Recommendations: Difference between revisions

From Proghq
Jump to navigation Jump to search
(Created page with "FIXME: convert formatting On dumping firmware See also: eprom_dump ====== General notes ====== * If you have the official programmer, try reading the data back. Yo...")
 
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
FIXME: convert formatting
On dumping firmware
On dumping firmware


See also: [[:eprom_dump]]
[[Bitrot]]
=General notes=


*If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's <span class="wiki_link_ext">Good/BadFET</span> (NOTE: not all versions support voltage glitching!).
*The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port.
*If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read
*If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible
*If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this
*If the chip has protection, voltage glitching is an attractive option


====== General notes ======
Some low cost / open source / common readers that can rip various formats
  * If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's <span class ======"wiki_link_ext">Good/BadFET</span> (NOTE: not all versions support voltage glitching!).
  * The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port.
  * If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read
  * If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible
  * If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this
  * If the chip has protection, voltage glitching is an attractive option


Some low cost / open source / common readers that can rip various formats
=Commodity programmers/readers=
 
=The bus pirate=


====== Commodity programmers/readers ======
[http://code.google.com/p/the-bus-pirate/ The bus pirate]


====== [[http://code.google.com/p/the-bus-pirate/|The bus pirate]] ======
Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for.
Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for.


====== Willem ======  
=Willem=  
General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by [[http://www.sivava.com/|SIVAVA]]. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily.
General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by [http://www.sivava.com/ SIVAVA]. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily.
 
=GoodFET BadFET=
 
[http://goodfet.sourceforge.net/ GoodFET BadFET]


====== [[http://goodfet.sourceforge.net/|GoodFET/BadFET]] ======
Open source hardware and software based on the TI MSP430. Its cool feature is that some revisions have the ability to do voltage glitching to try to bypass various protections.
Open source hardware and software based on the TI MSP430. Its cool feature is that some revisions have the ability to do voltage glitching to try to bypass various protections.
While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board.
While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board.


====== [[https://github.com/cyphunk/ParallelFLASHDumper|ParallelFLASHDumper]] ======
=ParallelFLASHDumper=  
 
[https://github.com/cyphunk/ParallelFLASHDumper ParallelFLASHDumper]
 
Arduino based parallel flash dumper.
Arduino based parallel flash dumper.


====== [[http://flashrom.org/|Flashrom]] ======
=Flashrom=  
 
[http://flashrom.org/ Flashrom]
 
PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc.
PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc.


====== Serial formats ======  
=Serial formats=  
 
=I2C EPROM (24C, etc)=  
 
*Bus pirate
*Willem
 
=SPI=  
 
*Bus pirate
 
=JTAG=  
 
*Bus pirate
*GoodFET/BadFET
*Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days
 
=Parallel formats=  
 
=Parallel flash=  
 
*Willem
*ParallelFLASHDumper


====== I2C EPROM (24C, etc) ======
=EPROM (27C, etc)=  
  * Bus pirate
  * Willem


====== SPI ======
*Willem
  * Bus pirate


====== JTAG ======
=Serial flash (28C, etc)=  
  * Bus pirate
  * GoodFET/BadFET
  * Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days


====== Parallel formats ======
*Willem


====== Parallel flash ======
=Commercial glitchers=  
  * Willem
  * ParallelFLASHDumper


====== EPROM (27C, etc) ======
*RunFei 3148: supports MCUs, PALs, and more
  * Willem
*xforce vvdi prog: supports a few more modern MCUs


====== Serial flash (28C, etc) ======
<br />
  * Willem

Latest revision as of 00:17, 1 March 2022

On dumping firmware

Bitrot

General notes

  • If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's Good/BadFET (NOTE: not all versions support voltage glitching!).
  • The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port.
  • If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read
  • If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible
  • If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this
  • If the chip has protection, voltage glitching is an attractive option

Some low cost / open source / common readers that can rip various formats

Commodity programmers/readers

The bus pirate

The bus pirate

Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for.

Willem

General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by SIVAVA. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily.

GoodFET BadFET

GoodFET BadFET

Open source hardware and software based on the TI MSP430. Its cool feature is that some revisions have the ability to do voltage glitching to try to bypass various protections. While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board.

ParallelFLASHDumper

ParallelFLASHDumper

Arduino based parallel flash dumper.

Flashrom

Flashrom

PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc.

Serial formats

I2C EPROM (24C, etc)

  • Bus pirate
  • Willem

SPI

  • Bus pirate

JTAG

  • Bus pirate
  • GoodFET/BadFET
  • Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days

Parallel formats

Parallel flash

  • Willem
  • ParallelFLASHDumper

EPROM (27C, etc)

  • Willem

Serial flash (28C, etc)

  • Willem

Commercial glitchers

  • RunFei 3148: supports MCUs, PALs, and more
  • xforce vvdi prog: supports a few more modern MCUs