Open main menu
RECESSIM

Changes

Flash Extraction (view source)

Revision as of 00:28, 3 September 2025

1,567 bytes added ,  3 September
→‎Internal ROM: Added links related to STM32F0 Obermaier whitepaper - Shedding too much Light on a Microcontroller’s Firmware Protection
:* [https://en.wikipedia.org/wiki/1-Wire One-Wire]
::- 1-Wire is a wired half-duplex serial bus designed by Dallas Semiconductor that provides low-speed (16.3 kbit/s) data communication and supply voltage over a single conductor.
::: '''[Example]''' Genuine Dell laptop power supplies use the 1-Wire protocol to send transmit data via over the third wire to the laptop computer 's embedded controller, providing information about power, current , and voltage ratings.::: The laptop will embedded controller then refuse charging if the adapter does not meet requirementsverifies that a compatible power supply is connected, allowing all VRM phases to operate at maximum duty cycle.
::: Emulating the [https://github.com/orgua/OneWireHub/blob/main/examples/DS2502_DELLCHG/DS2502_DELLCHG.ino DS2502 TO-92-3 1-wire Dell charger ID EEPROM.]
::::: [https://cardis.org/cardis2013/proceedings/CARDIS2013_16.pdf Example paper 3. Glitch it if you can: parameter search strategies for successful fault injection.]
::::: [https://www.researchgate.net/publication/353922465_The_Forgotten_Threat_of_Voltage_Glitching_A_Case_Study_on_Nvidia_Tegra_X2_SoCs Example paper 4. The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs]
::::: [https://www.aisec.fraunhofer.de/en/FirmwareProtection.html Example paper 5. Using Optical Fault Injection and Race Conditions to Bypass STM32F0 Series Debug Interface Protections]
:::::- [https://github.com/racerxdl/stm32f0-pico-dump RPi Pico Implementation Exploiting Race Conditions to Iteratively Read Firmware]
:::;- Clock glitching (Oscillator Circuits)
::::: [https://caslab.io/publications/durand2021ultra.pdf Example paper 1. Ultra Freezing Attacks and Clock Glitching of Clock Oscillator Circuits]
: Credits to [https://www.0x01team.com/hw_security/bypassing-microchip-atmel-sam-e70-s70-v70-v71-security/ 0x01 Team] and [https://www.youtube.com/watch?v=IOD5voFTAz8 RECESSIM] for finding the reset low period being connected to the glitch timebase.
====Debugging =========Debugging Hardware / Tools=====
::* Tools that are used to find debug ports, OCD interfaces, serial port I/O.
:::;- [https://github.com/openocd-org/openocd OpenOCD (Open On-Chip Debugger)]:::;- [https://www.picotech.com/products/oscilloscope PicoScope. The modern alternative to the traditional benchtop oscilloscope.]:::;- [https://buspirate.com/ BusPirate - universal bus interface device for I2C and SPI.]:::;- [https://github.com/travisgoodspeed/goodfet GoodFET JTAG adapter]:::;- [https://mouser.com/new/segger/seggerjlink/ J-Link In-Circuit Debugger]:::;- [https://github.com/grandideastudio/jtagulator JTAGulator is an open source hardware tool that assists in identifying OCD interfaces from test points, vias, component pads, or connectors on a target device.] =====Logic Analyzer=====:: [https://hardwear.io/netherlands-2024/speakers/sasha-sheremetov.php hardwear.io - Hacking NAND Memory Pinout using Logic Analyzer.]:: '''Abstract:''':: This presentation is about analysis of technological pinout of NAND memory in such devices as microSD, eMMC and other monolithic chips using a logic analyzer.:: YouTube video: https://www.youtube.com/watch?v=sgl9Sfu79Lc
====Non-intrusive methods====
:::; <pre style="font-weight: normal;">Signing an OTA update package involves applying a digital signature using cryptographic methods. This process serves several critical purposes. 1. Authenticity. 2. Integrity.</pre>
====Programmers / Flash Utilities & Nand Flash Controllers ====
=====Programmers=====
======SOP16 / 8 / VSOP8 / WSON8 / PDIP8 / SO8 / TSSOP8 / UFDFPN8======
:: ➤ Ezp2023+ programmer with appropriate SOP16 SOP8 adapter
:::;- '''Important note:''' limited NOR Flash and NAND Flash support! Might need 1.8v adapter, buggy software. [https://www.onetransistor.eu/2023/12/how-to-use-ezp2023-usb-programmer.html Read more here.]
=====Flash Utilities=====
:: ➤ flashrom (Support: SPI/BIOS/EC)
:::;- [https://github.com/flashrom/flashrom flashrom] - is a utility for identifying, reading, writing, verifying and erasing flash chips. It is designed to flash BIOS/EFI/coreboot/firmware/optionROM images on mainboards, network/graphics/storage controller cards, and various other programmer devices.
=====Nand Flash Controllers=====
Listing of nand flash controller interface chips & off the shelf hardware (cheap stuff).<br>
Since the search engine is broken @ the usual suspects: DHgate, Gearbest, Banggood, Aliexpress or various other China stores. I use a search query like for example '''“TSOP48 usb pcb controller flash disk site:aliexpress.com”''' in image search mode.
======BGA-153======
:: ➤ ['''UFS'''] JMicron JMS901 USB 3 (single channel nand supported)
====The final chapter ====
Analyzing dumped data.You might also find the [[Software_Tools#|software category interesting.]]::* ToolsAnalyzing & unpacking firmware blobs
:::;- [https://github.com/onekey-sec/unblob Unblob]
:::;- [https://github.com/ReFirmLabs/binwalk Binwalk]
:::;- [https://github.com/attify/firmware-analysis-toolkit Firmware Analysis Tools (FAT)]
:::;- [https://github.com/fkie-cad/FACT_core FACT (Firmware Analysis and Comparison Tool)]
 
::* Disassemblers
:::;- [[Software_Tools#Interactive_Disassemblers_.28static_analysis.29|Interactive Disassemblers (static analysis)]]
Retrieved from "https://wiki.recessim.com/view/Special:MobileDiff/2975...3208"