Firmware Extraction Methods
Firmware is the software embedded in a device's hardware, often critical for its operation. Extracting and analysing it is crucial to understand the device's functionality and structure, and to establish a foothold, either by reverse engineering the firmware or by modifying it and reflashing the device.
But before you fire up your tools and start analysing, reversing and establishing your foothold, you first need to obtain the firmware itself.
Obtaining the firmware from devices can be done in several different ways. Depending on the target device, firmware can be extracted through physical, semi-physical, or software-only methods. This page covers both invasive and non-invasive approaches.
Non-invasive methods do not involve opening or physically tampering with the device and are often less risky.
Manufacturers often host firmware files on their official websites for manual updates.
Tools
For this method no specific tools are required; however, proficiency in techniques such as Google dorking and the others detailed in the Reconnaissance chapter is helpful.
Steps to retrieve the firmware from the manufacturer's website
Search the vendor’s website or forums for downloadable firmware.
Simply download or use tools like wget to scrape and download files if necessary.
Verify the downloaded file's integrity and confirm that it matches the expected format.
Such firmware files could be malicious or in unexpected formats. Be wary when downloading firmware from sources you do not fully trust, and always take precautions when retrieving binaries, or files in general, from forums or websites.
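A worked check for the "verify integrity and format" step above, added here as an example and not part of the original page: it compares a downloaded image against a vendor-published SHA-256, identifies the container from well-known magic bytes, and, when the container is a U-Boot legacy uImage, validates the header and data CRC32 fields so a truncated or corrupted download is caught before any analysis starts. The sample image and the "vendor" hash are constructed inline so the script runs offline; the magic values and the uImage header layout are the public constants for those formats.

```python
"""Verify a downloaded firmware image: vendor hash, container format, uImage CRCs.
Added example; the sample image and 'vendor' hash below are constructed."""
import hashlib
import struct
import zlib

# Well-known magic bytes found at offset 0 of common firmware containers.
MAGICS = {
    b"\x27\x05\x19\x56": "U-Boot legacy uImage",
    b"\xd0\x0d\xfe\xed": "Flattened device tree / FIT image",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x7fELF": "ELF",
    b"HDR0": "Broadcom TRX",
    b"UBI#": "UBI volume",
    b"\xfd7zXZ\x00": "xz",
    b"\x1f\x8b": "gzip",
}

# U-Boot legacy image header: 7 big-endian uint32, 4 single bytes, 32-byte name = 64 bytes.
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")
UIMAGE_MAGIC = b"\x27\x05\x19\x56"


def identify_format(data: bytes) -> str:
    """Match the longest known magic first so short ones never shadow long ones."""
    for magic in sorted(MAGICS, key=len, reverse=True):
        if data.startswith(magic):
            return MAGICS[magic]
    return "unknown"


def parse_uimage(data: bytes) -> dict:
    """Parse the 64-byte uImage header and verify header and data CRC32."""
    if len(data) < UIMAGE_HDR.size or not data.startswith(UIMAGE_MAGIC):
        raise ValueError("not a uImage")
    (_magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack_from(data)
    # The header CRC is computed over the header with the CRC field itself zeroed.
    zeroed = data[:4] + b"\x00" * 4 + data[8:UIMAGE_HDR.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    payload = data[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    if len(payload) != size:
        raise ValueError("truncated image")
    if zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("data CRC mismatch")
    return {"name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry}


def verify_download(data: bytes, expected_sha256: str) -> dict:
    """Report every problem found; 'ok' is True only when the list is empty."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "format": identify_format(data), "problems": []}
    if report["sha256"] != expected_sha256.lower():
        report["problems"].append("sha256 mismatch")
    if report["format"] == "unknown":
        report["problems"].append("unrecognised container")
    elif report["format"] == "U-Boot legacy uImage":
        try:
            report["uimage"] = parse_uimage(data)
        except ValueError as exc:
            report["problems"].append(str(exc))
    report["ok"] = not report["problems"]
    return report


def build_uimage(payload: bytes, name: bytes = b"constructed-sample") -> bytes:
    """Wrap payload in a uImage header (only used to build the offline sample)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [0x27051956, 0, 0, len(payload), 0x80008000, 0x80008000, dcrc,
              5, 2, 2, 0, name.ljust(32, b"\x00")]  # os=Linux arch=ARM type=kernel comp=none
    fields[1] = zlib.crc32(UIMAGE_HDR.pack(*fields)) & 0xFFFFFFFF  # hcrc over zeroed header
    return UIMAGE_HDR.pack(*fields) + payload


# Constructed stand-ins for the vendor download and the hash printed on its page.
SAMPLE_IMAGE = build_uimage(b"\x7fELF" + bytes(range(256)) * 4)
VENDOR_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    print(verify_download(SAMPLE_IMAGE, VENDOR_SHA256))
    print(verify_download(SAMPLE_IMAGE[:-1], VENDOR_SHA256)["problems"])
```

Run it as-is to see a clean report, then point `verify_download` at a real download and the checksum from the vendor page; a hash mismatch on a file whose CRCs still pass usually means the vendor page lists a hash for a different build, while a data CRC failure with a matching hash does not occur unless the vendor published a broken image.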
Many devices update their firmware via OTA updates. Capturing these updates can provide the firmware file.
Although many devices use HTTPS, which complicates interception, it is still possible if you are able to intercept the certificates.
Tools required
Packet capture tools (e.g., Wireshark) to monitor and intercept update traffic.
Steps of a MitM attack on the OTA update process
Set up a network sniffer or proxy.
Place the device on the same network and trigger an OTA update.
Capture the firmware file during download.
TODO: add practical example
Exploiting a vulnerability in the device’s software or configuration to access and dump firmware.
Tools
Vulnerability scanning tools (e.g., Nessus, Nmap).
Custom scripts or exploit frameworks.
Steps
Identify vulnerabilities in the device’s firmware or communication.
Use appropriate tools or scripts to exploit the vulnerability and gain a foothold on the device and/or retrieve the firmware.
TODO: add practical example
Semi-invasive approaches require minimal physical interaction with the device but stop short of full disassembly.
Tools
Depending on the interface that is exposed, different tools might be required:
USB-to-UART adapters.
Steps to extract the firmware through an exposed interface
Locate debug interfaces on the device’s casing or accessible panels.
Use the appropriate tools and protocol to interact with the interface and extract the firmware, as detailed in the various pages below:
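For the case where the exposed interface is a serial console and the firmware comes back as a hex dump rather than a file, here is an added example (not from the original page) that reassembles the bytes from a U-Boot `md.b` transcript. The constructed transcript includes a line the serial link dropped; the parser pads the hole and reports it as a gap so that range can be dumped again, and it also flags repeated lines, which a flaky link produces. The only assumption is the standard `md.b` line layout (address, colon, hex bytes, ASCII column).

```python
"""Reassemble a binary from a U-Boot `md.b` console transcript.
Added example; the transcript below is constructed, including a dropped line."""
import re

# One md.b output line: address, colon, up to 16 hex bytes, optional ASCII column.
MD_LINE = re.compile(
    r"^([0-9A-Fa-f]{4,16}):((?: [0-9A-Fa-f]{2}){1,16})(?:\s{2,}.*)?$")


def parse_md_dump(transcript: str, filler: int = 0xFF) -> dict:
    """Return the reassembled bytes plus every address discontinuity seen.

    Lines that are not dump lines (prompt echo, banners) are ignored. A jump
    forward in the address means the serial link dropped output: the hole is
    padded with `filler` and recorded in 'gaps' so that range can be re-dumped.
    A jump backwards is a repeated line; it is recorded in 'repeats' and skipped.
    """
    data = bytearray()
    base = expected = None
    gaps, repeats, lines = [], [], 0
    for raw in transcript.splitlines():
        m = MD_LINE.match(raw.rstrip("\r"))
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2))   # fromhex tolerates the spaces
        if base is None:
            base = expected = addr
        if addr < expected:
            repeats.append(addr)
            continue
        if addr > expected:
            gaps.append((expected, addr))
            data.extend(bytes([filler]) * (addr - expected))
        data.extend(chunk)
        expected = addr + len(chunk)
        lines += 1
    return {"base": base, "data": bytes(data), "gaps": gaps,
            "repeats": repeats, "lines": lines}


def is_complete(result: dict) -> bool:
    """True when the dump had at least one line, no holes and no repeated lines."""
    return result["base"] is not None and not result["gaps"] and not result["repeats"]


# Constructed transcript: 0x40 bytes requested, the line at 0x80000020 never arrived.
SAMPLE_TRANSCRIPT = (
    "=> md.b 0x80000000 0x40\n"
    "80000000: 27 05 19 56 00 00 00 00 00 00 00 00 00 00 04 04    '..V............\n"
    "80000010: 80 00 80 00 80 00 80 00 00 00 00 00 05 02 02 00    ................\n"
    "80000030: 6b 65 72 6e 65 6c 00 00 00 00 00 00 00 00 00 00    kernel..........\n"
    "=>\n"
)

if __name__ == "__main__":
    r = parse_md_dump(SAMPLE_TRANSCRIPT)
    print(hex(r["base"]), len(r["data"]), "bytes; complete:", is_complete(r))
    print("gaps to re-dump:", [(hex(a), hex(b)) for a, b in r["gaps"]])
```

Feed it the saved terminal log of the dump session; write `result["data"]` to a file only once `is_complete` is true, otherwise re-run `md.b` for each reported gap and parse the combined log again.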
Invasive methods involve opening the device and physically interacting with the components on the board. They usually involve desoldering a component, rendering the device unusable unless it is perfectly reassembled.
Use these invasive methods only when non-invasive methods fail, and you have permission to "break" the device.
Do keep in mind that interacting with the board in the way described above may power the chip while the actual read is performed, which can lead to loss of data, malfunction or unwanted behaviour.
Knowing which chip is on the device is essential to knowing which reader and extraction method you may or may not need when attempting a chip-off extraction. A few of the most common package types are listed below.
ToDo: add a note/guide on how to identify the chip type (datasheet, marking, visual)
Non-BGA packages are generally easier to desolder and interface with. They are less technically demanding and require minimal specialised equipment.
Tools:
Chip readers and programmers (e.g. Xgecu T56).
Hot air stations or chip removal tools.
Steps to perform a chip-off extraction of a non-BGA package
Desolder the chip using a hot air station or similar tool.
Place the chip in a compatible reader and dump the contents.
Ensure proper orientation and connection during the reading process. (possibly label the orientation)
Avoid overheating the chip to prevent data loss.
Performing a chip-off extraction with BGA-packaged flash chips requires more advanced tools and expertise.
Tools
Rework station with precise temperature control for BGA chip removal.
Soldering flux
BGA chip readers and adapters.
Optional & Advanced: Infrared rework stations for precise temperature control.
Steps to perform a chip-off extraction of a BGA package
Precaution: Preheat the board to reduce thermal stress.
Apply soldering flux to the area of the chip
Remove the BGA chip carefully using a rework station (with precise temperature control).
Use a specialized adapter to connect the chip to a reader and extract the data.
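A check for the "ensure proper orientation and connection" and "avoid overheating" points that apply to both chip-off procedures above, added here as an example and not part of the original page: it classifies a raw dump block by block (all-0xFF erased blocks, all-0x00 blocks, high-entropy blocks) so that a read of a mis-seated, mis-oriented or heat-damaged chip is recognised before hours go into analysis, and it compares two successive reads of the same chip to flag blocks that differ between them. The sample dump, the second read and the 4096-byte block size are constructed assumptions.

```python
"""Sanity-check a raw chip dump before trusting it.
Added example; the sample dump below is constructed in code."""
import hashlib
import math
from collections import Counter


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a uniform fill, near 8.0 for random data)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def analyse_dump(dump: bytes, block_size: int = 4096) -> dict:
    """Classify each block as erased (all 0xFF), zero (all 0x00), high-entropy or other."""
    blocks = [dump[i:i + block_size] for i in range(0, len(dump), block_size)]
    erased = sum(1 for b in blocks if b.count(0xFF) == len(b))
    zero = sum(1 for b in blocks if b.count(0x00) == len(b))
    high = sum(1 for b in blocks if entropy(b) > 7.8)
    if not blocks:
        verdict = "empty dump"
    elif erased == len(blocks):
        verdict = "all 0xFF: nothing read (check orientation and seating, or the chip is blank)"
    elif zero == len(blocks):
        verdict = "all 0x00: no data returned (check wiring and voltage)"
    else:
        verdict = "plausible image"
    return {"blocks": len(blocks), "erased": erased, "zero": zero,
            "high_entropy": high, "verdict": verdict}


def compare_reads(first: bytes, second: bytes, block_size: int = 4096) -> list:
    """Block indices that differ between two reads of the same chip (an unstable read)."""
    longest = max(len(first), len(second))
    return [i // block_size for i in range(0, longest, block_size)
            if first[i:i + block_size] != second[i:i + block_size]]


# Constructed 5-block dump: text, high-entropy data, two erased blocks, one zero block.
_TEXT = (b"U-Boot 2020.10 (constructed sample)\n" * 200)[:4096]
_RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE_DUMP = _TEXT + _RANDOMISH + b"\xff" * 8192 + b"\x00" * 4096
# A second read with one bit flipped inside block 1, as a flaky connection would produce.
SECOND_READ = SAMPLE_DUMP[:5000] + bytes([SAMPLE_DUMP[5000] ^ 0x01]) + SAMPLE_DUMP[5001:]

if __name__ == "__main__":
    print(analyse_dump(SAMPLE_DUMP))
    print("blocks differing between reads:", compare_reads(SAMPLE_DUMP, SECOND_READ))
```

Dump the chip twice and run `compare_reads` on the two files: a non-empty list means the connection or the chip is not stable and nothing should be concluded from either read, while a high erased fraction on a chip that is known to hold firmware points to the reader not seeing the die at all.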
ToDo: Add logical next blocks
Proxies (e.g., mitmproxy, ) to redirect and inspect update requests and device network traffic.
Debugging software (e.g., for JTAG).
UFS flash chips are a newer counterpart to the eMMC chips that we usually see. As of this moment they are quite rare and require a dedicated programmer to read them out (e.g. )