A security researcher known as newp1ayer48 has successfully demonstrated a method to extract firmware from IoT and embedded devices using direct Flash Memory dumps, providing valuable insights for security professionals and bug bounty hunters.
The technique, while potentially risky for the hardware, offers a reliable way to obtain firmware when other methods aren’t viable.
This approach enables researchers to better understand device operations, analyze potential vulnerability vectors, and examine code for security flaws.
Firmware extraction represents a critical first step in IoT and embedded device security research.
While several methods exist, including downloading firmware from official websites, sniffing firmware update packets, and dumping firmware through debugging ports like UART or JTAG, the direct Flash Memory extraction method provides more reliable results in certain scenarios.
The researcher notes that Flash Memory is typically found in IoT devices in an 8-pin form and serves as the primary storage location for firmware.
The process involves using a tool called flashrom to interact directly with the Flash Memory chip.
However, newp1ayer48 cautions that this approach comes with significant risks, as it requires physically removing the chip using heat tools like soldering irons or heat guns, which could potentially damage the hardware.
.webp)
“It’s somewhat like trying to extract a golden egg by cutting open a goose’s belly, only to kill the goose in the process,” the researcher explains.
Despite these risks, the researcher provides a comprehensive workflow for those who need to pursue this method.
The process involves installing flashrom on a Raspberry Pi (64-bit), removing the Flash Memory chip from the target device, connecting the chip to the Raspberry Pi, and then executing the dump.
.webp)
Required equipment includes a Raspberry Pi, an IC Test Hook Clip (SDK08), a heat gun, and jumper cables with a breadboard.
Technical Implementation
The flashrom installation requires several dependencies and uses meson for proper setup.
The researcher provides the exact commands needed: “sudo apt-get install -y gcc meson ninja-build pkg-config python3-sphinx libcmocka-dev libpci-dev libusb-1.0-0-dev libftdi1-dev libjaylink-dev git clone https://github.com/flashrom/flashrom” followed by meson setup and installation commands.
After installation, the next step involves carefully removing the chip from the device board. This is necessary because attempting to dump the firmware while the chip remains attached often fails due to power-related noise interference.
.webp)
The 8-pin Flash Memory chip uses specific pin assignments that must be correctly identified and connected to the Raspberry Pi’s GPIO pins.
The connection process requires understanding each pin’s function: VCC (power supply), GND (ground reference), SCLK (serial clock for synchronization), CS (chip select), DI (data input), DO (data output), WP (write protect), and Hold (chip pause).
Once connected using the IC Test Hook Clip, the extraction begins with commands such as “sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -V” to check the connection and identify the chip, followed by “sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r [filename]” to extract the firmware.
In cases where the chip isn’t supported automatically, researchers can modify the flashchips.c file with information from the chip’s datasheet to add support.
After extraction, the researcher notes that reassembling the device by carefully resoldering the Flash Memory chip can restore full functionality, allowing security professionals to maintain both the extracted firmware and a working device for continued testing.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
