HardwareAllTheThings/firmware/firmware-dumping/index.html

2819 lines
92 KiB
HTML
Raw Permalink Normal View History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Hardware/IOT Pentesting Wiki">
<link rel="canonical" href="https://swisskyrepo.github.io/HardwareAllTheThings/firmware/firmware-dumping/">
<link rel="prev" href="../../enumeration/jtag/">
<link rel="next" href="../firmware-reverse-engineering/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.44">
<title>Firmware Dumping - Hardware All The Things</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../custom.css">
<script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<meta property="og:type" content="website" >
<meta property="og:title" content="Firmware Dumping - Hardware All The Things" >
<meta property="og:description" content="Hardware/IOT Pentesting Wiki" >
<meta property="og:image" content="https://swisskyrepo.github.io/HardwareAllTheThings/assets/images/social/firmware/firmware-dumping.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/HardwareAllTheThings/firmware/firmware-dumping/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="Firmware Dumping - Hardware All The Things" >
<meta name="twitter:description" content="Hardware/IOT Pentesting Wiki" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/HardwareAllTheThings/assets/images/social/firmware/firmware-dumping.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#firmware-dumping" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Hardware All The Things" class="md-header__button md-logo" aria-label="Hardware All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Hardware All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Firmware Dumping
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/HardwareAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Hardware All The Things" class="md-nav__button md-logo" aria-label="Hardware All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Hardware All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/HardwareAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
<span class="md-ellipsis">
🔌 Hardware All The Things
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Debug interfaces
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Debug interfaces
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../debug-interfaces/jtag/" class="md-nav__link">
<span class="md-ellipsis">
JTAG
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../debug-interfaces/swd/" class="md-nav__link">
<span class="md-ellipsis">
SWD
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../debug-interfaces/uart/" class="md-nav__link">
<span class="md-ellipsis">
UART
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Enumeration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Enumeration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../enumeration/chip-identification/" class="md-nav__link">
<span class="md-ellipsis">
Chip identification
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../enumeration/fcc-id/" class="md-nav__link">
<span class="md-ellipsis">
FCC ID
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../enumeration/jtag/" class="md-nav__link">
<span class="md-ellipsis">
JTAG
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Firmware
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Firmware
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Firmware Dumping
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Firmware Dumping
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#flash-memory-types" class="md-nav__link">
<span class="md-ellipsis">
Flash Memory Types
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#flash-a-new-firmware-into-the-microcontroller" class="md-nav__link">
<span class="md-ellipsis">
Flash a new firmware into the microcontroller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dump-flash-using-debug-port" class="md-nav__link">
<span class="md-ellipsis">
Dump flash using debug port
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dump-flash-via-spi" class="md-nav__link">
<span class="md-ellipsis">
Dump Flash via SPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#convert-ihex-to-elf" class="md-nav__link">
<span class="md-ellipsis">
Convert ihex to elf
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#explore-filesystem" class="md-nav__link">
<span class="md-ellipsis">
Explore Filesystem
</span>
</a>
<nav class="md-nav" aria-label="Explore Filesystem">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#common-filesystem" class="md-nav__link">
<span class="md-ellipsis">
Common Filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#write-new-firmware" class="md-nav__link">
<span class="md-ellipsis">
Write new firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#type-of-firmware" class="md-nav__link">
<span class="md-ellipsis">
Type of firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#check-entropy" class="md-nav__link">
<span class="md-ellipsis">
Check entropy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#encrypted-firmware" class="md-nav__link">
<span class="md-ellipsis">
Encrypted firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#over-the-air-updates" class="md-nav__link">
<span class="md-ellipsis">
Over-the-air updates
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../firmware-reverse-engineering/" class="md-nav__link">
<span class="md-ellipsis">
Firmware Reverse Engineering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Gadgets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Gadgets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../gadgets/arduino/" class="md-nav__link">
<span class="md-ellipsis">
Arduino
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/bruschetta-board/" class="md-nav__link">
<span class="md-ellipsis">
Bruschetta
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/bus-pirate/" class="md-nav__link">
<span class="md-ellipsis">
Bus Pirate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/ch341a/" class="md-nav__link">
<span class="md-ellipsis">
CH341A
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/esp32/" class="md-nav__link">
<span class="md-ellipsis">
ESP32
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/flipper-zero/" class="md-nav__link">
<span class="md-ellipsis">
Flipper Zero
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/goodfet/" class="md-nav__link">
<span class="md-ellipsis">
GoodFET
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydrabus/" class="md-nav__link">
<span class="md-ellipsis">
HydraBus
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydraflash/" class="md-nav__link">
<span class="md-ellipsis">
HydraFlash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydranfc/" class="md-nav__link">
<span class="md-ellipsis">
HydraNFC
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydrausb3/" class="md-nav__link">
<span class="md-ellipsis">
HydraUSB3
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/icopy-x/" class="md-nav__link">
<span class="md-ellipsis">
iCopy-X
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/logic-analyzer/" class="md-nav__link">
<span class="md-ellipsis">
Logic Analyzer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/m5stack/" class="md-nav__link">
<span class="md-ellipsis">
Evil M5Core2
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/memory-programmer/" class="md-nav__link">
<span class="md-ellipsis">
Memory Programmer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/micro-bit/" class="md-nav__link">
<span class="md-ellipsis">
Micro::bit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/proxmark/" class="md-nav__link">
<span class="md-ellipsis">
Proxmark
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/pwnagotchi/" class="md-nav__link">
<span class="md-ellipsis">
Pwnagotchi
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/raspberry-pi/" class="md-nav__link">
<span class="md-ellipsis">
Raspberry Pi
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Other
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Other
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../other/default-iot-passwords/" class="md-nav__link">
<span class="md-ellipsis">
Default IoT Passwords
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../other/electronic-components/" class="md-nav__link">
<span class="md-ellipsis">
Electronic Components
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../other/links-and-hardware-kits/" class="md-nav__link">
<span class="md-ellipsis">
Links &amp; Hardware Kits
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Protocols
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Protocols
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../protocols/bluetooth/" class="md-nav__link">
<span class="md-ellipsis">
Bluetooth
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/can/" class="md-nav__link">
<span class="md-ellipsis">
CAN Bus
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/dnp3/" class="md-nav__link">
<span class="md-ellipsis">
DNP3
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/gps/" class="md-nav__link">
<span class="md-ellipsis">
GPS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/http/" class="md-nav__link">
<span class="md-ellipsis">
HTTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/i2c/" class="md-nav__link">
<span class="md-ellipsis">
I2C
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/lora/" class="md-nav__link">
<span class="md-ellipsis">
LoRa
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/mms/" class="md-nav__link">
<span class="md-ellipsis">
MMS (IEC 61850)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/modbus/" class="md-nav__link">
<span class="md-ellipsis">
Modbus
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/mqtt/" class="md-nav__link">
<span class="md-ellipsis">
MQTT
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/ntag215-amiibo/" class="md-nav__link">
<span class="md-ellipsis">
NFC - Amiibo
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/signaling-system-7/" class="md-nav__link">
<span class="md-ellipsis">
SS7 - Signaling System No. 7
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/spi/" class="md-nav__link">
<span class="md-ellipsis">
SPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/upnp/" class="md-nav__link">
<span class="md-ellipsis">
UPnP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/usb/" class="md-nav__link">
<span class="md-ellipsis">
USB
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/zigbee/" class="md-nav__link">
<span class="md-ellipsis">
ZigBee
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7_17" >
<label class="md-nav__link" for="__nav_7_17" id="__nav_7_17_label" tabindex="0">
<span class="md-ellipsis">
Rfid nfc
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_7_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7_17">
<span class="md-nav__icon md-icon"></span>
Rfid nfc
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-mifare-classic/" class="md-nav__link">
<span class="md-ellipsis">
HF - Mifare Classic
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-mifare-desfire/" class="md-nav__link">
<span class="md-ellipsis">
HF - Mifare DESFire
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-mifare-ultralight/" class="md-nav__link">
<span class="md-ellipsis">
HF - Mifare UltraLight
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-vigik/" class="md-nav__link">
<span class="md-ellipsis">
HF - Vigik
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/lf-hid-indala/" class="md-nav__link">
<span class="md-ellipsis">
LF - HID &amp; Indala
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/readme/" class="md-nav__link">
<span class="md-ellipsis">
NFC - RFID
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7_18" >
<label class="md-nav__link" for="__nav_7_18" id="__nav_7_18_label" tabindex="0">
<span class="md-ellipsis">
Wifi
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_7_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7_18">
<span class="md-nav__icon md-icon"></span>
Wifi
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-basics/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - Basics
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-corporate/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - Enterprise Network
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-other/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - Additional Tricks and Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-wep/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - WEP Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-wpa/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - WPA Cracking
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Radio frequency
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Radio frequency
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../radio-frequency/limesdr-bts/" class="md-nav__link">
<span class="md-ellipsis">
GSM Network: LimeSDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../radio-frequency/sdr/" class="md-nav__link">
<span class="md-ellipsis">
SDR
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
Secure boot
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Secure boot
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../secure-boot/" class="md-nav__link">
<span class="md-ellipsis">
Secure Boot
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Side channel
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Side channel
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../side-channel/fault-injection/" class="md-nav__link">
<span class="md-ellipsis">
Fault Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#flash-memory-types" class="md-nav__link">
<span class="md-ellipsis">
Flash Memory Types
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#flash-a-new-firmware-into-the-microcontroller" class="md-nav__link">
<span class="md-ellipsis">
Flash a new firmware into the microcontroller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dump-flash-using-debug-port" class="md-nav__link">
<span class="md-ellipsis">
Dump flash using debug port
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dump-flash-via-spi" class="md-nav__link">
<span class="md-ellipsis">
Dump Flash via SPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#convert-ihex-to-elf" class="md-nav__link">
<span class="md-ellipsis">
Convert ihex to elf
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#explore-filesystem" class="md-nav__link">
<span class="md-ellipsis">
Explore Filesystem
</span>
</a>
<nav class="md-nav" aria-label="Explore Filesystem">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#common-filesystem" class="md-nav__link">
<span class="md-ellipsis">
Common Filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#write-new-firmware" class="md-nav__link">
<span class="md-ellipsis">
Write new firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#type-of-firmware" class="md-nav__link">
<span class="md-ellipsis">
Type of firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#check-entropy" class="md-nav__link">
<span class="md-ellipsis">
Check entropy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#encrypted-firmware" class="md-nav__link">
<span class="md-ellipsis">
Encrypted firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#over-the-air-updates" class="md-nav__link">
<span class="md-ellipsis">
Over-the-air updates
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/swisskyrepo/HardwareAllTheThings/blob/main/docs/firmware/firmware-dumping.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/swisskyrepo/HardwareAllTheThings/raw/main/docs/firmware/firmware-dumping.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="firmware-dumping">Firmware Dumping</h1>
<h2 id="flash-memory-types">Flash Memory Types</h2>
<ul>
<li>NOR Flash (SOIC8 package)<ul>
<li>SPI Flash</li>
<li>Mostly error "Fault-free" memory</li>
<li>Used for embedded device that need fast execution, but low storage capacity</li>
</ul>
</li>
<li>NAND Flash (TSOP48 package)</li>
<li>eMMC Flash (BGA{153} package)</li>
<li>UFS Universal Flash Storage</li>
</ul>
<h2 id="flash-a-new-firmware-into-the-microcontroller">Flash a new firmware into the microcontroller</h2>
<ul>
<li>
<p>Using <a href="https://github.com/avrdudes/avrdude">avrdudes/avrdude</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="c"># send raw data firmware</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-p</span> <span class="n">m328p</span> <span class="n">-c</span> <span class="n">usbasp</span> <span class="n">-P</span> <span class="p">/</span><span class="n">dev</span><span class="p">/</span><span class="n">ttyUSB0</span> <span class="n">-b</span> <span class="n">9600</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">w</span><span class="p">:</span><span class="n">flash_raw</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="c"># send ihex firmware</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-c</span> <span class="n">arduino</span> <span class="n">-p</span> <span class="n">atmega328p</span> <span class="n">-P</span> <span class="p">/</span><span class="n">dev</span><span class="p">/</span><span class="n">ttyUSB</span><span class="p">*</span> <span class="n">-b115200</span> <span class="n">-u</span> <span class="n">-V</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">w</span><span class="p">:</span><span class="n">CHALLENGE</span><span class="p">.</span><span class="n">hex</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-c</span> <span class="n">usbasp</span> <span class="n">-p</span> <span class="n">m328p</span> <span class="o">-F</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">r</span><span class="p">:</span><span class="n">dump</span><span class="p">.</span><span class="n">hex</span><span class="p">:</span><span class="n">i</span>
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a>
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="c"># default</span>
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-c</span> <span class="n">usbasp</span> <span class="n">-p</span> <span class="n">m328p</span> <span class="n">-C</span> <span class="p">/</span><span class="n">etc</span><span class="p">/</span><span class="n">avrdude</span><span class="p">.</span><span class="n">conf</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">w</span><span class="p">:</span><span class="n">hardcodedPassword</span><span class="p">.</span><span class="n">ino</span><span class="p">.</span><span class="n">arduino_standard</span><span class="p">.</span><span class="n">hex</span>
</code></pre></div></p>
</li>
<li>
<p>Using <a href="https://github.com/raspberrypi/picotool">raspberrypi/picotool</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="c"># extension indicates the type (bin, uf2)</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="n">picotool</span> <span class="n">load</span> <span class="n">firmware</span><span class="p">.</span><span class="n">bin</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="dump-flash-using-debug-port">Dump flash using debug port</h2>
<ul>
<li>
<p>Using <a href="https://github.com/avrdudes/avrdude">avrdudes/avrdude</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-p</span> <span class="n">m328p</span> <span class="n">-c</span> <span class="n">usbasp</span> <span class="n">-P</span> <span class="p">/</span><span class="n">dev</span><span class="p">/</span><span class="n">ttyUSB0</span> <span class="n">-b</span> <span class="n">9600</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">r</span><span class="p">:</span><span class="n">flash_raw</span><span class="p">.</span><span class="n">bin</span><span class="p">:</span><span class="nb">r</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-p</span> <span class="n">m328p</span> <span class="n">-c</span> <span class="n">arduino</span> <span class="n">-P</span> <span class="p">/</span><span class="n">dev</span><span class="p">/</span><span class="n">ttyACM0</span> <span class="n">-b</span> <span class="n">115200</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">r</span><span class="p">:</span><span class="n">flash_raw</span><span class="p">.</span><span class="n">bin</span><span class="p">:</span><span class="nb">r</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="p">$</span> <span class="n">avrdude</span> <span class="n">-p</span> <span class="n">atmega328p</span> <span class="n">-c</span> <span class="n">arduino</span> <span class="n">-P</span><span class="p">/</span><span class="n">dev</span><span class="p">/</span><span class="n">ttyACM0</span> <span class="n">-b</span> <span class="n">115200</span> <span class="n">-D</span> <span class="n">-U</span> <span class="n">flash</span><span class="p">:</span><span class="n">r</span><span class="p">:</span><span class="n">program</span><span class="p">.</span><span class="n">bin</span><span class="p">:</span><span class="nb">r </span><span class="o">-F</span> <span class="n">-v</span>
</code></pre></div></p>
</li>
<li>
<p>Using <a href="https://github.com/openocd-org/openocd">openocd-org/openocd</a></p>
<ul>
<li>Determine code space in the microcontroller (for example nRF51822 - Micro:bit), save as <code>dump_img.cfg</code>:
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="n">init</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="n">reset</span> <span class="n">init</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="n">halt</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a><span class="n">dump_image</span> <span class="n">image</span><span class="p">.</span><span class="n">bin</span> <span class="n">0x00000000</span> <span class="n">0x00040000</span>
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a><span class="n">exit</span>
</code></pre></div></li>
<li>Dump with openocd
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="n">sudo</span> <span class="n">openocd</span> <span class="o">-f</span> <span class="p">/</span><span class="n">home</span><span class="p">/</span><span class="n">maki</span><span class="p">/</span><span class="n">tools</span><span class="p">/</span><span class="n">hardware</span><span class="p">/</span><span class="n">openocd</span><span class="p">/</span><span class="n">tcl</span><span class="p">/</span><span class="n">interface</span><span class="p">/</span><span class="n">stlink-v2</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">cfg</span> <span class="o">-f</span> <span class="p">/</span><span class="n">home</span><span class="p">/</span><span class="n">maki</span><span class="p">/</span><span class="n">tools</span><span class="p">/</span><span class="n">hardware</span><span class="p">/</span><span class="n">openocd</span><span class="p">/</span><span class="n">tcl</span><span class="p">/</span><span class="n">target</span><span class="p">/</span><span class="n">nrf51</span><span class="p">.</span><span class="n">cfg</span> <span class="o">-f</span> <span class="n">dump_fw</span><span class="p">.</span><span class="n">cfg</span>
</code></pre></div></li>
</ul>
</li>
<li>
<p>Using <a href="https://github.com/raspberrypi/picotool">raspberrypi/picotool</a></p>
<ul>
<li>Build PicoTool, you will need the pico-sdk
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="c"># PicoSDK</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="n">git</span> <span class="n">clone</span> <span class="n">https</span><span class="p">://</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">raspberrypi</span><span class="p">/</span><span class="n">pico-sdk</span><span class="p">.</span><span class="n">git</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="nb">cd </span><span class="n">pico-sdk</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="n">git</span> <span class="n">submodule</span> <span class="n">update</span> <span class="p">-</span><span class="n">-init</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a><span class="c"># Picotool</span>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a><span class="nb">cd </span><span class="p">..</span>
<a id="__codelineno-5-8" name="__codelineno-5-8" href="#__codelineno-5-8"></a><span class="n">git</span> <span class="n">clone</span> <span class="n">https</span><span class="p">://</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">raspberrypi</span><span class="p">/</span><span class="n">picotool</span><span class="p">.</span><span class="n">git</span>
<a id="__codelineno-5-9" name="__codelineno-5-9" href="#__codelineno-5-9"></a><span class="nb">cd </span><span class="n">picotool</span>
<a id="__codelineno-5-10" name="__codelineno-5-10" href="#__codelineno-5-10"></a><span class="n">mkdir</span> <span class="n">build</span>
<a id="__codelineno-5-11" name="__codelineno-5-11" href="#__codelineno-5-11"></a><span class="nb">cd </span><span class="n">build</span>
<a id="__codelineno-5-12" name="__codelineno-5-12" href="#__codelineno-5-12"></a><span class="n">cmake</span> <span class="n">-DPICO_SDK_PATH</span><span class="p">=../</span><span class="n">pico-sdk</span> <span class="p">..</span>
<a id="__codelineno-5-13" name="__codelineno-5-13" href="#__codelineno-5-13"></a><span class="n">make</span>
</code></pre></div></li>
<li>Dump the program or the whole flash memory
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="n">sudo</span> <span class="p">./</span><span class="n">picotool</span> <span class="n">save</span> <span class="o">-F</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">out</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a><span class="n">Saving</span> <span class="n">file</span><span class="p">:</span> <span class="p">[==============================]</span> <span class="n">100</span><span class="p">%</span>
<a id="__codelineno-6-3" name="__codelineno-6-3" href="#__codelineno-6-3"></a><span class="n">Wrote</span> <span class="n">73312</span> <span class="n">bytes</span> <span class="n">to</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">out</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-6-4" name="__codelineno-6-4" href="#__codelineno-6-4"></a>
<a id="__codelineno-6-5" name="__codelineno-6-5" href="#__codelineno-6-5"></a><span class="n">sudo</span> <span class="p">./</span><span class="n">picotool</span> <span class="n">save</span> <span class="p">-</span><span class="n">-all</span> <span class="o">-F</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">out2</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-6-6" name="__codelineno-6-6" href="#__codelineno-6-6"></a><span class="n">Saving</span> <span class="n">file</span><span class="p">:</span> <span class="p">[==============================]</span> <span class="n">100</span><span class="p">%</span>
<a id="__codelineno-6-7" name="__codelineno-6-7" href="#__codelineno-6-7"></a><span class="n">Wrote</span> <span class="n">2097152</span> <span class="n">bytes</span> <span class="n">to</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">out2</span><span class="p">.</span><span class="n">bin</span>
</code></pre></div></li>
</ul>
</li>
</ul>
<h2 id="dump-flash-via-spi">Dump Flash via SPI</h2>
<ul>
<li>
<p>Using <a href="https://github.com/flashrom/flashrom">flashrom/flashroom</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="n">sudo</span> <span class="n">apt-get</span> <span class="n">install</span> <span class="n">build-essential</span> <span class="n">pciutils</span> <span class="n">usbutils</span> <span class="n">libpci-dev</span> <span class="n">libusb-dev</span> <span class="n">libftdi1</span> <span class="n">libftdi-dev</span> <span class="n">zlib1g-dev</span> <span class="n">subversion</span> <span class="n">libusb</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">0</span><span class="p">-</span><span class="n">0-dev</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="n">svn</span> <span class="n">co</span> <span class="n">svn</span><span class="p">://</span><span class="n">flashrom</span><span class="p">.</span><span class="n">org</span><span class="p">/</span><span class="n">flashrom</span><span class="p">/</span><span class="n">trunk</span> <span class="n">flashrom</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="nb">cd </span><span class="n">flashrom</span>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="n">make</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="n">flashrom</span> <span class="n">-p</span> <span class="n">ft232_spi</span><span class="p">:</span><span class="n">type</span><span class="p">:</span><span class="n">232h</span> <span class="n">-r</span> <span class="n">spidump</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a><span class="n">flashrom</span> <span class="n">-p</span> <span class="n">linux_spi</span><span class="p">:</span><span class="n">dev</span><span class="p">=/</span><span class="n">dev</span><span class="p">/</span><span class="n">spidev0</span><span class="p">.</span><span class="n">0</span><span class="p">,</span><span class="n">spispeed</span><span class="p">=</span><span class="n">512</span> <span class="n">-r</span> <span class="n">spi_dump</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a><span class="n">flashrom</span> <span class="n">-p</span> <span class="n">serprog</span><span class="p">:</span><span class="n">dev</span><span class="p">=/</span><span class="n">dev</span><span class="p">/</span><span class="n">ttyACM0</span><span class="p">,</span><span class="n">spispeed</span><span class="p">=</span><span class="n">160k</span> <span class="n">-r</span> <span class="n">dump_spi</span><span class="p">.</span><span class="n">bin</span> <span class="n">-c</span> <span class="s2">&quot;MX25L6406E/MX25L6408E&quot;</span>
</code></pre></div></p>
</li>
<li>
<p>Using HydraBus: <a href="https://github.com/hydrabus/hydrafw/blob/master/contrib/hydra_spi_dump/hydra_spi_dump.py">hydrabus/hydrafw/hydra_spi_dump.py</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="p">./</span><span class="n">hydra_spi_dump</span><span class="p">.</span><span class="n">py</span> <span class="n">firmware</span><span class="p">.</span><span class="n">bin</span> <span class="n">1024</span> <span class="n">0x000000</span> <span class="n">fast</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="convert-ihex-to-elf">Convert ihex to elf</h2>
<blockquote>
<p>The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.</p>
</blockquote>
<p>Each line in the ihex file starts with :</p>
<ul>
<li>a colon :</li>
<li>followed by ONE BYTE = record length</li>
<li>followed by TWO BYTES = offset to load</li>
<li>followed by ONE BYTE = Record Type</li>
<li>Last BYTE in the line = Checksum</li>
</ul>
<p>Convert .hex(ihex format) to .elf file with <code>avr-objcopy</code> or with an online tool <a href="http://matrixstorm.com/avr/hextobin/ihexconverter.html">http://matrixstorm.com</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="p">$</span> <span class="n">avr-objcopy</span> <span class="n">-I</span> <span class="n">ihex</span> <span class="n">-O</span> <span class="n">elf32-avr</span> <span class="n">dump</span><span class="p">.</span><span class="n">hex</span> <span class="n">dump</span><span class="p">.</span><span class="n">elf</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="c"># or </span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="p">$</span> <span class="n">objcopy</span> <span class="n">-I</span> <span class="n">ihex</span> <span class="n">chest</span><span class="p">.</span><span class="n">hex</span> <span class="n">-O</span> <span class="n">binary</span> <span class="n">chest</span><span class="p">.</span><span class="n">bin</span> <span class="p">;</span> <span class="n">xxd</span> <span class="n">chest</span><span class="p">.</span><span class="n">bin</span>
</code></pre></div>
<p>Alternative with Python <code>bincopy</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="kn">import</span> <span class="nn">bincopy</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="kn">import</span> <span class="nn">sys</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="n">f</span> <span class="o">=</span> <span class="n">bincopy</span><span class="o">.</span><span class="n">BinFile</span><span class="p">()</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a><span class="n">f</span><span class="o">.</span><span class="n">add_ihex_file</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
<a id="__codelineno-10-6" name="__codelineno-10-6" href="#__codelineno-10-6"></a><span class="nb">print</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">as_binary</span><span class="p">())</span>
</code></pre></div>
<p>Quick strings on .hex</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="nb">cat </span><span class="n">defaultPassword</span><span class="p">.</span><span class="n">ino</span><span class="p">.</span><span class="n">arduino_standard</span><span class="p">.</span><span class="n">hex</span> <span class="p">|</span> <span class="n">tr</span> <span class="n">-d</span> <span class="s2">&quot;:&quot;</span> <span class="p">|</span> <span class="n">tr</span> <span class="n">-d</span> <span class="s2">&quot;\n&quot;</span> <span class="p">|</span> <span class="n">xxd</span> <span class="n">-r</span> <span class="n">-p</span> <span class="p">|</span> <span class="n">strings</span>
</code></pre></div>
<p>Inspect the assembly with <code>avr-objdump -m avr -D chest.hex</code>.\
Emulate : <code>qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin</code></p>
<h2 id="explore-filesystem">Explore Filesystem</h2>
<h3 id="common-filesystem">Common Filesystem</h3>
<ul>
<li><strong>SquashFS</strong> : It is a compressed read-only filesystem commonly used in Linux-based Firmware. It provides a good flexibility because it supports creating writable overlay filesystems, allowing changes to be made to the filesystem at runtime.</li>
<li><strong>CramFS</strong> (Compressed ROM Filesystem) : Simple read-only filesystem, that supports compression.</li>
<li><strong>ROMFS</strong> (Read-Only Memory Filedystem) : Simple filesystem that is strictly read-only, and do not provide compression support.</li>
<li><strong>YAFFS/YAFFS2</strong> (Yet Another Flash Filesystem) : This filesystem is specifically designed for NAND Flash memory. In particular, it incorporates ECC management for ensuring data integrity. Filesystem integrity is also maintained by storing metadata redundantly.</li>
<li><strong>JFFS/JFFS2</strong> (Journalized Flash Filesystem) : This filesystem is also designed for NAND Flash memory. JFFS utilizes a journaling mechanism to track changes to the filesystem, ensuring data consistency and integrity even in the event of sudden power loss or system crashes. It also supports ECC.</li>
<li><strong>UBIFS</strong> (Unsorted Block Image Filesystem) : UBIFS is a successor to JFFS2 and is optimized for NAND flash memory. It offers improved performance, reliability, and scalability, with features such as compression, encryption, and fast mounting. UBIFS supports multiple partitions.</li>
</ul>
<table>
<thead>
<tr>
<th>Filesystem</th>
<th>RO/RW</th>
<th>Magic</th>
<th>Tool</th>
</tr>
</thead>
<tbody>
<tr>
<td>SquashFS</td>
<td>RO</td>
<td>sqsh, hsqs, qshs, sqsl</td>
<td>unsquashfs, 7zip</td>
</tr>
<tr>
<td>JFFS(2)</td>
<td>RW</td>
<td>0x07C0 (v1), 0x72b6(v2)</td>
<td>jefferson</td>
</tr>
<tr>
<td>YAFFS(2)</td>
<td>RW</td>
<td>0x5941ff53</td>
<td>unyaffs</td>
</tr>
<tr>
<td>CramFS</td>
<td>RO</td>
<td>0x28cd3d45</td>
<td>uncramfs, 7zip</td>
</tr>
<tr>
<td>UBIFS</td>
<td>RW</td>
<td>0x06101831</td>
<td>ubi_reader</td>
</tr>
<tr>
<td>RomFS</td>
<td>RO</td>
<td>0x7275</td>
<td>/</td>
</tr>
<tr>
<td>CPIO</td>
<td>RO</td>
<td>"070707"</td>
<td>cpio, 7zip</td>
</tr>
</tbody>
</table>
<h3 id="tools">Tools</h3>
<ul>
<li>
<p><a href="#">unix/strings</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="p">$</span> <span class="n">strings</span> <span class="n">file</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="p">$</span> <span class="n">strings</span> <span class="n">-e</span> <span class="n">l</span> <span class="n">file</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="n">The</span> <span class="n">strings</span> <span class="n">-e</span> <span class="n">flag</span> <span class="n">specifies</span> <span class="n">the</span> <span class="n">encoding</span> <span class="n">of</span> <span class="n">the</span> <span class="n">characters</span><span class="p">.</span> <span class="n">-el</span> <span class="n">specifies</span> <span class="n">little-endian</span> <span class="n">characters</span> <span class="n">16-bits</span> <span class="n">wide</span> <span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="n">g</span><span class="p">.</span> <span class="n">UTF</span><span class="p">-</span><span class="n">16</span><span class="p">)</span>
<a id="__codelineno-12-5" name="__codelineno-12-5" href="#__codelineno-12-5"></a>
<a id="__codelineno-12-6" name="__codelineno-12-6" href="#__codelineno-12-6"></a><span class="p">$</span> <span class="n">strings</span> <span class="n">-tx</span> <span class="n">file</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-12-7" name="__codelineno-12-7" href="#__codelineno-12-7"></a><span class="n">The</span> <span class="n">-t</span> <span class="n">flag</span> <span class="n">will</span> <span class="k">return</span> <span class="n">the</span> <span class="n">offset</span> <span class="n">of</span> <span class="n">the</span> <span class="n">string</span> <span class="n">within</span> <span class="n">the</span> <span class="n">file</span><span class="p">.</span> <span class="n">-tx</span> <span class="n">will</span> <span class="k">return</span> <span class="n">it</span> <span class="k">in</span> <span class="n">hex</span> <span class="n">format</span><span class="p">,</span> <span class="n">T-to</span> <span class="k">in</span> <span class="n">octal</span> <span class="n">and</span> <span class="n">-td</span> <span class="k">in</span> <span class="n">decimal</span><span class="p">.</span>
</code></pre></div></p>
</li>
<li>
<p><a href="#">unix/dd</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="p">$</span> <span class="n">dd</span> <span class="k">if</span><span class="p">=</span><span class="n">firmware</span><span class="p">.</span><span class="n">bin</span> <span class="n">of</span><span class="p">=</span><span class="n">firmware</span><span class="p">.</span><span class="n">chunk</span> <span class="n">bs</span><span class="p">=</span><span class="n">1</span> <span class="n">skip</span><span class="p">=$((</span><span class="n">0x200</span><span class="p">))</span> <span class="n">count</span><span class="p">=$((</span><span class="n">0x400</span><span class="p">-</span><span class="n">0x200</span><span class="p">))</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="k">If</span> <span class="n">we</span> <span class="n">wanted</span> <span class="n">to</span> <span class="n">run</span> <span class="n">it</span> <span class="n">a</span> <span class="n">little</span> <span class="n">faster</span><span class="p">,</span> <span class="n">we</span> <span class="n">could</span> <span class="n">increase</span> <span class="n">the</span> <span class="n">block</span> <span class="n">size</span><span class="p">:</span>
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="p">$</span> <span class="n">dd</span> <span class="k">if</span><span class="p">=</span><span class="n">firmware</span><span class="p">.</span><span class="n">bin</span> <span class="n">of</span><span class="p">=</span><span class="n">firmware</span><span class="p">.</span><span class="n">chunk</span> <span class="n">bs</span><span class="p">=$((</span><span class="n">0x100</span><span class="p">))</span> <span class="n">skip</span><span class="p">=$((</span><span class="n">0x200</span><span class="p">/</span><span class="n">0x100</span><span class="p">))</span> <span class="n">count</span><span class="p">=$(((</span><span class="n">0x400</span><span class="p">-</span><span class="n">0x200</span><span class="p">)/</span><span class="n">0x100</span><span class="p">))</span>
</code></pre></div></p>
</li>
<li>
<p><a href="https://github.com/ReFirmLabs/binwalk">ReFirmLabs/binwalk</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="p">$</span> <span class="n">binwalk</span> <span class="n">-Me</span> <span class="n">file</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="p">$</span> <span class="n">binwalk</span> <span class="n">-Y</span> <span class="n">dump</span><span class="p">.</span><span class="n">elf</span>
<a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a><span class="n">DECIMAL</span> <span class="n">HEXADECIMAL</span> <span class="n">DESCRIPTION</span>
<a id="__codelineno-14-4" name="__codelineno-14-4" href="#__codelineno-14-4"></a><span class="p">--------------------------------------------------------------------------------</span>
<a id="__codelineno-14-5" name="__codelineno-14-5" href="#__codelineno-14-5"></a><span class="n">3708</span> <span class="n">0xE7C</span> <span class="n">ARM</span> <span class="n">executable</span> <span class="n">code</span><span class="p">,</span> <span class="n">16-bit</span> <span class="p">(</span><span class="n">Thumb</span><span class="p">),</span> <span class="n">little</span> <span class="n">endian</span><span class="p">,</span> <span class="n">at</span> <span class="n">least</span> <span class="n">522</span> <span class="n">valid</span> <span class="n">instructions</span>
</code></pre></div></p>
</li>
<li>
<p><a href="https://github.com/onekey-sec/unblob">onekey-sec/unblob</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="n">docker</span> <span class="n">run</span> <span class="p">-</span><span class="n">-rm</span> <span class="p">-</span><span class="n">-pull</span> <span class="n">always</span> <span class="n">-v</span> <span class="p">/</span><span class="n">path</span><span class="p">/</span><span class="n">to</span><span class="p">/</span><span class="n">extract-dir</span><span class="p">/</span><span class="n">on</span><span class="p">/</span><span class="n">host</span><span class="p">:/</span><span class="n">data</span><span class="p">/</span><span class="n">output</span> <span class="n">-v</span> <span class="p">/</span><span class="n">path</span><span class="p">/</span><span class="n">to</span><span class="p">/</span><span class="n">files</span><span class="p">/</span><span class="n">on</span><span class="p">/</span><span class="n">host</span><span class="p">:/</span><span class="n">data</span><span class="p">/</span><span class="n">input</span> <span class="n">ghcr</span><span class="p">.</span><span class="n">io</span><span class="p">/</span><span class="n">onekey-sec</span><span class="p">/</span><span class="n">unblob</span><span class="p">:</span><span class="n">latest</span> <span class="p">/</span><span class="n">data</span><span class="p">/</span><span class="n">input</span><span class="p">/</span><span class="n">path</span><span class="p">/</span><span class="n">to</span><span class="p">/</span><span class="n">file</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="n">docker</span> <span class="n">run</span> <span class="p">-</span><span class="n">-rm</span> <span class="p">-</span><span class="n">-pull</span> <span class="n">always</span> <span class="n">ghcr</span><span class="p">.</span><span class="n">io</span><span class="p">/</span><span class="n">onekey-sec</span><span class="p">/</span><span class="n">unblob</span><span class="p">:</span><span class="n">latest</span> <span class="p">-</span><span class="n">-help</span>
</code></pre></div></p>
</li>
<li>
<p><a href="https://github.com/plougher/squashfs-tools">squashfs-tools/unsquashfs</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="n">sudo</span> <span class="n">unsquashfs</span> <span class="o">-f</span> <span class="n">-d</span> <span class="p">/</span><span class="n">media</span><span class="p">/</span><span class="n">seagate</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">file</span><span class="p">.</span><span class="n">squashfs</span>
</code></pre></div></p>
</li>
<li>
<p><a href="https://github.com/onekey-sec/jefferson/">onekey-sec/jefferson</a> - JFFS2 filesystem extraction tool
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="n">pip</span> <span class="n">install</span> <span class="n">jefferson</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="n">jefferson</span> <span class="n">filesystem</span><span class="p">.</span><span class="n">img</span> <span class="n">-d</span> <span class="n">outdir</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="n">jefferson</span> <span class="n">file</span><span class="p">.</span><span class="n">jffs2</span> <span class="n">-d</span> <span class="n">jffs2</span>
</code></pre></div></p>
</li>
<li>
<p><a href="https://github.com/whataday/unyaffs">whataday/unyaffs</a> - YAFFS2 filesystem extraction tool
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="n">unyaffs</span> <span class="p">[</span><span class="n">-l</span> <span class="p">&lt;</span><span class="n">layout</span><span class="p">&gt;]</span> <span class="p">[</span><span class="n">-t</span><span class="p">]</span> <span class="p">[</span><span class="n">-v</span><span class="p">]</span> <span class="p">[</span><span class="n">-V</span><span class="p">]</span> <span class="p">&lt;</span><span class="n">image_file_name</span><span class="p">&gt;</span> <span class="p">[&lt;</span><span class="n">base</span> <span class="n">dir</span><span class="p">&gt;]</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a> <span class="n">-l</span> <span class="p">&lt;</span><span class="n">layout</span><span class="p">&gt;</span> <span class="nb">set </span><span class="n">flash</span> <span class="n">memory</span> <span class="n">layout</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a> <span class="n">layout</span><span class="p">=</span><span class="n">0</span><span class="p">:</span> <span class="n">detect</span> <span class="n">chunk</span> <span class="n">and</span> <span class="n">spare</span> <span class="n">size</span> <span class="p">(</span><span class="k">default</span><span class="p">)</span>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a> <span class="n">layout</span><span class="p">=</span><span class="n">1</span><span class="p">:</span> <span class="n">2K</span> <span class="n">chunk</span><span class="p">,</span> <span class="n">64</span> <span class="n">byte</span> <span class="n">spare</span> <span class="n">size</span>
<a id="__codelineno-18-5" name="__codelineno-18-5" href="#__codelineno-18-5"></a> <span class="n">layout</span><span class="p">=</span><span class="n">2</span><span class="p">:</span> <span class="n">4K</span> <span class="n">chunk</span><span class="p">,</span> <span class="n">128</span> <span class="n">byte</span> <span class="n">spare</span> <span class="n">size</span>
<a id="__codelineno-18-6" name="__codelineno-18-6" href="#__codelineno-18-6"></a> <span class="n">layout</span><span class="p">=</span><span class="n">3</span><span class="p">:</span> <span class="n">8K</span> <span class="n">chunk</span><span class="p">,</span> <span class="n">256</span> <span class="n">byte</span> <span class="n">spare</span> <span class="n">size</span>
<a id="__codelineno-18-7" name="__codelineno-18-7" href="#__codelineno-18-7"></a> <span class="n">layout</span><span class="p">=</span><span class="n">4</span><span class="p">:</span> <span class="n">16K</span> <span class="n">chunk</span><span class="p">,</span> <span class="n">512</span> <span class="n">byte</span> <span class="n">spare</span> <span class="n">size</span>
<a id="__codelineno-18-8" name="__codelineno-18-8" href="#__codelineno-18-8"></a> <span class="n">-t</span> <span class="n">list</span> <span class="n">image</span> <span class="n">contents</span>
<a id="__codelineno-18-9" name="__codelineno-18-9" href="#__codelineno-18-9"></a> <span class="n">-v</span> <span class="n">verbose</span> <span class="n">output</span>
<a id="__codelineno-18-10" name="__codelineno-18-10" href="#__codelineno-18-10"></a> <span class="n">-V</span> <span class="n">print</span> <span class="n">version</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="write-new-firmware">Write new firmware</h2>
<ul>
<li>
<p>Repack firmware
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="n">mksquashfs4</span> <span class="n">squashfs-root</span> <span class="n">myrootfs</span> <span class="p">{</span><span class="n">options</span><span class="p">}</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="n">dd</span> <span class="k">if</span><span class="p">=</span><span class="n">myrootfs</span> <span class="n">of</span><span class="p">=</span><span class="n">dump</span><span class="p">/</span><span class="n">bin</span> <span class="n">bs</span><span class="p">=</span><span class="n">1</span> <span class="n">seek</span><span class="p">=&lt;</span><span class="n">offset</span><span class="p">&gt;</span> <span class="n">conv</span><span class="p">=</span><span class="n">notrunc</span>
</code></pre></div></p>
</li>
<li>
<p>Flashrom write
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="n">flashrom</span> <span class="n">-p</span> <span class="n">ft2232_spi</span><span class="p">:</span><span class="n">type</span><span class="p">=</span><span class="n">232H</span> <span class="n">-w</span> <span class="n">dump</span><span class="p">.</span><span class="n">bin</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="type-of-firmware">Type of firmware</h2>
<ul>
<li><code>SREC</code> - Motorola S-Record : All S-record file lines start with a capital S.</li>
<li><code>Intel HEX</code> lines all start with a colon.</li>
<li><code>TI-TXT</code> is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an <strong>@</strong>, and data is represented in hex.</li>
<li><code>Raw</code> NAND dumps</li>
</ul>
<h2 id="check-entropy">Check entropy</h2>
<p>High entropy = probably encrypted (or compressed). Low entropy = probably not</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="p">$</span> <span class="n">binwalk</span> <span class="n">-E</span> <span class="nb">fw</span>
</code></pre></div>
<h2 id="encrypted-firmware">Encrypted firmware</h2>
<p><img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w" /></p>
<ul>
<li><a href="https://www.zerodayinitiative.com/blog/2020/2/6/mindshare-dealing-with-encrypted-router-firmware">MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE</a></li>
</ul>
<h2 id="over-the-air-updates">Over-the-air updates</h2>
<p>TODO</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.youtube.com/watch?v=nruUuDalNR0">Extracting Firmware from Embedded Devices (SPI NOR Flash) - Flashback Team - 9 sept. 2022</a></li>
<li><a href="https://youtu.be/wVPochUgTvw">Real Hardware Hacking for S$30 or Less - Joe FitzPatrick - 31 march 2020</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 13, 2024</span>
</span>
</aside>
<div class="social-container">
<b>Share this content</b>
<div class="a2a_kit a2a_kit_size_32 a2a_default_style">
<a class="a2a_dd" href="https://www.addtoany.com/share"></a>
<a class="a2a_button_x"></a>
<a class="a2a_button_telegram"></a>
<a class="a2a_button_linkedin"></a>
<a class="a2a_button_email"></a>
<a class="a2a_button_microsoft_teams"></a>
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
<script defer src="https://cloud.umami.is/script.js" data-website-id="49aad71c-7d98-4635-8bd5-b6799c8874f8"></script>
</div>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["content.code.copy", "content.action.edit", "content.action.view", "content.tooltips", "navigation.tracking", "navigation.top", "search.share", "search.suggest"], "search": "../../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../../assets/javascripts/bundle.83f73b43.min.js"></script>
</body>
</html>