolkits
- ChipWhisperer
- PicoEMP
  • Debugging Tools
- OpenOCD (Open On-Chip Debugger)
- PicoScope. The modern alternative to the traditional benchtop oscilloscopes.
- BusPirate - universal bus interface device for I2C and SPI.
- GoodFET JTAG adapter

Non-intrusive methods

[Vector] Factory debug/programming ports
  • JTAG (primarily used for testing and debugging electronic circuits)
  • UART (an asynchronous serial communication protocol that transmits data)
  • TTL
TTL defines voltage levels in digital logic circuits
[Vector] Network based
  • Network stack - > WLAN firmware bugs
  • Network stack - > Promiscuous mode eavesdropping
  • Network stack - > MiTM methods
  • Local - > Signed updates
  • Local - > Cryptographic checksums

Off the shelf extraction hardware (cheap stuff)

Since the search engine is broken @ the usual suspects. I use a search query like example “TSOP48 usb pcb controller flash disk site:aliexpress.com” in image search mode.

BGA-153 Nand Flash
➤ [UFS] JMicron JMS901 USB 3 (single channel nand supported)
➤ [eMMC] Alcor Micro AU6438 USB 2.0 (single channel nand supported)
TSOP48
➤ Innostor IS917 click here for details (Flash-extractor library)
➤ Silicon Motion Sm3281n click here for details (Flash-extractor library)
➤ Chipsbank CBM2099E click here for details (Flash-extractor library)
SOP16 / 8 / VSOP8 / WSON8
➤ CH341A Programmer
➤ Ezp2023+ programmer with appropriate SOP16 SOP8 adapter (Important note: limited NOR Flash and NAND Flash support! Might need 1.8v adapter, buggy software)
Controller firmwares & datasheets

USBDev.ru is a great resource.

usbdev.ru/files/
usbdev.ru/databases/

The final chapter

Analyzing dumped data.

  • Tools
- Unblob
- Binwalk
- CyberChef
- Centrifuge
- Firmware Analysis Tools (FAT)
- FACT (Firmware Analysis and Comparison Tool)