Recommendations

From Proghq
Revision as of 05:46, 11 November 2019 by Mcmaster (talk | contribs)
Jump to navigation Jump to search

On dumping firmware

Bitrot

General notes

  • If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's Good/BadFET (NOTE: not all versions support voltage glitching!).
  • The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port.
  • If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read
  • If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible
  • If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this
  • If the chip has protection, voltage glitching is an attractive option

Some low cost / open source / common readers that can rip various formats

Commodity programmers/readers

The bus pirate

The bus pirate

Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for.

Willem

General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by SIVAVA. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily.

GoodFET BadFET

GoodFET BadFET

Open source hardware and software based on the TI MSP430. Its cool feature is that some revisions have the ability to do voltage glitching to try to bypass various protections. While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board.

ParallelFLASHDumper

ParallelFLASHDumper

Arduino based parallel flash dumper.

Flashrom

Flashrom

PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc.

Serial formats

I2C EPROM (24C, etc)

  • Bus pirate
  • Willem

SPI

  • Bus pirate

JTAG

  • Bus pirate
  • GoodFET/BadFET
  • Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days

Parallel formats

Parallel flash

  • Willem
  • ParallelFLASHDumper

EPROM (27C, etc)

  • Willem

Serial flash (28C, etc)

  • Willem