Dumping the Firmware from the Device Using Bus Pirate - SPI
One of the best ways to get the firmware from the hardware
While doing penetration testing there are scenarios in which we need to dump the firmware from the device. This method is typically used when no firmware is available from the vendor's site. Today we are going to show you how to dump the firmware from a Binatone DT 850W wireless router.
Software and hardware requirements:
- Bus Pirate
- Ubuntu 16.04 or any other Linux machine
- flashrom tool
- SOIC 8-pin clip cable
- Bus Pirate connector cables
This is the Binatone DT 850W wireless router that will be used as the example for dumping the firmware.
Let us analyze the inside of the device. You can see IC chips like the EEPROM, the UART pins, the Ralink CPU and also some other IC chips.
Let us focus mainly on the EEPROM chip (Winbond W25Q16).
What is EEPROM:
EEPROM (also written E2PROM and pronounced "e-e-prom", "double-e-prom" or "e-squared-prom") stands for electrically erasable programmable read-only memory. It is a type of non-volatile memory used in computers and other electronic devices to store relatively small amounts of data while allowing individual bytes to be erased and reprogrammed. This is the chip we need to read in order to dump the firmware.
To read the EEPROM chip we require a Bus Pirate and a SOIC 8-pin clip, which is used to connect the Bus Pirate to the chip on the device.
This is how the Bus Pirate and the SOIC 8-pin clip look.
To interface the Bus Pirate with the EEPROM chip we need to clearly identify the pins and their corresponding colour codes. We can easily determine the required pins from the colour combination.
Connect the SOIC 8-pin clip to the EEPROM chip.
While making the connection, the RED wire must be connected to pin 1 of the EEPROM chip. There is a round mark on the chip to identify pin 1, as shown in the picture below.
Connect the SOIC cable to the Bus Pirate pins according to the picture below.
Use this extra connector on the SOIC cable to identify the pins easily.
After making the connections, the Bus Pirate wired to the SOIC 8-pin clip will look like this:
Before we dump the firmware, we have to check that the SOIC cable, the Bus Pirate and the EEPROM are all connected properly.
VREG and PWR are lit on the Bus Pirate, which means the connections are established correctly, as shown below.
Make sure the Bus Pirate is already connected to the machine; to verify, observe that the PWR LED on the Bus Pirate is turned on.
Step 1: Identify the EEPROM chip
$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0
Step 2: Dump the firmware from the chip
$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c <chip name> -r <name.bin>
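Once step 2 finishes it is worth checking that the read actually produced data: the W25Q16 is a 2 MiB part, and a clip that has slipped off a pin tends to return all 0xFF or all 0x00 without flashrom complaining. The script below is an added example, not code from the original post; it assumes the step 2 command was run twice into two files whose (hypothetical) names you pass on the command line, so the two reads can be compared.

```python
import hashlib
import sys

# Winbond W25Q16: 16 Mbit = 2 MiB of SPI flash, so a full read must be exactly this long.
W25Q16_SIZE = 2 * 1024 * 1024


def check_dump(data: bytes, expected_size: int = W25Q16_SIZE) -> list:
    """Return the problems found in one flashrom read; an empty list means it looks sane."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != expected {expected_size}")
    if not data:
        return problems
    ff, zero = data.count(0xFF), data.count(0x00)
    # A clip that is not making good contact usually reads back as all 0xFF or all 0x00
    # instead of failing outright, so a "successful" read can still be worthless.
    if ff == len(data):
        problems.append("all bytes 0xFF (erased chip or clip not making contact)")
    elif zero == len(data):
        problems.append("all bytes 0x00 (unpowered chip or bad read)")
    elif (ff + zero) / len(data) > 0.9:
        problems.append("over 90% of bytes are 0xFF/0x00 (mostly blank read)")
    return problems


def reads_match(first: bytes, second: bytes) -> bool:
    """Two consecutive reads of the same chip must be byte-identical; compare SHA-256 digests."""
    return hashlib.sha256(first).hexdigest() == hashlib.sha256(second).hexdigest()


def main(paths):
    # Usage: python3 check_dump.py dump1.bin dump2.bin   (hypothetical file names)
    dumps = [open(p, "rb").read() for p in paths]
    ok = True
    for path, data in zip(paths, dumps):
        for problem in check_dump(data):
            print(f"{path}: {problem}")
            ok = False
    if len(dumps) == 2 and not reads_match(*dumps):
        print("the two reads differ: re-seat the clip and dump again")
        ok = False
    return ok


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1:]) else 1)
```

If you dumped a different chip in step 2, pass its capacity as expected_size instead of the W25Q16 default.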