Recommendations: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
On dumping firmware | On dumping firmware | ||
[[Bitrot]] | |||
=General notes= | |||
*If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's <span class="wiki_link_ext">Good/BadFET</span> (NOTE: not all versions support voltage glitching!). | |||
* If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's <span class ="wiki_link_ext">Good/BadFET</span> (NOTE: not all versions support voltage glitching!). | *The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port. | ||
* The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port. | *If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read | ||
* If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read | *If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible | ||
* If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible | *If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this | ||
* If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this | *If the chip has protection, voltage glitching is an attractive option | ||
* If the chip has protection, voltage glitching is an attractive option | |||
Some low cost / open source / common readers that can rip various formats | Some low cost / open source / common readers that can rip various formats | ||
= Commodity programmers/readers = | =Commodity programmers/readers= | ||
= The bus pirate = | =The bus pirate= | ||
[http://code.google.com/p/the-bus-pirate/ The bus pirate] | [http://code.google.com/p/the-bus-pirate/ The bus pirate] | ||
Line 20: | Line 21: | ||
Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for. | Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for. | ||
= Willem = | =Willem= | ||
General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by [http://www.sivava.com/ SIVAVA]. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily. | General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by [http://www.sivava.com/ SIVAVA]. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily. | ||
= GoodFET BadFET = | =GoodFET BadFET= | ||
[http://goodfet.sourceforge.net/ GoodFET BadFET] | [http://goodfet.sourceforge.net/ GoodFET BadFET] | ||
Line 30: | Line 31: | ||
While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board. | While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board. | ||
= ParallelFLASHDumper = | =ParallelFLASHDumper= | ||
[https://github.com/cyphunk/ParallelFLASHDumper ParallelFLASHDumper] | [https://github.com/cyphunk/ParallelFLASHDumper ParallelFLASHDumper] | ||
Line 36: | Line 37: | ||
Arduino based parallel flash dumper. | Arduino based parallel flash dumper. | ||
= Flashrom = | =Flashrom= | ||
[http://flashrom.org/ Flashrom] | [http://flashrom.org/ Flashrom] | ||
Line 42: | Line 43: | ||
PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc. | PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc. | ||
= Serial formats = | =Serial formats= | ||
= I2C EPROM (24C, etc) = | =I2C EPROM (24C, etc)= | ||
*Bus pirate | |||
* Bus pirate | *Willem | ||
= | =SPI= | ||
*Bus pirate | |||
= | =JTAG= | ||
*Bus pirate | |||
* | *GoodFET/BadFET | ||
*Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days | |||
= | =Parallel formats= | ||
=Parallel flash= | |||
*Willem | |||
*ParallelFLASHDumper | |||
=EPROM (27C, etc)= | |||
*Willem | |||
=Serial flash (28C, etc)= | |||
*Willem | |||
=Commercial glitchers= | |||
*RunFei 3148: supports MCUs, PALs, and more | |||
*xforce vvdi prog: supports a few more modern MCUs | |||
<br /> | |||
Latest revision as of 00:17, 1 March 2022
On dumping firmware
General notes
- If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's Good/BadFET (NOTE: not all versions support voltage glitching!).
- The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port.
- If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read
- If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible
- If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this
- If the chip has protection, voltage glitching is an attractive option
Some low cost / open source / common readers that can rip various formats
Commodity programmers/readers
The bus pirate
Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for.
Willem
General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by SIVAVA. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily.
GoodFET BadFET
Open source hardware and software based on the TI MSP430. Its cool feature is that some revisions have the ability to do voltage glitching to try to bypass various protections. While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board.
ParallelFLASHDumper
Arduino based parallel flash dumper.
Flashrom
PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc.
Serial formats
I2C EPROM (24C, etc)
- Bus pirate
- Willem
SPI
- Bus pirate
JTAG
- Bus pirate
- GoodFET/BadFET
- Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days
Parallel formats
Parallel flash
- Willem
- ParallelFLASHDumper
EPROM (27C, etc)
- Willem
Serial flash (28C, etc)
- Willem
Commercial glitchers
- RunFei 3148: supports MCUs, PALs, and more
- xforce vvdi prog: supports a few more modern MCUs