Dumping Firmware with Bus Pirate v3.6 via USB

Introduction

One effective way to obtain the firmware of a hardware device is to read it straight out of the on-board SPI flash chip with a Bus Pirate. This is particularly useful when the vendor offers no firmware download, when the download is encrypted, or when you want to be sure that the image you analyse is exactly what the device is running.

Requirements

  • Bus Pirate v3.6: a USB-to-serial tool that speaks SPI, I2C, UART and other bus protocols; flashrom drives it as the `buspirate_spi` programmer.
  • Operating System: Ubuntu 16.04 or any other Linux distribution. The Bus Pirate shows up as a USB serial device, typically /dev/ttyUSB0.
  • Flashrom: a utility for detecting, reading, writing, verifying and erasing flash chips; it carries the chip database used to identify the flash by its JEDEC ID.
  • SOIC-8 test clip with cable: a spring clip that grips the 8-pin SOIC flash package so the chip can be read in-circuit without desoldering.
  • Bus Pirate probe cable (jumper wires or the 10-pin probe cable) to connect the clip to the Bus Pirate header.

Hardware Example: Binatone DT 850W Wireless Router

This section uses the Binatone DT 850W wireless router to demonstrate firmware dumping. Key internal components are the flash chip, UART pins, a Ralink CPU and other ICs. The focus is on the flash chip (Winbond W25Q16, a 16 Mbit / 2 MB SPI NOR flash in an 8-pin SOIC package) from which the firmware is extracted. The article refers to this chip as the "EEPROM", the common shorthand on hardware-hacking forums, although strictly it is a serial NOR flash.

What is EEPROM?

EEPROM stands for Electrically Erasable Programmable Read-Only Memory. It is a non-volatile memory used in electronic devices to store small amounts of data, allowing individual bytes to be erased and reprogrammed. Serial NOR flash such as the W25Q16 is a close relative: it is also non-volatile and SPI-attached, but it is erased in sectors or blocks rather than byte by byte and holds much more data (the whole router firmware, in this case). For the purpose of reading, both look the same to flashrom.

Preparing for Firmware Dumping

1. Connecting Bus Pirate to EEPROM Chip

  • Use the Bus Pirate and the SOIC-8 clip to connect to the flash chip. Carefully identify and match the pins: the red wire of the clip's ribbon cable goes to pin 1 of the chip, which is marked by a round dimple (dot) on the package. Clipping the cable on backwards swaps VCC and GND and can damage the chip.

  • Picture in the original post: the Bus Pirate next to the SOIC-8 clip.

2. Bus Pirate and SOIC Cable Setup

  • Wire the Bus Pirate to the SOIC cable according to the pinout diagrams in the original post. For a standard SPI NOR flash the mapping is: CS (pin 1) to Bus Pirate CS, DO/MISO (pin 2) to MISO, WP (pin 3) and HOLD (pin 7) to 3.3V, GND (pin 4) to GND, DI/MOSI (pin 5) to MOSI, CLK (pin 6) to CLK, VCC (pin 8) to 3.3V. Check the chip's datasheet rather than assuming this; not every 8-pin part uses this layout.

3. Connection Verification

  • Check the PWR and VREG LEDs on the Bus Pirate. PWR lights when the board has USB power; VREG lights once the on-board 3.3V/5V regulator is switched on, which flashrom's `buspirate_spi` driver does when it starts. Keep the router unplugged while reading: the Bus Pirate's 3.3V supply powers the flash through the clip, and if the router's own CPU came up it would drive the same SPI lines and corrupt the read.

Firmware Dumping Process

Step 1: Initial Setup

  • When making the connection, the RED wire must go to pin 1 of the flash chip. There is a round mark on the chip that identifies pin 1, as shown in the picture in the original post.

  • Connect the SOIC cable to the Bus Pirate pins according to the pinout picture in the original post.

  • Use the extra breakout connector on the SOIC cable to identify the pins easily.

  • Picture in the original post: the Bus Pirate wired to the SOIC-8 clip.

  • Picture in the original post: the clip seated correctly on the chip of the router board.

Step 2: Identifying the EEPROM Chip

  • Execute the following command to identify the connected flash chip (no chip name is given, so flashrom only probes and exits):
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0

  • flashrom reads the JEDEC ID and prints a line such as `Found Winbond flash chip "W25Q16.V" (2048 kB, SPI) on buspirate_spi.` If several chip definitions share the same ID, it lists all of them and asks you to choose one with `-c`. If it prints "No EEPROM/flash device found", recheck the clip seating, the pin 1 orientation and the VREG LED before trying again.

Step 3: Dumping Firmware

  • Execute the following command to dump the firmware from the chip to a binary file, using the exact chip name flashrom reported (for example `W25Q16.V`):
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c <Chip name> -r <Filename.bin>

  • `spispeed=1M` keeps the SPI clock at 1 MHz; the clip leads are long and unshielded, and higher speeds (flashrom accepts up to 8M) often produce bit errors without any warning. Dump the chip twice and compare the two files (for example with sha256sum); only trust an image when both reads are identical. The result should be exactly the chip's capacity, 2 MB for the W25Q16.

Conclusion

This guide outlines the technical steps required to extract firmware from devices lacking direct vendor support for firmware downloads. The process emphasizes careful preparation and connection verification to ensure a successful and trustworthy firmware dump.
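The whole procedure above (probe, pick the chip, dump at 1 MHz, verify) wrapped into one script, as an added example that is not part of the original post. It assumes the Bus Pirate appears as /dev/ttyUSB0, that flashrom with the `buspirate_spi` programmer is installed, and that sha256sum is available; the `SAMPLE_PROBE` text is a constructed flashrom probe output used only to exercise the parser offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: wraps the two flashrom commands
# from the article. It probes for the chip, refuses to guess when flashrom
# reports several matching definitions, reads the chip twice at a conservative
# SPI clock and accepts the dump only if both reads hash identically.
# Assumptions: Bus Pirate v3.6 on /dev/ttyUSB0 (override with BP_DEV),
# flashrom built with the buspirate_spi programmer, coreutils sha256sum.
set -u

BP_DEV="${BP_DEV:-/dev/ttyUSB0}"
PROGRAMMER="buspirate_spi:dev=${BP_DEV},spispeed=1M"

# Constructed sample of a flashrom probe run, used for offline testing only.
SAMPLE_PROBE='flashrom v1.2 on Linux 4.15.0 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Winbond flash chip "W25Q16.V" (2048 kB, SPI) on buspirate_spi.
No operations were specified.'

# Extract chip names from flashrom probe output on stdin. flashrom prints one
# line per matching definition:  Found <vendor> flash chip "<name>" (...) on <prog>.
probe_chip_names() {
    sed -n 's/^Found .* flash chip "\([^"]*\)".*/\1/p'
}

# Compare two dump files by SHA-256. A single read can silently contain bit
# errors when the clip is loose or the clock too fast, so two identical reads
# are the minimum before trusting the image.
dumps_match() {
    local a b
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Read the chip twice into temporary files; keep the image only if they match.
dump_and_verify() {
    local chip="$1" out="$2"
    sudo flashrom -p "$PROGRAMMER" -c "$chip" -r "${out}.1" >/dev/null || return 1
    sudo flashrom -p "$PROGRAMMER" -c "$chip" -r "${out}.2" >/dev/null || return 1
    if ! dumps_match "${out}.1" "${out}.2"; then
        echo "reads differ: reseat the clip or lower spispeed, then retry" >&2
        return 2
    fi
    mv "${out}.1" "$out" && rm -f "${out}.2"
}

main() {
    local names count chip out="${1:-firmware.bin}"
    names=$(sudo flashrom -p "$PROGRAMMER" 2>&1 | probe_chip_names)
    count=$(printf '%s\n' "$names" | sed '/^$/d' | wc -l)
    if [ "$count" -eq 0 ]; then
        echo "no flash chip detected: check pin 1 (red wire), clip seating and the VREG LED" >&2
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "several chip definitions match; rerun with CHIP=<name> set:" >&2
        printf '%s\n' "$names" >&2
        [ -n "${CHIP:-}" ] || return 1
    fi
    chip="${CHIP:-$names}"
    dump_and_verify "$chip" "$out" || return $?
    echo "verified dump of $chip written to $out ($(sha256sum "$out" | cut -d' ' -f1))"
}

# Only touch hardware when explicitly asked: ./dump.sh run [output.bin]
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Run it as `./dump.sh run router.bin` with the router unplugged and the clip seated; the functions can also be sourced and reused, which is how the offline checks below exercise the parser and the comparison without a Bus Pirate attached.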

© 2024 Mr-IoT