TBD

==Table==

====Introduction====
A basic explanation of embedded and smart devices and how they store code in modern electronics.
Techniques and data regarding the extraction process can be found here.
----

====Purpose of data extraction====
:* Security audits
:* Industrial hardware repair
:* Recovery in mission critical failure mode (back-up a day keeps the Dr away)

====Physical locations====
:* Chip internal ROM (embedded inside the microcontroller)
:* Chip external ROM (an external part on the PCB)

====Types of Memory====
:* Various types of EEPROMs
::* Serial EEPROM
::* Parallel EEPROM
::* Flash Memory -> Bigger, faster and cheaper but less reliable (fewer write cycles)
::* NAND/NOR Flash
::* FeRAM

====Chip interfaces====
:* I2C
:* SPI
:* Parallel Interface
:* Microwire
:* QSPI
:* One-Wire

====Extraction Methods [ >> hot topic << ]====

=====External ROM=====
::* In-circuit programming
::* Out-of-circuit programming

=====Internal ROM=====
::* 1. Decapsulation
:::;- [https://www.youtube.com/watch?v=T1rRgb9N9s4 Nitric Acid and Microscopes. Decapsulating IC's.]
::* 2. Bootloader hacking
:::;- [https://0xinfection.github.io/reversing/reversing-for-everyone.pdf Great resources on reverse engineering]
::* 3. Fault injection & Glitching Attacks
:::;- VCC glitching
:::;- Clock glitching
:::;- EMFI (Electromagnetic Fault Injection)
::* 4. Scanning Electron Microscopy (SEM)
:::;- An expensive method.
::* Public Fault Injection Toolkits
:::;- [https://github.com/newaetech/chipwhisperer ChipWhisperer]
:::;- [https://github.com/newaetech/chipshouter-picoemp PicoEMP]
::* Debugging Tools
:::;- [https://github.com/openocd-org/openocd OpenOCD (Open On-Chip Debugger)]
:::;- [https://www.picotech.com/products/oscilloscope PicoScope. The modern alternative to the traditional benchtop oscilloscopes.]
:::;- [https://buspirate.com/ BusPirate - universal bus interface device for I2C and SPI.]
:::;- [https://github.com/travisgoodspeed/goodfet GoodFET JTAG adapter]

====Non-intrusive methods====

=====[Vector] Factory debug/programming ports=====
::* JTAG (primarily used for testing and debugging electronic circuits)
::* UART (an asynchronous serial communication protocol that transmits data)
:::* TTL
::::: TTL defines voltage levels in digital logic circuits
:::::* [https://en.wikipedia.org/wiki/Level_shifter Level shifters]

=====[Vector] Network based=====
::* Network stack -> WLAN firmware bugs
::* Network stack -> Promiscuous mode eavesdropping
::* Network stack -> MiTM methods
::* Local -> Signed updates
::* Local -> Cryptographic checksums

====Off the shelf extraction hardware (cheap stuff)====
Since the search engine is broken at the usual suspects, I use a search query such as '''“TSOP48 usb pcb controller flash disk site:aliexpress.com”''' in image search mode.

=====BGA-153 NAND Flash=====
:: ➤ ['''UFS'''] JMicron JMS901 USB 3 (single channel NAND supported)
:: ➤ ['''eMMC'''] Alcor Micro AU6438 USB 2.0 (single channel NAND supported)

=====TSOP48=====
:: ➤ Innostor IS917 [http://www.flash-extractor.com/library/IS/IS917/ click here for details (Flash-extractor library)]
:: ➤ Silicon Motion Sm3281n [http://flash-extractor.com/library/SM/SM3281/SM3281N%20BB__2c_a4_08_32__1x8 click here for details (Flash-extractor library)]
:: ➤ Chipsbank CBM2099E [https://flash-extractor.com/library/CBM/CBM2099/ click here for details (Flash-extractor library)]

=====SOP16 / 8 / VSOP8 / WSON8=====
:: ➤ CH341A Programmer
:: ➤ Ezp2023+ programmer with appropriate SOP16 SOP8 adapter (Important note: limited NOR Flash and NAND Flash support! Might need 1.8v adapter, buggy software)

=====Controller firmwares & datasheets=====
USBDev.ru is a great resource.
:: [https://www.usbdev.ru/files/ usbdev.ru/files/]
:: [https://www.usbdev.ru/databases/ usbdev.ru/databases/]

====The final chapter====
Analyzing dumped data.
::* Tools
:::;- [https://github.com/onekey-sec/unblob Unblob]
:::;- [https://github.com/ReFirmLabs/binwalk Binwalk]
:::;- [https://github.com/gchq/CyberChef CyberChef]
:::;- [https://github.com/BinaryResearch/centrifuge-toolkit Centrifuge]
:::;- [https://github.com/attify/firmware-analysis-toolkit Firmware Analysis Tools (FAT)]
:::;- [https://github.com/fkie-cad/FACT_core FACT (Firmware Analysis and Comparison Tool)]