Whiteboard Wednesday:

Memory Extraction from SPI Flash Devices

December 20, 2017

In this week’s Whiteboard Wednesday, Deral Heiland, Research Lead of IoT Technology at Rapid7, walks us through an easy, step-by-step guide to extracting memory or firmware from Serial Peripheral Interface (SPI) flash devices.



Video Transcript

Welcome to this week's Whiteboard Wednesday. My name's Deral Heiland, Research Lead for IoT technology here at Rapid7. For today's topic, we're going to be talking about the extraction of memory or firmware from SPI-based flash devices. That's serial peripheral interface devices.


Often when you're extracting flash from these devices, one of the most common SPI, or serial peripheral interface devices that we come across are these common eight pin serial outline integrated circuits, as we have represented here in this drawing.

The way we would do this is we would actually attach some kind of device to the actual SPI interface of the chip. What we're going to be talking about doing today is attaching a device known as a Shikra. A Shikra is an inexpensive device, can easily be purchased, to be able to do this kind of functionality.

What we do is, we will attach that device to the chip that's actually in circuit. Now, often there's two ways to actually pull the memory from these devices. One is in circuit, the other's more destructive where we actually remove the chip, but the first one we want to talk about is actually in circuit.

What we'll do is we'll connect up the appropriate pins. The chip select, the serial out, the serial in, the ground, the clock, and those functionalities there. We'll hook them up to the actual Shikra, and then what we'll utilize is a tool known as flashrom. An open source piece of software that is available, and it will be able to detect the actual chip type for most cases and you'll be able to pull the memory.

Often during the process, if you're doing it in circuit, power is going to be supplied by the running device itself. In this case, there's no need to attach any kind of external power. One of the problems you may run into while trying to do this as in circuit, is the main processor on the circuit board will prevent this from happening. It will keep resetting the device when the CPU has the control.

The only way to fix that problem is to actually put the main processor chip in reset. Often chips have a reset pin associated with them. This can be taken to ground, taking the CPU to reset. At that point, by running this flashrom command, you should be able to extract the memory from these devices and write it out to a file.

The second way is more destructive. This is the method that I prefer. It's much easier in my opinion. Often these devices are easy to desolder. They're surface mount devices, and can be easily unsoldered out of circuit. At that point, we would connect it to the Shikra, also with the same pinout. The only difference is, in this case, we have to supply external power to the actual chip to be able to pull the memory.

We do this by attaching to these pins here. VCC, HOLD, and write protect, and supply 3.3 volts in most cases to these chips, makes it possible to out of circuit, to be able to dump the flash memory to a file using this exact same command.

One thing you need to take into consideration also. This pinout here we show is quite a common pinout for these eight-pin chips, but it's not always that exact pinout. I encourage you to bring up the data sheets associated with whatever flash chip you want to pull the data from. Confirm that the pinout is accurate before you connect the device up and actually run this command.

Hopefully following this standard process, you can easily pull the firmware off an embedded device that's utilizing these types of flash memory devices. That concludes this week's Whiteboard Wednesday. Thank you very much.
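The transcript notes that an in-circuit read can be disturbed while the CPU still controls the flash, and that flashrom detects the chip type only "for most cases". The following is an added example, not part of the talk or of flashrom: a sanity check for a dump, assuming the chip was read twice to two files. The function name and the sample data are hypothetical.

```python
from collections import Counter

def check_dump(read_a: bytes, read_b: bytes) -> list[str]:
    """Compare two reads of the same chip and return a list of problems."""
    if not read_a:
        return ["first read is empty"]
    problems = []
    size = len(read_a)
    # SPI flash capacities are powers of two; any other size is a short read.
    if size & (size - 1):
        problems.append(f"size {size} is not a power of two")
    # Two reads of an undisturbed chip must be byte-for-byte identical.
    if len(read_b) != size:
        problems.append(f"read lengths differ: {size} vs {len(read_b)}")
    elif read_a != read_b:
        diffs = [i for i, (x, y) in enumerate(zip(read_a, read_b)) if x != y]
        problems.append(
            f"reads differ in {len(diffs)} byte(s), first at offset 0x{diffs[0]:x}")
    # A dump of one repeated 0x00/0xFF byte means the data line never carried
    # chip contents (or the chip is blank); identical halves mean the address
    # wrapped because the size used for the read was larger than the chip.
    value, count = Counter(read_a).most_common(1)[0]
    half = size // 2
    if count == size and value in (0x00, 0xFF):
        problems.append(f"every byte is 0x{value:02X}: chip erased or not responding")
    elif size % 2 == 0 and read_a[:half] == read_a[half:]:
        problems.append("second half mirrors the first: chip size may be too large")
    return problems

# Constructed sample data standing in for a 4 KiB dump (not from a real device).
GOOD = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(4096))

if __name__ == "__main__":
    flipped = bytearray(GOOD)
    flipped[0x100] ^= 0xFF  # simulate one byte corrupted during the second read
    cases = [
        ("clean", GOOD, GOOD),
        ("disturbed read", GOOD, bytes(flipped)),
        ("no response", b"\xff" * 4096, b"\xff" * 4096),
        ("wrapped", GOOD[:2048] * 2, GOOD[:2048] * 2),
    ]
    for label, a, b in cases:
        print(f"{label}: {check_dump(a, b) or 'ok'}")
```

With real dumps, pass the contents of the two output files; an empty result means the reads agree and none of the common failure patterns were seen.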
