While doing penetration testing, there are scenarios in which we need to dump the firmware from a device. This method is typically used when no firmware is available from the vendor's site. Today we are going to show you how to dump the firmware from a wireless router, the Binatone DT 850W.
Software and hardware requirements:
- Bus Pirate
- Ubuntu 16.04 or any other Linux machine
- flashrom tool
- SOIC 8-pin cable
- Bus Pirate connectors
This is the Binatone DT 850W wireless router, which will be used as the example for dumping the firmware.
Let us analyze the inside of the device. You can see IC chips such as the EEPROM, the UART pins, the Ralink CPU and some other IC chips. We will focus mainly on the EEPROM chip (Winbond W25Q16).
What is EEPROM:
EEPROM (also written E2PROM and pronounced “e-e-prom”, “double-e-prom” or “e-squared-prom”) stands for electrically erasable programmable read-only memory. It is a type of non-volatile memory used in computers and other electronic devices to store relatively small amounts of data while allowing individual bytes to be erased and reprogrammed. This is the chip we need to read to dump the firmware.
To read the EEPROM chip we need a Bus Pirate and a SOIC 8-pin connector, which are used to connect to the device.
This is what the Bus Pirate and the SOIC 8-pin connector look like.
To interface the Bus Pirate with the EEPROM chip, we need to clearly identify the pins and their corresponding color codes. The required pins can easily be determined from the color combination.
Connect the SOIC 8-pin cable to the EEPROM chip.
When making the connection, the red wire must be connected to pin 1 of the EEPROM chip. A round mark on the chip identifies pin 1, as shown in the picture below.
Connect the SOIC cable to the Bus Pirate pins according to the picture below.
Use this extra connector on the SOIC cable to identify the pins easily.
After making the connections, the Bus Pirate to SOIC 8-pin setup will look like this.
Before dumping the firmware, we have to check that the SOIC cable, Bus Pirate and EEPROM are connected properly.
The VREG and PWR LEDs blinking on the Bus Pirate means the connections are established properly, as shown below.
Make sure the Bus Pirate is connected; to verify, check that the PWR LED on the Bus Pirate is turned on.
Step 1: Identify the EEPROM chip
$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0
Step 2: Dump the firmware from the chip
$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name) -r (Name.bin)
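A read taken through a clip on a chip that is still soldered to the board can come back blank or inconsistent, so it is worth reading the chip twice and checking the dumps before analysing them. The shell functions below are an added example, not part of the original post; the file names are placeholders, and the default size assumes the W25Q16 is a 16 Mbit (2,097,152 byte) part.

```shell
#!/bin/sh
# Added example: sanity-check two reads of the same SPI flash chip.
# Usage: verify_dump first.bin second.bin [expected_bytes]
# expected_bytes defaults to 2097152 (assumption: W25Q16 = 16 Mbit = 2 MiB).

# Return 0 if the file is nothing but 0xFF or nothing but 0x00 bytes,
# which usually means the clip is not making contact with the chip.
is_blank() {
    for byte in '\377' '\000'; do
        # Delete every occurrence of the byte; if nothing is left, the file is blank.
        left=$(LC_ALL=C tr -d "$byte" < "$1" | wc -c | tr -d ' ')
        [ "$left" -eq 0 ] && return 0
    done
    return 1
}

# Exit codes: 0 ok, 2 missing file, 3 wrong size, 4 blank read, 5 reads differ.
verify_dump() {
    a=$1; b=$2; want=${3:-2097152}
    for f in "$a" "$b"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -ne "$want" ]; then
            echo "size mismatch: $f is $size bytes, expected $want" >&2
            return 3
        fi
        if is_blank "$f"; then
            echo "blank read: $f is all 0xFF or all 0x00" >&2
            return 4
        fi
    done
    # Two reads of an idle chip must be byte-for-byte identical.
    if ! cmp -s "$a" "$b"; then
        echo "reads differ: reseat the clip or lower spispeed, then re-read" >&2
        return 5
    fi
    echo "OK: sha256 $(sha256sum "$a" | cut -d' ' -f1)"
}
```

Run the Step 2 command twice with two different output names, then pass both files to verify_dump.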
About the author:
Veerababu Penugonda is an information security enthusiast working as an information security consultant at ISECURION, with an interest in IoT security and network security.
Good post
Thank you
I simply needed to thank you so much once more. I’m not certain the things that I could possibly have implemented without the actual ideas contributed by you about my area. It had been the daunting situation in my view, nevertheless being able to see your professional manner you solved it forced me to weep with happiness. I’m grateful for this guidance and trust you really know what a great job you were putting in teaching other individuals through your blog. More than likely you’ve never met all of us.
(In an Alcoholics Anonymous meeting type setting.) Hi, I’m Bill. I’ve been Windows free now for 132 days and I feel great!!! (The room explodes with applause and cheers.) I got so used to Microsoft forcing Windows 10 down everyone’s throat, I had given in just like everyone. That was until their update blue screened me for the last time!!! I’m still NOT a demigod with Linux on the command line as of yet, but it’s little informative tidbits like this here that are helping to keep me on that path. Thanks! (More applause ensues, followed by a faint voice in the background that can be heard saying “yeah,…F*** Windows 10!!!”)