Dumping the Firmware from the device Using buspirate - SPI


One of the best way to get the firmware from the hardware


While doing penetration testing there are scenarios in which we need to dump the firmware from the devices.This method is typically used when there are no firmware’s available from vendor site. Today we are going to show you how to dump the firmware from an Wireless router Binatone DT 850W
Software and hardware Requirements:

  • Buspirate
  • Ubuntu 16.04 or any other Linux machine
  • Flashrom tool
  • SOIC cable pin 8
  • Buspirate connectors



             
This is a Wireless router from Binatone DT 850W which will be used as an example for dumping the firmware.

Let’s us Analyze the Inside Device.You can see IC chips like EEPROM, UART pins and Ralink CPU and also some Other IC chips Let us focus mainly on the EEPROM chip (winbond W25Q16).
What is EEPROM:
EEPROM (also written E2PROM and pronounced “e-e-prom”, “double-e-prom” or “e-squared-prom”) stands for electrically erasable programmable read-only memory and is a type of non-volatile memory used in computers and other electronic devices to store relatively small amounts of data but allowing individual bytes to be erased and reprogrammed.This is the chip we need to read to dump the firmware.

To read EEPROM chip we required Buspirate and SOIC Pin 8 connector which can be used to connect the interfaces to the device.


This is how Buspirate and SOIC Pin 8 connector looks like.

To Interface bus pirate with the EEPROM chips we need to clearly identify the pins and their corresponding colour codes. we can easily determine the required pins with colour combination

Give the connection to EEPROM chip to SOIC pin8 cable

While giving the connection RED wire must be connecting to pin 1 EEPROM chip , There is round mark on the chip to recognise the pin 1 on EEPROM , as shown below picture

Connect the SOIC cable to Buspirate Pins according to below picture

Use this extra connector to SOIC cable to identify the pins easily


After giving the connections Buspirate to SOIC pin 8 will be looks like this,

Before we are going to dumping the firmware, we have to check the connections of SOIC Cable, buspirate and EEPROM are connected properly

VREG and PWR are blinking on the buspirate which means connections established perfectly as shown below


Make sure you already connected to buspirate , to verify observe PWR led light is turned on the buspirate

Step 1

$sudo flashrom –p buspirate_spi:dev=/dev/ttyUSB0

To identifying the EEPROM chip


Step 2:

To dumping the firmware from the chip

$sudo flashrom –p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M –c (Chip name)  –r (Name.bin)




Comments

Post a Comment

Popular posts from this blog

VR Model P1 - 360 degree camera

Image
This article is one of my very old assessment for fun i did (and it is done 2017) got it by recovering hard disk and assigned CVE ID - (CVE-2020-23512) . Here my target to  test 360 degree camera which trending in the IP camera world recently, what we going test model P1 VR camera. What is VR camera..? In photography, an omnidirectional camera (from "Omni", meaning all) is a camera with a 360-degree field of view in the horizontal plane, or with a visual field that covers (approximately) the entire sphere. Omnidirectional cameras are important in areas where large visual field coverage is needed, such as in panoramic photography and robotics. VR CAM P1 Proxy Eye Fisheye Camera IP 3D Vr 360 Degree Panoramic 960P Wi-Fi CCTV Camera With Sd Memory Card Slot Multi Viewing Mode Features of this VR CAMERA:    Brand VR CAM Model P1 Product Dimension 15 x 15 x 5 cm Resolution 960p Android/iOS Devices Additional Featur
Read more

Buspirate v3.6 firmware upgrade from USB

Image
Buspirate:  The Bus Pirate v3.6a, created by Ian Lesnet, is a troubleshooting tool that communicates between a PC and any embedded device over 1-wire, 2-wire, 3-wire, UART, I2C, SPI, and HD44780 LCD protocols - all at voltages from 0-5.5VDC. This product eliminates a ton of early prototyping effort when working with new or unknown chips. Upgrading Firmware: buspirate will not come with new firmware so it has to be change by us. buspirate v4 : Supports firmware version 7  buspirate v3.x:  Supports firmware version 6&7 (note : firmware version 7 may hurt the device hardware not fully tested from my side doit in your won risk) Requirements: Buspirate firmware and loader : https://github.com/DangerousPrototypes/Bus_Pirate/tree/master/BPv3-bootloader ICSP pins. in these pins there are two of them which is  PGD and PGC   helps us to load the firmware into it . T he PGC and PGD pins with a jumper cable. When you are in the bootloader, the MODE LED of the Bus Pirate will stay on connect th
Read more