How Read Ficm Firmware # Sct X4

JTAG is a physical hardware interface that makes it possible, among other things, to extract the firmware image from electronic devices.

The firmware, a program that executes in a dedicated way and with a specific purpose in a microcontroller or microprocessor, is usually stored in a persistent memory device like a NAND/NOR flash or EEPROM.

The extraction process involves reading and copying the firmware image stored in the device's memory to a file on your computer. This process of extracting the firmware image is also called dumping or snarfing.

But why extract the firmware from an electronic device?

Why?

Imagine an electronic device like a router, an IP camera or a hard disk.

Now imagine that you want to understand better how the device works, but you don't have much information about it. Extracting and analyzing the firmware image can be a viable option to understand its operation.

You may want to improve or change the behavior of the device. Without access to the source code, one possibility is to extract the firmware to make the necessary changes and then update the device.

What if you forgot your credentials and lost access to the device? One possibility to regain access is to extract and alter the firmware image.

If you are a security researcher, you may want to extract the firmware of the device to look for vulnerabilities in the software.

And what if the device is very old and is no longer being manufactured or sold by the vendor? You may want to clone it, and extracting the firmware image will be essential in this process.

As we can see, there are many situations that can motivate us to extract the firmware from an electronic device. Even if it's just for fun!

Several techniques can be used to extract the firmware from an electronic device.

But before you start, make sure the firmware image is not available on the manufacturer's website. Many manufacturers of devices such as routers and cameras publish updated firmware images on their websites, so that customers can download and update the device. In this case, the effort to extract the firmware is zero!

With physical access to the device, a technique for extracting the firmware is to directly read the device's storage memory. We can identify and remove the memory chip from the board, solder it on another board and extract the firmware. It works, but can be quite painful and perhaps a little risky (there is a possibility of burning the memory chip during the extraction process).

A less risky technique is to just read the device's storage memory through a connection to the bootloader or operating system of the device.

For example, with access to the bootloader (via a serial connection), we can try to read the device's memory and send the information to our machine. Likewise, with access to a command line terminal in the operating system (serial, ssh, etc.) and with privileges, we can try to dump the storage memory of the device and send it to our machine.

As we can see, different techniques can be used to extract the firmware from a device, depending on the situation.

And if none of these techniques are viable, the JTAG interface may be a good option!

What is the JTAG interface?

In the past, tests on PCBs (Printed Circuit Boards) were done through a system called bed-of-nails.

In this system, the PCB was designed with several test points to be connected to a test board. And this test board performed several checks on the connections and electronic components of the board.

As the complexity of a PCB increased, it started to get difficult and complicated to design a bed-of-nails for it.

And then some debug and test interfaces integrated into the chips (processor, microcontroller, SoC, FPGA, etc.) started to appear.

Exactly for this purpose, in 1985 the JTAG (Joint Test Action Group) interface was created, a standard (IEEE 1149.1) to test printed circuit boards during manufacture.

Over time, JTAG has become one of the most popular interfaces to test electronic circuits, getting other features like debugging and burning flash devices.

Currently, this interface is available in most processors and microcontrollers of different architectures such as ARM, x86, MIPS and PowerPC.

How does the JTAG interface work?

Although there are some variations of the standard, the JTAG interface is commonly implemented by the chip manufacturer via four mandatory pins (TDI, TDO, TCK, TMS) and one optional pin (TRST):

  • TDI (Test Data In): data input.
  • TDO (Test Data Out): data output.
  • TCK (Test Clock): clock whose maximum frequency depends on the chip (usually from 10MHz to 100MHz).
  • TMS (Test Mode Select): pin to control the JTAG state machine.
  • TRST (Test Reset): optional pin to reset the JTAG state machine.

The pins of the JTAG interface are internally connected to the chip through a module called TAP (Test Access Port).

The TAP interface implements the basic JTAG communication protocol, and several TAPs can be connected simultaneously in a daisy chain architecture.

[Image: JTAG pins]

The TAP interface implements a finite state machine (16 states) that allows access to a group of registers (IR, DR) to instrument the chip. The control of this state machine is done through the pins TMS and TCK. Through this state machine, it is possible to select an operation via the IR register (Instruction Register) and pass parameters or check the result via the DR register (Data Register).

[Image: JTAG state machine]

The size of the IR register and the number of instructions supported is defined by the chip manufacturer. For example, a 5-bit IR register will support up to 32 instructions.

Each instruction has its own DR (Data Register), which has a variable size. Three instructions are defined by the JTAG standard and must be implemented by the manufacturer (BYPASS, EXTEST, SAMPLE/PRELOAD). Other instructions are optional, but are also usually implemented (eg, IDCODE).

  • BYPASS: instruction that selects a one-bit register that rotates from TDI to TDO, very useful for testing the JTAG interface.
  • EXTEST: instruction that selects the BSR (Boundary Scan Register) to read and change the state of the pins.
  • SAMPLE/PRELOAD: instruction that selects the BSR register (Boundary Scan Register) to read the status of the pins.
  • IDCODE: instruction that selects the device ID register (32 bits) that contains the chip ID.

In addition to the instructions defined by the standard, the chip manufacturer can implement other instructions as needed. In this way, many manufacturers extend the JTAG interface with debugging and memory access functions (eg: MIPS EJTAG).

Information about supported JTAG instructions and the pins on a chip is usually documented in a file called BSDL (Boundary Scan Description Language), a subset of VHDL (VHSIC Hardware Description Language).

For example, here's a short excerpt from the STM32F1 BSDL available on the ST website. As we can see in the line 29 (the INSTRUCTION_LENGTH attribute), the JTAG interface of this microcontroller supports up to 32 instructions (5 bits).

    [...]

    entity STM32F1_High_density_LFBGA144 is

    -- This section identifies the default device package selected.

       generic (PHYSICAL_PIN_MAP: string:= "BGA144_PACKAGE");

    -- This section declares all the ports in the design.

       port (
          BOOT0         : in    bit;
          JTDI          : in    bit;
          JTMS          : in    bit;
          JTCK          : in    bit;
          JTRST         : in    bit;
          JTDO          : out   bit;
          OSC_IN        : inout bit;
          OSC_OUT       : inout bit;
          PA0           : inout bit;
          PA1           : inout bit;
          PA2           : inout bit;
          PA3           : inout bit;

    [...]

    -- Specifies the number of bits in the instruction register.

       attribute INSTRUCTION_LENGTH of STM32F1_High_density_LFBGA144: entity is 5;

    -- Specifies the boundary-scan instructions implemented in the design and their opcodes.

       attribute INSTRUCTION_OPCODE of STM32F1_High_density_LFBGA144: entity is
         "BYPASS  (11111)," &
         "EXTEST  (00000)," &
         "SAMPLE  (00010)," &
         "PRELOAD (00010)," &
         "IDCODE  (00001)";
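
The TMS/TCK state machine and the IR/DR registers described above can be followed bit by bit in a small software model. This is an added example, not code from the article: it assumes the 5-bit IR and the BYPASS/IDCODE opcodes of the BSDL excerpt, treats every other opcode as BYPASS, and uses 0x0535217F (the device ID UrJTAG reports for the WRT54G later in the article, a chip whose own IR is 8 bits long) purely as sample data.

```python
# Added example: software model of a single JTAG TAP (not the article's code).
# Next state for each of the 16 TAP states, indexed by TMS (0, 1), per IEEE 1149.1.
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}
IR_LEN = 5                            # INSTRUCTION_LENGTH in the BSDL excerpt
BYPASS, IDCODE = 0b11111, 0b00001     # opcodes from the BSDL excerpt


class Tap:
    """Device side: reacts to TMS/TDI on every TCK cycle and drives TDO."""

    def __init__(self, idcode):
        self.idcode = idcode
        self.state = "TEST_LOGIC_RESET"
        self.ir = IDCODE              # reset selects IDCODE when it is implemented
        self.sr, self.sr_len = 0, 1   # shift register currently between TDI and TDO

    def clock(self, tms, tdi=0):
        """One TCK cycle: act on the current state, then follow TMS. Returns TDO."""
        tdo = 0
        if self.state == "CAPTURE_IR":
            self.sr, self.sr_len = 0b00001, IR_LEN    # two LSBs are always 01
        elif self.state == "CAPTURE_DR":
            if self.ir == IDCODE:
                self.sr, self.sr_len = self.idcode, 32
            else:                                     # BYPASS: one bit, captures 0
                self.sr, self.sr_len = 0, 1
        elif self.state in ("SHIFT_IR", "SHIFT_DR"):
            tdo = self.sr & 1                         # LSB leaves on TDO first
            self.sr = (self.sr >> 1) | (tdi << (self.sr_len - 1))
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "UPDATE_IR":
            self.ir = self.sr                         # shifted opcode becomes active
        elif self.state == "TEST_LOGIC_RESET":
            self.ir = IDCODE
        return tdo


def reset(tap):
    """Host side: five cycles with TMS=1 reach Test-Logic-Reset from any state."""
    for _ in range(5):
        tap.clock(1)
    tap.clock(0)                      # park in Run-Test/Idle


def scan(tap, value, nbits, ir=False):
    """From Run-Test/Idle, shift nbits through IR or DR and return what came out."""
    tap.clock(1)                      # Select-DR-Scan
    if ir:
        tap.clock(1)                  # Select-IR-Scan
    tap.clock(0)                      # enter Capture
    tap.clock(0)                      # capture executes, enter Shift
    out = 0
    for i in range(nbits):
        tms = 1 if i == nbits - 1 else 0      # last bit is shifted while leaving
        out |= tap.clock(tms, (value >> i) & 1) << i
    tap.clock(1)                      # Exit1 -> Update
    tap.clock(0)                      # Update -> Run-Test/Idle
    return out


def read_idcode(tap):
    reset(tap)
    scan(tap, IDCODE, IR_LEN, ir=True)
    return scan(tap, 0, 32)


def bypass_echo(tap, pattern, nbits):
    """With BYPASS loaded, TDI reappears on TDO delayed by exactly one bit."""
    scan(tap, BYPASS, IR_LEN, ir=True)
    return scan(tap, pattern, nbits)


def decode_idcode(value):
    """Split the 32-bit device ID into the fields defined by the standard."""
    return {"version": value >> 28, "part": (value >> 12) & 0xFFFF,
            "manufacturer": (value >> 1) & 0x7FF, "marker": value & 1}


if __name__ == "__main__":
    tap = Tap(0x0535217F)
    print(hex(read_idcode(tap)), decode_idcode(0x0535217F))
    print(bin(bypass_echo(tap, 0b1011, 5)))
```

The 11-bit manufacturer field of this value is 0xBF; UrJTAG prints 0x17F because it shows the low 12 bits, including the marker bit that is always 1.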
                  

Now that we know a little bit about the JTAG interface, what can we do with it?

The JTAG interface in practice

With JTAG we can control the execution of the firmware (stop the execution, inspect the memory, configure breakpoints, execute the code step-by-step, etc). We can also inspect the state of the processor and its registers, read and write to memory and access any I/O device connected to the processor.

Through a feature called Boundary Scan, the JTAG interface allows access to all the pins of the chip! In this way, we can individually read and write to each pin, and consequently manipulate the peripherals connected to the processor/microcontroller (GPIO, memory, flash, etc).

In practice, with the JTAG interface we can:

  • Identify information about the hardware (processor, memory, etc).
  • Dump RAM and gain access to sensitive data such as passwords and cryptographic keys.
  • Change the behavior of programs at run time to obtain privileged access to the system.
  • Capture sensitive data from hardware devices, such as data stored in an EEPROM.
  • Activate peripherals and modify their behavior, such as setting or resetting an I/O pin.
  • And of course, dump the flash memory to extract the firmware of the device!

As we can see, the JTAG interface is perfect for inspecting the execution of the firmware, discovering vulnerabilities and exploiting the device.

But if the JTAG interface is so insecure, why don't many hardware manufacturers remove or disable the access to it?

Because the JTAG interface is very convenient for the development and production of the hardware! Developers use the JTAG interface to debug the firmware running on the device. Also, the JTAG interface is used as a tool for programming and testing the device in production.

However, some manufacturers may adopt countermeasures to make it difficult to use the JTAG interface in the final product, including:

  • Obfuscation (cutting tracks, removing resistors, etc).
  • Reconfiguration of the JTAG pins in software.
  • Encryption and signature validation of the firmware image.

Other manufacturers go further and completely disable the JTAG interface through some fuses (internal bits of the chip that, once programmed, can no longer be changed).

Yet, it is still possible to re-enable the JTAG interface with techniques such as a silicon die attack.

After all, security is always a matter of how much time, knowledge and resources you have, right?

Now let's get down to business!

These are the four main steps to extract the firmware from a device using JTAG:

  1. Identify the JTAG connection pins.
  2. Test the connection with a JTAG adapter.
  3. Gather information about the memory mapping of the chip.
  4. Extract the firmware from the flash memory.

While explaining the process, I will provide a real example, extracting the firmware of the Linksys WRT54G router.

Step 1: Identify the JTAG pins

Finding the JTAG interface signals and their pinout can be quite laborious! That's because the device manufacturer can hide, obfuscate or disable the JTAG interface.

But before you start, do some research. Maybe someone else has already identified the JTAG interface of your device and published it on the Internet.

If you can't find anything on the Internet, take the board of your device and look for a group of pins together and not populated through visual inspection. The pins of the JTAG interface may be hidden under some other component like a capacitor or a battery. Pay attention to the different standards of JTAG connectors (2×10, 2×8, 2×7, 2×5, etc).

[Image: JTAG pinout]

Download the datasheet of the processor to identify the JTAG pins and test with a multimeter, oscilloscope or logic analyzer. A brute-force tool like JTAGulator can also be very useful!

[Image: JTAGulator]

Sometimes the JTAG interface is quite evident and documented on the Internet, like that of the WRT54G router:

[Image: JTAG interface of the WRT54G]

But sometimes it's not that obvious, like the JTAG interface of this Western Digital hard drive:

[Image: JTAG interface of a Western Digital hard drive]

Therefore, the process of identifying the JTAG interface can take some time and will require a lot of patience!

Step 2: Test the JTAG connection

With the JTAG pins identified, we can start the communication process with the JTAG interface. For that, we basically need two components: a JTAG adapter and a JTAG communication software.

The JTAG adapter is responsible for the physical communication with the device through the JTAG interface, usually connecting to the PC via a USB interface.

The JTAG communication software is responsible for communicating with the JTAG interface through the JTAG adapter.

[Image: JTAG adapter]

There are several JTAG adapters available on the market, some quite expensive for professional use and others more accessible, some of which are open hardware:

  • SEGGER J-Link
  • Keil ULINK
  • Flyswatter/Flyswatter2
  • Bus Blaster
  • Bus Pirate
  • Black Magic Probe
  • Shikra

In my tests, I am using Flyswatter from Tin Can Tools. This is my setup:

[Image: WRT54G connected to the Flyswatter JTAG adapter]

To communicate with the JTAG interface, there are several software options, many of which are proprietary. Among the open source tools, we have OpenOCD and UrJTAG.

OpenOCD (Open On-Chip Debugger) is an open source tool for communicating with JTAG interfaces. The project has been around for many years, connects easily to GDB and has a very comprehensive support of JTAG adapters and hardware devices.

UrJTAG is a newer tool, simpler but with a more friendly interface.

In my tests, I will use UrJTAG, which can be easily installed in a Debian-based distribution:

    $ sudo apt install -y urjtag

    $ jtag

    UrJTAG 0.10 #2007
    Copyright (C) 2002, 2003 ETC s.r.o.
    Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

    UrJTAG is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    There is absolutely no warranty for UrJTAG.

    warning: UrJTAG may damage your hardware!
    Type "quit" to exit, "help" for help.

    jtag>
          

With the JTAG adapter connected to the WRT54G, we can use UrJTAG to test communication with the JTAG interface and extract the device ID using the IDCODE instruction (this ID is a unique number assigned by JEDEC to each chip model manufactured in the world).

As we can see in the output below (line 7, `Device Id`), the device ID of the WRT54G chip is 0x0535217F.

    jtag> cable Flyswatter
    Connected to libftdi driver.

    jtag> detect
    IR length: 8
    Chain length: 1
    Device Id: 00000101001101010010000101111111 (0x0535217F)
      Manufacturer: Broadcom (0x17F)
      Part(0):      BCM5352 (0x5352)
      Stepping:     V1
      Filename:     /usr/local/share/urjtag/broadcom/bcm5352/bcm5352
    ImpCode=00000000100000000000100100000100
    EJTAG version: <= 2.0
    EJTAG Implementation flags: R4k DMA MIPS32
    Clear memory protection bit in DCR
    Clear Watchdog
    Potential flash base address: [0x0], [0x0]
    Processor successfully switched in debug mode.

    jtag> instruction IDCODE::shift ir::shift dr::dr
    00000101001101010010000101111111 (0x0535217F)
                  

Step 3: Identify information about flash memory

The next step is to analyze the memory address space of the chip to identify the device's flash memory initial address and size.

Visual inspection can help to identify the flash memory chip. Searching the Internet for information about the hardware platform or products with similar hardware can also help, as well as the documentation of the chip (SoC, processor, etc).

If you have access to a command line terminal on the device, look in the bootloader or the operating system logs for any message regarding the model and address space of the flash memory.

Sometimes it is necessary to apply some trial and error method or brute force to identify the address of the device's flash memory.

In my case, as I am using a MIPS based router, I can try the EJTAG instructions (a MIPS extension of the JTAG protocol) to identify the memory mapping of the chip. From the output below, we can see that the flash address of the device is 0x1FC00000 (line 19, the `Flash` range).

    jtag> initbus ejtag_dma
    ImpCode=00000000100000000000100100000100
    EJTAG version: <= 2.0
    EJTAG Implementation flags: R4k DMA MIPS32
    Clear memory protection bit in DCR
    Clear Watchdog
    Potential flash base address: [0x0], [0x0]
    Processor successfully switched in debug mode.
    Initialized bus 1, active bus 0

    jtag> print
     No. Manufacturer              Part                 Stepping Instruction          Register
    -------------------------------------------------------------------------------------------------------------------
       0 Broadcom                  BCM5352              V1       EJTAG_CONTROL        EJCONTROL

    Active bus:
    *0: EJTAG compatible bus driver via DMA (JTAG part No. 0)
        start: 0x00000000, length: 0x1E000000, data width: 32 bit, (USEG : User addresses)
        start: 0x1E000000, length: 0x02000000, data width: 16 bit, (FLASH : Addresses in flash (boot=0x1FC00000))
        start: 0x20000000, length: 0x60000000, data width: 32 bit, (USEG : User addresses)
        start: 0x80000000, length: 0x20000000, data width: 32 bit, (KSEG0: Kernel Unmapped Cached)
        start: 0xA0000000, length: 0x20000000, data width: 32 bit, (KSEG1: Kernel Unmapped Uncached)
        start: 0xC0000000, length: 0x20000000, data width: 32 bit, (SSEG : Supervisor Mapped)
        start: 0xE0000000, length: 0x20000000, data width: 32 bit, (KSEG3: Kernel Mapped)
                  

With this address, we can use the detectflash command to collect information about flash memory. From the output below (line 19, `Device Size`), we can see that the flash memory size is 4M:

    jtag> detectflash 0x1fc00000
    Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
    Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 16 us
        Typical timeout for maximum-size multi-byte program: 0 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 512 us
        Maximum timeout for multi-byte program: 0 us
        Maximum timeout per individual block erase: 16384 ms
        Maximum timeout for chip erase: 0 ms
    Device geometry definition:
        Device Size: 4194304 B (4096 KiB, 4 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 1
        Number of Erase Block Regions within device: 2
        Erase Block Region Information:
            Region 0:
                Erase Block Size: 8192 B (8 KiB)
                Number of Erase Blocks: 8
            Region 1:
                Erase Block Size: 65536 B (64 KiB)
                Number of Erase Blocks: 63
    Primary Vendor-Specific Extended Query:
        Major version number: 1
        Minor version number: 1
        Address Sensitive Unlock: Required
        Erase Suspend: Read/write
        Sector Protect: 4 sectors per group
        Sector Temporary Unprotect: Not supported
        Sector Protect/Unprotect Scheme: 29BDS640 mode (Software Command Locking)
        Simultaneous Operation: Not supported
        Burst Mode Type: Supported
        Page Mode Type: Not supported
        ACC (Acceleration) Supply Minimum: 11500 mV
        ACC (Acceleration) Supply Maximum: 12500 mV
        Top/Bottom Sector Flag: Bottom boot device
                  

Now we have all we need (flash memory start address and size) to extract the firmware from the device.

To extract the firmware, we just need to use the JTAG communication software to read the memory range identified in the previous step and save the data to a file.

Depending on the size of the flash memory and the communication speed of the JTAG interface, the process can take several minutes!

With the UrJTAG tool, we can dump the flash memory's content using the readmem command:

    jtag> readmem 0x1fc00000 0x400000 flash.bin
    address: 0x1FC00000
    length:  0x00400000
    reading:
    addr: 0x20000000
    Done.
          

After several minutes, we will have the firmware image extracted from the flash memory of the device!

    $ ls -lh flash.bin
    -rw-r--r-- 1 sprado sprado 4,0M fev 18 22:12 flash.bin

Now we can analyze the firmware image of the router with binwalk:

    $ binwalk --signature flash.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    211412        0x339D4         Copyright string: "Copyright (C) 2000,2001,2002,2003 Broadcom Corporation."
    234095        0x3926F         Copyright string: "Copyright 1995-1998 Mark Adler "
    239104        0x3A600         CRC32 polynomial table, little endian
    262144        0x40000         TRX firmware header, little endian, image size: 3211264 bytes, CRC32: 0xA293EEE4, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x904, rootfs offset: 0x84800
    262172        0x4001C         gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
    264452        0x40904         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: -1 bytes
    804864        0xC4800         Squashfs filesystem, little endian, version 3.0, size: 2604183 bytes, 692 inodes, blocksize: 65536 bytes, created: 2011-04-04 11:37:10
    3473408       0x350000        JFFS2 filesystem, little endian
    3604480       0x370000        JFFS2 filesystem, little endian
    4001816       0x3D1018        Zlib compressed data, compressed
    4002248       0x3D11C8        JFFS2 filesystem, little endian
    4004760       0x3D1B98        Zlib compressed data, compressed
    4005968       0x3D2050        JFFS2 filesystem, little endian
    4006772       0x3D2374        Zlib compressed data, compressed
    4007356       0x3D25BC        Zlib compressed data, compressed
    4008168       0x3D28E8        Zlib compressed data, compressed
    4009192       0x3D2CE8        Zlib compressed data, compressed
    4010552       0x3D3238        Zlib compressed data, compressed
    4012236       0x3D38CC        JFFS2 filesystem, little endian
    4014352       0x3D4110        Zlib compressed data, compressed
    4014516       0x3D41B4        JFFS2 filesystem, little endian
    4015916       0x3D472C        Zlib compressed data, compressed
    4016672       0x3D4A20        JFFS2 filesystem, little endian
    4038596       0x3D9FC4        JFFS2 filesystem, little endian
    4062896       0x3DFEB0        Zlib compressed data, compressed
    4063232       0x3E0000        JFFS2 filesystem, little endian
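
A read that takes several minutes over JTAG can pick up bit errors, and the TRX header that binwalk reports at 0x40000 carries a CRC32 that lets us check the dump before analysing it further. The following is an added example, not part of the original article: the TRX field layout, the CRC convention and the small sample image built inline are assumptions of the example.

```python
import struct
import zlib

# Added example (not the article's code). Assumed TRX layout for Broadcom images:
# magic "HDR0", image length, CRC32, flags, version and three partition offsets,
# all little endian, 28 bytes in total as in the binwalk line above.
TRX_HEADER = struct.Struct("<4sIIHH3I")
TRX_MAGIC = b"HDR0"
CRC_START = 12    # the CRC covers the image from the flags field to its end


def trx_crc32(data):
    # Assumption: TRX stores the CRC-32 register without the final inversion,
    # i.e. the bitwise complement of what zlib.crc32() returns.
    return ~zlib.crc32(data) & 0xFFFFFFFF


def find_trx(image):
    """Return every offset in the dump at which the TRX magic appears."""
    hits, pos = [], image.find(TRX_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = image.find(TRX_MAGIC, pos + 1)
    return hits


def check_trx(image, offset):
    """Parse the header at offset; verdict is 'ok', 'truncated' or 'crc-mismatch'."""
    if len(image) - offset < TRX_HEADER.size:
        raise ValueError("not enough data for a TRX header at 0x%X" % offset)
    magic, length, crc, flags, version, *offsets = TRX_HEADER.unpack_from(image, offset)
    if magic != TRX_MAGIC:
        raise ValueError("no TRX magic at 0x%X" % offset)
    header = {"length": length, "crc32": crc, "flags": flags,
              "version": version, "offsets": tuple(offsets)}
    # A length that runs past the dump means the read stopped early or the
    # flash size passed to the dump command was too small.
    if length < TRX_HEADER.size or offset + length > len(image):
        return header, "truncated"
    body = image[offset + CRC_START:offset + length]
    return header, "ok" if trx_crc32(body) == crc else "crc-mismatch"


def build_sample_dump():
    """Constructed stand-in for flash.bin: 0xFF padding around one TRX image."""
    payload = b"LOADER__" * 8 + b"KERNEL__" * 32 + b"ROOTFS__" * 64
    offsets = (28, 28 + 64, 28 + 64 + 256)      # loader, kernel, rootfs
    length = TRX_HEADER.size + len(payload)
    tail = struct.pack("<HH3I", 0, 1, *offsets) + payload
    head = struct.pack("<4sII", TRX_MAGIC, length, trx_crc32(tail))
    return b"\xff" * 0x400 + head + tail + b"\xff" * 0x100


def flip_bit(image, position):
    """Simulate a single-bit read error at the given byte position."""
    damaged = bytearray(image)
    damaged[position] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off in find_trx(dump):
        print(hex(off), check_trx(dump, off))
        print("after bit flip:", check_trx(flip_bit(dump, off + 100), off)[1])
```

On a real dump, a `crc-mismatch` verdict is a reason to read the flash again and compare the two files before trusting anything extracted from the image.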
          

And extract the file system from the image!

    $ binwalk --extract --quiet flash.bin

    $ ls _flash.bin.extracted/squashfs-root/
    bin  boot  dev  etc  jffs  lib  mnt  proc  README  rom  root  sbin  sys  tmp  usr  var  www

    $ cat _flash.bin.extracted/squashfs-root/etc/passwd
    root:$1$OZ1ejEbc$IgmRrZz5/bpm8FSTAbTGl1:0:0:root:/root:/bin/ash
    support:$1$KhtjZGTI$BhXbTLJ4IwtdqFKbpsa2J0:100:100:support:/tmp:/bin/ash
    nobody:*:65534:65534:nobody:/var:/bin/false
          

The JTAG interface is a fantastic tool for doing security research on electronic devices, and today several open, popular and inexpensive JTAG adapters can facilitate the process, requiring just a little knowledge and a lot of free time. Fun is guaranteed!

About the author: Sergio Prado has been working with embedded systems for more than 20 years. If you want to know more about his work, please visit the About page or Embedded Labworks website.

Please email your comments to sergio at embeddedbits.org or sign up the newsletter to receive updates.

