Whiteboard Wednesday:

Extracting Firmware from Microcontrollers

July 24, 2019

In this week’s Whiteboard Wednesday, Deral Heiland, research lead for IoT technology at Rapid7, discusses extracting firmware from microcontrollers. This includes how to start thinking about microcontrollers, their manufacturers, and access methods for particular chips. This can include things like SPI, JTAG, cJTAG, serial wire debug, or in-circuit serial programming methods to gain access to that data.

Heading to DEF CON in August? Stop by the IoT village, where we'll be running hands-on exercises where you can get a chance to actually do this work.


Video Transcript

Welcome to this week's Whiteboard Wednesday. My name is Deral Heiland, research lead for IoT technology here at Rapid7. This week, we're going to be talking about extracting firmware from microcontrollers. Several months ago, we did a Whiteboard Wednesday where we focused on extracting firmware from flash chips.



This week, we're going to be talking about microcontrollers. When we start thinking about microcontrollers, the first thing I want to do is actually go out to the manufacturer. Let's go ahead and pull the data sheets. Those data sheets will define the access method for that particular chip. This may include things like SPI, JTAG, cJTAG, serial wire debug, or in-circuit serial programming methods to gain access to that data.


Once you've identified this method, the next thing you want to do is identify what kind of device I'm actually going to use to attach to this chip to be able to extract the data. Often, I go out to the actual development site. I look at what the developers are doing for working with this particular chipset. Identify whether they have specific vendor debuggers available for this device or specific vendor software. If those are available and affordable, I'll often utilize those.
Some other things we could utilize are like J-Link, the SEGGER J-Link device. The SEGGER J-Link device covers a multitude of chips. It's a very effective device and I use that quite often.


On the low cost area, there are a couple of other devices we can utilize. We can utilize a Bus Pirate. We can also utilize the Shikra. To work with those devices, you have access to software known as OpenOCD. The OpenOCD software gives you the ability to work with a number of different chipsets.
But again, often OpenOCD may not cover specific chipsets. In those cases, again, I step back to the actual vendor specific debuggers, vendor specific software. Often that is the most effective and quickest way to actually access these chips.


Also recently, we published a series of four blogs that cover four different microcontrollers, four different debuggers and four different software sets for actually doing this. I recommend taking a look at that. It's very eye-opening. It may lead you in the right direction if you're actually working in this particular area.


So when we think about pulling flash memory from microcontrollers, how do we protect that data? How does a vendor that's producing a product actually protect that data from being pulled off the device? There are a couple methods. One of the methods is actually removing the access method. Example, JTAG. We completely disabled JTAG from the device.


The second, almost every MCU has the ability to set what's known as a no read back bit. This bit can be set on the device and it protects the actual flash memory from being read back out of the device. Those are the two best methods for actually securing this device.


Also, in August, we're going to be at DEF CON. Rapid7 will be working with the IoT Village and we'll be running hands-on exercises where you can get a chance to actually do this work. We'll be covering three to four different microcontrollers and various debuggers and debugging methods to actually pull firmware off devices. So that's it for this week's Whiteboard Wednesday. Thank you very much.
